RE: Dual-signed certificates
"Hiroyuki Sakakibara" <sakaki@iss.isl.melco.co.jp> Tue, 01 August 2000 03:17 UTC
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA14607 for <pkix-archive@odin.ietf.org>; Mon, 31 Jul 2000 23:17:28 -0400 (EDT)
Received: from localhost (daemon@localhost) by ns.secondary.com (8.9.3/8.9.3) with SMTP id UAA08378; Mon, 31 Jul 2000 20:13:30 -0700 (PDT)
Received: by mail.imc.org (bulk_mailer v1.12); Mon, 31 Jul 2000 20:13:28 -0700
Received: from florida.melco.co.jp (florida.melco.co.jp [192.218.140.46]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA08343 for <ietf-pkix@imc.org>; Mon, 31 Jul 2000 20:13:26 -0700 (PDT)
Received: by florida.melco.co.jp (3.7W-florida) id MAA27638; Tue, 1 Aug 2000 12:17:00 +0900 (JST)
Received: by mailgw.melco.co.jp (3.7W-mailgw) id MAA02508; Tue, 1 Aug 2000 12:16:59 +0900 (JST)
Received: by inetgw.melco.co.jp (8.8.8+2.7Wbeta7/3.7W-inetgw) id MAA07512; Tue, 1 Aug 2000 12:16:59 +0900 (JST)
Received: from islgw.isl.melco.co.jp by elgw.isl.melco.co.jp (8.8.8/3.6W) id MAA08346; Tue, 1 Aug 2000 12:16:58 +0900 (JST)
Received: from iss.isl.melco.co.jp by islgw.isl.melco.co.jp (8.8.8/3.6W) id MAA19874; Tue, 1 Aug 2000 12:16:57 +0900 (JST)
Received: from belize by iss.isl.melco.co.jp (8.8.8/3.6W) id MAA04733; Tue, 1 Aug 2000 12:16:55 +0900 (JST)
Message-ID: <003101bffb67$2f2f8570$78054a0a@iss.isl.melco.co.jp>
From: Hiroyuki Sakakibara <sakaki@iss.isl.melco.co.jp>
To: ietf-pkix@imc.org
Subject: RE: Dual-signed certificates
Date: Tue, 01 Aug 2000 12:18:37 +0900
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
Content-Transfer-Encoding: 7bit
I have two questions related to this topic. [Question 1] May "issuance agreement or receipt of certificate included in or attached to a public key certificate" be used for protecting against following attack ? Because a CA publishes his certificate, someone can know the profile of it, and create the CA's certificates including the same public key, same issuer/serialnumber, subject and same or different extension values, "fake certs", and publishes them to a public repository or attaches to protocol messages etc... Also he can create not only CA's fake certs but also fake long pathes. If an attacker sends these fake pathes with many messages to a server ( i.e a shopping server, a validation server etc ... ), this strengthens a Denial Of Service attack against the server, because the server will validate the fake pathes. Of course, the server would notice that those fake certs, and fake pathes are invalid, because verification of the signatures are failed at his trust anchor. If a top down path construction is applied, with checking signatures, the attack will be defeated immediately, but, bottom up path construction ... RP will not notice it fake until the path reaches to his trust anchor. [Question 2] In a cross-certificate environment, a certificate path may contain several CA certificates in different domains. For example, CA_a cert(trust anchor) --> CA_b cert --> CA_c cert --> CA_d cert --> EE cert if CA_a, CA_b, CA_c, CA_d are in differnt PKI domains, Supposing that CA_c issues a new certificate "CA_d cert ' " ( after issuing CA_d cert ) to CA_d which includes the same public key as in "CA_d cert" WITHOUT AGREEMENT of CA_d. Even if CA_d cert ' includes the same extensions as the original one, is this a valid path ? CA_a cert(trust anchor) --> CA_b cert --> CA_c cert --> "CA_d cert ' "--> EE cert If "CA_d cert ' " includes additional extensions, i.e, additional policies, CRL Distribution Points etc, which the original one does not include, a path validation function based on RFC2459 or X.509 ver3 will succeed ? for example CA_d cert includes policy1, policy2, CDP1, CDP2 CA_d cert' includes policy1, policy2, policy3, CDP1, CDP2, CDP3 other certificate elements are the same. In this case, CA_c may be a rough CA, but, I think that path validation will succeed, because there is no proof of agreement or receipt of certificate issuance. This CA_c' odd issuance of certificate seems no-benefical to CA_c, however, I think that RP needs to notice this odd path during path validation processing. --------------------------------------- Hiroyuki Sakakibara MITSUBISHI ELECTRIC CORPORATION Information Technology R&D Center 5-1-1 Ofuna, Kamakura, Kanagawa, Japan PHONE: +81-467-41-2183 FAX: +81-467-41-2185 E-mail : sakaki@iss.isl.melco.co.jp Received: from florida.melco.co.jp (florida.melco.co.jp [192.218.140.46]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA08343 for <ietf-pkix@imc.org>; Mon, 31 Jul 2000 20:13:26 -0700 (PDT) Received: by florida.melco.co.jp (3.7W-florida) id MAA27638; Tue, 1 Aug 2000 12:17:00 +0900 (JST) Received: by mailgw.melco.co.jp (3.7W-mailgw) id MAA02508; Tue, 1 Aug 2000 12:16:59 +0900 (JST) Received: by inetgw.melco.co.jp (8.8.8+2.7Wbeta7/3.7W-inetgw) id MAA07512; Tue, 1 Aug 2000 12:16:59 +0900 (JST) Received: from islgw.isl.melco.co.jp by elgw.isl.melco.co.jp (8.8.8/3.6W) id MAA08346; Tue, 1 Aug 2000 12:16:58 +0900 (JST) Received: from iss.isl.melco.co.jp by islgw.isl.melco.co.jp (8.8.8/3.6W) id MAA19874; Tue, 1 Aug 2000 12:16:57 +0900 (JST) Received: from belize by iss.isl.melco.co.jp (8.8.8/3.6W) id MAA04733; Tue, 1 Aug 2000 12:16:55 +0900 (JST) Message-ID: <003101bffb67$2f2f8570$78054a0a@iss.isl.melco.co.jp> From: "Hiroyuki Sakakibara" <sakaki@iss.isl.melco.co.jp> To: <ietf-pkix@imc.org> Subject: RE: Dual-signed certificates Date: Tue, 1 Aug 2000 12:18:37 +0900 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-2022-jp" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 I have two questions related to this topic. [Question 1] May "issuance agreement or receipt of certificate included in or attached to a public key certificate" be used for protecting against following attack ? Because a CA publishes his certificate, someone can know the profile of it, and create the CA's certificates including the same public key, same issuer/serialnumber, subject and same or different extension values, "fake certs", and publishes them to a public repository or attaches to protocol messages etc... Also he can create not only CA's fake certs but also fake long pathes. If an attacker sends these fake pathes with many messages to a server ( i.e a shopping server, a validation server etc ... ), this strengthens a Denial Of Service attack against the server, because the server will validate the fake pathes. Of course, the server would notice that those fake certs, and fake pathes are invalid, because verification of the signatures are failed at his trust anchor. If a top down path construction is applied, with checking signatures, the attack will be defeated immediately, but, bottom up path construction ... RP will not notice it fake until the path reaches to his trust anchor. [Question 2] In a cross-certificate environment, a certificate path may contain several CA certificates in different domains. For example, CA_a cert(trust anchor) --> CA_b cert --> CA_c cert --> CA_d cert --> EE cert if CA_a, CA_b, CA_c, CA_d are in differnt PKI domains, Supposing that CA_c issues a new certificate "CA_d cert ' " ( after issuing CA_d cert ) to CA_d which includes the same public key as in "CA_d cert" WITHOUT AGREEMENT of CA_d. Even if CA_d cert ' includes the same extensions as the original one, is this a valid path ? CA_a cert(trust anchor) --> CA_b cert --> CA_c cert --> "CA_d cert ' "--> EE cert If "CA_d cert ' " includes additional extensions, i.e, additional policies, CRL Distribution Points etc, which the original one does not include, a path validation function based on RFC2459 or X.509 ver3 will succeed ? for example CA_d cert includes policy1, policy2, CDP1, CDP2 CA_d cert' includes policy1, policy2, policy3, CDP1, CDP2, CDP3 other certificate elements are the same. In this case, CA_c may be a rough CA, but, I think that path validation will succeed, because there is no proof of agreement or receipt of certificate issuance. This CA_c' odd issuance of certificate seems no-benefical to CA_c, however, I think that RP needs to notice this odd path during path validation processing. --------------------------------------- Hiroyuki Sakakibara MITSUBISHI ELECTRIC CORPORATION Information Technology R&D Center 5-1-1 Ofuna, Kamakura, Kanagawa, Japan PHONE: +81-467-41-2183 FAX: +81-467-41-2185 E-mail : sakaki@iss.isl.melco.co.jp Received: from florida.melco.co.jp (florida.melco.co.jp [192.218.140.46]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA07542 for <ietf-pkix@imc.org>; Mon, 31 Jul 2000 20:05:54 -0700 (PDT) Received: by florida.melco.co.jp (3.7W-florida) id MAA25563; Tue, 1 Aug 2000 12:09:19 +0900 (JST) Received: by mailgw.melco.co.jp (3.7W-mailgw) id MAA00394; Tue, 1 Aug 2000 12:09:19 +0900 (JST) Received: by inetgw.melco.co.jp (8.8.8+2.7Wbeta7/3.7W-inetgw) id MAA05315; Tue, 1 Aug 2000 12:09:18 +0900 (JST) Received: from islgw.isl.melco.co.jp by elgw.isl.melco.co.jp (8.8.8/3.6W) id MAA07851; Tue, 1 Aug 2000 12:09:17 +0900 (JST) Received: from iss.isl.melco.co.jp by islgw.isl.melco.co.jp (8.8.8/3.6W) id MAA19407; Tue, 1 Aug 2000 12:09:17 +0900 (JST) Received: from belize by iss.isl.melco.co.jp (8.8.8/3.6W) id MAA04615; Tue, 1 Aug 2000 12:09:15 +0900 (JST) Message-ID: <002a01bffb66$1c9c1410$78054a0a@iss.isl.melco.co.jp> From: "Hiroyuki Sakakibara" <sakaki@iss.isl.melco.co.jp> To: <ietf-pkix@imc.org> Subject: RE: Dual-signed certificates Date: Tue, 1 Aug 2000 12:10:56 +0900 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-2022-jp" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Mr. Tony Bartoletti Thank you for your comments. Date: Fri, 28 Jul 2000 14:57:39 -0700 Mr. Tony Bartoletti wrote <snip> >However, this method involves a near-duplication of information that >"must be preserved", and would seem to require the relying party >retrieve/check the "Issuance Agreement" against the actual elements >of the certificate, in order to preclude some claim by the subject >that they (plausibly) never agreed to the certificate terms. Yes, RP needs to check that "signed Issuance Agreement" extension which includes public key value, issuer name, subject name, and other extensions indicate the actual elements of certificates. Therefore, as Mr. Bartoletti commented, it is near-duplication of certificate, but it could be in X.509 ver3 certifcate as an extension. Or applying a hash function, it might be reduced ? <snip> >A protocol that provided the subject "sign first" seems very elegant, >in that you get POP on the key, and POA (proof of acceptance) on the >(pre)certificate, all in one shot. And no duplication of the data. "sign first", a certificate can include the "subject sign" as an extension, however, a new protocol may be needed ... Hiroyuki Sakakibara MITSUBISHI ELECTRIC Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA22464 for <ietf-pkix@imc.org>; Mon, 31 Jul 2000 14:42:06 -0700 (PDT) Received: from mega (t5o69p50.telia.com [213.64.110.50]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id XAA29234; Mon, 31 Jul 2000 23:44:23 +0200 (CEST) Message-ID: <000a01bffb40$be0af0d0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Date: Tue, 1 Aug 2000 00:43:25 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id OAA22465 David, I don't expect too many persons in this list to agree on this and my previous posting as they invalidate most organizational PKI-schemes in development! <snip> >> I.e. regardless if you are doing manual selections based om various attributes >> or doing automated access control, a cert with just CN and a (within the >> naming domain unique) Serial Number is the way to go for 99.999% of all >> closed PKI-systems. > >The key to the last sentence is "within the naming domain unique". If >the certificate subject name is <naming domain><serial number><common name>, >the naming domain for organizational persons certainly contains an >Organization, and may well contain a department/division if individual >divisions autonomously maintain their own administrative systems and >directories. That is a popular way of creating an organizational identity. Unfortunately, it dies immediately when you reorganize! See "Conclusions". <snip> >Not all people doing manual selection will find CN and SN sufficient. Probably no one. But assisted by directories or other databases they can get what they want. >For those people, the cost (possibly reduced lifetime) of including >additional information in the cert is weighed against the cost >(bandwidth, latency, lesser assurance if unsigned) of obtaining the >additional information from other sources. What you are saying is that the current directory-trend could be on the road to nowhere. Bob J/Novell may want to comment on that? > For additional attributes >to be useful, applications must be able to display them - it is >inconsistent for an application to be designed to retrieve and display an >attribute from a directory but not to be able to display the identical >information from a certificate SDA. Apparently we must add new stuff to X509.3? It lacks a lot of useful attributes like salary, vaction-period, hired-date etc. >Conclusions: > >1) Some attributes may be necessary to uniquely identify the naming >domain. These must be included in the subject name. I do not agree. Multiple naming domains are essentially equivalent to multiple RAs if you have a single CA. For a single CA it is preferable to let the CA maintain an organization-independent name space and only keep RA-information within the CA registry (which it must keep anyway using a multiple RA arrangement). At least if you plan to reorganize every now and then, which sometimes causes a local naming domain/RA to completely dissapear because it was "downsized" or merged with another unit. The naming domain/RA may BTW not have anything with the actual organizational unit you are hired by, so putting such information in the subject of a cert is not particularly useful. Smells like a genuine TTP, don't it? :-) <snip> Anders Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA18511 for <ietf-pkix@imc.org>; Mon, 31 Jul 2000 11:25:00 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id OAA21639 for <ietf-pkix@imc.org>; Mon, 31 Jul 2000 14:15:45 -0400 (EDT) Message-Id: <200007311815.OAA21532@roadblock.missi.ncsc.mil> Date: Mon, 31 Jul 2000 14:24:10 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: Qy0JZJfvVhwhDAWM8QczkQ== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc > From: "Anders Rundgren" <anders.rundgren@telia.com> > > If you looked closely to what Steve wrote, he promoted the idea to inser > additional information about subjects in certificates due his opinion that > you can't trust directories. Right or wrong, the market is clearly going > to use directories as a general cross-platform solution for storing > employee information, account information etc. > PKI will not change this powerful paradigm, just provide a better "key". > > I.e. regardless if you are doing manual selections based om various attributes > or doing automated access control, a cert with just CN and a (within the > naming domain unique) Serial Number is the way to go for 99.999% of all > closed PKI-systems. The key to the last sentence is "within the naming domain unique". If the certificate subject name is <naming domain><serial number><common name>, the naming domain for organizational persons certainly contains an Organization, and may well contain a department/division if individual divisions autonomously maintain their own administrative systems and directories. Even if the naming authority is at the enterprise-wide level, there may be benefit to including additional identifying information in certificates. If an attribute is stable, it is both less disruptive to the lifetime of the certificate and more useful as a name. "Dave in accounting" might have been a good identifying name for a person in an era when accounting was not just a department but a career choice. Rfc822 names, if assigned by a naming authority at a high level, can be useful as static identifying information in certificates as long as applications don't make the mistake of trying to enforce rfc822names as email addresses. Not all people doing manual selection will find CN and SN sufficient. For those people, the cost (possibly reduced lifetime) of including additional information in the cert is weighed against the cost (bandwidth, latency, lesser assurance if unsigned) of obtaining the additional information from other sources. For additional attributes to be useful, applications must be able to display them - it is inconsistent for an application to be designed to retrieve and display an attribute from a directory but not to be able to display the identical information from a certificate SDA. Conclusions: 1) Some attributes may be necessary to uniquely identify the naming domain. These must be included in the subject name. 2) Some subject attributes may be useful to human RPs selecting an individual or to automated RPs doing group-based access control. If these attributes have minimal impact on certificate lifetime, they are suitable for inclusion in the certificate. They should not be included in the subject name except if necessary to accommodate lame applications. 3) It is not possible to make a general statement that any given attribute is justified under 1) or 2). Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA19805 for <ietf-pkix@imc.org>; Sun, 30 Jul 2000 19:34:23 -0700 (PDT) Received: from santesson.accurata.se (atl-tgn-yfw-vty19.as.wcom.net [216.192.207.19]) by popmail.inbox.se (8.9.3/8.9.3) with ESMTP id EAA01920; Mon, 31 Jul 2000 04:37:40 +0200 Message-Id: <4.3.2.7.2.20000730135334.00c4b610@mail.addtrust.com> X-Sender: mb517@mail.accurata.se X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sun, 30 Jul 2000 20:39:23 -0600 To: Denis Pinkas <Denis.Pinkas@bull.net> From: Stefan Santesson <stefan@accurata.se> Subject: Denis remaining QC comments Cc: ietf-pkix@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis, I'm working on my "Make Denis Happy" list, to which I dedicate all my best efforts right know. In this mail I will try to clean up in the somewhat messy debate. Generally we disagree about everything we debate here, but since we only debate less than 1% of the document, it must mean that we agree on more than 99% of the stuff :-). Lets see if we can increase that positive factor and get over the finish line. My summary is: COMMENT 1 Issue: Uniqueness of DN over the lifetime of the CA Fixed in qc-05 COMMENT 2 Issue: Use of the term "registered name" for Issuer DN You want the term removed and I think it serves a purpose to keep it. Basically I don't understand the SERIOUS problem with this.. I think that the current text is OK but I could live with having this removed. COMMENT 3 Issue: Legal Jurisdiction We basically agree that the legal jurisdiction of the CA should be consistent with the issuer DN. We argue however about wordings. Right? COMMENT 4 Issue: Use of policy OID to state that a QC is a QC Here we agree on the principle that the Issuer should be allowed to communicate the fact that a QC is a QC by just including a policy OID, defining this property. We consequently agree that use of the QCstatements extension for this purpose is optional. There is still some argue about wordings.Right? For your information you fully misunderstood my comment about ETSI's policy OID:s. I'm fully aware that ETSI is producing 2 policy OID:s. What I mean is that I doubt that ETSI will define a 3:rd policy OID that JUST declare conformance with the EU directive Annex I and II and nothing else. COMMENT 5 Issue: definition of a new extension for reliance limit. Here is the first disagreement of concept. Even though I would not oppose a WG consensus on a new extension according to your proposal, I would argue against it. There is NO way that such change will just sneak in without going through a thorough WG debate, followed by a new WG last call and then proceed. This will cost considerable time and I truly doubt that 1) the solution will be better and 2) that it is worth a delay that will permanently kill the ETSI timetable. There is no technical argument either against your solution or the current one, since both will work technically if supported by the market. We will have to remind us though that we standardize the solutions of tomorrow. It will always take some time before a standard gets deployed. Until then CA's will find other quick and dirty ways to display this type of information (such as CA's today commonly use OU attributes in the subject and Issuer field to display disclaimer information) Nor your solution nor the current one can change that. I hope to convince you that changing direction now will only make things worse, due to time delay, not better. COMMENTS 6&7 Issue: Wordings in the security considerations section. Except for the fact that I don't have a clue what you mean when you say that POP is not needed when the NR-bit is set, I see only disagreement of wordings. Since this is just a security section, I hope that this won't be a major problem. --------------------- Finally I would hope that we could agree to advance the document as it is, and then debate the minor wordings disagreements after having an RFC. I mean, even if we fix these comments to your 100% satisfaction, I promise that we will find more to argue about anyway :-) Since the QC document has passed WG-last call I guess we will have to discuss this with Stephen and Warwick and see if we can reach some kind of resolution. Hope to see you here in Pittsburgh /Stefan Received: from smtprch1.nortel.com (smtprch1.nortelnetworks.com [192.135.215.14]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA04350 for <ietf-pkix@imc.org>; Sun, 30 Jul 2000 08:50:33 -0700 (PDT) Received: from zsc4c002.corpwest.baynetworks.com by smtprch1.nortel.com; Sun, 30 Jul 2000 10:53:18 -0500 Received: by zsc4c002.corpwest.baynetworks.com with Internet Mail Service (5.5.2652.35) id <P4TCWS64>; Sun, 30 Jul 2000 08:51:18 -0700 Message-ID: <7D0C2EAEF250D3119BD10008C791823C02A0FA6B@zbl6c008.corpeast.baynetworks.com> From: "David Kurtz" <dkurtz@nortelnetworks.com> To: ietf-pkix@imc.org Subject: Federal Government rulings? Date: Sun, 30 Jul 2000 08:51:12 -0700 Importance: high X-Priority: 1 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2652.35) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFFA3D.FC8D2200" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFFA3D.FC8D2200 Content-Type: text/plain Hello, My name is Dr. David G. Kurtz and I work for Nortel Networks. I have a question for you. Currently Nortel is providing a banking solution for a major bank in the US using PKI. Is there any restriction from either the UCC or Federal Government on the number of networks that can traverse or be certified on one network? Regards, David G. Kurtz Ph.D. Security Segment & Practice Technology Home Office 303-494-0297 Voice Mail 303-605-2186 Global Cell Telephone 303-961-5354 Global Pager/Text Message 3039615354@page.nextel.com ------_=_NextPart_001_01BFFA3D.FC8D2200 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>Federal Government rulings?</TITLE> </HEAD> <BODY> <P><FONT FACE=3D"Univers (W1)">Hello,</FONT> </P> <P><FONT FACE=3D"Univers (W1)">My name is Dr. David G. Kurtz and I work = for Nortel Networks. I have a question for you. Currently Nortel is = providing a banking solution for a major bank in the US using PKI. Is = there any restriction from either the UCC or Federal Government on the = number of networks that can traverse or be certified on one = network?</FONT></P> <BR> <P><FONT SIZE=3D2 FACE=3D"Arial">Regards,</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Tahoma">David G. Kurtz Ph.D.