IETF Logo Mail Archive

Re: [keyassure] Interpreting certificates (and summary)

Zack Weinberg <zack.weinberg@sv.cmu.edu> Wed, 23 February 2011 22:19 UTC

Return-Path: <zack.weinberg@gmail.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F47E3A695F for <keyassure@core3.amsl.com>; Wed, 23 Feb 2011 14:19:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ueEOENEBn6P for <keyassure@core3.amsl.com>; Wed, 23 Feb 2011 14:19:54 -0800 (PST)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 7B5943A692B for <keyassure@ietf.org>; Wed, 23 Feb 2011 14:19:54 -0800 (PST)
Received: by wyb42 with SMTP id 42so3174342wyb.31 for <keyassure@ietf.org>; Wed, 23 Feb 2011 14:20:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=atYxK0Hv6xQ9+QaYgNVm8yo764QN2ZDX/agx6QQVzyU=; b=XNEwWc1LimbKdcR18x5xrbp62Z9jfOsPCjSb7BITx9AolyIEXhpw6aRTQhvFlRQVbs UbZ5T3+GqAA1Oi4fDvtj1vHtS418BmM79y9e1Gib4ZvhnL4Nk4gszgKYNTsbbPzIFsyN 1a8OmzmZBPKE7+CobJX1/uHwrDHphqBQsQOE0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=oyYcmnmM6/dyMeXQVDDTsWl66TnCsKAV58PfR3mF1O82Q4Ik317LZ3Un68vlgXMHv2 IsRvWkgrC47/UzWlcAK+wx0ui9AUghQym2bZ1ZhFct/CRrj++YcI+HQyhdZc6ZqIToIX x8VjvVSL6N4Lbq/5t8ixKS9VpLogk2ozDqVDQ=
MIME-Version: 1.0
Received: by 10.227.24.69 with SMTP id u5mr20323wbb.223.1298499641938; Wed, 23 Feb 2011 14:20:41 -0800 (PST)
Sender: zack.weinberg@gmail.com
Received: by 10.227.155.85 with HTTP; Wed, 23 Feb 2011 14:20:41 -0800 (PST)
In-Reply-To: <4D6583AD.80801@vpnc.org>
References: <AANLkTi=-bGc1ws0VvrsudV55GRk6KasSsydtiWMTNyua@mail.gmail.com> <201102232039.p1NKdXR2008868@fs4113.wdf.sap.corp> <AANLkTikXbsQuLRaaj54ZcH6=Be8JYZjEnXs5GkwHPKAa@mail.gmail.com> <4D6583AD.80801@vpnc.org>
Date: Wed, 23 Feb 2011 14:20:41 -0800
X-Google-Sender-Auth: Yt8ZuwdpNOIVGk7S0ruzW-yPAHM
Message-ID: <AANLkTi=oCto+o52h-fTAns4OOw8gvowyq6Y=2VSxgQ02@mail.gmail.com>
From: Zack Weinberg <zack.weinberg@sv.cmu.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Interpreting certificates (and summary)
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Feb 2011 22:19:55 -0000

On Wed, Feb 23, 2011 at 2:01 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On 2/23/11 1:03 PM, Zack Weinberg wrote:
>>
>> Could we short-circuit this entire argument by deferring to the
>> protocol being secured for the certificate format?
>
> The WG already agreed that "the protocol being secured" is TLS, as the
> current draft states. TLS has exactly one certificate type: PKIX
> certificates in the format given in RFC 5280. (There is a
> non-standards-track extension to allow OpenPGP certificates.)

Right.  My suggested edit isn't meant to be a semantic change, just to
arrange that we can stop arguing about what that certificate format is
called.

... It does also mean that OpenPGP-cert extension, if it ever becomes
popular, could also be accomodated by cert types 1 and 2, because they
would still be "certificates in the wire format used by the protocol".
 Personally I see that as a good thing, because (one fervently hopes)
the OpenPGP format is unambiguously distinguishable from the X.509
format, so putting that information into the RR metadata would be a
redundancy and open the possibility of the two being out of sync.

... Come to think of it, the distinction between cert types 1 and 2
(end entity or CA) is *also* a redundancy (with the isCA field and/or
the key usage restrictions) that should perhaps be eliminated.  Why
not just use type 1 for both, and have the client's processing pay
attention to the cert's self-description?  (This is not a rhetorical
question; maybe there's a good reason I don't know about.)

zw

v2.23.0 | Report a Bug | By Email