Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

"Piyush Jain" <piyush@ditenity.com> Tue, 02 April 2013 21:09 UTC

From: Piyush Jain <piyush@ditenity.com>
To: 'Stefan Santesson' <stefan@aaa-sec.com>, mrex@sap.com
References: <033501ce2fcf$ac7f4240$057dc6c0$@ditenity.com> <CD80F854.5F38D%stefan@aaa-sec.com>
In-Reply-To: <CD80F854.5F38D%stefan@aaa-sec.com>
Date: Tue, 02 Apr 2013 14:08:56 -0700
Message-ID: <036001ce2fe6$4af66b90$e0e342b0$@ditenity.com>
Cc: pkix@ietf.org, sts@aaa-sec.com
Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

http://dictionary.reference.com/browse/correspond also lists the meaning as
"to be in agreement or conformity" and this is how responder implementations
interpret it today (at least for good and revoked certificates).
The reason these specs are created is to avoid ambiguity and have
implementers interpret it in a consistent way.

> It is obviously the most recent time when this information was known to be
> correct, as per definition.
Is this based on your understanding of how existing responders set
thisUpdate in OCSP response or is it based on the dictionary meaning of
"correspond"?

For this boundary case where revoked cannot be tied to the CRL, implementers
have to think about what value to put in this field.
You seem to be saying that the right value for this field is current time.

> -----Original Message-----
> From: Stefan Santesson [mailto:stefan@aaa-sec.com]
> Sent: Tuesday, April 02, 2013 1:14 PM
> To: Piyush Jain; mrex@sap.com
> Cc: sts@aaa-sec.com; pkix@ietf.org
> Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15
> 
> On 4/2/13 7:27 PM, "Piyush Jain" <piyush@ditenity.com> wrote:
> 
> >[Piyush] Which original guidance? There is a note that says that these
> >values correspond to the values in the CRL.
> 
> They do.
> 
> Correspond = to be similar or analogous; be equivalent in function,
> position, amount, etc.
> (http://dictionary.reference.com/browse/correspond)
> 
> ThisUpdate in CRL (http://tools.ietf.org/html/rfc5280#section-5.1.2.4)
> 
> So it is analogous to the issuance date of a CRL, not necessarily THE
> issuance date of a CRL.
> 
> 
> This is all inherited from RFC 2560 and has not caused confusion to my
> knowledge.
> 
> /Stefan
>