</FONT> <BR><FONT SIZE=3D2 FACE=3D"Tahoma">Security Segment & Practice = Technology</FONT> <BR><FONT SIZE=3D2 FACE=3D"Tahoma">Home Office = 303-494-0297</FONT> <BR><FONT SIZE=3D2 FACE=3D"Tahoma">Voice = Mail = = 303-605-2186</FONT> <BR><FONT SIZE=3D2 FACE=3D"Tahoma">Global Cell Telephone = 303-961-5354 </FONT> <BR><FONT SIZE=3D2 FACE=3D"Tahoma">Global Pager/Text = Message = 3039615354@page.nextel.com</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFFA3D.FC8D2200-- Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA19891 for <ietf-pkix@imc.org>; Sat, 29 Jul 2000 08:45:06 -0700 (PDT) Received: from mega (t6o69p46.telia.com [213.64.110.166]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id RAA21980; Sat, 29 Jul 2000 17:48:22 +0200 (CEST) Message-ID: <002e01bff97c$ae2b08a0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: <tgindin@us.ibm.com>, "Stephen Kent" <kent@bbn.com> Cc: "PKIX-List" <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Date: Sat, 29 Jul 2000 18:47:26 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id IAA19892 Tom & Steve > My point is that in very many cases, an employee serial number or >something like that is just as good for the RP's as a department. Its >greater stability compensates for its lack of user-friendliness. This is of course right but actually serial numbers do not have to be user-friendly as they are almost only digested by computers. > As you rightly pointed out to Anders, if manual selection of one user from a list >of choices is the primary scenario in which an extra attribute is used, >serial numbers aren't the best way to make such a selection. If you looked closely to what Steve wrote, he promoted the idea to insert additional information about subjects in certificates due his opinion that you can't trust directories. Right or wrong, the market is clearly going to use directories as a general cross-platform solution for storing employee information, account information etc. PKI will not change this powerful paradigm, just provide a better "key". I.e. regardless if you are doing manual selections based om various attributes or doing automated access control, a cert with just CN and a (within the naming domain unique) Serial Number is the way to go for 99.999% of all closed PKI-systems. For open PKIs and TTPs we can just speculate as there is so little substance in that market currently. But you already know my position here :-) Anders Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA10285 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 22:26:37 -0700 (PDT) Received: from jean [195.39.160.81] by mail.arabtrust.com (SMTPD32-6.00) id AC2D65F011C; Sat, 29 Jul 2000 01:31:25 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: <ietf-pkix@imc.org> Subject: unsubscribe Date: Sat, 29 Jul 2000 08:27:23 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDEEBOCCAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <LPBBLAPIGLOAGIHKOOGDMEOKCBAA.jean.med@arabtrust.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal unsubscribe jean.med@arabtrust.com Received: from e1.ny.us.ibm.com (e1.ny.us.ibm.com [32.97.182.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA23270 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 16:23:25 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id TAA59172; Fri, 28 Jul 2000 19:26:41 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id TAA25398; Fri, 28 Jul 2000 19:26:37 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 8525692A.0080C5B9 ; Fri, 28 Jul 2000 19:26:32 -0400 X-Lotus-FromDomain: IBMUS To: Stephen Kent <kent@bbn.com> cc: "PKIX-List" <ietf-pkix@imc.org> Message-ID: <8525692A.0080C532.00@D51MTA04.pok.ibm.com> Date: Fri, 28 Jul 2000 19:26:30 -0400 Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline My point is that in very many cases, an employee serial number or something like that is just as good for the RP's as a department. Its greater stability compensates for its lack of user-friendliness. As you rightly pointed out to Anders, if manual selection of one user from a list of choices is the primary scenario in which an extra attribute is used, serial numbers aren't the best way to make such a selection. However, they may well be more useful for access control lists or for non-repudiation. Tom Gindin Stephen Kent <kent@bbn.com> on 07/28/2000 06:47:32 PM To: Tom Gindin/Watson/IBM@IBMUS cc: "PKIX-List" <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Tom, > Without getting into the question of whether bureaucratic organization >is obsolete (personally, I doubt that it is all that obsolete), you can >just cite the non-quantitative and almost undisputed version of the Rule of >Revocation: "Every additional attribute or extension added to a >certificate shortens its life expectancy". Leaving out which department a >given subject belongs to has to increase the life expectancy of the >certificate. If an ID is assigned by an organization for as long as the >subject is associated with the organization, then it doesn't really >decrease the life expectancy of a certificate that already contains that >organization's name, while organizational details or place of residence do. > While it's heartening to hear variants of "Steve's Rule of revocation" cited, there is still an issue of whether the name assert in the subject address the fundamental needs of the RPs. If not, then the reduced revocation frequency is irrelevant. Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA22172 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 15:48:45 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA13984; Fri, 28 Jul 2000 18:52:02 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422081eb5a7bd8f11fb@[171.78.30.107]> In-Reply-To: <8525692A.007C7D81.00@D51MTA04.pok.ibm.com> References: <8525692A.007C7D81.00@D51MTA04.pok.ibm.com> Date: Fri, 28 Jul 2000 18:47:32 -0400 To: tgindin@us.ibm.com From: Stephen Kent <kent@bbn.com> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Cc: "PKIX-List" <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" Tom, > Without getting into the question of whether bureaucratic organization >is obsolete (personally, I doubt that it is all that obsolete), you can >just cite the non-quantitative and almost undisputed version of the Rule of >Revocation: "Every additional attribute or extension added to a >certificate shortens its life expectancy". Leaving out which department a >given subject belongs to has to increase the life expectancy of the >certificate. If an ID is assigned by an organization for as long as the >subject is associated with the organization, then it doesn't really >decrease the life expectancy of a certificate that already contains that >organization's name, while organizational details or place of residence do. > While it's heartening to hear variants of "Steve's Rule of revocation" cited, there is still an issue of whether the name assert in the subject address the fundamental needs of the RPs. If not, then the reduced revocation frequency is irrelevant. Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA22171 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 15:48:45 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA13980; Fri, 28 Jul 2000 18:52:01 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422081db5a7bb9d9cc4@[171.78.30.107]> In-Reply-To: <001d01bff8e9$c05e57e0$0201a8c0@mega.vincent.se> References: <001d01bff8e9$c05e57e0$0201a8c0@mega.vincent.se> Date: Fri, 28 Jul 2000 18:44:41 -0400 To: "Anders Rundgren" <anders.rundgren@telia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Cc: "PKIX-List" <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" Anders, >Steve, > > >Anders, > > > >There are no ID forms that are both globally unique and globally > >meaningful. We use names in contexts, and relate to people by names > >in context. That's why a name structured along org and dept lines is > >attractive, despite the fact that it requires more frequent > >revocation and re-issuance of certs. > >I never said I don't understand why people make such certs but I believe >they are applying PKI in a less than optimal way. To *have to* >revoke a certificate >due to a changed department seems like a bad solution. I usually get new business cards when my job changes (internally), so why not just consider this to be another item I have to change? >Directories (and other external databases) ought to be a much better >way to look >for additional information concerning a subject within a certain >domain than trying to >squeeze in unstable data such as department in a certificate. But directories are not viewed as secure, and hence they are not reliable sources of such data, unless the data is signed. If one uses attribute certs this is manageable for access control purposes, but it still does not address the fundamental issue of mapping certs to entities in the real world, which requires context. > >And outside the organization domain, departments does not mean that much. > >There is also a great risk that you during the transitional phase between two >departments can find yourself be stuck with a useless or revoked certificate. > >By leaving out department you can even be a valid member of more than >one department! > >My conclusion: Departments and such stuff are just relics from the >*almost* extinct, static, off-line world. We disagree, as usual. Maybe too much emphasis on departments. Still, an example may help. In our company we have a voice recognition system that listens to a name and dials the phone number of the person we want to call. How do we differentiate between two people with the same first and last names? We don't add in the middle name, because most people would not know it and so, even though it would serve to make more names unique, it would fail to be meaningful to the caller. Instead we add in a qualifier such as office locale (city) or department, etc. This is not a PKI problem, its a general "how do you name the individual meaningfully and uniquely" problem. Steve Received: from e1.ny.us.ibm.com (e1.ny.us.ibm.com [32.97.182.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA21806 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 15:36:39 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id SAA49526; Fri, 28 Jul 2000 18:39:55 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id SAA41028; Fri, 28 Jul 2000 18:39:55 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 8525692A.007C7F06 ; Fri, 28 Jul 2000 18:39:49 -0400 X-Lotus-FromDomain: IBMUS To: "Anders Rundgren" <anders.rundgren@telia.com> cc: "Stephen Kent" <kent@bbn.com>, "PKIX-List" <ietf-pkix@imc.org> Message-ID: <8525692A.007C7D81.00@D51MTA04.pok.ibm.com> Date: Fri, 28 Jul 2000 18:39:45 -0400 Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Without getting into the question of whether bureaucratic organization is obsolete (personally, I doubt that it is all that obsolete), you can just cite the non-quantitative and almost undisputed version of the Rule of Revocation: "Every additional attribute or extension added to a certificate shortens its life expectancy". Leaving out which department a given subject belongs to has to increase the life expectancy of the certificate. If an ID is assigned by an organization for as long as the subject is associated with the organization, then it doesn't really decrease the life expectancy of a certificate that already contains that organization's name, while organizational details or place of residence do. Tom Gindin "Anders Rundgren" <anders.rundgren@telia.com> on 07/28/2000 07:15:40 PM To: "Stephen Kent" <kent@bbn.com> cc: "PKIX-List" <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Steve, >Anders, > >There are no ID forms that are both globally unique and globally >meaningful. We use names in contexts, and relate to people by names >in context. That's why a name structured along org and dept lines is >attractive, despite the fact that it requires more frequent >revocation and re-issuance of certs. I never said I don't understand why people make such certs but I believe they are applying PKI in a less than optimal way. To *have to* revoke a certificate due to a changed department seems like a bad solution. Directories (and other external databases) ought to be a much better way to look for additional information concerning a subject within a certain domain than trying to squeeze in unstable data such as department in a certificate. And outside the organization domain, departments does not mean that much. There is also a great risk that you during the transitional phase between two departments can find yourself be stuck with a useless or revoked certificate. By leaving out department you can even be a valid member of more than one department! My conclusion: Departments and such stuff are just relics from the *almost* extinct, static, off-line world. <snip> Anders Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id PAA21360 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 15:22:00 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 28 Jul 2000 16:24:43 -0600 Message-Id: <s981b3cb.039@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Fri, 28 Jul 2000 16:24:43 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ietf-pkix@imc.org>, <sakaki@iss.isl.melco.co.jp>, <azb@llnl.gov> Cc: <housley@spyrus.com> Subject: RE: Dual-signed certificates Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id PAA21363 Exactly. Nicely summarized, Tony. Bob >>> Tony Bartoletti <azb@llnl.gov> 07/28/00 03:57PM >>> At 04:11 PM 7/27/00 +0900, Hiroyuki Sakakibara wrote: >A self-signed certificate that contains the original >certificate as an extension within it, or, a dual-signed >certificate using CMS SignedData are recommended in this-list. > >On Mon, 24 Jul 2000 Mr. Russ Housley wrote: > >Bob: > > >There are some significant technical issues here. The subject cannot sign > >first because it does not know the values that will be assigned for several > >fields, like the serial number. The subject cannot sign second > >either. The insertion of an additional extension will break the issuer > >signature. > > >Thus, to proceed in this vain, complex processing must be defined that says > >which parts of the certificate are covered by the subject signature in the > >extension. I think that the processing is complex enough.... > > >Russ > >Is a X.509 ver3 certificate, >including such as "Issuance Agreement"extension signed by a subject >not feasible ? > >Extension : Issuance Agreement >means that "Subject agrees with issuance of his certificate >which includes fields and values described in this agreement." >Fields and values include public key, issuer name, subject name, >extensions etc..., but DO NOT include CA's signature. A subject-signed "Issuance Agreement" extension would seem to work from the CA's point of view. The subject data could be signed by the subject (prior to encryption by the root-public-key) as part of a certificate request. Then, as I understand Hiroyuki's suggestion, this "submission" would become a certificate extension. However, this method involves a near-duplication of information that "must be preserved", and would seem to require the relying party retrieve/check the "Issuance Agreement" against the actual elements of the certificate, in order to preclude some claim by the subject that they (plausibly) never agreed to the certificate terms. Why (really) cannot the CA supply the "pre" (unsigned) certificate for the subject review and signature, prior to the final CA signature? I do not understand the argument "subject cannot sign first" because some values (e.g., serial number) cannot be pre-assigned. Absent the CA-signature, the certificate is merely a string of bytes that anyone can generate. It cannot have value prior to this CA-signature. And I can't believe the market is suffering a shortage of serial numbers. A protocol that provided the subject "sign first" seems very elegant, in that you get POP on the key, and POA (proof of acceptance) on the (pre)certificate, all in one shot. And no duplication of the data. Is there a really compelling reason why "subject-sign-first" is a bad idea? Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id PAA21187 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 15:20:25 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 28 Jul 2000 16:22:54 -0600 Message-Id: <s981b35e.080@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Fri, 28 Jul 2000 16:22:45 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ietf-pkix@imc.org>, <dpkemp@missi.ncsc.mil> Subject: RE: Dual-signed certificates Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id PAA21188 David, > The point is that in many respects we tend to grant an excessive > amount of authority to the CA in terms of establishing policy, etc., > and yet in most cases (other than some closed user groups) the CA is > not in a position to be able to enforce those policies against a > particular user. So the real issue is what terms and conditions the > subscriber has agreed to, and how that acceptance can be reliably made > known. > > (This point of view may of course be anathema to those who espouse a > top-down, authoritarian control structure, including many European > countries and perhaps the US DOD. Chacun a son gout.:-) >Bob, you're starting to sound like Peter Williams. Take that as a compliment if you wish. :-). But what will Peter say! :-) >Any non-commercial PKI exists solely to serve Relying Parties - the benefit to the RPs must exceed the cost of operating the CAs and outfitting (and inconveniencing) the Subscribers. Any obligations a DoD CA imposes on its Subscribers exist to provide evidence to RPs that the contents of a certificate are accurate (to the level of assurance advertised within the certificate). >The DoD Certificate Policy is maintained by, surprisingly, the DoD Certificate Policy Management Working Group, which has representatives from all the Services and Agencies which make up the Subscriber and RP population. DoD CAs have no independent authority; they only do what the customers have agreed should be done. >Can you cite from the DoD Certificate Policy or elsewhere a Subscriber Obligation which you feel is unnecessary, excessive, or gratuitously authoritarian? If not, perhaps you should eschew the gratuitous flame bait. Seriously, the above was not intended as flame bait, nor intended to derogate the role of DoD, or even other countries with more top-down and/or authoritarian cultures and legal traditions, e.g., Sweden or Germany, and the civil law countries in general. Top-down policy controls may be perfectly suitable for hierarchical organizations, which certainly includes the Executive branch of the US Government. And in that kind of structure it is perfectly appropriate that the services and agencies decide what the policy should be, and how they are going to interoperate, and especially so for servers and other functions under the direct control of those agencies and services. And as for the individual employees or servicemen within those organizations, they will do what they are told, or face a court martial, presumably. And by the way, it is also perfectly appropriate for intra-organization PKI, and for closed, limited-purpose organizations such as stock brokers, and maybe (not clear) for credit card applications. such organizations can establish rules, and fully expect people within that organization to play by them All that I was trying to suggest was that for less structured organizations, such as the organized anarchy that constitutes the Internet community and the consumer marketplace, or even the business-to-business market, relying on the CA to enforce policy conditions upon the subscribers is probably not realistic in terms of expectations, and in addition is on very shaky legal ground. If A and B both have a contract with C, then B cannot sue C just because A fails to carry out its obligations to C. And if B (the relying party) does not have a contract with C (the CA), as is typically the case in the broad PKI industry, then B's reliance on C to hold A to a certain code of conduct is even more shaky. So in that less-well structured environment, I am much less interested in what the CA knows or thinks about the subscriber's conduct -- I want to know directly from the subscriber, with whom I do have a direct legal relationship, and I can sue if necessary. So I don't think we are disagreeing -- we are just talking about two radically different environments. Bob Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA20879 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 15:13:23 -0700 (PDT) Received: from mega (t5o69p21.telia.com [213.64.110.21]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id AAA24583; Sat, 29 Jul 2000 00:16:37 +0200 (CEST) Message-ID: <001d01bff8e9$c05e57e0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Stephen Kent" <kent@bbn.com> Cc: "PKIX-List" <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Date: Sat, 29 Jul 2000 01:15:40 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id PAA20880 Steve, >Anders, > >There are no ID forms that are both globally unique and globally >meaningful. We use names in contexts, and relate to people by names >in context. That's why a name structured along org and dept lines is >attractive, despite the fact that it requires more frequent >revocation and re-issuance of certs. I never said I don't understand why people make such certs but I believe they are applying PKI in a less than optimal way. To *have to* revoke a certificate due to a changed department seems like a bad solution. Directories (and other external databases) ought to be a much better way to look for additional information concerning a subject within a certain domain than trying to squeeze in unstable data such as department in a certificate. And outside the organization domain, departments does not mean that much. There is also a great risk that you during the transitional phase between two departments can find yourself be stuck with a useless or revoked certificate. By leaving out department you can even be a valid member of more than one department! My conclusion: Departments and such stuff are just relics from the *almost* extinct, static, off-line world. <snip> Anders Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA19861 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 14:47:09 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id OAA11489; Fri, 28 Jul 2000 14:49:54 -0700 (PDT) Message-Id: <4.2.2.20000728141723.00a81a90@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 28 Jul 2000 14:57:39 -0700 To: "Hiroyuki Sakakibara" <sakaki@iss.isl.melco.co.jp>, <ietf-pkix@imc.org> From: Tony Bartoletti <azb@llnl.gov> Subject: RE: Dual-signed certificates Cc: Russ Housley <housley@spyrus.com>, "Bob Jueneman" <bjueneman@novell.com> In-Reply-To: <00d401bff799$e85191a0$78054a0a@iss.isl.melco.co.jp> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 04:11 PM 7/27/00 +0900, Hiroyuki Sakakibara wrote: >A self-signed certificate that contains the original >certificate as an extension within it, or, a dual-signed >certificate using CMS SignedData are recommended in this-list. > >On Mon, 24 Jul 2000 Mr. Russ Housley wrote: > >Bob: > > >There are some significant technical issues here. The subject cannot sign > >first because it does not know the values that will be assigned for several > >fields, like the serial number. The subject cannot sign second > >either. The insertion of an additional extension will break the issuer > >signature. > > >Thus, to proceed in this vain, complex processing must be defined that says > >which parts of the certificate are covered by the subject signature in the > >extension. I think that the processing is complex enough.... > > >Russ > >Is a X.509 ver3 certificate, >including such as "Issuance Agreement"extension signed by a subject >not feasible ? > >Extension : Issuance Agreement >means that "Subject agrees with issuance of his certificate >which includes fields and values described in this agreement." >Fields and values include public key, issuer name, subject name, >extensions etc..., but DO NOT include CA's signature. A subject-signed "Issuance Agreement" extension would seem to work from the CA's point of view. The subject data could be signed by the subject (prior to encryption by the root-public-key) as part of a certificate request. Then, as I understand Hiroyuki's suggestion, this "submission" would become a certificate extension. However, this method involves a near-duplication of information that "must be preserved", and would seem to require the relying party retrieve/check the "Issuance Agreement" against the actual elements of the certificate, in order to preclude some claim by the subject that they (plausibly) never agreed to the certificate terms. Why (really) cannot the CA supply the "pre" (unsigned) certificate for the subject review and signature, prior to the final CA signature? I do not understand the argument "subject cannot sign first" because some values (e.g., serial number) cannot be pre-assigned. Absent the CA-signature, the certificate is merely a string of bytes that anyone can generate. It cannot have value prior to this CA-signature. And I can't believe the market is suffering a shortage of serial numbers. A protocol that provided the subject "sign first" seems very elegant, in that you get POP on the key, and POA (proof of acceptance) on the (pre)certificate, all in one shot. And no duplication of the data. Is there a really compelling reason why "subject-sign-first" is a bad idea? Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA17797 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 13:24:44 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id QAA06850 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 16:15:35 -0400 (EDT) Message-Id: <200007282015.QAA06846@roadblock.missi.ncsc.mil> Date: Fri, 28 Jul 2000 16:23:56 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: RE: Dual-signed certificates To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: kVlmSJqGaGRO9wVTtuaIWQ== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc > From: "Bob Jueneman" <bjueneman@novell.com> > > Denis proposed: > > ><There exists a way, including by a procedure that is verifiable for > > every received signature by any relying party. In the stuff that got > > signed, you include the identifier of the certificate. This may be > > done by using CMS (or is mandated in ES 201733). There is no need to > > invent a double-signed certificate. > > The point is that this procedure works for every legitimate document > that I signed, but is not enforceable AS AN EXPECTATION against some > illegitimate use of my certificate/key. > > Now I grant that a CA can easily create a key pair and a certificate > that would impersonate me for some small number of documents. But I > would attempt to repudiate that so-called signature by saying, "That > signature and key is not mine, and I have never sees or made beneficial > use of that key. My key is xxxxxxx, and in fact I _have_ made > extensive use of that key, and I have signalled my acceptance of that > key, the certificate, and the terms and conditions of that certificate > by counter-signing it and distributing widely in that counter-signed > format." > > The rogue CA could claim the same thing, of coruse, but then I would > ask to see demonstrated beneficial use on my behalf, for example > goods that were ordered and delivered (and accepted) to my address, > based on that key. > > A dual-signed certificate would also be beneficial to the good CAs, > because it would provide a degree of proof that I had in fact accepted > the certificate. If you use a CMS-signed transactions with the signingCertificate attribute as proposed by Denis, you have a degree of proof that the user has accepted the cert by virtue of his use of the private key to sign the transaction. This is no weaker than accepting the certificate by using the same private key to dual-sign the certificate, and it has the additional benefit of binding the cert to the transaction. A simple signed message of acceptance (the message body could be empty) signed by the client would be just as beneficial to the CA as a dual-signature on the cert, and as Denis points out, it requires no new data formats to be defined. In fact, you could define the dual-signature format to be a CMS message with a null message body if you insist on having an object you could call a "dual-signed certificate". > The point is that in many respects we tend to grant an excessive > amount of authority to the CA in terms of establishing policy, etc., > and yet in most cases (other than some closed user groups) the CA is > not in a position to be able to enforce those policies against a > particular user. So the real issue is what terms and conditions the > subscriber has agreed to, and how that acceptance can be reliably made > known. > > (This point of view may of course be anathema to those who espouse a > top-down, authoritarian control structure, including many European > countries and perhaps the US DOD. Chacun a son gout.:-) Bob, you're starting to sound like Peter Williams. Take that as a compliment if you wish. :-). Any non-commercial PKI exists solely to serve Relying Parties - the benefit to the RPs must exceed the cost of operating the CAs and outfitting (and inconveniencing) the Subscribers. Any obligations a DoD CA imposes on its Subscribers exist to provide evidence to RPs that the contents of a certificate are accurate (to the level of assurance advertised within the certificate). The DoD Certificate Policy is maintained by, surprisingly, the DoD Certificate Policy Management Working Group, which has representatives from all the Services and Agencies which make up the Subscriber and RP population. DoD CAs have no independent authority; they only do what the customers have agreed should be done. Can you cite from the DoD Certificate Policy or elsewhere a Subscriber Obligation which you feel is unnecessary, excessive, or gratuitously authoritarian? If not, perhaps you should eschew the gratuitous flame bait. Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA16793 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 12:58:13 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 28 Jul 2000 14:00:56 -0600 Message-Id: <s9819218.008@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Fri, 28 Jul 2000 14:00:53 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ietf-pkix@imc.org>, <simon@onthenet.com.au> Subject: Re: Dual-signed certificates Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id MAA16794 Simon, Both of your points are valid, and I'm not going to fall on my sword if this notion doesn't take off. I guess my fundamental points were that it would be nice to have some way to indicate to the relying party directly that the subscriber had agreed to the terms of the certificate and the policy requirements behind it; and that I am increasingly uncomfortable with the continuing and eternal reliance on the CA to drive policy, hang on to all of the evidence, etc. CAs to date have just not established the fact that then can successfully handle those on-going responsibilities. As a legal matter, I'm not at all sure that I can sue the CA for some failing of the subscriber, and so I would like to minibike my reliance on the CA for an on-going relationship. I'm willing to trust the CA for the initial identity/binding confirmation, but for any on-going issues of trust (with the except of a certificate revocation) I would prefer deal on a two-party relationship rather than a triangular deal. Maybe that's just me. Bob >>> "Simon McMahon" <simon@onthenet.com.au> 07/28/00 02:42AM >>> Hi Bob, > The present, more or less-well-accepted CA model is that the subscriber goes to a local RA and requests a certificate be issued in his name. That RA is then free to add or modify whatever it likes to the certificate request, and sends it on to the CA to be certified. > > But the CA, depending on its CP and CPS, may add, modify, or delete information in the certificate request to suit its own purposes. It could add DN qualification to make the DN unique, it could add various policy OIDs and policy constraints -- whatever it wishes to do. > > It then sends the certificate back to the user, or posts it in a repository, but with no nonrepudiable evidence that either the RA or the subscriber had in fact agreed to those changes or additions! > How well accepted is that model ? You are suggesting that a certificate may bare little resemblance to what the subscriber asked for. Of course that will require the subject to acknowledge / accept the certificate. An alternative model is where all the conditions are decided upon at registration time and the RA and CA do not mess about with any policy OIDs so that the cert is accepted by virtue of the fact that it (at least the policy relevant parts) are derived solely from request. > Moreover, a rogue CA could create two such certificates, one containing terms favorable to it, and another closer to what the subscriber had originally requested. Now, because the inclusion of the certificate in a transaction to be signed is (1) optional, and (2) only applies to transactions per se and not to session authentication or encryption, the relying party has no way of knowing whether the user in fact agreed to those terms.. > > This is why relying on a signed CMS object won't work -- the RP has no good way of knowing whether that format was expected or not. > RPs that trust rogue CAs shouldn't be considered a valid argument for PKI architecture discussions. If you build complexity into the protocols to try and accomidate every such thing then it will not get deployed widely and people will consider alternatives. Look what happened to SET. Regards, Simon McMahon ERACOM Pty. Ltd. Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA28538 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 08:01:30 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id LAA11912; Fri, 28 Jul 2000 11:04:44 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v04220807b5a74f342460@[171.78.30.107]> In-Reply-To: <002501bff8a3$6f0eecb0$0201a8c0@mega.vincent.se> References: <002501bff8a3$6f0eecb0$0201a8c0@mega.vincent.se> Date: Fri, 28 Jul 2000 10:58:04 -0400 To: "Anders Rundgren" <anders.rundgren@telia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Cc: <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" Anders, There are no ID forms that are both globally unique and globally meaningful. We use names in contexts, and relate to people by names in context. That's why a name structured along org and dept lines is attractive, despite the fact that it requires more frequent revocation and re-issuance of certs. It is also why no single cert is likely to be appropriate for identifying individuals in all contexts. Moreover, we often use name in certs as inputs for access control decisions. because many such decisions are made based on organizational structure, it is convenient to embed that structure in subject names, e.g, it allows for structured ACL entries. Steve Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA22325 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 06:50:04 -0700 (PDT) Received: from mega (t4o69p32.telia.com [62.20.145.152]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id PAA24599; Fri, 28 Jul 2000 15:53:16 +0200 (CEST) Message-ID: <002501bff8a3$6f0eecb0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net> Cc: "Stefan Santesson" <stefan@accurata.se>, <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 28 Jul 2000 16:52:20 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id GAA22329 Denis, >> >There is no specific rule that you can apply to a Swedish >> >certificate to bear a different semantics of *one* component of the >> >DN (ie. the Swedish civic registration number, which is the last >> >component of the name). The same rules apply to all certificates, >> >hence there is no notion of "context". > >> Stefan is right. Unfortunately you must know a lot of things before you >> can treat certs in such a way. This usage is wrong according to some notable people >> on this list but this is also the reality. > >You cannot say "Stefan is right" while you say just after "this >usage is wrong". :-) >Neither RFC2459, nor son-of-RFC2459, nor QC-05 makes such an >interpretation of the serial number component of the DN. In my opinion it does not matter what the spec. says as an interpretation of this kind is needed to re-create the *functionality* of the Swedish ID-system in PKI. In Sweden, names are in principle variable attributes, civic registration number is identity. Of course they could have put the names in SubjectAltNames but that would look awful when you see the cert in Internet Explorer or Navigator. Admittely the Swedish solution is not rocket-science or very clean, but the culprit is really X509/PKIX that lacks proper support for schemes like that. I am also 100% sure that this is also performed in many organization-oriented PKIs as it is just plain stupid to lose or have to renew a link to a "numbered person" beacuse they changed name or department. Why then bother with names and departments in the first place one could argue? Well, it is the old way of doing things (hard to change) and when you got that first contact with a new RP it helps a bit to know that you are not only "6575765" but also "Marion Anderson" >> Is not this almost the sole reason you and Tim work with the PI-specification? >This is one of the reasons, but not the single one. Enlighten me! What are the other *major* reasons (i.e. beyond limiting the need for "smart", non-standard DN iterpretation)? Anders Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA21193 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 06:45:16 -0700 (PDT) Received: from santesson.accurata.se (sfr-qbu-pqn-vty7.as.wcom.net [216.192.22.7]) by popmail.inbox.se (8.9.3/8.9.3) with ESMTP id PAA28017; Fri, 28 Jul 2000 15:48:18 +0200 Message-Id: <4.3.2.7.2.20000728074308.032b0da0@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 28 Jul 2000 07:50:02 -0600 To: "Anders Rundgren" <anders.rundgren@telia.com>, "Denis Pinkas" <Denis.Pinkas@bull.net> From: Stefan Santesson <stefan@accurata.se> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Cc: <ietf-pkix@imc.org> In-Reply-To: <000c01bff87f$dd26b620$0201a8c0@mega.vincent.se> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 12:37 2000-07-28 +0200, Anders Rundgren wrote: ><snip> > > >> I.e. If you have a Swedish certificate with Swedish civic registration > >> number. Then you can know that the DN represent the same person even if > >> some other data is differing. > > > >There is no specific rule that you can apply to a Swedish > >certificate to bear a different semantics of *one* component of the > >DN (ie. the Swedish civic registration number, which is the last > >component of the name). The same rules apply to all certificates, > >hence there is no notion of "context". This last comment is not correct. Yes it is right that there is no definition of context in the subject field but there are several other ways by which the relying party can determine context. 1) By recognizing an implicit policy for all certificates issued under a certain root CA 2) By implicit knowledge of certificates issued by a certain CA 3) By information defined by a contained policy OID 4) By explicit definition in the QCStatements extension There might be others but these are enough to demonstrate my point. /Stefan Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA13305 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 05:16:06 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id OAA42236; Fri, 28 Jul 2000 14:23:13 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id OAA20454; Fri, 28 Jul 2000 14:18:41 +0200 Message-ID: <39817A24.E1B0C618@bull.net> Date: Fri, 28 Jul 2000 14:18:44 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Frank Balluffi <frankb@valicert.com> CC: ietf-pkix@imc.org Subject: Re: OCSP request References: <27FF4FAEA8CDD211B97E00902745CBE20177B010@seine.valicert.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Frank, > > This is wrong. A chain of time stamps protects against key > > compromise, as well as weak algorithms, as long as the > > timestamps have been > > applied before the key has been compromised or the algorithm > > has been found > > weak. So there is no need to ask the CA. > > I agree. It may be desirable to include OCSP responses in the data to be > timestamped. For example, a construct like a CMS/PKCS #7 SignedData that > includes OCSP responses might be very useful. Your example is perfectly right. This is exactly one of the options currently defined in: http://www.ietf.org/internet-drafts/draft-ietf-smime-esformats-01.txt Denis > Frank Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA01635 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 02:57:29 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id MAA41404; Fri, 28 Jul 2000 12:04:41 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id MAA38966; Fri, 28 Jul 2000 12:00:08 +0200 Message-ID: <398159AB.C98D9F3A@bull.net> Date: Fri, 28 Jul 2000 12:00:11 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Anders Rundgren <anders.rundgren@telia.com> CC: Stefan Santesson <stefan@accurata.se>, ietf-pkix@imc.org Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt References: <000c01bff87f$dd26b620$0201a8c0@mega.vincent.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Anders, > <snip> > >> I.e. If you have a Swedish certificate with Swedish civic registration > >> number. Then you can know that the DN represent the same person even if > >> some other data is differing. > >There is no specific rule that you can apply to a Swedish > >certificate to bear a different semantics of *one* component of the > >DN (ie. the Swedish civic registration number, which is the last > >component of the name). The same rules apply to all certificates, > >hence there is no notion of "context". > Denis, > Stefan is right. Unfortunately you must know a lot of things before you > can treat certs in such a way. This usage is wrong according to some notable people > on this list but this is also the reality. You cannot say "Stefan is right" while you say just after "this usage is wrong". :-) Neither RFC2459, nor son-of-RFC2459, nor QC-05 makes such an interpretation of the serial number component of the DN. > Is not this almost the sole reason you and Tim work with the PI-specification? This is one of the reasons, but not the single one. Denis > Anders Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA29826 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 02:35:26 -0700 (PDT) Received: from mega (t6o69p82.telia.com [213.64.110.202]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id LAA11813; Fri, 28 Jul 2000 11:38:38 +0200 (CEST) Message-ID: <000c01bff87f$dd26b620$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net>, "Stefan Santesson" <stefan@accurata.se> Cc: <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 28 Jul 2000 12:37:42 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id CAA29827 <snip> >> I.e. If you have a Swedish certificate with Swedish civic registration >> number. Then you can know that the DN represent the same person even if >> some other data is differing. > >There is no specific rule that you can apply to a Swedish >certificate to bear a different semantics of *one* component of the >DN (ie. the Swedish civic registration number, which is the last >component of the name). The same rules apply to all certificates, >hence there is no notion of "context". Denis, Stefan is right. Unfortunately you must know a lot of things before you can treat certs in such a way. This usage is wrong according to some notable people on this list but this is also the reality. Is not this almost the sole reason you and Tim work with the PI-specification? Anders Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA26129 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 01:31:16 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id SAA70376; Fri, 28 Jul 2000 18:34:18 +1000 (EST) Message-ID: <04a601bff86f$dcb522e0$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Bob Jueneman" <bjueneman@novell.com>, <ietf-pkix@imc.org> References: <s97f1741.027@prv-mail20.provo.novell.com> Subject: Re: Dual-signed certificates Date: Fri, 28 Jul 2000 18:42:40 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Hi Bob, > The present, more or less-well-accepted CA model is that the subscriber goes to a local RA and requests a certificate be issued in his name. That RA is then free to add or modify whatever it likes to the certificate request, and sends it on to the CA to be certified. > > But the CA, depending on its CP and CPS, may add, modify, or delete information in the certificate request to suit its own purposes. It could add DN qualification to make the DN unique, it could add various policy OIDs and policy constraints -- whatever it wishes to do. > > It then sends the certificate back to the user, or posts it in a repository, but with no nonrepudiable evidence that either the RA or the subscriber had in fact agreed to those changes or additions! > How well accepted is that model ? You are suggesting that a certificate may bare little resemblance to what the subscriber asked for. Of course that will require the subject to acknowledge / accept the certificate. An alternative model is where all the conditions are decided upon at registration time and the RA and CA do not mess about with any policy OIDs so that the cert is accepted by virtue of the fact that it (at least the policy relevant parts) are derived solely from request. > Moreover, a rogue CA could create two such certificates, one containing terms favorable to it, and another closer to what the subscriber had originally requested. Now, because the inclusion of the certificate in a transaction to be signed is (1) optional, and (2) only applies to transactions per se and not to session authentication or encryption, the relying party has no way of knowing whether the user in fact agreed to those terms.. > > This is why relying on a signed CMS object won't work -- the RP has no good way of knowing whether that format was expected or not. > RPs that trust rogue CAs shouldn't be considered a valid argument for PKI architecture discussions. If you build complexity into the protocols to try and accomidate every such thing then it will not get deployed widely and people will consider alternatives. Look what happened to SET. Regards, Simon McMahon ERACOM Pty. Ltd. Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA25040 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 01:15:24 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA38398; Fri, 28 Jul 2000 10:22:35 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id KAA39064; Fri, 28 Jul 2000 10:18:03 +0200 Message-ID: <398141BE.FEFAACD0@bull.net> Date: Fri, 28 Jul 2000 10:18:06 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Stefan Santesson <stefan@accurata.se> CC: ietf-pkix@imc.org Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt References: <14716.17757.863072.996773@xedia.com> <001201bff55f$457cac80$0201a8c0@mega.vincent.se> <14716.17757.863072.996773@xedia.com> <4.3.2.7.2.20000724233736.031ace98@mail.accurata.se> <4.3.2.7.2.20000726165850.036b04b8@mail.accurata.