Re: [IPsec] #120: CA indication with cert req - allowed types

Tero Kivinen <kivinen@iki.fi> Mon, 02 November 2009 14:18 UTC

From: Tero Kivinen <kivinen@iki.fi>
To: David Wierbowski <wierbows@us.ibm.com>
Cc: IPsecme WG <ipsec@ietf.org>

David Wierbowski writes:
> > So the text most likely should say that "For other values the
> > certificate authority field contents is not defined, and can be
> > anything (or empty) until specifications that specify their contents
> > is published."
> I do not think they can be anything.  I think they need to be empty until
> specifications that specify their contents are published.

That's fine for the sending side, but for the recipient it is very hard
to know when a specification has been published, thus the recipient
should not reject (or crash) in case it receives a certreq having type
of x and having something inside the certificate authority field, even
though no specification was available when that implementation was
created.

That's why I think it would be safer to say they can be anything, or
perhaps more accurately it should say they MUST be sent as empty, but
the recipient MUST be able to handle CERTREQ regardless of what there
is in the certificate authority field.

But on the other hand I do not think we want to add new MUSTs/SHOULDs
etc. here, but just saying they can be anything (including empty)
should be enough.
-- 
kivinen@iki.fi
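
An added example, not part of the original message or of any IKEv2 implementation: a CERTREQ parser that is strict about framing but tolerant of unknown certificate types, along the lines argued above. It assumes the RFC 4306 section 3.7 layout (4-byte generic payload header, 1-octet Cert Encoding, then the Certification Authority field) and that type 4 carries concatenated 20-byte SHA-1 hashes; `parse_certreq` and `build` are hypothetical names, and the sample payloads are constructed.

```python
import struct

X509_SIGNATURE = 4   # Cert Encoding with a defined CA field (assumption: RFC 4306, 3.7)
SHA1_LEN = 20


def parse_certreq(payload: bytes):
    """Parse one CERTREQ payload, generic payload header included.

    Returns (cert_encoding, ca_hashes, opaque). Raises ValueError only for
    framing errors or a malformed CA field of a type whose format is defined.
    """
    if len(payload) < 5:
        raise ValueError("shorter than generic header plus Cert Encoding")
    _next_payload, _flags, length = struct.unpack_from("!BBH", payload)
    if length < 5 or length > len(payload):
        raise ValueError("Payload Length inconsistent with buffer")
    encoding = payload[4]
    ca = payload[5:length]
    if encoding == X509_SIGNATURE:
        if len(ca) % SHA1_LEN:
            raise ValueError("CA field is not a whole number of SHA-1 hashes")
        hashes = [ca[i:i + SHA1_LEN] for i in range(0, len(ca), SHA1_LEN)]
        return encoding, hashes, b""
    # Undefined contents for this type: keep the bytes opaque, never
    # interpret them, and do not fail the exchange because they are present.
    return encoding, [], ca


def build(encoding: int, ca: bytes) -> bytes:
    """Construct a sample CERTREQ payload (helper for constructed test data)."""
    return struct.pack("!BBHB", 0, 0, 5 + len(ca), encoding) + ca


if __name__ == "__main__":
    samples = [build(4, bytes(range(20)) + bytes(20)),  # two constructed hashes
               build(7, b""),                            # other type, empty
               build(7, b"\x01\x02\x03")]                # other type, non-empty
    for s in samples:
        print(parse_certreq(s))
```

Length checks stay strict for every type, since they protect the parser itself; only the interpretation of the Certification Authority bytes is relaxed for types without a defined format.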