Re: [keyassure] Objective: Restrictive versus Supplementary Models

Martin Rex <mrex@sap.com> Thu, 31 March 2011 13:07 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201103311309.p2VD9UwK021068@fs4113.wdf.sap.corp>
To: ynir@checkpoint.com
Date: Thu, 31 Mar 2011 15:09:30 +0200
In-Reply-To: <8FA34510-B4BA-4DD2-B1D3-49D7100D7F62@checkpoint.com> from "Yoav Nir" at Mar 31, 11 03:01:19 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models
Precedence: list
Reply-To: mrex@sap.com

Yoav Nir wrote:
> 
> On Mar 31, 2011, at 2:38 PM, Michael Richardson wrote:
> > 
> >    Yoav> Cert-lock (and CA-lock) are what EKR calls supplementary,
> >    Yoav> while the others are the restrictive. While the sever (and
> >    Yoav> domain owner) can't dictate client policy, they should be able
> >    Yoav> to indicate whether the Certificate (TA or EE) that's in the
> >    Yoav> TLSA record is supposed to be validatable or not. The client
> >    Yoav> (relying party) may have a policy to ignore records that push
> >    Yoav> a non-valid certificate, but if you're going to publish a
> >    Yoav> record with a certificate that you have just issued using
> >    Yoav> openssl on your laptop and expires in 1975, the TLSA record
> >    Yoav> had better reflect that this certificate is just a container
> >    Yoav> for a public key, not something you can chain and validate. 
> > 
> > So, you are arguing that the protocol must signal the intent.
> 
> It's not strictly speaking "intent". It's more of an attribute.
> Either "this certificate of mine, you can use your regular validation
> techniques" or "this certificate of mine, just make sure you get this one."

I also think that leaving it up to the client to make assumptions
about what type of TLS Server cert validation scheme should be used
is likely going to result in a lot of bad decisions among the
implementors.

If the TLSA record includes the information on the intended validation
scheme for this information, then there is going to be more consistency
among the implementations.

When a particular HTML page renders without apparent problems in
one particular web browser, this is no proof that the page is correctly
formed and can be expected to render without problems in other
browsers as well.

-Martin

[keyassure] Objective: Restrictive versus Supplem… Eric Rescorla
Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
Re: [keyassure] Objective: Restrictive versus Sup… Stephen Kent
Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
Re: [keyassure] Objective: Restrictive versus Sup… Michael Richardson
Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
Re: [keyassure] Objective: Restrictive versus Sup… Jay Daley
Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
Re: [keyassure] Objective: Restrictive versus Sup… Jay Daley
Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
Re: [keyassure] Objective: Restrictive versus Sup… Warren Kumari
Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
Re: [keyassure] Objective: Restrictive versus Sup… Eric Rescorla
Re: [keyassure] Objective: Restrictive versus Sup… Michael Richardson
Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
Re: [keyassure] Objective: Restrictive versus Sup… Michael Richardson
Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
Re: [keyassure] Objective: Restrictive versus Sup… Richard L. Barnes
Re: [keyassure] Objective: Restrictive versus Sup… Martin Rex
Re: [keyassure] Objective: Restrictive versus Sup… James Cloos
Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
Re: [keyassure] Objective: Restrictive versus Sup… Yoav Nir
Re: [keyassure] Objective: Restrictive versus Sup… Paul Wouters
Re: [keyassure] Objective: Restrictive versus Sup… Jim Schaad