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Stefan, > Denis, > > Let me first say that I'm glad that you liked the change in QC-05 regarding DN. :-) > Many of the other issues you raise though are things that has been > discussed in detail and where consensus has been reached in accordance with > the current wording. > > I hope you agree that it is generally would to change a reached consensus > decision just based on a single "late" comment from someone that didn't > participate in the discussion when it took place. At least not unless the > suggested change fix a serious problem that was not known at time of > original discussion. > > That is why I make much resistance here if I don't see that your requests > means MAJOR improvements or fix SERIOUS and REAL problems. I did observed your resistance. :-) However the issues raised are SERIOUS and REAL. > Generally I think that all your issues, except for the discussion of new > extensions, could be discussed on the road between proposed to draft > standard. There is no reason to uphold the RFC process over wordings that > does not change the syntax of the standard. > > I give more specific comments in line; > > At 08:36 2000-07-26 +0200, you wrote: > >Stefan, > > > > > May I draw your attention to the updated QC 05 where the uniqueness > > > requirement stated in RFC 2459 (and son of) has been clarified to count for > > > the whole lifetime of the CA. > > > > > > section 2.4 now states: > > > "The distinguished name MUST be unique for each subject > > > entity certified by the one CA as defined by the issuer name field, > > > during the whole life time of the CA." > > > > > > This is actually nothing new, rather a clarification of the existing > > > technical concept of DNs. > > > An compliant implementation can simply not be based on CA's using the same > > > DN for several different entities. It is reasonable to assume that this is > > > the intent behind the original X.501 definition of DNs. > > > "Distinguished name is originally defined in X.501 [X.501] as a > > > representation of a directory name, defined as a construct that > > > identifies a particular object from among the set of all objects." > > > > > >This is fine with me and solves one of the seven issues I have > >posted on July 13 th. So COMMENT 1 is now solved. I re-post the six > >other comments, which up to now have not yet been answered: > > > >COMMENT 2 > > > >Section 3.1.1. Issuer states: "The issuer field SHALL identify the > >organization responsible for issuing the certificate, and SHALL > >include a registered name of the organization". > > > >The basic question is what is the meaning of a "registered" name. > >Who should be the registration authority ? Do we have such an > >authority for registered names in the IETF ? Is this authority > >adequate for such a usage ? Instead of trying to answer the > >question, it makes more sense to omit the second part of the > >sentence which leads to the following sentence: "The issuer field > >SHALL identify the organization responsible for issuing the > >certificate". > > I disagree. > > The meaning is to avoid organizations from specifying other names than they > have registered for the organization. I have practical experiences with > this when name collisions occur caused by organizations using common > abbreviations or shorter versions of their name. > > Typically we would like to avoid names as e.g. "RSV" and "DSP" unless > these organizations have registered these names. > What "registered" actually means is not important from a tecnical point of > view. It is asumed that all organization names are "registered" according > to local law. > > We had a major discussion around this concluding in the current wording. I > would like to keep it as it is. I disagree as well. Should the organization be registered at the ICC ? At an ISO body like ANSI, AFNOR, DIN, BIS ? At a country specific registration authority ? Anyway, this will NOT prevent name collisions as you might think, since anyway the name is only meaningful for the CA that issues the certificate. > >COMMENT 3 > > > >Section 3.1.1. Issuer states: "The legal jurisdiction for the > >issuing CA SHOULD be consistent with the issuer name.". However the > >abstract says: " The goal of this document is to define a general > >syntax independent of local legal requirements." and also "It is > >important to note that the profile does not define any legal > >requirements for Qualified Certificates.". This is contradictory. > > No I don't think that this is contradictory. The text above is putting > requirements on the contet of the listed attributes which include the > geographical attributes > > countryName; > stateOrProvinceName; and > localityName; > > What we say is that the content of these attributes SHOULD be consistent > with the legal jurisdiction. This means that it is not in line with this > requirement to state Sweden as country if the CA is operating under French law. The legal jurisdiction of what ? I think you mean the legal jurisdiction where the CA is established. If this is the case, then this depends from the country where the CA is established, hence the reason to speak of the country where the CA is established and avoid in a technical specification legal aspects, as indicated above. > I think that this is a legitimate requirement of content and fullfilles the > need you express below. > > > >From the discussions that recently took place in Stockholm, the > >agreement was to mandate the inclusion of the country where from the > >CA is operating. In this way, by indirection, the country where the > >CA is established may implement a supervision scheme, if required. > > > >The text should be modified to reflect this. > > See above. > > The text DOES reflect this by saying that the name should be consistent > with the legal jurisdiction. > > >It should be noticed > >that taking this into consideration, the first element of a DN for > >an issuer must then be a country name. This should be reflected in > >the text. > > No. There are organizations that does not sort under a country. This > standard is not only there for European CA operators. > > This has been discussed, consensus has been reached and the issue closed. > > >Full text proposal replacement for 3.1.1: > > > >3.1.1 Issuer > > > >The issuer field SHALL identify the organization responsible for > >issuing the certificate. > > > >The identity of the issuer SHALL be specified using an appropriate > >subset of the following attributes: > > > > domainComponent; > > countryName; > > stateOrProvinceName; > > organizationName; > > localityName; and > > serialNumber. > > > >Additional attributes MAY be present but they SHOULD NOT be > >necessary to identify the issuing organization. The first element of > >the DN shall be the country where the CA is operating from. > > Disagree according to reasons above. The same for me. > >COMMENT 4 > > > >The text is not consistent when talking about certificate policies > >and public statements. > > > >In section 2.2. Statement of Purpose, the text says: > > > >"For a certificate to serve the purpose of being a Qualified > >Certificate, this profile assumes that the CA will have to include > >in the certificate a public statement that explicitly defines this > >intent." > > Clarification: This says nothing about what method to use and this is > further just part of the "scope section" > > This is a EU directive requirement. So I see nothing wrong with it. > > >In section 3.2.2.Certificate Policies, the text says: > > > >" A statement by the issuer stating the purpose of the certificate > >as discussed in Section 2.2 SHOULD be evident through indicated > >policies." > > This means that the policy should indicate that the certificate is a QC. > I.e. regardless of any QCStatamenet extension information. > > >The later statement is not that "evident" at all, in particular > >since from section 2.2. any certificate policy may be used, provided > >that it is consistent with the policy for a QC. > > > >The basic question is the following: How is it possible to know that > >a certificate is a QC ? > > By > > 1) Recognizing the policy OID and understanding that this is a QC; and/or > 2) Recognizing a statement included in the QCStatement extension (if present). > > >There are two possible answers: > > > >a) use a QC statement to tell it (and this "costs" a new extension), > > > >b) use some pre-defined Certificate Policy OID to tell it (and this > >costs no new extension). > > > >The text from section 2.2. mandates the inclusion of a QC statement. > > Absolutely not: > 1) Section 2.2 is just a scope section. It does not mandate anything > 2) The wording in 2.2. says "assumes" > 3) Section 3.2.2 makes it clear that such statement can be evident from a > policy OID > > >However, all current software is able to test for the presence of > >any Certificate Policy OID in a certificate and thus the current > >software could easily check for the presence of pre-defined > >Certificate Policy OIDs for QCs. The QC statement mandates the use > >of a new extension, that > >no one has yet implemented, both for the construction of the > >certificate and the checking of a certification path. > > > >Should we really mandate the presence of the QC statement (as being > >the only way to indicate that a certificate is a QC) or should we > >also allow the use of pre-defined Certificate Policy OID (making the > >QC statement non mandatory) ? > > > >I think both options should be mentioned as possible > > They are. Fine. In that case we both agree in principle. :-) However, what can be proven from that discussion is that the text is ambiguous and thus needs to be clarified. > Still there is a flaw in your logic with policy OID:s. > IETF will never issue such a policy, and I doubt that ETSI will. You should take a look at a draft document from ETSI called : Policy Requirements for Certification Service Providers Issuing Qualified Certificates ETSI STF 155 T1 Draft H 15th July 2000. In that document on page 8, section 5.2 the text says: " 5.2 Identification The identifiers for the Qualified Certificate Policies specified in the current document are: a) QCP Public: A Certificate Policy for Qualified Certificates issued to the public, Editorial note: Object identifier to be added. c) QCP Public + SSCD: A Certificate Policy for Qualified Certificates issued to the public, requiring use of secure signature creation devices. Editorial note: Object identifier to be added." So it is apparent that two OIDs from the ETSI arc will be defined, since this is an ETSI document. > Still, there is nothing that prevents it from being defined but it's use > may not be as efficient and general as you think. > > >Note: I must recognise that the following text belonging to section > >3.2.2 is not understandable to me: > > > >" In order to enhance path validation based on policy object > >identifiers any statement related to Qualified Certificates, as > >defined in 3.2.5, SHOULD also be defined by included certificate > >policies." > > This means that you should not include policy statement in the QCStatements > ext. that are not also defined by present policies. I still do not understand. Are you thinking of a possible coliision with PolicyQualifier (that are not used, but would have been the "natural place" for making extension to policies). This sentence either needs clarification or should be deleted. > Also note that this is a SHOULD requirement. > > The reason is that any relying party that doesn't care about QCStatement > extensions should be fully informed by the policy. You cannot say that anymore. In version QC-05, the text now says that the Qualified Certificate Statements extension may be critical or non-critical. When it is, then the application MUST understand it. > This is the fundamentals > of handling policies in path validation, i.e. that each policy OID > identifies a complete set of policy requirements. > > >COMMENT 5 > > > >Section 3.2.5. Qualified Certificate Statements, defines an > >extension for inclusion of defined statements related to Qualified > >Certificates. However, there is a major problem with the way the > >extension is built. It is constructed as: > > > > QCStatements ::= SEQUENCE OF QCStatement > > > >Since nothing is said in the text about the criticality this > >extension is, by implication, non critical. This means that any > >individual QCStatement is not mandatory to understand. So unless an > >application specifically looks for some pre-defined statement, it > >will miss the others and is not required to "understand them. Also > >remember that only ONE such extension may be present. > > > >In a profile of this document (not a PKIX document) this extension > >is being used to specify the maximum amount of money which is > >permissible for one transaction, this is what is referred in QC-04 > >as "a maximum reliance limit for the certificate indicating > >restrictions on CA's liability". > > > >The basic question is whether we should have a separate extension > >for a maximum reliance from a CA. > > > >If the maximum reliance limit statement is part of the new > >extension, there is no guarantee that it will ever be seen or > >recognized. In principle any QCStatement in a non critical extension > >may be ignored by the application. > > > >If the maximum reliance limit statement is in a separate extension > >marked critical, no application could miss it, if it is present. > > > >The requirement comes from an annex of the European Directive. The > >definition of a maximum reliance limit is optional and it makes > >sense to have a dedicated extension to support it. > > > >I would thus propose to suppress the following sentence from 3.2.5: > >"As an example this MAY include a maximum reliance limit for the > >certificate indicating restrictions on CA's liability." > > > >Instead I would propose to define a separate extension to support a > >maximum reliance limit. > > I completely disagree. > > The QCStatement extension works just like the policy extension. Why didn't you use PolicyQualifier ? > It includes > OID:s defining the statement (compare with an OID that define a policy). > This OID can further be combined with some qualifying data. > > The criticality bit does not give what you want anyway. It does only make > sure that the relying party RECOGNIZE the extension. It doesn't even > guarantee that the relying party recognize any of the information stored in > the extension. I do not share your interpretation of the sentence which is in RFC 2459, i.e. "A certificate using system MUST reject the certificate if it encounters a critical extension it does not recognize; " For me it clearly means that the RP must understand the semantics of the extension. > The criticality bit, when set, makes sure that the relying party knows what > type of information he ignores, if he choose to ignore it. > If we would follow your logic then there would also be a "problem" with > many other extensions, e.g. key usage. What if some key usage information > is regarded as critical and other as informational? This is not the case. The key usage extension, when present is critical. > Should we then have > different extensions for different key usages? I doubt it. > > I don't think that we should litter the standard with yet another > extension. The QC Statements ext works just fine. > > There was also a big discussion in ETSI on this. Everybody in the ETSI > discussion (except you) agreed to go forward with the current solution. > > >COMMENT 6 > > > >Section 4, Security considerations. This section has major problems. > >It uses some arguments to provide wrong conclusions. The current > >text is as follows: > > > >" Since the public keys are for public use with legal implications > >for involved parties, certain conditions should exist before CAs > >issues certificates as Qualified Certificates. The associated > >private keys must be unique for the subject, and must be maintained > >under the subject's sole control. That is, a CA should not issue a > >qualified certificate if the private key is shared among entities, > >or the means to use the private key is not protected against > >unintended usage. This implies that the CA must perform > >proof-of-possession of the private key. In addition, it implies that > >the CA have some knowledge about the subject's cryptographic > >module." > > > >The text says that a "CA should not issue a qualified certificate if > >the private key is shared among entities". This is fine, but the CA > >has no way to know whether the private key has been given to someone > >else. Proof-of-possession of the private key does not solve the > >issue as well, since everyone who has been given the private key > >could provide proof-of-possession. > > > >What is transparent from the text, but not said correctly, is that > >if a physical device is used, then it becomes "more difficult" to > >share the private key. Proposed text full replacement for the text > >above: > > > >"The private keys must be maintained under the subject's sole > >control. That is, a CA should not issue a qualified certificate if > >the means to use the private key is not protected against unintended > >usage. It implies that the CA should have some knowledge about the > >subject's cryptographic module." You forgot to answer to that text replacement proposal. > >It should be realized also that proof-of-possession is NOT needed at > >all what using good cryptography practice. As soon as the identifier > >of the certificate being used is protected by the digital signature, > >then proof-of-possession becomes unnecessary. Why not say it ? > > Well. POP must be performed and what I read in your wordings, you agree to > that. It seams that you are locked on the idea that POP requires a separate > protocol and to me that's NOT the case. A signed request, signed with the > subject private key, also provides POP. I think you missed the point. I am not arguing whether a separate protocol is necessary or not, I say that POP *towards a CA* is unecessary for keys that have the NR bit set, as soon as "a good usage of cryptography" is being used at the time the private key is being used. > >COMMENT 7 > > > >Section 4, Security considerations. The current text is as follows: > > > >"Comparing two qualified certificates to determine if they represent > >the same physical entity may provide misleading results and should > >be performed with care." > > > >This sentence does not help. Replace by: > > > >"Comparing two qualified certificates, that contain different DNs, > >to determine if they represent the same physical entity cannot be > >made." > > No you can't say that. > > It may be very possible, in cases where the certificate context allows it. How do you know the "context" ? > I.e. If you have a Swedish certificate with Swedish civic registration > number. Then you can know that the DN represent the same person even if > some other data is differing. There is no specific rule that you can apply to a Swedish certificate to bear a different semantics of *one* component of the DN (ie. the Swedish civic registration number, which is the last component of the name). The same rules apply to all certificates, hence there is no notion of "context". Denis > It's simply dependent on context. This is a security consideration section > with the purpose of informing implementers of possible security problems > that they should be aware of in order to avoid them. > > I think that in that context the current existing wording is better. > > /Stefan > > >Denis > > > > > We are not talking about unintentional mistakes here (which always can > > > happen) but the concept of operation. > > > > > > /Stefan Received: from unimur.um.es (unimur.um.es [155.54.1.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA22082 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 00:37:03 -0700 (PDT) Received: from aries.dif.um.es (aries.dif.um.es [155.54.210.253]) by unimur.um.es (8.9.1b+Sun/8.9.1) with ESMTP id JAA22786 for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 09:40:17 +0200 (MET DST) Received: from dif.um.es (pirania.dif.um.es [155.54.210.33]) by aries.dif.um.es (Postfix) with ESMTP id F1EC6EC1A for <ietf-pkix@imc.org>; Fri, 28 Jul 2000 09:39:48 +0200 (MET DST) Sender: root@aries.dif.um.es Message-ID: <39813910.7C5D2597@dif.um.es> Date: Fri, 28 Jul 2000 09:41:04 +0200 From: Gabriel Lopez Millan <gabilm@dif.um.es> X-Mailer: Mozilla 4.72 [es] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: policy representation Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi all. Where can I get information about policy representation? There is any RFC? Thanks, Gabi. Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA08786 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 20:58:17 -0700 (PDT) Received: from santesson.accurata.se (sfr-qbu-pqm-vty8.as.wcom.net [216.192.55.8]) by popmail.inbox.se (8.9.3/8.9.3) with ESMTP id GAA25830; Fri, 28 Jul 2000 06:01:27 +0200 Message-Id: <4.3.2.7.2.20000727215828.031ddb00@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 27 Jul 2000 22:03:10 -0600 To: "Stefan Kelm" <kelm@secorvo.de> From: Stefan Santesson <stefan@accurata.se> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Cc: ietf-pkix@imc.org In-Reply-To: <200007261519.RAA10343@rom.antech.de> References: <397E86EF.167E64B6@bull.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 17:34 2000-07-26 +0200, you wrote: >Denis, > > > Should we really mandate the presence of the QC statement (as being > > the only way to indicate that a certificate is a QC) or should we > > also allow the use of pre-defined Certificate Policy OID (making the > > QC statement non mandatory) ? > > > > I think both options should be mentioned as possible > >I wholeheartedly agree with you. The QCStatement, as useful as >it might be, should not be mandatory. > So do I But this is no issue since this already is optional in the current profile. /Stefan >Cheers, > > Stefan. > > >-------------------------------------------------------- >PKI-Symposium, 10.-11.Oktober 2000, www.pki-symposium.de >-------------------------------------------------------- >Dipl.-Inform. Stefan Kelm >Security Consultant > >Secorvo Security Consulting GmbH >Albert-Nestler-Strasse 9, D-76131 Karlsruhe > >Tel. +49 721 6105-461, Fax +49 721 6105-455 >E-Mail kelm@secorvo.de, http://www.secorvo.de >------------------------------------------------------- >PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA11561 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 13:11:08 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id QAA27392; Thu, 27 Jul 2000 16:14:17 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422080cb5a646102b19@[171.78.30.107]> In-Reply-To: <3.0.5.32.20000727114042.00a8b8a0@localhost> References: <3.0.5.32.20000726164011.04531100@localhost> <3.0.5.32.20000726164011.04531100@localhost> <3.0.5.32.20000727114042.00a8b8a0@localhost> Date: Thu, 27 Jul 2000 16:12:34 -0400 To: Juergen Brauckmann <brauckmann@trustcenter.de> From: Stephen Kent <kent@bbn.com> Subject: RE: OCSP request Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 11:40 AM +0200 7/27/00, Juergen Brauckmann wrote: >At 16:52 26.07.00 +0200, Michael Fritscher wrote: > >The problem in this context is not so much to be able to rely upon the > >OCSP response, but rather that you may have a relyable OCSP response on a > >certificate that can have been "easily faked" in the meantime... > >And therefore you need trusted, reliable directory services that can >confirm the existence of a certificate, e.g., OCSP with extensions, and >that can give the user a chance to validate that the certificate the >directory service is talking about is the certificate he has (this can be >done by letting the OCSP responder send a hash of the cert in the response). Whenever I hear someone talk about needing to trust directory services, I worry. We generally do not want to rely strongly on directories, because on can imagine many ways in which directory security could be compromised. The distributed, replicated nature of directories increases the potential for compromise of (unsigned) data stored there. Even the model that calls for a certificate to be time stamped as part of being stored in a directory entry is questionable, in my mind. The fundamental notion is that a second, presumably independent signature has been applied to a cert when stored in this fashion. The independence part of this is a good notion, but it might also be achieved by a CA that uses dual, independent crypto devices to sign certs in the first place. Thus the insistence on this specific means of ensuring dual signature controls seems unduly implementation-specific and seems to ignore other, equivalently good means of effecting the same sort of security. Steve Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA09517 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 12:23:23 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FYD00501F58V3@ext-mail.valicert.com> for ietf-pkix@imc.org; Thu, 27 Jul 2000 12:23:31 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FYD005C9F4UTH@ext-mail.valicert.com>; Thu, 27 Jul 2000 12:22:08 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36007H5W>; Thu, 27 Jul 2000 07:44:28 -0700 Content-return: allowed Date: Thu, 27 Jul 2000 07:44:26 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: OCSP request To: "'Juergen Brauckmann'" <brauckmann@trustcenter.de> Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2B4175A@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 8BIT Hi Juergen, Originally, OCSP had the following states (I do this from memory, so I might be a little off): - good - revoked - expired - notIssued - unknown (maybe) The problem with having this set of return states, is you then need to ask: does "revoked" also mean not-expired, but issued? What does "issued" say about the revocation status? Does "good" imply that is was issued? What if the responder doesn't know about that? This topic was discussed in gory detail, and I had suggested one of two approaches: 1. The current way of doing things 2. Have 3 orthogonal statuses in the response, referring to the revocation, expiration and issuance status of the cert. While proposing the second question, I had also asked why it was important to figure out the expiration/issuance status in OCSP - couldn't the client figure this out on their own. Pretty much all the people agreed that they could and that is why we went with solution #1. Yes, as far as I can see, your certHash mechanism will work. However, I still don't see exactly what problem you are solving with it. Are you trying to take care of the issue of CA key compromise/misuse? That was not the problem we were trying to solve with OCSP. If the CA key is compromised, I could also issue a OCSP-signing certificate to a fake OCSP responder controlled by me and then issue incorrect responses to my heart's content. Couldn't I? It is really important that you specify very, very clearly what problem you are trying to solve and the kind of scenario you are operating in (direct trust of the responder, CA delegated trust, ...). Then, a better analysis of your proposed solution is possible. Hope this helps, Regards, Ambarish P.S. What is the status of the ISIS solution? Is it already a "rule/law"? Is it open to review/comments/suggestions? A --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: Juergen Brauckmann [mailto:brauckmann@trustcenter.de] > Sent: Thursday, July 27, 2000 2:34 AM > To: Ambarish Malpani > Cc: ietf-pkix@imc.org > Subject: RE: OCSP request > > > Hello Ambarish. > > At 07:10 26.07.00 -0700, Ambarish Malpani wrote: > >1. OCSP responses are not meant to be weak at all. The meaning of > >good is "not revoked" or "still good" (as long as the certificate > >was correctly issued and hadn't expired before the