Re: [pkix] Question about RFC 7030 - Enrollment over Secure Transport

Peter Yee <peter@akayla.com> Fri, 05 June 2020 22:16 UTC

From: Peter Yee <peter@akayla.com>
To: 'Reilly James' <james.reilly@kone.com>
Cc: pkix@ietf.org
Date: Fri, 05 Jun 2020 15:16:46 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/0GmcEZMqXJ8SbyB1UESUjBwl7OQ>

James,


I consulted my co-authors. While none of us have a strong recollection of our discussions on this point, our feeling is that to make that statement a MUST would be inconsistent with how many CAs are deployed. Specifically, CA support of rollover is not mandatory. And since there’s a fallback mechanism (manual bootstrap), clients do have the ability to get new CA certs, albeit with a certain amount of effort. Whether CAs should be required to support rollover is a different question.

-Peter


From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Reilly James
Sent: Friday, May 22, 2020 3:55 AM
To: pkix@ietf.org
Subject: [pkix] Question about RFC 7030 - Enrollment over Secure Transport


Hello

We are looking at RFC 7030 – Enrollment over Secure Transport.

Is there a reason or thought process in section ‘4.1.3 CA Certificates Response’

   ‘The EST server SHOULD include the three "Root CA Key Update"
   certificates OldWithOld, OldWithNew, and NewWithOld in the response
   chain.  These are defined in Section 4.4 of CMP [RFC4210].’

why SHOULD rather than, for example, MUST was used in the specification by the authors?

James
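Added example (Go, standard library only; not from the thread, RFC 7030 or any EST implementation) of what the three rollover certificates buy an EST client: starting from the root it already trusts, it accepts the new self-signed root only through a NewWithOld certificate signed by the old key, and when a server has exercised the SHOULD and left them out of the /cacerts response it returns an error, which is the point at which the manual bootstrap fallback Peter mentions applies. The keys, CA names and function names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue returns a CA certificate for pub named cn: self-signed when parent is nil, otherwise issued under parent.Subject and signed by signer (the parent's key).
func issue(cn string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl // same subject as the template means self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // only fails on inconsistent key/parent pairs, which RolloverSet never passes
	c, _ := x509.ParseCertificate(der)
	return c
}
// RolloverSet builds the four CMP 4.4 "Root CA Key Update" certificates from two fresh keys (constructed test data, not a real CA).
func RolloverSet() (oldWithOld, oldWithNew, newWithOld, newWithNew *x509.Certificate) {
	oldPub, oldKey, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newKey, _ := ed25519.GenerateKey(rand.Reader)
	oldWithOld = issue("Example Root CA (old)", oldPub, nil, oldKey)
	newWithNew = issue("Example Root CA (new)", newPub, nil, newKey)
	oldWithNew = issue("Example Root CA (old)", oldPub, newWithNew, newKey) // old key, certified by the new root
	newWithOld = issue("Example Root CA (new)", newPub, oldWithOld, oldKey) // new key, certified by the old root
	return
}
// AcceptNewRoot is the client side of a rollover: from the root it already trusts it finds NewWithOld (issuer = trusted subject, a different
// subject, signature valid under the trusted key), then the self-signed NewWithNew with the same name and key. Nothing found means manual bootstrap.
func AcceptNewRoot(trusted *x509.Certificate, bundle []*x509.Certificate) (*x509.Certificate, error) {
	for _, c := range bundle {
		if !bytes.Equal(c.RawIssuer, trusted.RawSubject) || bytes.Equal(c.RawSubject, trusted.RawSubject) ||
			c.CheckSignatureFrom(trusted) != nil {
			continue // OldWithOld, OldWithNew, an unrelated certificate, or one merely claiming the old issuer name
		}
		for _, n := range bundle { // c is NewWithOld; find the self-signed NewWithNew carrying the same subject and key
			if bytes.Equal(n.RawSubject, c.RawSubject) && bytes.Equal(n.RawIssuer, n.RawSubject) && bytes.Equal(n.RawSubjectPublicKeyInfo, c.RawSubjectPublicKeyInfo) && n.CheckSignatureFrom(n) == nil {
				return n, nil
			}
		}
	}
	return nil, errors.New("no Root CA Key Update certificates in /cacerts response: manual bootstrap required")
}
```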