Re: [pkix] An alternative proposal Was: Fwd: New Version Notification for draft-hamilton-cmr-00.txt
"Miller, Timothy J." <tmiller@mitre.org> Thu, 03 November 2011 12:23 UTC
Return-Path: <tmiller@mitre.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0DD41F0C5F for <pkix@ietfa.amsl.com>; Thu, 3 Nov 2011 05:23:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cS7nBcRQVS5Q for <pkix@ietfa.amsl.com>; Thu, 3 Nov 2011 05:23:12 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id B6F951F0C61 for <pkix@ietf.org>; Thu, 3 Nov 2011 05:23:12 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 602BD21B091A; Thu, 3 Nov 2011 08:23:10 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 536F921B048B; Thu, 3 Nov 2011 08:23:10 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.57]) by IMCCAS01.MITRE.ORG ([129.83.29.78]) with mapi id 14.01.0339.001; Thu, 3 Nov 2011 08:23:09 -0400
From: "Miller, Timothy J." <tmiller@mitre.org>
To: Phillip Hallam-Baker <hallam@gmail.com>
Thread-Topic: [pkix] An alternative proposal Was: Fwd: New Version Notification for draft-hamilton-cmr-00.txt
Thread-Index: AQHMmOR+3o6yhaO2SES0DD1Qj9f8npWZbmMAgAEZQACAAHyAAA==
Date: Thu, 03 Nov 2011 12:23:09 +0000
Message-ID: <CAD7ED0F.1FBF%tmiller@mitre.org>
In-Reply-To: <CAMm+Lwi4eQkk8FdTNZr8fojNCK62GN_n8opOCbgQX6V3PZztLQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.13.0.110805
x-originating-ip: [172.31.62.101]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <50388300CC4B0E4993A0437BD2FF039E@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] An alternative proposal Was: Fwd: New Version Notification for draft-hamilton-cmr-00.txt
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 12:23:14 -0000
So let me summarize the problem(s) that I think you're trying to address: 1. A CA is defrauded and issues certificates (e.g. Verisign, 2001). 2. A CA is compromised and issues certificates (e.g. DigiNotar et.al., 2011). 3. A Subscriber certificate fraudulently claims to be issued from a CA where it was not, in fact, issued. In (1), blacklisting the issued certificates works; whitelisting gains you nothing. When the fraud is detected, the certificates are revoked, the CRL works its way through the infrastructure, and eventually no-one trusts the fraudulent certificates. Whitelisting is ineffective because the fraudulent certificates *are on the whitelist* (at least until they are discovered, at which point they move to the blacklist). In (2), neither blacklisting nor whitelisting the issued certificates is effective because the CA is authoritative for the both. A malicious trusted user of the CA can remove revoked certificates from the CRL, and can insert certificate records into the database. The only effective response in this case is to blacklist the CA, which invalidates anything that CA has issued. In (3), the fraud should be detected by certificate path discovery. The claimed issuer won't be in the discovered path, and the whitelist is never referenced. What they relying party does with this information is their own decision. CRLs may be insufficient in some cases; e.g., the Verisign incident involved code signing certificates which for good or ill have a special validation logic, and a general lack of CRL checking meant that DigiNotar CA revocation weren't being honored. However, the 'fix' for both cases was just another form of blacklisting (e.g., see "Untrusted Certificates" in any Windows CAPI instance). Finally, we know with CRLs that too many relying parties simply ignore them. Why would whitelists (CVLs? NegaCRLs?) be any different? What compels a relying party to check a whitelist when it currently doesn't check a blacklist? And on a personal note, I'm not trying to 'veto' anything. IETF doesn't work that way. I'm just trying to understand what the goal is and give my opinion. -- T
- [pkix] An alternative proposal Was: Fwd: New Vers… Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Walter.Goulet
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … denis.pinkas
- Re: [pkix] An alternative proposal Was: Fwd: New … Trevor Freeman
- Re: [pkix] An alternative proposal Was: Fwd: New … Walter.Goulet
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Paul Hoffman
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Walter.Goulet
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … David A. Cooper
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … David A. Cooper
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Paul Hoffman
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] OCSP stapling Michael Myers
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Paul Hoffman
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Wilson
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Yoav Nir
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Kent
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- [pkix] Proposed new singleExtension for OCSP denis.pinkas
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Sylvester
- Re: [pkix] Proposed new singleExtension for OCSP Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Kent
- Re: [pkix] Proposed new singleExtension for OCSP Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Phillip Hallam-Baker
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Martin Rex
- Re: [pkix] Proposed new singleExtension for OCSP Tom Ritter
- Re: [pkix] Proposed new singleExtension for OCSP Kemp, David P.
- Re: [pkix] Proposed new singleExtension for OCSP denis.pinkas
- Re: [pkix] Proposed new singleExtension for OCSP Liaquat Khan
- Re: [pkix] Proposed new singleExtension for OCSP Paul Hoffman
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Tom Gindin
- [pkix] Malaysian CA (Was: An alternative proposal… Yoav Nir
- Re: [pkix] Malaysian CA (Was: An alternative prop… Rob Stradling
- Re: [pkix] Malaysian CA (Was: An alternative prop… Tim Moses
- Re: [pkix] Proposed new singleExtension for OCSP Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Kent
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … David A. Cooper
- Re: [pkix] Proposed new singleExtension for OCSP Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] Malaysian CA (Was: An alternative prop… Peter Gutmann
- [pkix] CRL Whitelist Requirements Was An alternat… Tom Gindin
- Re: [pkix] Malaysian CA (Was: An alternative prop… Yoav Nir
- Re: [pkix] Malaysian CA (Was: An alternative prop… Peter Gutmann
- Re: [pkix] Malaysian CA (Was: An alternative prop… Yoav Nir
- Re: [pkix] Malaysian CA (Was: An alternative prop… Tim Moses
- Re: [pkix] Malaysian CA (Was: An alternative prop… Peter Gutmann
- Re: [pkix] Malaysian CA (Was: An alternative prop… Tim Moses