ArchiveCutoff > >date). > > From RFC 2560: > The "good" state indicates a positive response to the > status inquiry. > At a minimum, this positive response indicates that the certificate > is not revoked, but does not necessarily mean that the certificate > was ever issued > > By saying that OCSP responses are "weak" I had the last > sentence in mind. > An OCSP responder can give me a "good" even if the CA did not > issue the > certificate. Minimum-RFC2560-OCSP-responses with "Good" don't tell me > whether the certificate ever existed. > > "Weak" is probably a bad word for it. > > >The problem you might run into, > >is say, somebody builds an ISIS OCSP server and somebody else > >tries to use it with say a Netscape Communicator OCSP client. The > >two products will claim to talk OCSP, but will actually be saying > >different things in their requests and responses and nobody else > >will ever know. > > Yes, I see. > > One question (mainly an attempt to try to understand rfc > 2560): Why didn't > you include specifications for the issuance questions into rfc 2560? > Obviously you were aware of the problem because the > description of "good" > says that such information may be delivered by extensions. > And why isn't > there a fourth state "noSuchCert" besides good,revoked,unknown? I > understand that it was the intention to be able to build > CRL-based OCSP > Responders, but I don't see why it should have been > impossible to combine > the two things. > > >b. The reason why the change ISIS has proposed is "wrong" is: > >In an OCSP request, you identify a cert by the hash of the CA's > >public key [and the hash of the CA's name] and the certificate > >serial number. If somebody had compromised the CA's public key, > >all they would need to do, is create a new certificate with a > >serial number that corresponds to a legitimate serial number, but > >a different subject public key and there goes the ability of the > >OCSP responder to tell you anything useful. > > Yes. Therefore the OCSP Response should contain a hash of the > certificate > in an extension, see my mail > from yesterday "good in OCSP Responses. Was: Re: OCSP > request". This is the > ISIS certHash extensions Simon is refering to in his mail > from 10:28 today. > > >Part of why it is valuable to at least pose desires to change the > >interpretations of RFCs on this kind of a list, is you might > >actually get some useful input from others, who might think about > >a problem in different ways. > > > >Does that make sense? > > Well one problem is that it's difficult to see what the > interpretation of > RFC2560 is that the authors had in mind... . > > >P.S. Again, if you do pose the problems you want to solve, there > >might be other reasonable ways of extending OCSP [within the > >framework of the protocol], that might better fit in with the RFC > >itself. > > We try that, see the certHash extension... . > > Regards, > Juergen > -- > Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 > TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 > Sonninstraße 24-28 mailto:brauckmann@trustcenter.de > D-20097 Hamburg http://www.trustcenter.de > Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA09519 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 12:23:23 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FYD00501F60V5@ext-mail.valicert.com> for ietf-pkix@imc.org; Thu, 27 Jul 2000 12:24:11 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FYD0055FF5XUX@ext-mail.valicert.com>; Thu, 27 Jul 2000 12:22:47 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <PY1WTWMD>; Thu, 27 Jul 2000 11:09:18 -0700 Content-return: allowed Date: Thu, 27 Jul 2000 11:09:16 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: OCSP request To: "'tgindin@us.ibm.com'" <tgindin@us.ibm.com>, Denis Pinkas <Denis.Pinkas@bull.net> Cc: Juergen Brauckmann <brauckmann@trustcenter.de>, ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE20177B010@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Tom Ginden wrote: > This is wrong. A chain of time stamps protects against key > compromise, as well as weak algorithms, as long as the > timestamps have been > applied before the key has been compromised or the algorithm > has been found > weak. So there is no need to ask the CA. I agree. It may be desirable to include OCSP responses in the data to be timestamped. For example, a construct like a CMS/PKCS #7 SignedData that includes OCSP responses might be very useful. Frank Received: from e1.ny.us.ibm.com (e1.ny.us.ibm.com [32.97.182.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA06067 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 10:04:25 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id NAA135274; Thu, 27 Jul 2000 13:07:34 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id NAA39618; Thu, 27 Jul 2000 13:07:34 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 85256929.005E115A ; Thu, 27 Jul 2000 13:07:27 -0400 X-Lotus-FromDomain: IBMUS To: Denis Pinkas <Denis.Pinkas@bull.net> cc: Juergen Brauckmann <brauckmann@trustcenter.de>, ietf-pkix@imc.org Message-ID: <85256929.005E0DF7.00@D51MTA04.pok.ibm.com> Date: Thu, 27 Jul 2000 13:07:18 -0400 Subject: Re: OCSP request Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline One slight clarification about TS chains below :-) (snip) > It is also not sufficient for long term > validation of signatures, where you might have, e.g., a signature and a > certificate with an expired crypto algorithm, and a chain of timestamps > with valid algorithms, and where you want to verify the state of the > certificate that made the signature. In this situation you cannot rely on > the certificate itself as an evidence that a CA ever issued it, you must > ask the CA. This is wrong. A chain of time stamps protects against key compromise, as well as weak algorithms, as long as the timestamps have been applied before the key has been compromised or the algorithm has been found weak. So there is no need to ask the CA. [Tom Gindin] If I remember your presentation at IETF 46 correctly, the actual claim is that a chain of time stamps protects against both key compromise (of a time stamp) and weak algorithms as long as there was no time T at which the most recently applied stamp (as of time T) had been rendered questionable - whether by key compromise or by weak algorithm. Key compromise or algorithm break only bring a chain into question if they are claimed to have occurred before the next time stamp in the chain. Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA26102 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 08:06:35 -0700 (PDT) Received: from santesson.accurata.se (sfr-qbu-pqn-vty8.as.wcom.net [216.192.22.8]) by popmail.inbox.se (8.9.3/8.9.3) with ESMTP id RAA24016; Thu, 27 Jul 2000 17:09:29 +0200 Message-Id: <4.3.2.7.2.20000726165850.036b04b8@mail.accurata.se> X-Sender: mb517@mail.accurata.se (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 27 Jul 2000 17:11:02 +0200 To: Denis Pinkas <Denis.Pinkas@bull.net> From: Stefan Santesson <stefan@accurata.se> Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Cc: ietf-pkix@imc.org In-Reply-To: <397E86EF.167E64B6@bull.net> References: <14716.17757.863072.996773@xedia.com> <001201bff55f$457cac80$0201a8c0@mega.vincent.se> <14716.17757.863072.996773@xedia.com> <4.3.2.7.2.20000724233736.031ace98@mail.accurata.se> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis, Let me first say that I'm glad that you liked the change in QC-05 regarding DN. Many of the other issues you raise though are things that has been discussed in detail and where consensus has been reached in accordance with the current wording. I hope you agree that it is generally would to change a reached consensus decision just based on a single "late" comment from someone that didn't participate in the discussion when it took place. At least not unless the suggested change fix a serious problem that was not known at time of original discussion. That is why I make much resistance here if I don't see that your requests means MAJOR improvements or fix SERIOUS and REAL problems. Generally I think that all your issues, except for the discussion of new extensions, could be discussed on the road between proposed to draft standard. There is no reason to uphold the RFC process over wordings that does not change the syntax of the standard. I give more specific comments in line; At 08:36 2000-07-26 +0200, you wrote: >Stefan, > > > May I draw your attention to the updated QC 05 where the uniqueness > > requirement stated in RFC 2459 (and son of) has been clarified to count for > > the whole lifetime of the CA. > > > > section 2.4 now states: > > "The distinguished name MUST be unique for each subject > > entity certified by the one CA as defined by the issuer name field, > > during the whole life time of the CA." > > > > This is actually nothing new, rather a clarification of the existing > > technical concept of DNs. > > An compliant implementation can simply not be based on CA's using the same > > DN for several different entities. It is reasonable to assume that this is > > the intent behind the original X.501 definition of DNs. > > "Distinguished name is originally defined in X.501 [X.501] as a > > representation of a directory name, defined as a construct that > > identifies a particular object from among the set of all objects." > > >This is fine with me and solves one of the seven issues I have >posted on July 13 th. So COMMENT 1 is now solved. I re-post the six >other comments, which up to now have not yet been answered: > >COMMENT 2 > >Section 3.1.1. Issuer states: "The issuer field SHALL identify the >organization responsible for issuing the certificate, and SHALL >include a registered name of the organization". > >The basic question is what is the meaning of a "registered" name. >Who should be the registration authority ? Do we have such an >authority for registered names in the IETF ? Is this authority >adequate for such a usage ? Instead of trying to answer the >question, it makes more sense to omit the second part of the >sentence which leads to the following sentence: "The issuer field >SHALL identify the organization responsible for issuing the >certificate". I disagree. The meaning is to avoid organizations from specifying other names than they have registered for the organization. I have practical experiences with this when name collisions occur caused by organizations using common abbreviations or shorter versions of their name. Typically we would like to avoid names as e.g. "RSV" and "DSP" unless these organizations have registered these names. What "registered" actually means is not important from a tecnical point of view. It is asumed that all organization names are "registered" according to local law. We had a major discussion around this concluding in the current wording. I would like to keep it as it is. >COMMENT 3 > >Section 3.1.1. Issuer states: "The legal jurisdiction for the >issuing CA SHOULD be consistent with the issuer name.". However the >abstract says: " The goal of this document is to define a general >syntax independent of local legal requirements." and also "It is >important to note that the profile does not define any legal >requirements for Qualified Certificates.". This is contradictory. No I don't think that this is contradictory. The text above is putting requirements on the contet of the listed attributes which include the geographical attributes countryName; stateOrProvinceName; and localityName; What we say is that the content of these attributes SHOULD be consistent with the legal jurisdiction. This means that it is not in line with this requirement to state Sweden as country if the CA is operating under French law. I think that this is a legitimate requirement of content and fullfilles the need you express below. > >From the discussions that recently took place in Stockholm, the >agreement was to mandate the inclusion of the country where from the >CA is operating. In this way, by indirection, the country where the >CA is established may implement a supervision scheme, if required. > >The text should be modified to reflect this. See above. The text DOES reflect this by saying that the name should be consistent with the legal jurisdiction. >It should be noticed >that taking this into consideration, the first element of a DN for >an issuer must then be a country name. This should be reflected in >the text. No. There are organizations that does not sort under a country. This standard is not only there for European CA operators. This has been discussed, consensus has been reached and the issue closed. >Full text proposal replacement for 3.1.1: > >3.1.1 Issuer > >The issuer field SHALL identify the organization responsible for >issuing the certificate. > >The identity of the issuer SHALL be specified using an appropriate >subset of the following attributes: > > domainComponent; > countryName; > stateOrProvinceName; > organizationName; > localityName; and > serialNumber. > >Additional attributes MAY be present but they SHOULD NOT be >necessary to identify the issuing organization. The first element of >the DN shall be the country where the CA is operating from. Disagree according to reasons above. >COMMENT 4 > >The text is not consistent when talking about certificate policies >and public statements. > >In section 2.2. Statement of Purpose, the text says: > >"For a certificate to serve the purpose of being a Qualified >Certificate, this profile assumes that the CA will have to include >in the certificate a public statement that explicitly defines this >intent." Clarification: This says nothing about what method to use and this is further just part of the "scope section" This is a EU directive requirement. So I see nothing wrong with it. >In section 3.2.2.Certificate Policies, the text says: > >" A statement by the issuer stating the purpose of the certificate >as discussed in Section 2.2 SHOULD be evident through indicated >policies." This means that the policy should indicate that the certificate is a QC. I.e. regardless of any QCStatamenet extension information. >The later statement is not that "evident" at all, in particular >since from section 2.2. any certificate policy may be used, provided >that it is consistent with the policy for a QC. > >The basic question is the following: How is it possible to know that >a certificate is a QC ? By 1) Recognizing the policy OID and understanding that this is a QC; and/or 2) Recognizing a statement included in the QCStatement extension (if present). >There are two possible answers: > >a) use a QC statement to tell it (and this "costs" a new extension), > >b) use some pre-defined Certificate Policy OID to tell it (and this >costs no new extension). > >The text from section 2.2. mandates the inclusion of a QC statement. Absolutely not: 1) Section 2.2 is just a scope section. It does not mandate anything 2) The wording in 2.2. says "assumes" 3) Section 3.2.2 makes it clear that such statement can be evident from a policy OID >However, all current software is able to test for the presence of >any Certificate Policy OID in a certificate and thus the current >software could easily check for the presence of pre-defined >Certificate Policy OIDs for QCs. The QC statement mandates the use >of a new extension, that >no one has yet implemented, both for the construction of the >certificate and the checking of a certification path. > >Should we really mandate the presence of the QC statement (as being >the only way to indicate that a certificate is a QC) or should we >also allow the use of pre-defined Certificate Policy OID (making the >QC statement non mandatory) ? > >I think both options should be mentioned as possible They are. Still there is a flaw in your logic with policy OID:s. IETF will never issue such a policy, and I doubt that ETSI will. Still, there is nothing that prevents it from being defined but it's use may not be as efficient and general as you think. >Note: I must recognise that the following text belonging to section >3.2.2 is not understandable to me: > >" In order to enhance path validation based on policy object >identifiers any statement related to Qualified Certificates, as >defined in 3.2.5, SHOULD also be defined by included certificate >policies." This means that you should not include policy statement in the QCStatements ext. that are not also defined by present policies. Also note that this is a SHOULD requirement. The reason is that any relying party that doesn't care about QCStatement extensions should be fully informed by the policy. This is the fundamentals of handling policies in path validation, i.e. that each policy OID identifies a complete set of policy requirements. >COMMENT 5 > >Section 3.2.5. Qualified Certificate Statements, defines an >extension for inclusion of defined statements related to Qualified >Certificates. However, there is a major problem with the way the >extension is built. It is constructed as: > > QCStatements ::= SEQUENCE OF QCStatement > >Since nothing is said in the text about the criticality this >extension is, by implication, non critical. This means that any >individual QCStatement is not mandatory to understand. So unless an >application specifically looks for some pre-defined statement, it >will miss the others and is not required to "understand them. Also >remember that only ONE such extension may be present. > >In a profile of this document (not a PKIX document) this extension >is being used to specify the maximum amount of money which is >permissible for one transaction, this is what is referred in QC-04 >as "a maximum reliance limit for the certificate indicating >restrictions on CA's liability". > >The basic question is whether we should have a separate extension >for a maximum reliance from a CA. > >If the maximum reliance limit statement is part of the new >extension, there is no guarantee that it will ever be seen or >recognized. In principle any QCStatement in a non critical extension >may be ignored by the application. > >If the maximum reliance limit statement is in a separate extension >marked critical, no application could miss it, if it is present. > >The requirement comes from an annex of the European Directive. The >definition of a maximum reliance limit is optional and it makes >sense to have a dedicated extension to support it. > >I would thus propose to suppress the following sentence from 3.2.5: >"As an example this MAY include a maximum reliance limit for the >certificate indicating restrictions on CA's liability." > >Instead I would propose to define a separate extension to support a >maximum reliance limit. I completely disagree. The QCStatement extension works just like the policy extension. It includes OID:s defining the statement (compare with an OID that define a policy). This OID can further be combined with some qualifying data. The criticality bit does not give what you want anyway. It does only make sure that the relying party RECOGNIZE the extension. It doesn't even guarantee that the relying party recognize any of the information stored in the extension. The criticality bit, when set, makes sure that the relying party knows what type of information he ignores, if he choose to ignore it. If we would follow your logic then there would also be a "problem" with many other extensions, e.g. key usage. What if some key usage information is regarded as critical and other as informational? Should we then have different extensions for different key usages? I doubt it. I don't think that we should litter the standard with yet another extension. The QC Statements ext works just fine. There was also a big discussion in ETSI on this. Everybody in the ETSI discussion (except you) agreed to go forward with the current solution. >COMMENT 6 > >Section 4, Security considerations. This section has major problems. >It uses some arguments to provide wrong conclusions. The current >text is as follows: > >" Since the public keys are for public use with legal implications >for involved parties, certain conditions should exist before CAs >issues certificates as Qualified Certificates. The associated >private keys must be unique for the subject, and must be maintained >under the subject's sole control. That is, a CA should not issue a >qualified certificate if the private key is shared among entities, >or the means to use the private key is not protected against >unintended usage. This implies that the CA must perform >proof-of-possession of the private key. In addition, it implies that >the CA have some knowledge about the subject's cryptographic >module." > >The text says that a "CA should not issue a qualified certificate if >the private key is shared among entities". This is fine, but the CA >has no way to know whether the private key has been given to someone >else. Proof-of-possession of the private key does not solve the >issue as well, since everyone who has been given the private key >could provide proof-of-possession. > >What is transparent from the text, but not said correctly, is that >if a physical device is used, then it becomes "more difficult" to >share the private key. Proposed text full replacement for the text >above: > >"The private keys must be maintained under the subject's sole >control. That is, a CA should not issue a qualified certificate if >the means to use the private key is not protected against unintended >usage. It implies that the CA should have some knowledge about the >subject's cryptographic module." > >It should be realized also that proof-of-possession is NOT needed at >all what using good cryptography practice. As soon as the identifier >of the certificate being used is protected by the digital signature, >then proof-of-possession becomes unnecessary. Why not say it ? Well. POP must be performed and what I read in your wordings, you agree to that. It seams that you are locked on the idea that POP requires a separate protocol and to me that's NOT the case. A signed request, signed with the subject private key, also provides POP. >COMMENT 7 > >Section 4, Security considerations. The current text is as follows: > >"Comparing two qualified certificates to determine if they represent >the same physical entity may provide misleading results and should >be performed with care." > >This sentence does not help. Replace by: > >"Comparing two qualified certificates, that contain different DNs, >to determine if they represent the same physical entity cannot be >made." No you can't say that. It may be very possible, in cases where the certificate context allows it. I.e. If you have a Swedish certificate with Swedish civic registration number. Then you can know that the DN represent the same person even if some other data is differing. It's simply dependent on context. This is a security consideration section with the purpose of informing implementers of possible security problems that they should be aware of in order to avoid them. I think that in that context the current existing wording is better. /Stefan >Denis > > > We are not talking about unintentional mistakes here (which always can > > happen) but the concept of operation. > > > > /Stefan Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA25139 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 07:54:56 -0700 (PDT) Received: by mystic1.trustcenter.de; id QAA09512; Thu, 27 Jul 2000 16:55:24 +0200 Received: from nodnsquery(192.168.200.3) by mystic1.trustcenter.de via smap (V5.0) id xma009506; Thu, 27 Jul 00 16:54:40 +0200 Received: from ew-jbr (titan.trustcenter.de [192.168.200.244]) by callisto.trustcenter.de (8.9.3/8.9.3) with SMTP id QAA21018; Thu, 27 Jul 2000 16:56:20 +0200 (MET DST) Message-Id: <3.0.5.32.20000727165620.0376c5e0@localhost> X-Sender: jbr@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 27 Jul 2000 16:56:20 +0200 To: Denis Pinkas <Denis.Pinkas@bull.net> From: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: Re: OCSP request Cc: ietf-pkix@imc.org In-Reply-To: <398045FD.A49B295D@bull.net> References: <3.0.5.32.20000726145755.03772bc0@localhost> <3.0.5.32.20000727140550.00a858f0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id HAA25141 At 16:23 27.07.00 +0200, Denis Pinkas wrote: >> The ISIS specification is for use with the German Signature Law. > >I heard that the German Signature Law was in the process of being >revised. As far as I know the revision will have no impact on the interpretation of the validity model by the RegTP. >> The root >> CA operated by the "Regulierungsbehoerde fuer Telekommunikation und Post" >> <http://www.regtp.de/en> originally wanted to enforce a chain model, where >To give a name to that "other model", should we call, for the time >being, the "ISIS model" ? Hm, regtp-model? >No. Since, as you said, the reference to the certificate