Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)
Peter Saint-Andre <stpeter@stpeter.im> Wed, 29 September 2010 23:18 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id F37E83A6C2F for <certid@core3.amsl.com>;
Wed, 29 Sep 2010 16:18:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.548
X-Spam-Level:
X-Spam-Status: No, score=-102.548 tagged_above=-999 required=5 tests=[AWL=0.051,
BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F-u4QATor759 for
<certid@core3.amsl.com>; Wed, 29 Sep 2010 16:18:43 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com
(Postfix) with ESMTP id 4370B3A6C09 for <certid@ietf.org>;
Wed, 29 Sep 2010 16:18:43 -0700 (PDT)
Received: from moveme.cisco.com (72-163-0-129.cisco.com [72.163.0.129])
(Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id
A93B340BB9; Wed, 29 Sep 2010 17:25:00 -0600 (MDT)
Message-ID: <4CA3C97D.8060809@stpeter.im>
Date: Wed, 29 Sep 2010 17:19:25 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
rv:1.9.1.12) Gecko/20100914 Thunderbird/3.0.8
MIME-Version: 1.0
To: Jim Schaad <ietf@augustcellars.com>
References: <4CA3AF50.6050101@KingsMountain.com>
<006801cb6024$6049f5a0$20dde0e0$@augustcellars.com>
<4CA3C022.8050202@stpeter.im>
<006a01cb602c$f3dd1150$db9733f0$@augustcellars.com>
In-Reply-To: <006a01cb602c$f3dd1150$db9733f0$@augustcellars.com>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: 'IETF cert-based identity' <certid@ietf.org>,
'=JeffH' <Jeff.Hodges@KingsMountain.com>
Subject: Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2010 23:18:45 -0000
On 9/29/10 5:20 PM, Jim Schaad wrote: > > >> -----Original Message----- From: Peter Saint-Andre >> [mailto:stpeter@stpeter.im] Sent: Wednesday, September 29, 2010 >> 3:40 PM To: Jim Schaad Cc: '=JeffH'; 'IETF cert-based identity' >> Subject: Re: [certid] section 4.6 rewrite (aka: Bad certificate >> handling) >> >> On 9/29/10 4:19 PM, Jim Schaad wrote: >>> >>> >>>> -----Original Message----- From: certid-bounces@ietf.org >>>> [mailto:certid-bounces@ietf.org] On Behalf >>> Of >>>> =JeffH Sent: Wednesday, September 29, 2010 2:28 PM To: IETF >>>> cert-based identity Subject: [certid] section 4.6 rewrite (aka: >>>> Bad certificate handling) >>>> >>>> I and PeterSA took a hard look at section "4.6 Outcome" (aka: >>>> Bad >>> certificate >>>> handling) and indeed its language needed some semi-major >>>> rewriting, which we've done. The entire new section "4.6 >>>> Outcome" is below. >>>> >>>> comments? >>>> >>>> thanks, >>>> >>>> =JeffH >>>> >>>> ### >>>> >>>> 4.6. Outcome >>>> >>>> The outcome of the checking procedure is one of the following >>>> cases. >>>> >>>> 4.6.1. Case #1: Match Found >>>> >>>> If the client has found a presented identifier that matches a >>>> reference identifier, matching has succeeded. In this case, >>>> the client MUST use the matched reference identifier as the >>>> validated identity of the server. >>>> >>>> 4.6.2. Case #2: No Match Found, Cached Certificate >>>> >>>> If the client does not find a presented identifier matching any >>>> of the reference identifiers, and (a) a human user has >>>> previously accepted and cached a certificate for this >>>> application service during a previous interaction with the >>>> service or (b) a certificate has been cached via configuration >>>> settings, then the client MUST verify that the presented >>>> certificate matches the cached certificate. If the presented >>>> certificate does not match the cached certificate then the >>>> client MUST proceed as described under Section 4.6.4. >>> >>> There was one case in the original text here that I was expecting >>> to be kept. This was the case of the chain of certificates >>> being changed from when it was originally presented. Given the >>> suggestion that the chain is shown for advanced users (see 4.6.4) >>> I am wondering about the fact that we are no longer looking at >>> anything more that the terminal certificate at this point. >> >> Yes, that's important. >> >> I think this text is a bit confusing because it uses the term >> "match" for comparing the entire cached certificate against the >> entire presented certificate, whereas in the rest of the document >> we use the term "match" for comparing reference identifiers against >> presented identifiers. >> >> Therefore I propose the following adjusted text: >> >> If the client does not find a presented identifier matching any of >> the reference identifiers, and (a) a human user has previously >> accepted and cached a certificate for this application service >> during a previous interaction with the service or (b) a certificate >> has been cached via configuration settings, then the client MUST >> verify that the presented certificate is the same as the cached >> certificate, including verification of the entire certification >> path. If the presented certificate is not the same as the cached >> certificate then the client MUST proceed as described under Section >> 4.6.4. >> > > You might change the text to be "cached a certificate with > certificate path" for the text in (a) and (b) This makes it more > clear that the entire certificate path is supposed to be cached. > (This is a potentially harder thing for configuration settings as a > certificate path would be required to be loaded. But making it more > explicitly is probably helpful.) I'm always in favor of making such things explicit. This will be fixed in the next version -- I now have "certificate (with certificate path)" in multiple locations of the working copy. Peter -- Peter Saint-Andre https://stpeter.im/
- [certid] section 4.6 rewrite (aka: Bad certificat… =JeffH
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Matt McCutchen
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Matt McCutchen
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… =JeffH
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Martin Rex
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Jim Schaad
- Re: [certid] section 4.6 rewrite (aka: Bad certif… Peter Saint-Andre