IETF Logo Mail Archive

Re: Last Call: draft-ietf-csi-send-cert (Certificate profile and certificate management for SEND) to Proposed Standard

Sean Turner <turners@ieca.com> Fri, 30 April 2010 19:16 UTC

Return-Path: <turners@ieca.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2CA983A6C00 for <ietf@core3.amsl.com>; Fri, 30 Apr 2010 12:16:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.777
X-Spam-Level:
X-Spam-Status: No, score=-0.777 tagged_above=-999 required=5 tests=[AWL=-0.779, BAYES_50=0.001, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RxXj84okVXrD for <ietf@core3.amsl.com>; Fri, 30 Apr 2010 12:16:25 -0700 (PDT)
Received: from smtp115.biz.mail.re2.yahoo.com (smtp115.biz.mail.re2.yahoo.com [66.196.116.35]) by core3.amsl.com (Postfix) with SMTP id 1AABC3A6A2E for <ietf@ietf.org>; Fri, 30 Apr 2010 12:16:25 -0700 (PDT)
Received: (qmail 77199 invoked from network); 30 Apr 2010 19:16:08 -0000
Received: from thunderfish.local (turners@96.231.124.139 with plain) by smtp115.biz.mail.re2.yahoo.com with SMTP; 30 Apr 2010 12:16:08 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: CE2VtzkVM1moYErU3cUvgotycoH5iuIPvZxOaNfQbHSMTtNzQqTJjZWAGKj4Zs8B8rRrUy0y14zR21WUfKTfdqjKyrTzNR6dPsbKjaPSXODc_SEpwuSuXYP64FbI4Xlfq8UZjSR92n4elKNiZFcI8IlMnSys7aZpt6bBpYR8.ShcmFylaC.DJud.4_oUD4WqHDiGWnugmRT2CV8HXKlk3sWhWjOOiy9ZnAwwiVPG5OH55ey17xr_7JwGovuW84t7Tpou4gfwaYAsF_31J.EGH.E2hhp53arOG_pwZtz_WJKZlyrmfyTf6X2qj7bS92Si1Fk3n2TzznGO.Pq1XzhZYZT6yUSC4uQAtOQi0ifPICv3I2t3eC4AyZ3MEDBqukWURdPfSrgGVCOfFQ6eMm6kPX3PS8iKg.JrO.94gEjdzRjpZXLMm8sk4E2fyWFhF6ceGB6Vc.XF7xNt5tjvoec-
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4BDB2C77.6000206@ieca.com>
Date: Fri, 30 Apr 2010 15:16:07 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: ietf@ietf.org, cga-ext@ietf.org
Subject: Re: Last Call: draft-ietf-csi-send-cert (Certificate profile and certificate management for SEND) to Proposed Standard
References: <20100430135557.183CD3A6C24@core3.amsl.com>
In-Reply-To: <20100430135557.183CD3A6C24@core3.amsl.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Apr 2010 19:16:26 -0000

The IESG wrote:
> The IESG has received a request from the Cga & Send maIntenance WG (csi) 
> to consider the following document:
> 
> - 'Certificate profile and certificate management for SEND '
>    <draft-ietf-csi-send-cert-03.txt> as a Proposed Standard
> 
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action.  Please send substantive comments to the
> ietf@ietf.org mailing lists by 2010-05-14. Exceptionally, 
> comments may be sent to iesg@ietf.org instead. In either case, please 
> retain the beginning of the Subject line to allow automated sorting.

1) I would like to see an ASN.1 module added to the document.  That way 
we can import the EKUs.  Here's what I'm looking for (something similar 
was done in draft-ietf-sip-eku):

-----
SENDCertExtns { iso(1) identified-organization(3) dod(6) internet(1)
   security(5) mechanisms(5) pkix(7) id-mod(0)
   id-mod-send-cert-extns(TBD) }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- OID Arc

id-kp  OBJECT IDENTIFIER  ::=
   { iso(1) identified-organization(3) dod(6) internet(1)
     security(5) mechanisms(5) pkix(7) 3 }

-- Extended Key Usage Values

id-kp-sendRouter OBJECT IDENTIFIER ::= { id-kp TBA1 }
id-kp-sendProxy OBJECT IDENTIFIER ::= { id-kp TBA2 }
id-kp-sendOwner OBJECT IDENTIFIER ::= { id-kp TBA3 }

END
-----

2) You also need to register the OIDs for the EKUs and the ASN.1 module. 
  I assume you're going to try to get them out of the PKIX arc?

3) Technically your IANA considerations is wrong because you need to get 
OIDs. Might I suggest something like:

   This document makes use of object identifiers to identify a Extended
   Key Usages (EKUs) and the ASN.1 module found in Appendix *TBD*.  The
   EKUs and ASN.1 module OID are registered in an arc delegated by IANA
   to the PKIX Working Group.  No further action by IANA is necessary for
   this document or any anticipated updates.

4) In the last paragraph of Section 7 you describe what the 
certificate-using application might require.

4.a) It says that including the EKU extension is a MAY, but the first 
paragraph says it MUST be present in EE certificates for SEND. 
Assuming the 1st paragraph is correct the 1st MAY needs to be a MUST in 
the last paragraph.

4.b) Assuming the 1st paragraph in is correct and EKU MUST be present 
then shouldn't value also be required?  That is, make the second MAY a 
MUST in the last paragraph.

4.c) Was there discussion about support for the anyExtendedKeyUsage OID 
from 4.2.1.12 of RFC 5280?

4.d) You should look at draft-ietf-sip-eku for what they say about 
processing their EKU.  Those rules are helpful to implementers.

5) draft-ietf-sidr-res-certs-17 is expired.

spt

v2.23.0 | Report a Bug | By Email