includes >the hash of that certificate, this is not necessary to ask anything >to the CA. Ups. You are right, sorry... . Juergen -- Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 Sonninstraße 24-28 mailto:brauckmann@trustcenter.de D-20097 Hamburg http://www.trustcenter.de Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA23421 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 07:21:45 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id QAA41838; Thu, 27 Jul 2000 16:28:32 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id QAA05212; Thu, 27 Jul 2000 16:23:56 +0200 Message-ID: <398045FD.A49B295D@bull.net> Date: Thu, 27 Jul 2000 16:23:57 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Juergen Brauckmann <brauckmann@trustcenter.de> CC: ietf-pkix@imc.org Subject: Re: OCSP request References: <3.0.5.32.20000726145755.03772bc0@localhost> <3.0.5.32.20000727140550.00a858f0@localhost> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Juergen, > Hi Denis. > > At 11:00 27.07.00 +0200, Denis Pinkas wrote: > >> This means that a client *never* can get an authoritive answer that the > >> certificate is faked (by the way of a CA key compromise) because a client > >> has no way of knowing whether he talked to all OCSP Responders that may > >> know something about the certificate. > > > >This is incorrect. You need to query an OCSP server you trust, > >either directly (indicated by out-of-bands means), or because it is > >indicated within the user certificate. > > So a user must be sure that he configured his client software with all OCSP > responders that a CA may have. > > How is he informed if the CA adds another OCSP responder? > > >This is pretty different from RF 2459. > > The ISIS specification is for use with the German Signature Law. I heard that the German Signature Law was in the process of being revised. > The root > CA operated by the "Regulierungsbehoerde fuer Telekommunikation und Post" > <http://www.regtp.de/en> originally wanted to enforce a chain model, where > a certificate may be valid at time T even if its CA certificate is revoked > at T. They did this by revoking not any longer used CA certificates when > they performed a regular certificate and key rollover. So all certificates > under the old CA certificate were suddenly invalid with RFC2459 > verification procedures. > > This means that there is some chance that we(=ISIS) must deal with > non-RFC2459 validity models. To give a name to that "other model", should we call, for the time being, the "ISIS model" ? > Most involved CAs are, eh, not *really* happy with this situation. The > discussion with the RegTP is going on... . > > >> It is also not sufficient for long term > >> validation of signatures, where you might have, e.g., a signature and a > >> certificate with an expired crypto algorithm, and a chain of timestamps > >> with valid algorithms, and where you want to verify the state of the > >> certificate that made the signature. In this situation you cannot rely on > >> the certificate itself as an evidence that a CA ever issued it, you must > >> ask the CA. > > > >This is wrong. A chain of time stamps protects against key > >compromise, > > You are right if the timestamp is made over the signature and the > certificate. If the timestamp secures only the signature and a reference to > the certificate (like issuerDN/serialnumber and hash), then the CA must be > asked. OK, that's perhaps not too realistic... . No. Since, as you said, the reference to the certificate includes the hash of that certificate, this is not necessary to ask anything to the CA. Denis > Juergen > -- > Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 > TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 > Sonninstraße 24-28 mailto:brauckmann@trustcenter.de > D-20097 Hamburg http://www.trustcenter.de Received: from ns.celocom.se (firewall-user@ns.celocom.se [212.209.40.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA22962 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 07:15:02 -0700 (PDT) Received: by ns.celocom.se; id QAA13052; Thu, 27 Jul 2000 16:18:12 +0200 (CEST) Received: from seexchange.celocom.se(10.10.10.11) by ns.celocom.se via smap (4.1) id xma010312; Thu, 27 Jul 00 15:31:37 +0200 Received: from celocom.se (levitte.celocom.se [10.10.10.124]) by seexchange.celocom.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 3YLHHJHH; Thu, 27 Jul 2000 15:34:59 +0200 Sender: levitte@celocom.se Message-ID: <398039A0.3A0FC783@celocom.se> Date: Thu, 27 Jul 2000 15:31:12 +0200 From: Richard Levitte <richard.levitte@celocom.se> Organization: Celo Communications, Ltd. X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Juergen Brauckmann <brauckmann@trustcenter.de> CC: Denis Pinkas <Denis.Pinkas@bull.net>, ietf-pkix@imc.org Subject: Re: OCSP request References: <3.0.5.32.20000726145755.03772bc0@localhost> <3.0.5.32.20000727140550.00a858f0@localhost> Content-Type: multipart/mixed; boundary="------------78F69466A02B9F683A20A7BE" This is a multi-part message in MIME format. --------------78F69466A02B9F683A20A7BE Content-Type: multipart/alternative; boundary="------------DFAA3542CBD93B647622E320" --------------DFAA3542CBD93B647622E320 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Juergen Brauckmann wrote: > >This is incorrect. You need to query an OCSP server you trust, > >either directly (indicated by out-of-bands means), or because it is > >indicated within the user certificate. > > So a user must be sure that he configured his client software with all OCSP > responders that a CA may have. Hmm, I think "or because it is indicated within the user certificate" might be a key phrase here... The other alternative is some kind of global trusted responder that does the work for others. > How is he informed if the CA adds another OCSP responder? I think that a CA has to think carefully before they do that, by making sure the new responder is reachable through already known names and transports. This is not really a hard issue, it's just a question of using using other technologies correctly and optimally, no? Using DNS, The SRV RR could help a lot here, for example. Then again, perhaps I misunderstand what you mean... In any case, if a CA doesn't make sure the new OCSP responder is reachable through already known means, they either didn't want it to be reachable for anything than possibly new certs with info about the new OCSP responder in an AuthorityInfoAccess, or it has made a fool of itself. Or some other alternative I'm not thinking of... -- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */ --------------DFAA3542CBD93B647622E320 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit <!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html> Juergen Brauckmann wrote: <blockquote TYPE=CITE>>This is incorrect. You need to query an OCSP server you trust, <br>>either directly (indicated by out-of-bands means), or because it is <br>>indicated within the user certificate. <p>So a user must be sure that he configured his client software with all OCSP <br>responders that a CA may have.</blockquote> Hmm, I think "or because it is indicated within the user certificate" might be a key phrase here... The other alternative is some kind of global trusted responder that does the work for others. <blockquote TYPE=CITE>How is he informed if the CA adds another OCSP responder?</blockquote> I think that a CA has to think carefully before they do that, by making sure the new responder is reachable through already known names and transports. This is not really a hard issue, it's just a question of using using other technologies correctly and optimally, no? Using DNS, The SRV RR could help a lot here, for example. Then again, perhaps I misunderstand what you mean... <p>In any case, if a CA doesn't make sure the new OCSP responder is reachable through already known means, they either didn't want it to be reachable for anything than possibly new certs with info about the new OCSP responder in an AuthorityInfoAccess, or it has made a fool of itself. Or some other alternative I'm not thinking of... <pre>-- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */</pre> </html> --------------DFAA3542CBD93B647622E320-- --------------78F69466A02B9F683A20A7BE Content-Type: text/x-vcard; charset=us-ascii; name="richard.levitte.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Richard Levitte Content-Disposition: attachment; filename="richard.levitte.vcf" begin:vcard n:Levitte;Richard tel;cell:+46-733-72 8811 tel;work:+46-8-58 72 8811 x-mozilla-html:FALSE org:<A HREF="http://www.celocom.com">Celo Communications</A> version:2.1 email;internet:richard.levitte@celocom.se title:Software Artist adr;quoted-printable:;;Sveav=E4gen 145, 5tr=0D=0AStockholm;;;;SWEDEN note;quoted-printable:<br>=0D=0A<table border=3D0>=0D=0A<tr>=0D=0A <td bgcolor=3D"#00ffff">c=EAlo, =E2vi, =E2tum, (latin) 1,v.a.=0D=0A to hide something from one, to keep secret, to conceal.=0D=0A </td>=0D=0A</tr>=0D=0A</table>=0D=0A<br>=0D=0A<table border=3D3>=0D=0A<tr>=0D=0A <td>=0D=0A <table>=0D=0A <tr>=0D=0A <td valign=3Dtop>o/~</td>=0D=0A <td><font size=3D-1>Coding, coding, coding</font><br>=0D=0A Keep'em hackers coding<br>=0D=0A <font size=3D+1>And When They're Done Coding</font><br>=0D=0A <font size=3D7>COMPIIIIIIILE!!</font></td>=0D=0A </tr>=0D=0A </table>=0D=0A </td>=0D=0A</tr>=0D=0A</table> fn:Richard Levitte end:vcard --------------78F69466A02B9F683A20A7BE-- Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA20320 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 06:21:48 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA13038; Thu, 27 Jul 2000 15:28:55 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id PAA40672; Thu, 27 Jul 2000 15:24:19 +0200 Message-ID: <39803805.7D37F3FC@bull.net> Date: Thu, 27 Jul 2000 15:24:21 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Simon Tardell <simon.tardell@iD2tech.com> CC: IETF PKIX Mailing List <ietf-pkix@imc.org> Subject: Re: OCSP request References: <C0E81C20AD21D311BDB200805FCCD9412F62EF@aunt9.ausys.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Simon, (deleted text) > Eh? This was a rational FOR time stamping (as is evident by the next two > sentences). I did not see it this way. This is a rational for an *extension* to the current *basic* definition of a Time Stamping Service. >> A practical system has to protect itself from >> that somehow. Enters time stamping. A time stamping service would >> probably check the revocation status of the signatory cert and store >> that together with the time stamp. >> This is certainly not the definition of a time stamping service >> within the PKIX WG. The TSA does NOT "check the revocation status of >> the signatory cert and store that together with the time stamp". > draft-ietf-pkix-time-stamp-09.txt: > extensions is a generic way to add additional information in the > future. Extensions is defined in [RFC 2459]. > Particular extension field types may be specified in standards or > may be defined and registered by any organization or community. > > Seems like a definite "MAY" to me. You may *add* anything else you like. Since we were talking of basic features and optional features about OCSP it is important not to mix basic features and options. Denis > > Simon. > > Simon Tardell, Software Architect, iD2 Technologies > voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 > simon.tardell@iD2tech.com, http://www.iD2tech.com > Securing the Internet economy Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA19761 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 06:14:11 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA13264; Thu, 27 Jul 2000 15:21:11 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id PAA40630; Thu, 27 Jul 2000 15:16:40 +0200 Message-ID: <3980363A.620F9732@bull.net> Date: Thu, 27 Jul 2000 15:16:42 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Simon Tardell <simon.tardell@iD2tech.com> CC: Juergen Brauckmann <brauckmann@trustcenter.de>, ietf-pkix@imc.org Subject: Re: OCSP request References: <C0E81C20AD21D311BDB200805FCCD9412F62EE@aunt9.ausys.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Simon, > Denis, > > > > This is not sufficient for systems that must be robust/tolerant > > > against CA key compromise or such things. > > Key compromise is an exceptional event (that should not happen, but > > might happen) that must be addressed under a disaster recovery plan > > (i.e. revoke the CA whose key has been compromised in all the > > certificates that has been issued for that CA by other CAs). > I see the disaster, but I don't see the recovery in this. > As I see it, the problem the German model tries to tackle is that a CA which Someone from Germany told me not to call it the "German model". Let us talk of that *other* model, which means that this model is different from the current X.509/PKIX model and therefore is using mechanisms that are different from PKIX. I am not saying that the other model is bad or good, simply that it is different. > has issued lots of certificates to the public (say millions) gets it keys > compromised somehow. Time-stamping services secure documents signed before > this moment, but there is another problem. Millions of germans are now > unable to go about their daily business. Potentially the German economy > grinds to a halt while the CA reissues millions of smart cards. Ambarish said: "P.S. Again, if you do pose the problems you want to solve, there might be other reasonable ways of extending OCSP [within the framework of the protocol], that might better fit in with the RFC itself". Juergen responded: "We try that, see the certHash extension ..." . My comments is that the certHash extension is one *solution* to the real *problem* that you describe. > Obviously > this would be a very bad thing. I'd hate to know that this scenario has not > been prepared in advance. Since the end-user keys did not get compromised > they can still be trusted. True. > What is a problem is the linkage between the > holder and his keys, embodied in the certificates. The "directory service > (SigG)" essentially works as a time-stamping service for certificates, > ensuring that the certificates may still be used after the "big bang", just > as a general time-stamping service may protect signed documents against > problems that occur after the original signature, so that they may still be > used. This is *one* solution to the problem, ... but not the single solution. That solution is also not compatible with RFC 2560, section 2.2. where it is stated: "All definitive response messages SHALL be digitally signed. The key used to sign the response MUST belong to one of the following: -- the CA who issued the certificate in question -- a Trusted Responder whose public key is trusted by the requester -- a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA". This means that the OSCP server is either directly known by out of bands means or designated by the CA. For that "other model" to work, the OCSP would need to be designated by an *upper* CA. This is not allowed with the current text, because in the current PKIX model only the CA that has issued the certificate is allowed to nominate the server in charge of providing revocation status information. We are pretty far away of deciding whether we should add or not a certHash to an OCSP response, but whether this WG is ready to develop a model that is not compatible with PKIX. In the past we had SPKI. The basic question might be whether some interrested people would like to form a BOF for developping such a new model. > There are some obvious requirements following from this line of reasoning, > e.g. that the keys for OCSP responses have to be independent from the > issuing keys, and you have to have direct trust in the OCSP responder. > > > This > > does not mean using means that *permanently* address that case. If > > you mandate an OCSP response in the sense you mention, then this > > means two things: > > > > 1) you deny the use of CRLs, and > > For this purpose, yes. > > > 2) you also deny the local checking of the digital signature > > from a CA over any certificate (it means that a local checking > > by a RP is never sufficient since anyway an access to a trusted > > copy certificate is necessary in a trusted database from the CA > > which has issued it). So your model is *very* different from the > > path validation model that is currently described in RFC 2459 > > (or its successor). > > Definitely an extra step, and different from "ordinary PKI". So we strongly agree that this *other* model is fairly different from "ordinary PKI". Denis > Simon. > > Simon Tardell, Software Architect, iD2 Technologies > voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 > simon.tardell@iD2tech.com, http://www.iD2tech.com > Securing the Internet economy Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id FAA16532 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 05:04:46 -0700 (PDT) Received: by mystic1.trustcenter.de; id OAA07973; Thu, 27 Jul 2000 14:05:12 +0200 Received: from nodnsquery(192.168.200.3) by mystic1.trustcenter.de via smap (V5.0) id xma007966; Thu, 27 Jul 00 14:04:12 +0200 Received: from ew-jbr (titan.trustcenter.de [192.168.200.244]) by callisto.trustcenter.de (8.9.3/8.9.3) with SMTP id OAA11245; Thu, 27 Jul 2000 14:05:51 +0200 (MET DST) Message-Id: <3.0.5.32.20000727140550.00a858f0@localhost> X-Sender: jbr@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 27 Jul 2000 14:05:50 +0200 To: Denis Pinkas <Denis.Pinkas@bull.net> From: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: Re: OCSP request Cc: ietf-pkix@imc.org In-Reply-To: <397FFA26.BC47A149@bull.net> References: <3.0.5.32.20000726145755.03772bc0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id FAA16533 Hi Denis. At 11:00 27.07.00 +0200, Denis Pinkas wrote: >> This means that a client *never* can get an authoritive answer that the >> certificate is faked (by the way of a CA key compromise) because a client >> has no way of knowing whether he talked to all OCSP Responders that may >> know something about the certificate. > >This is incorrect. You need to query an OCSP server you trust, >either directly (indicated by out-of-bands means), or because it is >indicated within the user certificate. So a user must be sure that he configured his client software with all OCSP responders that a CA may have. How is he informed if the CA adds another OCSP responder? >This is pretty different from RF 2459. The ISIS specification is for use with the German Signature Law. The root CA operated by the "Regulierungsbehoerde fuer Telekommunikation und Post" <http://www.regtp.de/en> originally wanted to enforce a chain model, where a certificate may be valid at time T even if its CA certificate is revoked at T. They did this by revoking not any longer used CA certificates when they performed a regular certificate and key rollover. So all certificates under the old CA certificate were suddenly invalid with RFC2459 verification procedures. This means that there is some chance that we(=ISIS) must deal with non-RFC2459 validity models. Most involved CAs are, eh, not *really* happy with this situation. The discussion with the RegTP is going on... . >> It is also not sufficient for long term >> validation of signatures, where you might have, e.g., a signature and a >> certificate with an expired crypto algorithm, and a chain of timestamps >> with valid algorithms, and where you want to verify the state of the >> certificate that made the signature. In this situation you cannot rely on >> the certificate itself as an evidence that a CA ever issued it, you must >> ask the CA. > >This is wrong. A chain of time stamps protects against key >compromise, You are right if the timestamp is made over the signature and the certificate. If the timestamp secures only the signature and a reference to the certificate (like issuerDN/serialnumber and hash), then the CA must be asked. OK, that's perhaps not too realistic... . Juergen -- Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 Sonninstraße 24-28 mailto:brauckmann@trustcenter.de D-20097 Hamburg http://www.trustcenter.de Received: from naigwy (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id EAA16222 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 04:55:00 -0700 (PDT) Received: FROM aunt15.ausys.se BY naigwy ; Thu Jul 27 13:56:11 2000 +0200 Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id <PXJF9ZNJ>; Thu, 27 Jul 2000 13:57:38 +0200 Message-ID: <C0E81C20AD21D311BDB200805FCCD9412F62F0@aunt9.ausys.se> From: Simon Tardell <simon.tardell@iD2tech.com> To: "'Bob Jueneman'" <bjueneman@novell.com>, richard.levitte@celocom.se, Simon Tardell <simon.tardell@iD2tech.com>, brauckmann@trustcenter.de Cc: Karl.Scheibelhofer@iaik.at, ietf-pkix@imc.org Subject: RE: OCSP request Date: Thu, 27 Jul 2000 13:57:42 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Bob, > I don't mean to pick on Simon twice in one day, but his > assertions regarding the benefit of timestamping don't make > legal sense. That is a very categorical statement. And I don't see where you contradict what I say. There may be legal systems, and business practices, as well as technical circumstances that makes timestamping of no benefit. OTOH the reverse is also true. In fact, the rest of your reasoning about who stands the risk if there is a dispute only serves to underline that. Paying with bank cards in Sweden and in the US is an analogue world example of such differences in business practices (more that than law). In Sweden the merchant forces you to show photo ID, because the bank will make him stand the risk if he doesn't. And he has to (sort of) prove that he did (by writing the ID card number on the slip, and signing). It seems perfectly reasonable to me that a translation to our world would be the bank forcing the merchant to check your certificate and time stamp that together with the transaction. Or the time stamping service doing that step for him. Note, even though the imposter that tries to use my bank card is responsible for doing so, that does not relieve the merchant of the obligation to check ID. Liability doesn't have to be connected to business risk (the imposter may never show up to pay the money he owes). So, yes, laws and business practices do make a difference, I agree. And technology does to, to support laws and business practices. Simon. Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from naigwy (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id EAA14054 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 04:03:53 -0700 (PDT) Received: FROM aunt15.ausys.se BY naigwy ; Thu Jul 27 13:05:05 2000 +0200 Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id <PXJF9Y61>; Thu, 27 Jul 2000 13:06:32 +0200 Message-ID: <C0E81C20AD21D311BDB200805FCCD9412F62EF@aunt9.ausys.se> From: Simon Tardell <simon.tardell@iD2tech.com> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>, Simon Tardell <simon.tardell@iD2tech.com> Cc: IETF PKIX Mailing List <ietf-pkix@imc.org> Subject: RE: OCSP request Date: Thu, 27 Jul 2000 13:06:33 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Denis, > Bob picked up the same sentence in one of your E-mails and replied. > I would like to comment on the same sentence. > > (text deleted) > > > Now, if a key gets compromised, you cannot trust *any* signatures by that > > key (before or after compromise), because you cannot trust the signer's > > assertion of what time it was. > > This is untrue. See the paper I co-wrote with Hans Nilson about the > rational for using a time stamp. If the key of the TSA is not > compromised, then you can prove that a given digital signature was > done after the key compromise. Eh? This was a rational FOR time stamping (as is evident by the next two sentences). > > A practical system has to protect itself from > > that somehow. Enters time stamping. A time stamping service would probably > > check the revocation status of the signatory cert and store that together > > with the time stamp. > > This is certainly not the definition of a time stamping service > within the PKIX WG. The TSA does NOT "check the revocation status of > the signatory cert and store that together with the time stamp". draft-ietf-pkix-time-stamp-09.txt: extensions is a generic way to add additional information in the future. Extensions is defined in [RFC 2459]. Particular extension field types may be specified in standards or may be defined and registered by any organization or community. Seems like a definite "MAY" to me. Simon. Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from naigwy (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id CAA07277 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 02:44:07 -0700 (PDT) Received: FROM aunt15.ausys.se BY naigwy ; Thu Jul 27 11:45:19 2000 +0200 Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id <PXJF9X6Y>; Thu, 27 Jul 2000 11:46:46 +0200 Message-ID: <C0E81C20AD21D311BDB200805FCCD9412F62EE@aunt9.ausys.se> From: Simon Tardell <simon.tardell@iD2tech.com> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>, Juergen Brauckmann <brauckmann@trustcenter.de> Cc: ietf-pkix@imc.org Subject: RE: OCSP request Date: Thu, 27 Jul 2000 11:46:49 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Denis, > > This is not sufficient for systems that must be robust/tolerant against CA > > key compromise or such things. > > Key compromise is an exceptional event (that should not happen, but > might happen) that must be addressed under a disaster recovery plan > (i.e. revoke the CA whose key has been compromised in all the > certificates that has been issued for that CA by other CAs). I see the disaster, but I don't see the recovery in this. As I see it, the problem the German model tries to tackle is that a CA which has issued lots of certificates to the public (say millions) gets it keys compromised somehow. Time-stamping services secure documents signed before this moment, but there is another problem. Millions of germans are now unable to go about their daily business. Potentially the German economy grinds to a halt while the CA reissues millions of smart cards. Obviously this would be a very bad thing. I'd hate to know that this scenario has not been prepared in advance. Since the end-user keys did not get compromised they can still be trusted. What is a problem is the linkage between the holder and his keys, embodied in the certificates. The "directory service (SigG)" essentially works as a time-stamping service for certificates, ensuring that the certificates may still be used after the "big bang", just as a general time-stamping service may protect signed documents against problems that occur after the original signature, so that they may still be used. There are some obvious requirements following from this line of reasoning, e.g. that the keys for OCSP responses have to be independent from the issuing keys, and you have to have direct trust in the OCSP responder. > This > does not mean using means that *permanently* address that case. If > you mandate an OCSP response in the sense you mention, then this > means two things: > > 1) you deny the use of CRLs, and For this purpose, yes. > 2) you also deny the local checking of the digital signature > from a CA over any certificate (it means that a local checking > by a RP is never sufficient since anyway an access to a trusted > copy certificate is necessary in a trusted database from the CA > which has issued it). So your model is *very* different from the > path validation model that is currently described in RFC 2459 > (or its successor). Definitely an extra step, and different from "ordinary PKI". Simon. Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id CAA07031 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 02:38:33 -0700 (PDT) Received: by mystic1.trustcenter.de; id LAA06538; Thu, 27 Jul 2000 11:39:02 +0200 Received: from nodnsquery(192.168.200.3) by mystic1.trustcenter.de via smap (V5.0) id xma006534; Thu, 27 Jul 00 11:39:01 +0200 Received: from ew-jbr (titan.trustcenter.de [192.168.200.244]) by callisto.trustcenter.de (8.9.3/8.9.3) with SMTP id LAA02796; Thu, 27 Jul 2000 11:40:41 +0200 (MET DST) Message-Id: <3.0.5.32.20000727114042.00a8b8a0@localhost> X-Sender: jbr@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 27 Jul 2000 11:40:42 +0200 To: Michael.Fritscher@wu-wien.ac.at From: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: RE: OCSP request Cc: ietf-pkix@imc.org In-Reply-To: <00072617012000.01903@gourmet.wu-wien.ac.at> References: <3.0.5.32.20000726164011.04531100@localhost> <3.0.5.32.20000726164011.04531100@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id CAA07032 At 16:52 26.07.00 +0200, Michael Fritscher wrote: >The problem in this context is not so much to be able to rely upon the >OCSP response, but rather that you may have a relyable OCSP response on a >certificate that can have been "easily faked" in the meantime... And therefore you need trusted, reliable directory services that can confirm the existence of a certificate, e.g., OCSP with extensions, and that can give the user a chance to validate that the certificate the directory service is talking about is the certificate he has (this can be done by letting the OCSP responder send a hash of the cert in the response). Juergen -- Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 Sonninstraße 24-28 mailto:brauckmann@trustcenter.de D-20097 Hamburg http://www.trustcenter.de Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id CAA06778 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 02:35:04 -0700 (PDT) Received: by mystic1.trustcenter.de; id LAA06477; Thu, 27 Jul 2000 11:36:02 +0200 Received: from nodnsquery(192.168.200.3) by mystic1.trustcenter.de via smap (V5.0) id xma006473; Thu, 27 Jul 00 11:35:24 +0200 Received: from ew-jbr (titan.trustcenter.de [192.168.200.244]) by callisto.trustcenter.de (8.9.3/8.9.3) with SMTP id LAA02568; Thu, 27 Jul 2000 11:37:03 +0200 (MET DST) Message-Id: <3.0.5.32.20000727113704.00a87520@localhost> X-Sender: jbr@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 27 Jul 2000 11:37:04 +0200 To: Frank Balluffi <frankb@valicert.com> From: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: RE: OCSP request Cc: ietf-pkix@imc.org In-Reply-To: <27FF4FAEA8CDD211B97E00902745CBE20177B006@seine.valicert.co m> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id CAA06779 At 07:47 26.07.00 -0700, Frank Balluffi wrote: >In the case you described, why would the timestamper know to use a "chain of >timestamps with valid algorithms", but not the CA (i.e., use a valid >algorithm)? Just curious. Well, if you received an important signature from someone, you can get timestamps from TSAs as often as you like (each time with a fresh algorithm). But it may be difficult/impossible for you to get a new certificate from the person that gave you the signature. Juergen -- Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 Sonninstraße 24-28 mailto:brauckmann@trustcenter.de D-20097 Hamburg http://www.trustcenter.de Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id CAA06546 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 02:32:02 -0700 (PDT) Received: by mystic1.trustcenter.de; id LAA06452; Thu, 27 Jul 2000 11:33:01 +0200 Received: from nodnsquery(192.168.200.3) by mystic1.trustcenter.de via smap (V5.0) id xma006446; Thu, 27 Jul 00 11:32:25 +0200 Received: from ew-jbr (titan.trustcenter.de [192.168.200.244]) by callisto.trustcenter.de (8.9.3/8.9.3) with SMTP id LAA02412; Thu, 27 Jul 2000 11:34:04 +0200 (MET DST) Message-Id: <3.0.5.32.20000727113404.03a09be0@localhost> X-Sender: jbr@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 27 Jul 2000 11:34:04 +0200 To: Ambarish Malpani <ambarish@valicert.com> From: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: RE: OCSP request Cc: ietf-pkix@imc.org In-Reply-To: <27FF4FAEA8CDD211B97E00902745CBE2B4173E@seine.valicert.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id CAA06547 Hello Ambarish. At 07:10 26.07.00 -0700, Ambarish Malpani wrote: >1. OCSP responses are not meant to be weak at all. The meaning of >good is "not revoked" or "still good" (as long as the certificate >was correctly issued and hadn't expired before the ArchiveCutoff >date). >From RFC 2560: The "good" state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued By saying that OCSP responses are "weak" I had the last sentence in mind. An OCSP responder can give me a "good" even if the CA did not issue the certificate. Minimum-RFC2560-OCSP-responses with "Good" don't tell me whether the certificate ever existed. "Weak" is probably a bad word for it. >The problem you might run into, >is say, somebody builds an ISIS OCSP server and somebody else >tries to use it with say a Netscape Communicator OCSP client. The >two products will claim to talk OCSP, but will actually be saying >different things in their requests and responses and nobody else >will ever know. Yes, I see. One question (mainly an attempt to try to understand rfc 2560): Why didn't you include specifications for the issuance questions into rfc 2560? Obviously you were aware of the problem because the description of "good" says that such information may be delivered by extensions. And why isn't there a fourth state "noSuchCert" besides good,revoked,unknown? I understand that it was the intention to be able to build CRL-based OCSP Responders, but I don't see why it should have been impossible to combine the two things. >b. The reason why the change ISIS has proposed is "wrong" is: >In an OCSP request, you identify a cert by the hash of the CA's >public key [and the hash of the CA's name] and the certificate >serial number. If somebody had compromised the CA's public key, >all they would need to do, is create a new certificate with a >serial number that corresponds to a legitimate serial number, but >a different subject public key and there goes the ability of the >OCSP responder to tell you anything useful. Yes. Therefore the OCSP Response should contain a hash of the certificate in an extension, see my mail from yesterday "good in OCSP Responses. Was: Re: OCSP request". This is the ISIS certHash extensions Simon is refering to in his mail from 10:28 today. >Part of why it is valuable to at least pose desires to change the >interpretations of RFCs on this kind of a list, is you might >actually get some useful input from others, who might think about >a problem in different ways. > >Does that make sense? Well one problem is that it's difficult to see what the interpretation of RFC2560 is that the authors had in mind... . >P.S. Again, if you do pose the problems you want to solve, there >might be other reasonable ways of extending OCSP [within the >framework of the protocol], that might better fit in with the RFC >itself. We try that, see the certHash extension... . Regards, Juergen -- Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 Sonninstraße 24-28 mailto:brauckmann@trustcenter.de D-20097 Hamburg http://www.trustcenter.de Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA06077 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 02:10:02 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id LAA11792; Thu, 27 Jul 2000 11:17:09 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id LAA31550; Thu, 27 Jul 2000 11:12:39 +0200 Message-ID: <397FFD09.945AE1E@bull.net> Date: Thu, 27 Jul 2000 11:12:41 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Simon Tardell <simon.tardell@iD2tech.com> CC: IETF PKIX Mailing List <ietf-pkix@imc.org> Subject: Re: OCSP request References: <C0E81C20AD21D311BDB200805FCCD9412F62CF@aunt9.ausys.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Simon, Bob picked up the same sentence in one of your E-mails and replied. I would like to comment on the same sentence. (text deleted) > Now, if a key gets compromised, you cannot trust *any* signatures by that > key (before or after compromise), because you cannot trust the signer's > assertion of what time it was. This is untrue. See the paper I co-wrote with Hans Nilson about the rational for using a time stamp. If the key of the TSA is not compromised, then you can prove that a given digital signature was done after the key compromise. > A practical system has to protect itself from > that somehow. Enters time stamping. A time stamping service would probably > check the revocation status of the signatory cert and store that together > with the time stamp. This is certainly not the definition of a time stamping service within the PKIX WG. The TSA does NOT "check the revocation status of the signatory cert and store that together with the time stamp". Denis > Simon > Simon Tardell, Software Architect, iD2 Technologies > voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 > simon.tardell@iD2tech.com, http://www.iD2tech.com > Securing the Internet economy Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA05712 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 01:57:44 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id LAA20084; Thu, 27 Jul 2000 11:04:50 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id LAA31720; Thu, 27 Jul 2000 11:00:20 +0200 Message-ID: <397FFA26.BC47A149@bull.net> Date: Thu, 27 Jul 2000 11:00:22 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Juergen Brauckmann <brauckmann@trustcenter.de> CC: ietf-pkix@imc.org Subject: Re: OCSP request References: <3.0.5.32.20000726145755.03772bc0@localhost> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Juergen, See my comments below. > Ambarish, Simon, > > I'm a member of the group that worked on the ISIS. Comments below... . > > >> -----Original Message----- > >> From: Simon Tardell [mailto:simon.tardell@iD2tech.com] > >> Sent: Tuesday, July 25, 2000 8:45 AM > >> To: 'Ambarish Malpani'; Simon Tardell; 'Rich Salz'; Joerg Seidel > >> Cc: ietf-pkix@imc.org > >> Subject: RE: OCSP request > [...] > >> Also, in your interpretation (and mine) "unknown" means "I > >> don't know or will not say". As a client a perfectly > >> reasonable reaction to that would be to come back and > >> check later or go to another OCSP responder (assuming I > >> have a list to choose from) and query that responder. > This means that a client *never* can get an authoritive answer that the > certificate is faked (by the way of a CA key compromise) because a client > has no way of knowing whether he talked to all OCSP Responders that may > know something about the certificate. This is incorrect. You need to query an OCSP server you trust, either directly (indicated by out-of-bands means), or because it is indicated within the user certificate. > >> However, it is possible to interpret the "unknown" > >> definition as an assertion that "I know that this > >> certificate is not issued". This is the interpretation > >> taken by the German Trust Center Work Group in their ISIS spec. > RFC2560: > The "unknown" state indicates that the responder doesn't know about > the certificate being requested. > ISIS: > "Such a reply means that the queried directory service (SigG) cannot > provide information about this certificate, since it was not issued > by the corresponding certification authority or was not entered into > the directory service (SigG)." > Let me try to explain why we want to have "hard" responses from directory > services. The minimum requirements to OCSP in RFC2560 are "weak" in the > sense that there is only one real answer ("revoked") and two answers > ("unknown" and "good") which basically mean "Hm, I'm not sure". Minimum > RFC2560-OCSP only provides blacklist functionality. Nearly. It is not a "minimum" requirement, it is a "maximum" requirement. Suppress "Minimum". The right sentence is: "RFC2560-OCSP only provides blacklist functionality". This allows OCSP responders to base their responses using CRLs only and no other information. > This is not sufficient for systems that must be robust/tolerant against CA > key compromise or such things. Key compromise is an exceptional event (that should not happen, but might happen) that must be addressed under a disaster recovery plan (i.e. revoke the CA whose key has been compromised in all the certificates that has been issued for that CA by other CAs). This does not mean using means that *permanently* address that case. If you mandate an OCSP response in the sense you mention, then this means two things: 1) you deny the use of CRLs, and 2) you also deny the local checking of the digital signature from a CA over any certificate (it means that a local checking by a RP is never sufficient since anyway an access to a trusted copy certificate is necessary in a trusted database from the CA which has issued it). So your model is *very* different from the path validation model that is currently described in RFC 2459 (or its successor). This is pretty different from RF 2459. > It is also not sufficient for long term > validation of signatures, where you might have, e.g., a signature and a > certificate with an expired crypto algorithm, and a chain of timestamps > with valid algorithms, and where you want to verify the state of the > certificate that made the signature. In this situation you cannot rely on > the certificate itself as an evidence that a CA ever issued it, you must > ask the CA. This is wrong. A chain of time stamps protects against key compromise, as well as weak algorithms, as long as the timestamps have been applied before the key has been compromised or the algorithm has been found weak. So there is no need to ask the CA. > In such systems a directory service must be able to give real *positive* > answers about certificates ("Yes, my CA issued this certificate."). This > means we need white lists. This can be done by using OCSP and interpreting > "unknown" as "The certificate was not issued by this CA", and by > interpreting "good" as "The certificate was issued by this CA and not > revoked". No. OCSP is not based on the use of white lists. RFC 2459 allows the use of CRLs and also allows the use of on-line methods of revocation notification (like OCSP) as another way of providing the same level of service. Section 3.3 on revocation of RFC 2459 explicitly states the following: " However, this profile does not require CAs to issue CRLs. Message formats and protocols supporting on-line revocation notification may be defined in other PKIX specifications. On-line methods of revocation notification may be applicable in some environments as an alternative to the X.509 CRL." Denis > The semantics of "Good" is left rather unspecified in RFC2560, why > shouldn't also "Unknown" be the subject of profile-specific > interpretations? Why should that be "very, very wrong"? > > Juergen > -- > Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 > TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 > Sonninstraße 24-28 mailto:brauckmann@trustcenter.de > D-20097 Hamburg http://www.trustcenter.de Received: from naigwy (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id BAA05433 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 01:55:37 -0700 (PDT) Received: FROM aunt15.ausys.se BY naigwy ; Thu Jul 27 10:56:48 2000 +0200 Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id <PXJF9X21>; Thu, 27 Jul 2000 10:58:15 +0200 Message-ID: <C0E81C20AD21D311BDB200805FCCD9412F62ED@aunt9.ausys.se> From: Simon Tardell <simon.tardell@iD2tech.com> To: "'Ambarish Malpani'" <ambarish@valicert.com>, "'Juergen Brauckmann'" <brauckmann@trustcenter.de> Cc: ietf-pkix@imc.org Subject: RE: OCSP request Date: Thu, 27 Jul 2000 10:58:17 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Ambarish, > b. The reason why the change ISIS has proposed is "wrong" is: > In an OCSP request, you identify a cert by the hash of the CA's > public key [and the hash of the CA's name] and the certificate > serial number. If somebody had compromised the CA's public key, > all they would need to do, is create a new certificate with a > serial number that corresponds to a legitimate serial number, but > a different subject public key and there goes the ability of the > OCSP responder to tell you anything useful. ISIS defines an extension holding the hash of the certificate for this purpose. Simon. Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA02029 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 00:11:01 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id JAA13118; Thu, 27 Jul 2000 09:18:06 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id JAA30936; Thu, 27 Jul 2000 09:13:35 +0200 Message-ID: <397FE121.538D1C82@bull.net> Date: Thu, 27 Jul 2000 09:13:37 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Bob Jueneman <bjueneman@novell.com> CC: ietf-pkix@imc.org Subject: Re: Dual-signed certificates References: <s97f1741.027@prv-mail20.provo.novell.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Bob, (text deleted) I will only comment on one point. > Denis proposed: > > There exists a way, including by a procedure that is verifiable for > every received signature by any relying party. In the stuff that got > signed, you include the identifier of the certificate. This may be > done by using CMS (or is mandated in ES 201733). There is no need to > invent a double-signed certificate. > The point is that this procedure works for every legitimate > document that I signed, but is not enforceable AS AN EXPECTATION > against some illegitimate use of my certificate/key. > Now I grant that a CA can easily create a key pair and a certificate > that would impersonate me for some small number of documents. But > I would attempt to repudiate that so-called signature by saying, > "That signature and key is not mine, and I have never sees or made > beneficial use of that key. Not exactly. You are going to challenge the CA/RA to prove that you asked for that public key, no matter if the private has been used. If the CA/RA cannot present the right registration information, then you win. > My key is xxxxxxx, and in fact > I _have_ made extensive use of that key, and I have signalled my > acceptance of that key, the certificate, and the terms and > conditions of that certificate by counter-signing it and distributing > widely in that counter-signed format." This would not prove anything in the case you just mention above, because the (bad) CA could do that "for" you. > The rogue CA could claim the same thing, of coruse, but then > I would ask to see demonstrated beneficial use on my behalf, > for example goods that were ordered and delivered (and accepted) > to my address, based on that key. No. This is not necessary. The registration information is essential. Denis (further text deleted) Received: from florida.melco.co.jp (florida.melco.co.jp [192.218.140.46]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA01643 for <ietf-pkix@imc.org>; Thu, 27 Jul 2000 00:06:51 -0700 (PDT) Received: by florida.melco.co.jp (3.7W-florida) id QAA23915; Thu, 27 Jul 2000 16:09:59 +0900 (JST) Received: by mailgw.melco.co.jp (3.7W-mailgw) id QAA15529; Thu, 27 Jul 2000 16:09:59 +0900 (JST) Received: by inetgw.melco.co.jp (8.8.8+2.7Wbeta7/3.7W-inetgw) id QAA27173; Thu, 27 Jul 2000 16:09:59 +0900 (JST) Received: from islgw.isl.melco.co.jp by elgw.isl.melco.co.jp (8.8.8/3.6W) id QAA24318; Thu, 27 Jul 2000 16:09:58 +0900 (JST) Received: from iss.isl.melco.co.jp by islgw.isl.melco.co.jp (8.8.8/3.6W) id QAA27159; Thu, 27 Jul 2000 16:09:58 +0900 (JST) Received: from belize by iss.isl.melco.co.jp (8.8.8/3.6W) id QAA19468; Thu, 27 Jul 2000 16:09:57 +0900 (JST) Message-ID: <00d401bff799$e85191a0$78054a0a@iss.isl.melco.co.jp> From: "Hiroyuki Sakakibara" <sakaki@iss.isl.melco.co.jp> To: <ietf-pkix@imc.org> Subject: RE: Dual-signed certificates Date: Thu, 27 Jul 2000 16:11:38 +0900 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-2022-jp" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Hi. I am interested in this topic. A self-signed certificate that contains the original certificate as an extension within it, or, a dual-signed certificate using CMS SignedData are recommended in this-list. On Mon, 24 Jul 2000 Mr. Russ Housley wrote: >Bob: >There are some significant technical issues here. The subject cannot sign >first because it does not know the values that will be assigned for several >fields, like the serial number. The subject cannot sign second >either. The insertion of an additional extension will break the issuer >signature. >Thus, to proceed in this vain, complex processing must be defined that says >which parts of the certificate a re coved by the subject signature in the >extension. I think that the processing is complex enough.... >Russ Is a X.509 ver3 certificate, including such as "Issuance Agreement"extension signed by a subject not feasible ? Extension : Issuance Agreement means that "Subject agrees with issuance of his certificate which includes fields and values described in this agreement." Fields and values include public key, issuer name, subject name, extensions etc..., but DO NOT include CA's signature. When a CA receives a request from a subject, creates "Issuance Agreement" and shows it to the subject. If the subject agrees it before issuance, he signs it and give it to the CA. The CA issues the subject certificate including "signed Issuance Agreement" as an extension. (I attach more detais to end) I think that this style natural. Because, in this style, CA's signature certifies "the subject public key and the subject's signature on Issance Agreement in the extension", but the subject's signature DOES NOT certifies "CA's signature". "the subject sign second" style, such as a self-signed certificate that contains the