[IPsec] #117: Hash and URL interop

Tero Kivinen <kivinen@iki.fi> Fri, 30 October 2009 13:55 UTC

Message-ID: <19178.61513.606708.918055@fireball.kivinen.iki.fi>
Date: Fri, 30 Oct 2009 15:55:21 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Yaron Sheffer <yaronf@checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EA9@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EA9@il-ex01.ad.checkpoint.com>
Cc: IPsecme WG <ipsec@ietf.org>
Subject: [IPsec] #117: Hash and URL interop

Yaron Sheffer writes:
> To improve interoperability, allow only the "http" URL method. The
> current text (end of sec. 3.6) implies that any method is allowed,
> although HTTP MUST be supported. 

If that means adding MUST NOT for other URL methods, I do not think we
want to do it. We already have one mandatory to implement URL method
(http) and that should be enough to provide interoperability. If
someone wants to create an implementation which uses some other format in
addition to the http method for their own use, I do not see any reason why
they should be forbidden to do so.

Note that the HASH and URL formats are not limited to
exactly one URL format for each hash. Implementations are allowed
to send multiple cert payloads, each having the same HASH but different
URLs with different methods. If an implementation does not support a
certain URL method it just ignores that cert payload, and as multiple
methods point to the same certificate each of them has the same hash, thus it
does not matter which one of them the implementation uses to fetch the
certificate.
-- 
kivinen@iki.fi
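The multiple-payload behaviour described in the message above, as an added example that is not from the message or from any IKEv2 implementation: it assumes the Hash and URL encoding of RFC 4306 section 3.6 (20-octet SHA-1 of the DER certificate followed by the URL); the URLs, DER bytes and in-memory "fetcher" are constructed for the demonstration.

```python
import hashlib
from urllib.parse import urlsplit

SHA1_LEN = 20  # RFC 4306 sec. 3.6: data = 20-octet SHA-1 of the DER cert, then the URL


def parse_hash_and_url(cert_data):
    """Split the Certificate Data of a Hash and URL CERT payload into (sha1, url)."""
    if len(cert_data) <= SHA1_LEN:
        raise ValueError("Hash and URL certificate data too short")
    return cert_data[:SHA1_LEN], cert_data[SHA1_LEN:].decode("ascii")


def choose_url(payloads, supported_schemes):
    """Pick the first payload whose URL method we implement and ignore the rest;
    the peer may send several payloads carrying the same hash with different methods."""
    for data in payloads:
        digest, url = parse_hash_and_url(data)
        if urlsplit(url).scheme.lower() in supported_schemes:
            return digest, url
    return None


def fetch_and_verify(digest, url, fetcher):
    """Fetch DER via fetcher(url) and return it only if its SHA-1 equals the advertised
    hash; otherwise None, which the caller treats as an authentication failure."""
    der = fetcher(url)
    if der is None or hashlib.sha1(der).digest() != digest:
        return None
    return der


# Constructed sample data: not a real certificate, just bytes to hash.
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed-der-certificate-body"
CERT_HASH = hashlib.sha1(FAKE_DER).digest()
# Three CERT payloads for the same certificate, differing only in URL method.
PAYLOADS = [
    CERT_HASH + b"ldap://ldap.example.test/cn=peer",
    CERT_HASH + b"ftp://ftp.example.test/peer.der",
    CERT_HASH + b"http://certs.example.test/peer.der",
]
# Stand-in for the network: each URL serves the same DER; one extra URL serves a tampered copy.
STORE = {parse_hash_and_url(p)[1]: FAKE_DER for p in PAYLOADS}
STORE["http://certs.example.test/tampered.der"] = FAKE_DER + b"\x00"


def resolve(payloads, supported_schemes, fetcher=STORE.get):
    """Full flow: choose a fetchable URL, fetch the certificate, check the hash."""
    chosen = choose_url(payloads, supported_schemes)
    return None if chosen is None else fetch_and_verify(chosen[0], chosen[1], fetcher)
```

An http-only peer and an ldap-capable peer both end up with the same verified certificate, and a payload whose URL method is unknown is simply skipped rather than causing a failure.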