Re: Logotypes in certificates
Dean Povey <povey@dstc.qut.edu.au> Thu, 22 March 2001 04:42 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id XAA10679 for <pkix-archive@odin.ietf.org>; Wed, 21 Mar 2001 23:42:39 -0500 (EST)
Received: from localhost (daemon@localhost) by above.proper.com (8.9.3/8.9.3) with SMTP id UAA23512; Wed, 21 Mar 2001 20:39:41 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Wed, 21 Mar 2001 20:39:24 -0800
Received: from thunder.dstc.qut.edu.au (thunder.dstc.qut.edu.au [131.181.71.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id UAA23479 for <ietf-pkix@imc.org>; Wed, 21 Mar 2001 20:39:22 -0800 (PST)
Received: from dstc.qut.edu.au (garnet.dstc.qut.edu.au [131.181.71.36]) by thunder.dstc.qut.edu.au (8.10.1/8.10.1) with ESMTP id f2M4ctm04380; Thu, 22 Mar 2001 14:38:55 +1000 (EST)
Message-Id: <200103220438.f2M4ctm04380@thunder.dstc.qut.edu.au>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Stephen Kent <kent@bbn.com>
cc: Tom Gindin <tgindin@us.ibm.com>, ietf-pkix@imc.org
Subject: Re: Logotypes in certificates
In-Reply-To: Message from Stephen Kent <kent@bbn.com> of "Wed, 21 Mar 2001 18:03:54 EST." <p05010406b6dee2f776b7@[128.33.238.72]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 22 Mar 2001 14:38:55 +1000
From: Dean Povey <povey@dstc.qut.edu.au>
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
While I tend to dislike things like name constraints or actually any top down asserted constraints (they are things that can be easily controlled by external policy controls and they make automated path building a right pain in the butt), I can understand Stephen's concerns, and we need to come up with a sensible approach to this. As far as I can see there is no other sensible way to constrain logos other than to specificaly disallow them in some future certificate(s) in the path chain. Everything else will have to rely on sufficient due-dilligence of the CA to verify they are correct. Let's face it they don't do this already for the things they are supposed to do we are stuffed, regardless of how many constraints a higher level CA imposes. The path validation algorithm is complex as it is, so I would favour an approach that had as little effect on it as possible. I also think that by and large these type of constraints don't get used very often, so I think we also need to consider making the most common case usage the easiest. I can see three options (well actually the fourth one is to say that it is up to the CA policy to enforce constraints): 1. Using an OtherName in subjectAlt has a certain logic to it. I had also envisioned subject only logos but there is nothing to stop issuer's putting theirs in as well. The constraints problem would logically be punted to the NameConstraints extension. Unfortunately X.509/RFC2459/Son-of-RFC2459 doesn't describe any semantics for name constraints with OtherName so vendors will have to fix their path validation anyway. They may also have to fix their implementations to handle the new OID -> type mapping. 2. An uglier but perhaps more pragmatic approach is to create a logo attribute and shove it in a DN (preferably in altName) with either PKCS9String or IA5String type. Unfortunately, unless I have misunderstood the way name constraints works for DNs the only way that I can that a CA could stop a subordinate CA from issuing certificates with a logo is to require that CA to include a logo attribute with a known NULL value, as I can't think of another way of excluding a given attribute from the DN namespace. This would probably work without changing any/much existing code. However given this working groups general aversion to putting stuff in the DN, I can't see this being very popular. 3. Possibly the most elegant approach, but one which unfortunately has the most impact on current standards is to fix the general problem of enforcing constraints on user certs. While logo type has been singled out, the scenario Stephen describes applies to any extension outside a small subset which the path validation explicitly handles. Fixing this is relatively easy. We define can define an ExtensionsConstraints extension which looks something like: extensionsConstraints EXTENSION ::= { SYNTAX ExtensionConstraintSyntax IDENTIFIED BY id-ce-extensionConstraint } ExtensionsConstraintsSyntax ::= SEQUENCE { permittedExtensions SEQUENCE OF ExtensionConstraint (1..MAX) OPTIONAL, excludedExtensions [0] SEQUENCE OF ExtensionConstraint (1..MAX) OPTIONAL, requiredExtensions [1] SEQUENCE OF ExtensionConstraint (1..MAX) OPTIONAL } ExtensionConstraint ::= SEQUENCE { constrainedExtensions SEQUENCE OF OBJECT IDENTIFIER (1..MAX), skipCerts SkipCerts } permittedExtensions lists those extensions which are explicitly allowed to appear after some later point in the certificate path. excludedExtensions lists those extensions which explicitly disallowed to appear after some later point in the certificate path. requiredExtensions lists those extensions which MUST appear at some later point in the certificate path. Each of these lists contains one more ExtensionConstraint which lists the OIDs for which the constraint applies and the number of Certificates to skip before applying the constraint (ala PolicyConstraints). We then define the logo indicator as a simple extension as indicated earlier and then the CA is free to exclude it (or any other extension they don't trust a subordinate CA with). If you wanted to go further you could deprecate PolicyConstraints as this new extension fully supports it. I like this approach best as it is simple, general and fixes this problem for most simple cases. It also allows some more explicit expression of policy in the Certificate in a machine interpretable way. The big downside of course is that this means creating a path validation process incompatible with X.509 and changing a bunch of implementations which is never fun. Anyway just tossing ideas around. Cheers. -- Dean Povey, | e-m: povey@dstc.edu.au | JCSI: Java Crypto Toolkit Research Scientist | ph: +61 7 3864 5120 | uPKI: C PKI toolkit for embedded Security Unit, DSTC | fax: +61 7 3864 1282 | systems Brisbane, Australia | www: security.dstc.com | Oscar: C++ PKI toolkit
