RE: DPV Request Policy Inputs
"Yuriy Dzambasow" <yuriy@trustdst.com> Tue, 05 March 2002 15:22 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA04282 for <pkix-archive@odin.ietf.org>; Tue, 5 Mar 2002 10:22:34 -0500 (EST)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g25ESxR13372 for ietf-pkix-bks; Tue, 5 Mar 2002 06:28:59 -0800 (PST)
Received: from bach.digsigtrust.com (host65-54.digsigtrust.com [208.30.65.54]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g25ESr813363 for <ietf-pkix@imc.org>; Tue, 5 Mar 2002 06:28:53 -0800 (PST)
Received: from smtp.digsigtrust.com by smtp1.digsigtrust.com with ESMTP id g25ESna21195; Tue, 5 Mar 2002 07:28:49 -0700 (MST)
Received: from cc474623a (chr152dhcp1050.chrchv01.md.comcast.net [68.33.156.26]) by smtp.digsigtrust.com with SMTP id g25EQNk20283; Tue, 5 Mar 2002 07:26:23 -0700 (MST)
Reply-To: yuriy@trustdst.com
From: Yuriy Dzambasow <yuriy@trustdst.com>
To: "Housley, Russ" <rhousley@rsasecurity.com>
Cc: ietf-pkix@imc.org
Subject: RE: DPV Request Policy Inputs
Date: Tue, 05 Mar 2002 09:27:37 -0500
Message-ID: <JEEPKOOLEPLIDOKNKEFMGEAMCEAA.yuriy@trustdst.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-reply-to: <5.1.0.14.2.20020304082434.02075a18@exna07.securitydynamics.com>
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit
Russ: > > Yuriy: > > >2. Section 4 3rd paragraph > > > >The requirements document should not forbid specification > >of the policy with a request. If the protocol writers find that > >specifying the policy (or a subset of the policy) with the > >request is too burdensome, let them make that decision. Allowing > >a client to specify a frequently changing part of the policy > >with every request wouldn't be a bad decision > > > >[Denis Answer 11] > > > >Validation policies are usually not defined by end-users but by > >administrators. So why a separate protocol should be used, the > policy is not > >locally defined. Clients should not define policies. As we know, policy > >parameters are quite complex. > >Yuriy> But clients can specify which trusted roots to use and certain > >constraints. I believe it would be beneficial in some cases > (where policy > >is easily defined) for a client to specify these things as part of a DPV > >request, and not have to make a separate PDP request (which is > more suitable > >for complex policies). > > When I think of policy elements, I think of the inputs to the > certification > path validation algorithm in Son-of-2459. Do you think that the protocol > needs to include OPTIONAL fields that allow the client to specify all of > these inputs on a per-request basis? > > Russ > Yes; however, it probably makes sense to examine the set of inputs defined in son of 2459. From section 6.1.1 in draft-ietf-pkix-new-part1-12, the defined inputs are (followed by my comments): a) a perspective certification path of length n I don't believe it makes sense for a client to define this in a request to a server, as the client probably has no knowledge of certificate path length b) the current date/time Rather than the current date/time, allow the client to specify some specified date/time c) user-initial-policy-set Allow the client to specify this to a server. I know of many environments where relying parties use policy OIDs to determine a grade/level of certificate to control access to applications and resources. The validation server typically is not aware of these specific relying party policy requirements, and therefore the relying party client must be able to specify this to the validation server. d) trust anchor information Allow the client to specify this to a server, for obvious reasons. e) initial-policy-mapping-inhibit Do not allow a client to specify this to a server, as policy mapping is typically controlled by higher authorities. f) initial-explicit-policy I do not personally see a need for a client to specify this to a server, but there probably exists a need somewhere. 3) initial-any-policy-inhibit I do not personally see a need for a client to specify this to a server, but there probably exists a need somewhere. To summarize, the date/time, user-initial-policy-set, and trust anchor information would be useful OPTIONAL parameters to pass from a client to a server in a DPV/DPD request. Yuriy
- Comments on the DPV-DPD req doc Ambarish Malpani
- Re: Comments on the DPV-DPD req doc Denis Pinkas
- Re: Comments on the DPV-DPD req doc Peter Sylvester
- RE: Comments on the DPV-DPD req doc Yuriy Dzambasow
- RE: Comments on the DPV-DPD req doc Yuriy Dzambasow
- DPV Request Policy Inputs Housley, Russ
- RE: DPV Request Policy Inputs Yuriy Dzambasow