Re: Last Call: draft-ietf-csi-send-cert (Certificate profile and certificate management for SEND) to Proposed Standard
Sean Turner <turners@ieca.com> Fri, 30 April 2010 19:16 UTC
The IESG wrote:
> The IESG has received a request from the Cga & Send maIntenance WG (csi)
> to consider the following document:
>
> - 'Certificate profile and certificate management for SEND '
>   <draft-ietf-csi-send-cert-03.txt> as a Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2010-05-14. Exceptionally,
> comments may be sent to iesg@ietf.org instead. In either case, please
> retain the beginning of the Subject line to allow automated sorting.

1) I would like to see an ASN.1 module added to the document. That way we
can import the EKUs. Here's what I'm looking for (something similar was
done in draft-ietf-sip-eku):

-----
SENDCertExtns { iso(1) identified-organization(3) dod(6) internet(1)
  security(5) mechanisms(5) pkix(7) id-mod(0)
  id-mod-send-cert-extns(TBD) }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- OID Arc

id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6)
  internet(1) security(5) mechanisms(5) pkix(7) 3 }

-- Extended Key Usage Values

id-kp-sendRouter OBJECT IDENTIFIER ::= { id-kp TBA1 }
id-kp-sendProxy  OBJECT IDENTIFIER ::= { id-kp TBA2 }
id-kp-sendOwner  OBJECT IDENTIFIER ::= { id-kp TBA3 }

END
-----

2) You also need to register the OIDs for the EKUs and the ASN.1 module.
I assume you're going to try to get them out of the PKIX arc?

3) Technically your IANA considerations is wrong because you need to get
OIDs. Might I suggest something like:

   This document makes use of object identifiers to identify Extended
   Key Usages (EKUs) and the ASN.1 module found in Appendix *TBD*. The
   EKUs and ASN.1 module OID are registered in an arc delegated by IANA
   to the PKIX Working Group. No further action by IANA is necessary for
   this document or any anticipated updates.

4) In the last paragraph of Section 7 you describe what the
certificate-using application might require.

4.a) It says that including the EKU extension is a MAY, but the first
paragraph says it MUST be present in EE certificates for SEND. Assuming
the 1st paragraph is correct, the 1st MAY needs to be a MUST in the last
paragraph.

4.b) Assuming the 1st paragraph is correct and EKU MUST be present, then
shouldn't the value also be required? That is, make the second MAY a MUST
in the last paragraph.

4.c) Was there discussion about support for the anyExtendedKeyUsage OID
from 4.2.1.12 of RFC 5280?

4.d) You should look at draft-ietf-sip-eku for what they say about
processing their EKU. Those rules are helpful to implementers.

5) draft-ietf-sidr-res-certs-17 is expired.

spt