Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)

Matt McCutchen <matt@mattmccutchen.net> Thu, 30 September 2010 00:56 UTC

From: Matt McCutchen <matt@mattmccutchen.net>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
In-Reply-To: <4CA3AF50.6050101@KingsMountain.com>
References: <4CA3AF50.6050101@KingsMountain.com>
Date: Wed, 29 Sep 2010 20:56:47 -0400
Message-ID: <1285808207.1917.28.camel@mattlaptop2.local>
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)

On Wed, 2010-09-29 at 14:27 -0700, =JeffH wrote:
> I and PeterSA took a hard look at section "4.6 Outcome" (aka: Bad certificate 
> handling) and indeed its language needed some semi-major rewriting, which we've 
> done. The entire new section "4.6 Outcome" is below.
> 
> comments?

The cases of "no cached certificate" and "different cached certificate"
could probably be combined into "certificate not cached" to simplify
things.  I.e.:

###

4.6. Outcome
...
4.6.1.  Case #1: Match Found
...
4.6.2.  Case #2: No Match Found, Certificate Cached

If the client does not find a presented identifier matching any of the
reference identifiers, but the presented certificate has been designated
as acceptable for this application service (a) by a human user during a
previous interaction with the service or (b) via configuration settings,
the server identity check succeeds.  [XXX: What is the validated
identity of the server?  Should the cached certificate rather be
designated as acceptable for a reference identifier, which can be taken
as the identity of the server?]

4.6.3.  Case #3: No Match Found, Certificate Not Cached

If the client does not find a presented identifier matching any of the
reference identifiers and the presented certificate has not been
accepted as described in section 4.6.2, then the client MUST NOT
consider the certificate to include a validated identity for the
application service.  Instead, the client MUST proceed as follows. [...]

###

-- 
Matt
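As an added illustration that is not part of this message or of the certid draft: a Python sketch of the three outcomes in Matt's proposed 4.6 text, with the "accepted certificate" store keyed by reference identifier, which is the alternative his [XXX] note raises, so that case #2 yields a validated identity. The wildcard rules (a single `*` as the whole left-most label, matching exactly one label), the SHA-256 fingerprint as the cache key, and the certificate bytes and names below are all assumptions made for the example.

```python
import hashlib
from enum import Enum


class Outcome(Enum):
    MATCH = "4.6.1: match found"
    CACHED = "4.6.2: no match found, certificate cached"
    NOT_CACHED = "4.6.3: no match found, certificate not cached"


def _norm(name: str) -> list:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def dns_id_matches(reference: str, presented: str) -> bool:
    """Compare one presented dNSName against one reference DNS-ID.

    Label comparison is case-insensitive. A wildcard is accepted only as the
    whole left-most label and matches exactly one label, so '*.example.net'
    matches 'www.example.net' but neither 'example.net' nor 'a.b.example.net'.
    (Assumed rules for this example; no public-suffix check is attempted.)
    """
    ref, pres = _norm(reference), _norm(presented)
    if len(ref) != len(pres) or len(ref) < 2 or "*" in ref:
        return False
    if pres[0] == "*":
        return ref[1:] == pres[1:]
    return ref == pres


def fingerprint(cert_der: bytes) -> str:
    """Cache key for a presented certificate (assumption: SHA-256 of the DER)."""
    return hashlib.sha256(cert_der).hexdigest()


def accept_certificate(accepted: dict, reference_id: str, cert_der: bytes) -> None:
    """Record that a user or configuration designated cert_der acceptable
    for reference_id (the identifier-keyed cache the [XXX] note asks about)."""
    accepted.setdefault(".".join(_norm(reference_id)), set()).add(fingerprint(cert_der))


def check_server_identity(reference_ids, presented_ids, cert_der, accepted):
    """Return (Outcome, validated identity or None) for one presented cert."""
    # Case #1: some presented identifier matches some reference identifier.
    for ref in reference_ids:
        for pres in presented_ids:
            if dns_id_matches(ref, pres):
                return Outcome.MATCH, ".".join(_norm(ref))
    # Case #2: no match, but the certificate was previously accepted for one
    # of the reference identifiers; that identifier is the validated identity.
    fp = fingerprint(cert_der)
    for ref in reference_ids:
        if fp in accepted.get(".".join(_norm(ref)), set()):
            return Outcome.CACHED, ".".join(_norm(ref))
    # Case #3: no match and not cached; the client MUST NOT treat the cert as
    # carrying a validated identity and proceeds to the failure handling.
    return Outcome.NOT_CACHED, None


# Constructed sample data (not a real certificate).
CERT_DER = b"constructed stand-in for a DER-encoded certificate"
PRESENTED = ["*.example.net", "mail.example.org"]


def demo() -> list:
    """Walk the three outcomes in order; returns the (Outcome, identity) tuples."""
    accepted: dict = {}
    results = [
        check_server_identity(["www.example.net"], PRESENTED, CERT_DER, accepted),
        # Wildcard does not cover the apex, so this is a non-match...
        check_server_identity(["example.net"], PRESENTED, CERT_DER, accepted),
    ]
    # ...until the user (or configuration) designates the cert acceptable.
    accept_certificate(accepted, "example.net", CERT_DER)
    results.append(check_server_identity(["example.net"], PRESENTED, CERT_DER, accepted))
    # A different certificate for the same service is not covered by the cache.
    results.append(check_server_identity(["example.net"], PRESENTED, b"other cert", accepted))
    return results


if __name__ == "__main__":
    for outcome, identity in demo():
        print(f"{outcome.value:50} -> {identity}")
```

Keying the store by reference identifier rather than by "this application service" means a cached certificate never yields an identity the client did not ask for, and it makes case #2 produce a definite answer to Matt's "what is the validated identity" question.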