Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt
Tom Gindin <tgindin@us.ibm.com> Wed, 30 July 2008 00:23 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6D79628C19A for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 29 Jul 2008 17:23:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FH34luSrUqMV for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 29 Jul 2008 17:23:06 -0700 (PDT)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id 662C93A67E4 for <pkix-archive@ietf.org>; Tue, 29 Jul 2008 17:23:06 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m6TNaqGx026160 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 29 Jul 2008 16:36:52 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m6TNaqhd026159; Tue, 29 Jul 2008 16:36:52 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from e5.ny.us.ibm.com (e5.ny.us.ibm.com [32.97.182.145]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m6TNaiQF026148 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-pkix@imc.org>; Tue, 29 Jul 2008 16:36:51 -0700 (MST) (envelope-from tgindin@us.ibm.com)
Received: from d01relay04.pok.ibm.com (d01relay04.pok.ibm.com [9.56.227.236]) by e5.ny.us.ibm.com (8.13.8/8.13.8) with ESMTP id m6TNagU3017459 for <ietf-pkix@imc.org>; Tue, 29 Jul 2008 19:36:42 -0400
Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay04.pok.ibm.com (8.13.8/8.13.8/NCO v9.0) with ESMTP id m6TNagXP205660 for <ietf-pkix@imc.org>; Tue, 29 Jul 2008 19:36:42 -0400
Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id m6TNag1Z023319 for <ietf-pkix@imc.org>; Tue, 29 Jul 2008 19:36:42 -0400
Received: from d01ml062.pok.ibm.com (d01ml062.pok.ibm.com [9.56.228.115]) by d01av04.pok.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id m6TNagfx023311; Tue, 29 Jul 2008 19:36:42 -0400
In-Reply-To: <488F2DAB.8060607@cs.dartmouth.edu>
To: Massimiliano Pala <pala@cs.dartmouth.edu>
Cc: ietf-pkix@imc.org
MIME-Version: 1.0
Subject: Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt
X-Mailer: Lotus Notes Release 7.0 HF277 June 21, 2006
From: Tom Gindin <tgindin@us.ibm.com>
Message-ID: <OF3858F0CB.DB5A7654-ON85257495.00544FAB-85257495.0081B3DB@us.ibm.com>
Date: Tue, 29 Jul 2008 19:36:41 -0400
X-MIMETrack: Serialize by Router on D01ML062/01/M/IBM(Release 8.0.1|February 07, 2008) at 07/29/2008 19:36:42, Serialize complete at 07/29/2008 19:36:42
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Max: The DNS Name has to go into a specific extension to be used. I don't think that putting a DNS Name into IssuerAltName means "look here for SRV records associated with PKI management", and its most common meaning in SubjectAltName is "expect to see this certificate when you connect to this DNS Name", but an AccessDescription could easily be assigned to mean that it's a pointer to SRV records. There are General Names associated with AKI, CRL Distribution Point, and Name Constraint as well, but they clearly are not appropriate for such purposes. An argument that "DNS is not the right mechanism for this, and it's worth a new protocol to avoid using DNS" is different than the one you made in the first version of your draft. It looks to me like the argument against DNS usage would rely heavily on the perception that DNS isn't secure enough, especially for revocation information. Is that really a strong enough reason to expect typical relying parties to implement a new client protocol? Tom Gindin Massimiliano Pala <pala@cs.dartmouth.edu> 07/29/2008 10:48 AM To Tom Gindin/Watson/IBM@IBMUS cc ietf-pkix@imc.org Subject Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Hi Tom, I do not understand how this actually applies. The dnsName is just one type of GeneralNames (if I do remember correctly), therefore considerations about AIA and SIA are not actually affected. I do, anyway, understand your point: can we add a reference in the certificate so that we know which DNS domain we shall query for DNS SRV records related to PKI resources ? I considered this, and I do really think it is a viable solution. I do have some personal concerns about using DNS for this purpose. I think DNS SRV records work great for services provided within an organization (eg., within a university .example.edu - I am not aware of anyone who is actually using DNS SRV records on public DNSs) but having PKI managers to modify the DNS servers can be painful in certain environments. Besides this, having a separate service allows us to provide signed messages (both client and server) with NONCE. Moreover, a service that is decoupled from DNS can be easier to maintain, especially in a trusted-responder multi-CAs mode. But if other people share your opinion, please let me know, so we can update the document properly. Later, Max Tom Gindin wrote: > Section 2.1 of this draft gives an overview of existing solutions > and their limitations. It does not appear that any consideration was > given to adding a new AccessDescription (to the SIA and/or AIA extensions) > for SRV record access. The argument against the use of SRV records given > in 2.1.2 is that there is not generally a fixed mapping between the > certificate and a DNS space, which does not apply to a DNSName within an > AIA or SIA extension.
- I-D ACTION:draft-ietf-pkix-prqp-00.txt Internet-Drafts
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Tom Gindin
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Massimiliano Pala
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Tom Gindin
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Massimiliano Pala
- Re: I-D ACTION:draft-ietf-pkix-prqp-00.txt Anders Rundgren