[keyassure] End entity certificate matching, trust anchors, and protocol-06

Paul Hoffman <paul.hoffman@vpnc.org> Sat, 12 March 2011 23:00 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 8F8C03A6A15 for <keyassure@core3.amsl.com>; Sat, 12 Mar 2011 15:00:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.977
X-Spam-Status: No, score=-101.977 tagged_above=-999 required=5 tests=[AWL=0.622, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id 9YHvtjcbY3Hf for <keyassure@core3.amsl.com>; Sat, 12 Mar 2011 15:00:02 -0800 (PST)
Received: from hoffman.proper.com (unknown [IPv6:2001:4870:a30c:41::81]) by core3.amsl.com (Postfix) with ESMTP id 0D2DA3A6A5B for <keyassure@ietf.org>; Sat, 12 Mar 2011 15:00:01 -0800 (PST)
Received: from MacBook-08.local (75-101-30-90.dsl.dynamic.sonic.net []) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p2CN1MS6096345 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <keyassure@ietf.org>; Sat, 12 Mar 2011 16:01:22 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Message-ID: <4D7BFB41.4000403@vpnc.org>
Date: Sat, 12 Mar 2011 15:01:21 -0800
From: Paul Hoffman <paul.hoffman@vpnc.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: "keyassure@ietf.org" <keyassure@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [keyassure] End entity certificate matching, trust anchors, and protocol-06
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Mar 2011 23:00:03 -0000

Greetings again. Draft -06 has two major changes, mandatory-to-implement 
algorithms and revised semantics for End entity certificate matching and 
trust anchors. The first is fairly straight-forward and hopefully 
exactly what was prescribed for the resolution to now-closed issue #21.

The second is more problematic, which is reflected in the fact that 
there is now much more text. Please read the new text carefully, 
including the quoted text from RFC 5280. You may be surprised both by 
the restrictions that PKIX puts on us (namely that self-signed 
certificates are always CA certificates) and by the measures suggested 
in -06 (format validation on end entity certificates is relaxed to allow 
self-signed certificates for end entities).

Comments are, of course, welcome. Proposals for new wording if needed 
are even more welcome. If we have made mistakes in reading RFC 5280, 
quoting from that document in your messages will be helpful to the 
entire WG.

We will be presenting on this in Prague, but would love to see 
discussion happen in the weeks before then.

--Paul Hoffman