IETF Logo Mail Archive

Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item

"Denis Pinkas" <denis.pinkas@bull.net> Fri, 07 September 2007 09:41 UTC

Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITaLU-0005Ag-Gu for pkix-archive@lists.ietf.org; Fri, 07 Sep 2007 05:41:48 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ITaLT-00040d-1y for pkix-archive@lists.ietf.org; Fri, 07 Sep 2007 05:41:48 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l878cpo4046132 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 7 Sep 2007 01:38:51 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l878cpmU046131; Fri, 7 Sep 2007 01:38:51 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l878cm5a046123 for <ietf-pkix@imc.org>; Fri, 7 Sep 2007 01:38:50 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA57326 for <ietf-pkix@imc.org>; Fri, 7 Sep 2007 10:45:34 +0200
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2007090710381974:91324 ; Fri, 7 Sep 2007 10:38:19 +0200
Date: Fri, 07 Sep 2007 10:38:17 +0200
From: Denis Pinkas <denis.pinkas@bull.net>
To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 07/09/2007 10:38:19, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 07/09/2007 10:38:46, Serialize complete at 07/09/2007 10:38:46
Message-ID: <OF3876B698.C80CC9A9-ONC125734F.002F7456@frcl.bull.fr>
Content-Type: text/plain; charset="iso-8859-1"
X-MIME-Autoconverted: from base64 to 8bit by balder-227.proper.com id l878cp5a046126
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by balder-227.proper.com id l878cpo4046132
X-Spam-Score: 2.1 (++)
X-Scan-Signature: dbb8771284c7a36189745aa720dc20ab

David,

I have three major concerns with this draft:

1 - The current proposal is insecure, unless HTTPS is mandated.


2 - Even, if HTTPS is mandated, the proposal is still insecure 
     unless the relying parties may securely know which trust anchor 
    shall be used to verify the certification path of the webdav server.  
    That information MUST be provided by the CA that has issued the certificate, 
    and NOT by "other means".

3 - The text states:

“Whilst a certificate might exist, i.e. from its time of first issuing until it validity period finishes,
 one of the pages SHOULD exist, although some implementations MAY choose to treat 
 a revoked certificate the same as a certificate that has never existed”.

I would be worthwhile to phrase this differently and move the sentence 
once the webdavCert accessMethod has been introduced and state:

“If only the webdavCert accessMethod is supported, then the scheme is only able 
to provide real-time revocation status of certificates.  In order to support a non-repudiation service, 
the webdavRev accessMethod must be supported”.

This means that Certificates issuers may choose to support:

a)	only the webdavRev accessMethod, or
b)	only the webdavCert accessMethod, or
c)	both the webdavRev accessMethod and the webdavCert accessMethod.

This is not clearly stated in the draft.

In addition, I have the following concerns:

4 - The text states:

“When a certificate exists, it has a unique web page (the certificate URL) at which it MUST be found”.

I would be worthwhile to phrase this differently and move the sentence 
once the webdavCert accessMethod has been introduced and state:

“If the webdavCert accessMethod is supported, then when a certificate exists, 
it has a unique web page (the certificate URL) at which the revocation list (of length one) 
MUST be found”.

This means that the following sentence is not appropriate:

"When a certificate is revoked, it has a unique web page (revocation URL) 
at which the revocation list (of length one) SHOULD be found".


5 - The text states:

“Optionally the revocation page MAY exist after the validity period of a certificate has expired”.

Using RFC 3280, there is no way to know for a relying party (unless out of bands mechanisms 
are being used), if the CA has chosen to do so or not, so such a feature would be unusable.  
In addition, there is no need to maintain such information once a certificate has expired.


6 – In the security considerations section, the text states:

“Consequently, if the certificates are not meant to be publicly available or stronger security 
is required, then secure access should be provided using HTTP with TLS".

The use of HTTPS has nothing to do with “publicly available” certificates.

Denis


>I am very interested in the construction of a systematic framework for
>webdav based publication protocols to be used to publish into
>repositories. Other WG areas of work are considering adoption of
>certificate based models which require large, distributed repositories
>to be maintained, and will imply a repository provisioning protocol.
>
>I therefore wish to propose the WG adopt draft-chadwick-webdav-00.txt as a work item.
>
>I would also like to ask that the document be slightly modified, to
>present two distinct parts in the proposal
>
>1) that part which documents use of WEBDAV as a repository publication
>   protocol and the use of a REST model.
>
>2) that part which discusses naming of the repository objects in the
>   repository, eg for use in the SIA and AIA fields, and the related
>   REST model name mapping.
>
>The reason I ask that it be re-worked in this way is that there are
>other models of repository naming architecture which do not have
>'deep' RDN name structure in the certificate Subject name, and are less
>ameanable to a deterministic mapping as Dave has proposed. If the
>document is re-worked slightly to make it plain that this is only one
>of many repository naming models, it will be easier for related work to
>cite this document in reference to part 1) use of WEBDAV and to draw up
>a distinct repository name mapping function reflecting part 2) in
>spirit.
>
>I have some very minor concerns with stipulating the correct TLS
>version to support virtual webhost naming in a secured connection to
>the server during WEBDAV binding. I am sure these can be very easily
>addressed.
>
>Thanks to Dave Chadwick for writing this draft, and presenting it at
>IETF69 Chicago.
>
>-George
>
>

Regards,

Denis Pinkas

v2.23.0 | Report a Bug | By Email