- Re: X.509 certificate and its subject name field Marc Branchaud
- Re: X.509 certificate and its subject name field Kepa Zubeldia
- Re: X.509 certificate and its subject name field Kepa Zubeldia
- Re: X.509 certificate and its subject name field Peter Gutmann
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Peter Williams
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Marc Branchaud
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Hal Lockhart
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Kepa Zubeldia
- RE: X.509 certificate and its subject name field Allen, James W
- Re: X.509 certificate and its subject name field dave horvath
- Re: X.509 certificate and its subject name field Peter Williams
- Re: X.509 certificate and its subject name field Peter Gutmann
- Re: X.509 certificate and its subject name field Kathy Konija
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Anil R. Gangolli
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Marc Branchaud
- Re: X.509 certificate and its subject name field Marc Branchaud
- Re: X.509 certificate and its subject name field Marc Branchaud
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field David P. Kemp
- Re: X.509 certificate and its subject name field Peter Williams
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field luan
- Re: X.509 certificate and its subject name field Marc Branchaud
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field David P. Kemp
- Re: X.509 certificate and its subject name field David P. Kemp
- Re: X.509 certificate and its subject name field luan
- Re: X.509 certificate and its subject name field David Boyce
- Re: X.509 certificate and its subject name field E. Gerck
- Re: X.509 certificate and its subject name field Nick Pope
- Re: X.509 certificate and its subject name field Hal Lockhart
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Stephen Kent
- RE: Re[2]: X.509 certificate and its subject name… Sharon Boeyen
- Re: X.509 certificate and its subject name field Miklos, Sue A.
- Re[2]: X.509 certificate and its subject name fie… KESTERSON.H
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re[2]: X.509 certificate and its subject name fie… KESTERSON.H
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- RE: X.509 certificate and its subject name field Charles Moore
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Warwick Ford
- X.509 certificate and its subject name field luan
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Peter Williams
- Re: X.509 certificate and its subject name field David P. Kemp
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field luan
- Re: X.509 certificate and its subject name field luan
- Re: X.509 certificate and its subject name field David P. Kemp
- Re: X.509 certificate and its subject name field John Lowry
- Re: X.509 certificate and its subject name field Denis Pinkas
- Re: X.509 certificate and its subject name field luan
- Re: X.509 certificate and its subject name field Peter Gutmann
- Re: X.509 certificate and its subject name field Bob Jueneman
- Re: X.509 certificate and its subject name field John Pawling
- Re: X.509 certificate and its subject name field Hal Lockhart
- Re: X.509 certificate and its subject name field Hal Lockhart
- Re: X.509 certificate and its subject name field Mark Wahl
- RE: X.509 certificate and its subject name field Sharon Boeyen
- RE: X.509 certificate and its subject name field Hal Lockhart
- Re: X.509 certificate and its subject name field David P. Kemp
- Re: X.509 certificate and its subject name field Ned Smith
- Re: X.509 certificate and its subject name field Hal Lockhart
- RE: X.509 certificate and its subject name field Sharon Boeyen
- Re: X.509 certificate and its subject name field Denis Pinkas
- unsubscribe jesper@dynas.se Jesper Pettersson
- Re[2]: X.509 certificate and its subject name fie… Housley, Russ
- Re: X.509 certificate and its subject name field David P. Kemp
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field David P. Kemp
- Re: X.509 certificate and its subject name field Hal Lockhart
- Re: X.509 certificate and its subject name field Denis Pinkas
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field E. Gerck
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field E. Gerck
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: X.509 certificate and its subject name field Kepa Zubeldia
- Re: X.509 certificate and its subject name field Bob Jueneman
- Re: X.509 certificate and its subject name field Shyh-Wei Luan
- Re: X.509 certificate and its subject name field luan
- Re: X.509 certificate and its subject name field Peter Williams
- Re: X.509 certificate and its subject name field David P. Kemp
- Re: X.509 certificate and its subject name field David P. Kemp
- Re: X.509 certificate and its subject name field Stephen Kent
- Re: Logotypes in certificates Dean Povey
- Re: Logotypes in certificates jim
- Re: Logotypes in certificates Rich Salz
- Re: Logotypes in certificates Dean Povey