Re: Son of RFC3280 path validation rules

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 20 October 2006 10:49 UTC

Message-ID: <45389A5D.4090205@cs.tcd.ie>
Date: Fri, 20 Oct 2006 10:43:57 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Denis Pinkas <denis.pinkas@bull.net>
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: Son of RFC3280 path validation rules
References: <OF9C911E1E.06A28373-ONC125720D.002E992F@frcl.bull.fr>
In-Reply-To: <OF9C911E1E.06A28373-ONC125720D.002E992F@frcl.bull.fr>

Hi Denis,

Denis Pinkas wrote:

> ...the sentence: "The trust anchor for the certification path
> MUST be the same as the trust anchor used to validate the target certificate" does not allow
> one to address the cases where:

As it happens I disagree with you but that was done to death on the
list before I think.

> 
>      a) two CAs in different branches of a certification tree would have the same DN, and
> 
>      b) two CAs in different trees of a certification forest would have the same DN.
> 
> Dave, the text of son-of-RFC3280 is currently insufficient to enable secure implementations.

That strikes me as a wild overstatement almost akin to saying that
we should spend forever figuring out how to handle cases where two
CAs end up with the same private key and never mind making any
progress in the meantime.

I think the current text is fine, an improvement on 3280, and well
worth proceeding with.

I suggest that you write up a separate document that says how to
handle the corner cases above.

Stephen.
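To illustrate the corner case under discussion (two CAs sharing a DN), here is an added example that is not code from this thread or from the RFC: a toy trust-anchor lookup showing that matching the top certificate's issuer by name alone is ambiguous, while matching on name plus the authority key identifier selects a unique anchor, so the "same trust anchor" rule can be checked as an identity rather than a name comparison. The anchor names, key bytes and sample paths are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class TrustAnchor:
    name: str    # subject DN of the anchor CA
    spki: bytes  # its SubjectPublicKeyInfo (constructed placeholder bytes here)

    def key_id(self) -> str:
        # key identifier derived from the public key, as in RFC 3280 4.2.1.2 method (1)
        return hashlib.sha1(self.spki).hexdigest()

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    authority_key_id: Optional[str]  # AKI keyIdentifier (hex) or None if absent

def anchors_by_name(path: List[Cert], anchors: List[TrustAnchor]) -> List[TrustAnchor]:
    """Anchors that could have issued the top certificate of the path, matched on
    issuer name only. With same-DN CAs this is ambiguous (more than one hit)."""
    top = path[-1]
    return [a for a in anchors if a.name == top.issuer]

def anchor_for_path(path: List[Cert], anchors: List[TrustAnchor]) -> Optional[TrustAnchor]:
    """Same lookup, but also require the top cert's AKI to match the anchor's key id.
    Returns None when no anchor, or more than one, matches."""
    top = path[-1]
    hits = [a for a in anchors_by_name(path, anchors)
            if top.authority_key_id is None or a.key_id() == top.authority_key_id]
    return hits[0] if len(hits) == 1 else None

def same_trust_anchor(cert_path: List[Cert], crl_path: List[Cert], anchors: List[TrustAnchor]) -> bool:
    """The rule under discussion: the anchor for the CRL issuer's path must be the
    very same anchor (name and key) that validated the target certificate."""
    a = anchor_for_path(cert_path, anchors)
    return a is not None and a == anchor_for_path(crl_path, anchors)

# Constructed sample: two distinct CAs that both use the DN "CN=Root CA".
ROOT_A = TrustAnchor("CN=Root CA", b"spki-of-root-A")
ROOT_B = TrustAnchor("CN=Root CA", b"spki-of-root-B")
ANCHORS = [ROOT_A, ROOT_B]
CERT_PATH = [Cert("CN=alice", "CN=Root CA", ROOT_A.key_id())]       # target cert, issued by A
CRL_PATH = [Cert("CN=crl-signer", "CN=Root CA", ROOT_B.key_id())]   # CRL issuer cert, issued by B

if __name__ == "__main__":
    print(len(anchors_by_name(CERT_PATH, ANCHORS)))         # 2: the name alone cannot tell A from B
    print(anchor_for_path(CERT_PATH, ANCHORS) == ROOT_A)    # True
    print(same_trust_anchor(CERT_PATH, CRL_PATH, ANCHORS))  # False: different anchors despite equal DNs
```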