Re: draft-turner-caclearanceconstraints-01.txt
Yoav Nir <ynir@checkpoint.com> Fri, 10 October 2008 20:51 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 539BA3A6A39 for <ietfarch-pkix-archive@core3.amsl.com>; Fri, 10 Oct 2008 13:51:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.503
X-Spam-Level:
X-Spam-Status: No, score=-2.503 tagged_above=-999 required=5 tests=[AWL=0.095, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TCHcJmrzCuV3 for <ietfarch-pkix-archive@core3.amsl.com>; Fri, 10 Oct 2008 13:51:08 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id E1FE83A6810 for <pkix-archive@ietf.org>; Fri, 10 Oct 2008 13:51:06 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9AKHgHc018244 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 10 Oct 2008 13:17:42 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9AKHgWs018243; Fri, 10 Oct 2008 13:17:42 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9AKHTPj018233 for <ietf-pkix@imc.org>; Fri, 10 Oct 2008 13:17:39 -0700 (MST) (envelope-from ynir@checkpoint.com)
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 0D81F294003; Fri, 10 Oct 2008 22:17:18 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 46354294001 for <ietf-pkix@imc.org>; Fri, 10 Oct 2008 22:17:16 +0200 (IST)
Received: from [172.31.21.116] (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id m9AKHAke009557 for <ietf-pkix@imc.org>; Fri, 10 Oct 2008 22:17:10 +0200 (IST)
Message-Id: <61DF61CA-7EA9-4394-9B42-0AC45CBCC712@checkpoint.com>
From: Yoav Nir <ynir@checkpoint.com>
To: ietf-pkix@imc.org
In-Reply-To: <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-1-549493758"
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: draft-turner-caclearanceconstraints-01.txt
Date: Fri, 10 Oct 2008 22:17:09 +0200
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com>
X-Mailer: Apple Mail (2.929.2)
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
+1 On Oct 7, 2008, at 5:40 PM, Stefan Santesson wrote: > I vote NO to adopting this work as a PKIX work item. > > I do vote for a continued debate on the rationale for this proposal > but I have yet not seen any good motivation for doing this work. > > The rational for my NO vote is: > > 1) To start with, a certificate is a very bad place to manage > clearance. I can at most agree to it’s use in AA certificates but > clearance is in its nature fundamentally different from Public Key > certificates as the certificate is an assertion of an entity’s key > and identity, which is generic and static, while clearance is > context specific and dynamic. > 2) If clearance would make it into certificates, then that > should be more than enough that we reasonable could handle as a > standard. To specify constraints for such information is to ask for > big trouble. > > Elaborating on the difficulties to specify clearance constraints I > would like to highlight some quotes from the draft: > > The draft is taking several shortcuts when it comes to clearance > constraints processing. > The class list is specified but at the same time defined within the > context of PolicyId. This means that there is no generic way to > compare ClassList bits, This is highlighted by the following quote > from 4.1.1.3: > > -- Calculate securityCategories intersection in accordance with > guidelines associated with the security policy represented > by > the policyID. > > So the logic for clearance constraints processing is performed per > PolicyId but the logic may be different for every PolicyId. > In my world, this does not fly and is not implementable. > > I also have a number of other problems: > > · This draft makes clearance processing authoritative over > accepting certificate paths. I foresee problems with legacy > implementations of PKI: > > If more than one entry with > the same policyId is present in AuthorityClearanceConstraints > certificate extension, the certification path is rejected. > > · This draft mandates processing of extensions in TA > certificates (root) which can be argued to be incompatible with RFC > 3280 > > > Conclusion: > Before this work is accepted as work group item, it must show that > clearance constraints processing is possible in a reasonable and > meaningful manner, and hence is worth working on. > If we decide to work on this item, I foresee a major design > commitment for the PKIX group and an even bigger commitment on > behalf of implementers. > As such, I also encourage use cases that motivates the effort. > > > > Stefan Santesson > Senior Program Manager > Windows Security, Standards > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org > ] On Behalf Of Stephen Kent > Sent: den 1 oktober 2008 22:24 > To: ietf-pkix@imc.org > Subject: draft-turner-caclearanceconstraints-01.txt > > It appears to have been two months since there was any PKIX list > discussion of this document. In Dublin it was agreed that we would > conduct a straw poll on whether to adopt this as a WG item, but I > failed to do so prior to leaving for a week-long meeting in NZ and 3- > week vacation in KE. My bad. > > So, I'd like to initiate a 1-week straw poll starting 10/3. > > Sean, the minutes indicated that you would tell me what status you > are seeking for the document, and I have no record of a message from > you on that topic, so please provide that vital piece of info to the > list before we start the poll. > > Thanks, > > Steve > > > Scanned by Check Point Total Security Gateway. >
- draft-turner-caclearanceconstraints-01.txt Stephen Kent
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Reddy, Raksha Patel
- RE: draft-turner-caclearanceconstraints-01.txt Russ Housley
- Re: draft-turner-caclearanceconstraints-01.txt Kurt Zeilenga
- RE: draft-turner-caclearanceconstraints-01.txt Ashmore, Samuel R.
- Re: draft-turner-caclearanceconstraints-01.txt Stephen Farrell
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Denis Pinkas
- Re: draft-turner-caclearanceconstraints-01.txt Yoav Nir
- What are certificates fundamentally all about? [w… Stephen Wilson
- RE: draft-turner-caclearanceconstraints-01.txt Carl Wallace
- Re: What are certificates fundamentally all about… Timothy J. Miller
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: What are certificates fundamentally all about… Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: What are certificates fundamentally all about… Stephen Wilson
- Re: What are certificates fundamentally all about… Stephen Kent
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Russ Housley
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin