[keyassure] End entity certificate matching, trust anchors, and protocol-06
Paul Hoffman <paul.hoffman@vpnc.org> Sat, 12 March 2011 23:00 UTC
Message-ID: <4D7BFB41.4000403@vpnc.org>
Date: Sat, 12 Mar 2011 15:01:21 -0800
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: "keyassure@ietf.org" <keyassure@ietf.org>
Subject: [keyassure] End entity certificate matching, trust anchors, and protocol-06
Greetings again. Draft -06 has two major changes, mandatory-to-implement algorithms and revised semantics for End entity certificate matching and trust anchors. The first is fairly straightforward and hopefully exactly what was prescribed for the resolution to now-closed issue #21. The second is more problematic, which is reflected in the fact that there is now much more text.

Please read the new text carefully, including the quoted text from RFC 5280. You may be surprised both by the restrictions that PKIX puts on us (namely that self-signed certificates are always CA certificates) and by the measures suggested in -06 (format validation on end entity certificates is relaxed to allow self-signed certificates for end entities).

Comments are, of course, welcome. Proposals for new wording if needed are even more welcome. If we have made mistakes in reading RFC 5280, quoting from that document in your messages will be helpful to the entire WG.

We will be presenting on this in Prague, but would love to see discussion happen in the weeks before then.

--Paul Hoffman