IETF Logo Mail Archive

Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05

Alexey Melnikov <alexey.melnikov@isode.com> Tue, 24 January 2012 16:59 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C676621F85FF; Tue, 24 Jan 2012 08:59:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.355
X-Spam-Level:
X-Spam-Status: No, score=-102.355 tagged_above=-999 required=5 tests=[AWL=0.244, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BrcPA1dvcARQ; Tue, 24 Jan 2012 08:59:40 -0800 (PST)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id CA0B321F84BD; Tue, 24 Jan 2012 08:59:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1327424378; d=isode.com; s=selector; i=@isode.com; bh=UxBFxG/pFlKusl/JnMGg+NE6DtYSPedspYio6qYI4l0=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=tNGjekNuvO6GOz2ATocN8AQJPhwiBqzl75izTGWd9JQyuX3WEKT3LxIa5i0Cio/ueyDLcu yond2G1xDQadcXwZMMgHAWAzbelSulEXRTNORUA4CpOb8sZFamWUASgJ7D9gmwf4GktS1Y 3ElMxgpJlwJUobM/FKVyoBKilaBwTKE=;
Received: from [188.28.204.193] (188.28.204.193.threembb.co.uk [188.28.204.193]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <Tx7jdQAV57OW@rufus.isode.com>; Tue, 24 Jan 2012 16:59:36 +0000
Message-ID: <4F1EE379.7080505@isode.com>
Date: Tue, 24 Jan 2012 16:59:37 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20111105 Thunderbird/8.0
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4F11E975.9070307@isode.com> <10722E0B-059E-4800-84C0-B330F397B63A@tik.ee.ethz.ch> <4F16D95A.3000006@isode.com> <89E47BB4-C228-4700-94C4-3F4ED03F99A2@tik.ee.ethz.ch> <4F1704DE.1090208@isode.com> <4F170904.2000603@isode.com> <60243B0C-A3FF-4B51-AFF8-27C34158E02E@tik.ee.ethz.ch> <4F185391.9050005@isode.com> <4F18704B.4010309@stpeter.im> <C36BCAAE-5F03-4514-8F18-34A5476C3F8E@tik.ee.ethz.ch> <4F1D5E5A.6090505@isode.com> <5ED8B1A1-11AF-4416-9940-63C75358FFF3@tik.ee.ethz.ch> <4F1D7DA7.8060600@isode.com> <BAE06AC9-65DE-451E-8DE2-462CCC0B479C@tik.ee.ethz.ch> <4F1D8808.9090203@isode.com> <48460543-BDED-4B54-B1A7-07D210968A08@tik.ee.ethz.ch> <4F1EE02A.5070800@stpeter.im>
In-Reply-To: <4F1EE02A.5070800@stpeter.im>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: gen-art@ietf.org, Kathleen Moriarty <kathleen.moriarty@emc.com>, The IESG <iesg@ietf.org>, Brian Trammell <trammell@tik.ee.ethz.ch>
Subject: Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2012 16:59:40 -0000

On 24/01/2012 16:45, Peter Saint-Andre wrote:
> On 1/24/12 2:25 AM, Brian Trammell wrote:
>> Hi, Alexey,
>>
>> So far only one voice on the WG list, stating no need for CN-ID. However, on thinking about it a bit further, if you happen to have an older PKI built out, and you're still using it, you've probably got a large investment in it, and it probably makes sense to allow you to use it for RID too...
>>
>> So, I'd suggest the following language to grudgingly allow such a thing:
>>
>> The use of CN-ID identifiers in certificates identifying RID systems
>> is NOT RECOMMENDED, and CN-ID identifiers MUST be ignored by PKI
>> implementations which can use DNS-ID identifiers. However, CN-ID
>> identifiers MAY be used when the RID consortium to which the system
>> belongs uses an older, existing PKI implementation.
> Brian, first of all, thanks for working with us on this topic. As you
> can see from the length of RFC 6125 (which didn't start out that big!),
> there's more complexity here than meets the eye.
>
> I think the mix of "NOT RECOMMENDED, MUST be ignored by some, but MAY be
> used by others" might be a bit confusing to those who implement and
> deploy RID. Also, RFC 6125 makes a distinction between cert generation
> and cert checking, which gets obscured by the word "use". Thus I might
> make the following suggestion:
>
>     The inclusion of Common Names (CN-IDs) in certificates identifying
>     RID systems is NOT RECOMMENDED.  A PKI implementation that
>     understands DNS-IDs SHOULD ignore CN-IDs when checking server
>     certificates.
I thought RFC 6125 has a rule saying that CN-IDs are ignored in presence 
of DNS-IDs? I would just rather reference RFC 6125, or at least be clear 
that this is defined there (using "as specified in RFC 6125").

The rest of your proposal looks fine.
> However, because many existing PKI implementations
>     still include CN-IDs when generating certificates, RID consortiums
>     might want to continue supporting them during certificate checking.
>
> This removes the normative force from the text about existing PKI
> implementations, while still encouraging use of DNS-IDs.
>
> Let us know what you think.
>
> Peter
>

v2.23.0 | Report a Bug | By Email