Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt
Tom Gindin <tgindin@us.ibm.com> Wed, 30 July 2008 00:23 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6D79628C19A for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 29 Jul 2008 17:23:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FH34luSrUqMV for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 29 Jul 2008 17:23:06 -0700 (PDT)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id 662C93A67E4 for <pkix-archive@ietf.org>; Tue, 29 Jul 2008 17:23:06 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m6TNaqGx026160 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 29 Jul 2008 16:36:52 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m6TNaqhd026159; Tue, 29 Jul 2008 16:36:52 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from e5.ny.us.ibm.com (e5.ny.us.ibm.com [32.97.182.145]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m6TNaiQF026148 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-pkix@imc.org>; Tue, 29 Jul 2008 16:36:51 -0700 (MST) (envelope-from tgindin@us.ibm.com)
Received: from d01relay04.pok.ibm.com (d01relay04.pok.ibm.com [9.56.227.236]) by e5.ny.us.ibm.com (8.13.8/8.13.8) with ESMTP id m6TNagU3017459 for <ietf-pkix@imc.org>; Tue, 29 Jul 2008 19:36:42 -0400
Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay04.pok.ibm.com (8.13.8/8.13.8/NCO v9.0) with ESMTP id m6TNagXP205660 for <ietf-pkix@imc.org>; Tue, 29 Jul 2008 19:36:42 -0400
Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id m6TNag1Z023319 for <ietf-pkix@imc.org>; Tue, 29 Jul 2008 19:36:42 -0400
Received: from d01ml062.pok.ibm.com (d01ml062.pok.ibm.com [9.56.228.115]) by d01av04.pok.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id m6TNagfx023311; Tue, 29 Jul 2008 19:36:42 -0400
In-Reply-To: <488F2DAB.8060607@cs.dartmouth.edu>
To: Massimiliano Pala <pala@cs.dartmouth.edu>
Cc: ietf-pkix@imc.org
MIME-Version: 1.0
Subject: Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt
X-Mailer: Lotus Notes Release 7.0 HF277 June 21, 2006
From: Tom Gindin <tgindin@us.ibm.com>
Message-ID: <OF3858F0CB.DB5A7654-ON85257495.00544FAB-85257495.0081B3DB@us.ibm.com>
Date: Tue, 29 Jul 2008 19:36:41 -0400
X-MIMETrack: Serialize by Router on D01ML062/01/M/IBM(Release 8.0.1|February 07, 2008) at 07/29/2008 19:36:42, Serialize complete at 07/29/2008 19:36:42
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Max:
The DNS Name has to go into a specific extension to be used. I
don't think that putting a DNS Name into IssuerAltName means "look here
for SRV records associated with PKI management", and its most common
meaning in SubjectAltName is "expect to see this certificate when you
connect to this DNS Name", but an AccessDescription could easily be
assigned to mean that it's a pointer to SRV records. There are General
Names associated with AKI, CRL Distribution Point, and Name Constraint as
well, but they clearly are not appropriate for such purposes.
An argument that "DNS is not the right mechanism for this, and
it's worth a new protocol to avoid using DNS" is different than the one
you made in the first version of your draft. It looks to me like the
argument against DNS usage would rely heavily on the perception that DNS
isn't secure enough, especially for revocation information. Is that
really a strong enough reason to expect typical relying parties to
implement a new client protocol?
Tom Gindin
Massimiliano Pala <pala@cs.dartmouth.edu>
07/29/2008 10:48 AM
To
Tom Gindin/Watson/IBM@IBMUS
cc
ietf-pkix@imc.org
Subject
Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt
Hi Tom,
I do not understand how this actually applies. The dnsName is just one
type
of GeneralNames (if I do remember correctly), therefore considerations
about
AIA and SIA are not actually affected.
I do, anyway, understand your point: can we add a reference in the
certificate
so that we know which DNS domain we shall query for DNS SRV records
related
to PKI resources ?
I considered this, and I do really think it is a viable solution. I do
have
some personal concerns about using DNS for this purpose. I think DNS SRV
records work great for services provided within an organization (eg.,
within
a university .example.edu - I am not aware of anyone who is actually using
DNS SRV records on public DNSs) but having PKI managers to modify the DNS
servers can be painful in certain environments. Besides this, having a
separate service allows us to provide signed messages (both client and
server)
with NONCE. Moreover, a service that is decoupled from DNS can be easier
to
maintain, especially in a trusted-responder multi-CAs mode.
But if other people share your opinion, please let me know, so we can
update
the document properly.
Later,
Max
Tom Gindin wrote:
> Section 2.1 of this draft gives an overview of existing
solutions
> and their limitations. It does not appear that any consideration was
> given to adding a new AccessDescription (to the SIA and/or AIA
extensions)
> for SRV record access. The argument against the use of SRV records
given
> in 2.1.2 is that there is not generally a fixed mapping between the
> certificate and a DNS space, which does not apply to a DNSName within an
> AIA or SIA extension.
- I-D ACTION:draft-ietf-pkix-prqp-00.txt Internet-Drafts
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Tom Gindin
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Massimiliano Pala
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Tom Gindin
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Massimiliano Pala
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Anders Rundgren