original certificate as an extension within it, I think it means that (1) the subject's self-signed signature certifies the CA's signature on the subject certificate inside, (2) the CA's signature on the subject certificate certifies the subject public key. (3) subject public key in (2) can be used to verify the subject's signature (1). Eventhough the subject self-signed certificate contains ID of the original certificate and its hash value, instead of the original itself, this also certifies the CA's signature of the original certificate indirectly. Is this kind of Cross-Certification or nested certification, or the tail wags the dog ? ( Am I misunderstanding ??? ) However, as Mr.Housley wrote, a new protocol, data, the processing must be specified for such as a certificate including "Issuance Agreement" extension. "the subject sign first" style. I attach my idea to end of this mail. Hiroyuki Sakakibara MITSUBISHI ELECTRIC CORPORATION ------------------------------------------------------- Indeed, I think that a new certificate issuance protocol for Issuance Agreement extension is needed in order to solve the chickenAndEgg probolem, like this. 1.Subject -----> CA : Cert request(including Subject PublicKey) 2.Subject <----- CA : Issuance Agreement 3.Subject -----> CA : Signed Issuance Agreement by Subject PrivateKey (Subject confirms that "My cert are going to include information described in Issuance Agreement", if he agrees, then signs it.) 4.Subject <----- CA : Subject Cert including "Signed" Issuance Agreement as a extension of X.509 ver3 Contents of Issuance Agreement : Fields and values in Subject Certificate to be issued in step 4, { version Issuer name Subject name SerialNumber(optional), Algorithm Subject Public Key Information notBefore(optional) notAfter extensions( certPolicies, nameConstraints, keyUsage ... etc ) CA's signature algorithm } If a subject checks the contents in step 2, he can know what his certificate is going to include. Some CAs may assign SerialNumber and notBefore(scheduled) field, some CAs may not, when CAs create Issuance Agreement. If a CA can assign scheduled notBefore value in Issuance Agreement, like, "Your certificate is going to be valid after 200007261200Z", and if the issued subject certificate inculdes the same value in validity notBefore field, I think that it is OK. If RelyingPertiy finds that validity notBefore does not match with notBefore in the Signed Issuance Agreement extension field, then RP can reject it. I think that eventhough the contents does not include SerialNmber field, Subject can know that what his certificate should be avilable for, "My public key is going to be certified by Issuer and I am the holder, and can be used by following these validity, certPolicies, keyUsage etc..." But this Issuance Agreement extension is as large as his certificate itself. So some techinique which can reduce this extension size is needed, for example, applying a hash function etc... ( I think that a self-signed certificate that contains the original certificate as an extension within it has the same problem, maybe, the size would be twice ? ) ------------------------------------------------------------------------ Hiroyuki Sakakibara MITSUBISHI ELECTRIC CORPORATION Information Technology R&D Center 5-1-1 Ofuna, Kamakura, Kanagawa, Japan PHONE: +81-467-41-2183 FAX: +81-467-41-2185 E-mail : sakaki@iss.isl.melco.co.jp Received: from mail-fwd.verio-web.com (mail11a.verio-web.com [161.58.16.57]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id VAA25080 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 21:38:54 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11a.verio-web.com (RS ver 1.0.57s) with SMTP id 02311109; Thu, 27 Jul 2000 00:41:57 -0400 (EDT) Received: from caveosystems.com (lynn1-pm3-s02-87.port.shore.net [204.167.109.87]) by pc1.caveosystems.com (8.9.3/8.9.3) with ESMTP id AAA30801; Thu, 27 Jul 2000 00:42:24 -0400 Message-ID: <397FBE33.4BCE4BCE@caveosystems.com> Date: Thu, 27 Jul 2000 00:44:35 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Ambarish Malpani <ambarish@valicert.com> CC: ietf-pkix@imc.org Subject: Re: OCSP request References: <27FF4FAEA8CDD211B97E00902745CBE2B41741@seine.valicert.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 > I was thinking of something like adding an extension in the > request which asks: isCertInDirectory > and the response is: yes, no, don'tknow sure, all the more reason for my "reply signatures' controls. :) Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA17767 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 19:57:17 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FYC003015O298@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 26 Jul 2000 20:00:16 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FYB00KEEAMOD6@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 26 Jul 2000 08:49:36 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36007D4W>; Wed, 26 Jul 2000 08:41:05 -0700 Content-return: allowed Date: Wed, 26 Jul 2000 08:41:03 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: OCSP request To: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2B41741@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Hi Rich, I was thinking of something like adding an extension in the request which asks: isCertInDirectory and the response is: yes, no, don'tknow A --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: Rich Salz [mailto:rsalz@caveosystems.com] > Sent: Wednesday, July 26, 2000 7:52 AM > To: Ambarish Malpani > Cc: ietf-pkix@imc.org > Subject: Re: OCSP request > > > > I like the idea of asking a separate question about whether a > > cert is in a directory (or ever issued) and getting a separate > > answer for that. > > But then you need something like draft-salzr-ldap-repsig to > ensure that > nobody has tampered with, or interecepted the communications to/from, > the repository. > /r$ > Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id QAA04634 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 16:17:32 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Wed, 26 Jul 2000 17:19:59 -0600 Message-Id: <s97f1dbf.082@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Wed, 26 Jul 2000 17:20:00 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <richard.levitte@celocom.se>, <simon.tardell@iD2tech.com>, <brauckmann@trustcenter.de> Cc: <Karl.Scheibelhofer@iaik.at>, <ietf-pkix@imc.org> Subject: RE: OCSP request Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id QAA04635 I don't mean to pick on Simon twice in one day, but his assertions regarding the benefit of timestamping don't make legal sense. >Now, if a key gets compromised, you cannot trust *any* signatures by that >key (before or after compromise), because you cannot trust the signer's >assertion of what time it was. A practical system has to protect itself from >that somehow. Enters time stamping. A time stamping service would probably >check the revocation status of the signatory cert and store that together >with the time stamp. If the certificate is revoked for cause, e.g, a change of name, change of status, etc., then (generally speaking) whoever did in fact sign the document is legally liable for the consequences, regardless of the revocation status. (Note that I said whoever in fact signed the document, NOT necessarily the apparent subscriber.) All that the revocation does is to change the reasonableness of the presumption that the transaction was valid -- it doesn't change the _fact_ of who signed it -- they are still personally liable. The other case is where a key compromise is suspected. Depending on the circumstances, that compromise might or might not be known. If a smart card is lost, the time could probably be pinned down to a day or so, but if someone's password for a software-encrypted key were compromised, no one is likely to know IF that occurred, much less when. In the second case, therefore, it may be completely immaterial as to when a given document was signed, and all of the timestamps in the world won't help, if in fact the key was compromised a year earlier, covertly. The real issue is not a technical one, but two legal ones. The first is, in the event of a challenged signature (attempted repudiation), which party bears the burden of proof. Depending upon the specific statutes, the revocation of a certificate MAY serve to transfer the burden of proof to the relying party, to show that the reliance on the transaction was commercially reasonable. Some of the original digital signature statutes, such as the much maligned Utah Act, attempted to answer that question with a rebuttable presumption, assuming that the certificate was issued by a licensed CA. The second issue is, regardless of who has the burden of proof, who bears the risk of loss in the event that the subscriber did not in fact sign the transaction. is the subscriber strictly liable, or is the relying party required to show both commercial reasonableness and perhaps to bear some or all of the risk of loss? Those aren't technical questions, they are legal ones, and OCSP can't help very much. Bob Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id PAA03742 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 15:49:50 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Wed, 26 Jul 2000 16:52:17 -0600 Message-Id: <s97f1741.027@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Wed, 26 Jul 2000 16:52:18 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ietf-pkix@imc.org> Subject: RE: Dual-signed certificates Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id PAA03743 To respond to several of the Chicken and Egg points raised, obviously the second signature could not be included within the scope of the first. I was remiss in describing this as a certificate attribute, because that would imply that it was embedded within the certificate signed by the issuer. So some new kind of format would have to be devised, where the signature would be appended. I rather like the concept of a self-signed certificate that contains the original certificate as an extension within it. If I trust the signer and his public key through some out of band mechanism, or thorough continued use, I can stop there, but if I haven't received the key any other way I can look inside and proceed from there. After reading the comments by Simon Tardell and Denis Pinckas, I realized that perhaps I hadn't made my original point sufficiently clear. In the meantime, some jocular references to 7-11 and McDonalds providing physical point of presense confirmation to a CA actually helps make my point. The present, more or less-well-accepted CA model is that the subscriber goes to a local RA and requests a certificate be issued in his name. That RA is then free to add or modify whatever it likes to the certificate request, and sends it on to the CA to be certified. But the CA, depending on its CP and CPS, may add, modify, or delete information in the certificate request to suit its own purposes. It could add DN qualification to make the DN unique, it could add various policy OIDs and policy constraints -- whatever it wishes to do. It then sends the certificate back to the user, or posts it in a repository, but with no nonrepudiable evidence that either the RA or the subscriber had in fact agreed to those changes or additions! Moreover, a rogue CA could create two such certificates, one containing terms favorable to it, and another closer to what the subscriber had originally requested. Now, because the inclusion of the certificate in a transaction to be signed is (1) optional, and (2) only applies to transactions per se and not to session authentication or encryption, the relying party has no way of knowing whether the user in fact agreed to those terms.. This is why relying on a signed CMS object won't work -- the RP has no good way of knowing whether that format was expected or not. Denis proposed: ><There exists a way, including by a procedure that is verifiable for every received signature by any relying party. In the stuff that got signed, you include the identifier of the certificate. This may be done by using CMS (or is mandated in ES 201733). There is no need to invent a double-signed certificate. The point is that this procedure works for every legitimate document that I signed, but is not enforceable AS AN EXPECTATION against some illegitimate use of my certificate/key. Now I grant that a CA can easily create a key pair and a certificate that would impersonate me for some small number of documents. But I would attempt to repudiate that so-called signature by saying, "That signature and key is not mine, and I have never sees or made beneficial use of that key. My key is xxxxxxx, and in fact I _have_ made extensive use of that key, and I have signalled my acceptance of that key, the certificate, and the terms and conditions of that certificate by counter-signing it and distributing widely in that counter-signed format." The rogue CA could claim the same thing, of coruse, but then I would ask to see demonstrated beneficial use on my behalf, for example goods that were ordered and delivered (and accepted) to my address, based on that key. A dual-signed certificate would also be beneficial to the good CAs, because it would provide a degree of proof that I had in fact accepted the certificate. I believe that there is another point to be made here as well, and that is that trust accumulates incrementally with every accepted and reliable use of the key. For the very first transaction with a particular subscriber, the relying party has little or no basis for trust, per se, except that if he trusts the CA he can presumably trust that the subscriber is correctly (if not unambiguously) identified. So I know that the subject is "Bob Jones" or maybe "Village Idiot #13", but I don't know that I can trust that particular individual to either do or not do particular things. Even if the certificate claims that the subscriber has agree to certain terms and conditions, I have no way of verifying the fact that that subscriber has really agreed to those terms, and I probably cannot sue the CA to enforce those terms if the subscriber defaults. So I really want to know what representations the subscriber is making to me, directly. However, for every transaction after the first, I have an additional degree of knowledge regarding that user. I may not even care what his name is, or whether he has agreed to this, that, or the other certificate policy, so long as I get paid for the agreed upon transaction. Sooner or later, the original identification by the RA and CA becomes almost irrelevant -- after all, they weren't testifying as to whether the person was financially solvent and a responsible bill payer, but I will come to know that. Likewise, to switch metaphors, if I am a hospital administrator and I decide to revoke a doctor's staff priviledges because too many of his patients have been dying, I really don't care what some public CA happens to think about the validity of that doctor's certificate. The point is that in many respects we tend to grant an excessive amount of authority to the CA in terms of establishing policy, etc., and yet in most cases (other than some closed user groups) the CA is not in a position to be able to enforce those policies against a particular user. So the real issue is what terms and conditions the subscriber has agreed to, and how that acceptance can be reliably made known. (This point of view may of course be anathema to those who espouse a top-down, authoritarian control structure, including many European countries and perhaps the US DOD. Chacun a son gout.:-) Bob >>> Simon Tardell <simon.tardell@iD2tech.com> 07/22/00 06:46AM >>> > However, do people think it appropriate for the real external > certificate to be carried around inside a CMS SignedData or a > self-signed certificate? It certainly can be done, but should it? If I've been reading the thread correctly the physical world analogy of the "threat" that this would countermeasure is that a bank noone ever heard of would issue an ID card with my picture (which they can do, because they saw my ID card once) to someone who doesn't look like me and the question is not whether you can trust the odd-looking fellow, but whether you can trust that bank. When it comes to well-known banks, government branches, etc I assume they won't do this, and I would not trust even my closest friends to be able to assert with any degrees of certitude if a bank is honest or not issuing certs. And no number of assertions that a Mickey Mouse CA issues a certificate to the right guy would make me trust that CA to always do the right thing (even if I would trust the particular certs it issued). I am bit skeptical here, not because web-of-trust models don't have a legitimate use, but rather because they don't mix very well with PKI. Simon Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from rom.antech.de (dns.antech.de [194.45.12.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA11461 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 08:32:25 -0700 (PDT) Received: from scherbius.secorvo.de (scherbius.secorvo.de [194.45.12.219]) by rom.antech.de (8.9.3/8.9.3) with ESMTP id RAA10343 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 17:19:02 +0200 Message-Id: <200007261519.RAA10343@rom.antech.de> From: "Stefan Kelm" <kelm@secorvo.de> Organization: Secorvo Security Consulting GmbH To: ietf-pkix@imc.org Date: Wed, 26 Jul 2000 17:34:25 +0200 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt Priority: normal In-reply-to: <397E86EF.167E64B6@bull.net> X-mailer: Pegasus Mail for Win32 (v3.12b) Denis, > Should we really mandate the presence of the QC statement (as being > the only way to indicate that a certificate is a QC) or should we > also allow the use of pre-defined Certificate Policy OID (making the > QC statement non mandatory) ? > > I think both options should be mentioned as possible I wholeheartedly agree with you. The QCStatement, as useful as it might be, should not be mandatory. Cheers, Stefan. -------------------------------------------------------- PKI-Symposium, 10.-11.Oktober 2000, www.pki-symposium.de -------------------------------------------------------- Dipl.-Inform. Stefan Kelm Security Consultant Secorvo Security Consulting GmbH Albert-Nestler-Strasse 9, D-76131 Karlsruhe Tel. +49 721 6105-461, Fax +49 721 6105-455 E-Mail kelm@secorvo.de, http://www.secorvo.de ------------------------------------------------------- PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B Received: from isis.wu-wien.ac.at (isis.wu-wien.ac.at [137.208.3.42]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA07832 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 07:58:27 -0700 (PDT) Received: from gourmet.wu-wien.ac.at (mfritsch@gourmet.wu-wien.ac.at [137.208.224.124]) by isis.wu-wien.ac.at (8.8.7/8.8.7) with SMTP id RAA59374emf Michael.Fritscher@wu-wien.ac.at; Wed, 26 Jul 2000 17:01:37 +0200 From: Michael Fritscher <Michael.Fritscher@wu-wien.ac.at> Reply-To: Michael.Fritscher@wu-wien.ac.at Organization: WU Wien To: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: RE: OCSP request Date: Wed, 26 Jul 2000 16:52:05 +0200 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain Cc: ietf-pkix@imc.org References: <3.0.5.32.20000726164011.04531100@localhost> In-Reply-To: <3.0.5.32.20000726164011.04531100@localhost> MIME-Version: 1.0 Message-Id: <00072617012000.01903@gourmet.wu-wien.ac.at> Content-Transfer-Encoding: 8bit On Wed, 26 Jul 2000, Juergen Brauckmann wrote: > At 07:20 26.07.00 -0700, Frank Balluffi wrote: > >Juergen, > > > >If by an "expired crypto algorithm" you mean an algorithm that is known to > >be insecure, then it may also not be possible to rely upon signed OCSP > >responses. This sounds like a red herring to me. > > Simple example: Certificate from 1990 with 512-bit RSA signature by the CA, > OCSP Response with an up-to-date certificate with 1024 or 2048 bit RSA key. > > You cannot necessarily rely on the 512-bit signature, but you could rely > upon the OCSP response signature. > The problem in this context is not so much to be able to rely upon the OCSP response, but rather that you may have a relyable OCSP response on a certificate that can have been "easily faked" in the meantime... Michael -- ------------------------------------------------------------ | Michael Fritscher Michael.Fritscher@wu-wien.ac.at | Department of Information Systems, New Media | Vienna University of Economics and Business Administration | http://wwwi.wu-wien.ac.at/people/Fritscher.html | "A computer without windows NT is like a fish without a | bicycle." ------------------------------------------------------------ Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA07536 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 07:53:01 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FYB00L0185K00@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 26 Jul 2000 07:56:08 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FYB00KC785JDE@ext-mail.valicert.com>; Wed, 26 Jul 2000 07:56:07 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36007DRR>; Wed, 26 Jul 2000 07:47:37 -0700 Content-return: allowed Date: Wed, 26 Jul 2000 07:47:35 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: OCSP request To: "'Juergen Brauckmann'" <brauckmann@trustcenter.de>, Frank Balluffi <frankb@valicert.com> Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE20177B006@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id HAA07537 Juergen, Thank you for the clarification. I assumed that you meant an OCSP response from around the same time that the certificate was issued. In this case, the use of red herring inappropriate. In the case you described, why would the timestamper know to use a "chain of timestamps with valid algorithms", but not the CA (i.e., use a valid algorithm)? Just curious. Frank > -----Original Message----- > From: Juergen Brauckmann [mailto:brauckmann@trustcenter.de] > Sent: Wednesday, July 26, 2000 10:40 AM > To: Frank Balluffi > Cc: ietf-pkix@imc.org > Subject: RE: OCSP request > > > At 07:20 26.07.00 -0700, Frank Balluffi wrote: > >Juergen, > > > >If by an "expired crypto algorithm" you mean an algorithm > that is known to > >be insecure, then it may also not be possible to rely upon > signed OCSP > >responses. This sounds like a red herring to me. > > Simple example: Certificate from 1990 with 512-bit RSA > signature by the CA, > OCSP Response with an up-to-date certificate with 1024 or > 2048 bit RSA key. > > You cannot necessarily rely on the 512-bit signature, but you > could rely > upon the OCSP response signature. > > Juergen > -- > Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 > TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 > Sonninstraße 24-28 mailto:brauckmann@trustcenter.de > D-20097 Hamburg http://www.trustcenter.de > Received: from mail-fwd.verio-web.com (mail11a.verio-web.com [161.58.16.57]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA07293 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 07:49:19 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11a.verio-web.com (RS ver 1.0.57s) with SMTP id 02121978; Wed, 26 Jul 2000 10:51:57 -0400 (EDT) Sender: rsalz Message-ID: <397EFB22.A91959A6@caveosystems.com> Date: Wed, 26 Jul 2000 10:52:18 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Ambarish Malpani <ambarish@valicert.com> CC: ietf-pkix@imc.org Subject: Re: OCSP request References: <27FF4FAEA8CDD211B97E00902745CBE2B4173F@seine.valicert.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 > I like the idea of asking a separate question about whether a > cert is in a directory (or ever issued) and getting a separate > answer for that. But then you need something like draft-salzr-ldap-repsig to ensure that nobody has tampered with, or interecepted the communications to/from, the repository. /r$ Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA06819 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 07:38:37 -0700 (PDT) Received: by mystic1.trustcenter.de; id QAA29986; Wed, 26 Jul 2000 16:39:30 +0200 Received: from nodnsquery(192.168.200.3) by mystic1.trustcenter.de via smap (V5.0) id xma029975; Wed, 26 Jul 00 16:38:33 +0200 Received: from ew-jbr (titan.trustcenter.de [192.168.200.244]) by callisto.trustcenter.de (8.9.3/8.9.3) with SMTP id QAA23740; Wed, 26 Jul 2000 16:40:11 +0200 (MET DST) Message-Id: <3.0.5.32.20000726164011.04531100@localhost> X-Sender: jbr@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 26 Jul 2000 16:40:11 +0200 To: Frank Balluffi <frankb@valicert.com> From: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: RE: OCSP request Cc: ietf-pkix@imc.org In-Reply-To: <27FF4FAEA8CDD211B97E00902745CBE20177B005@seine.valicert.co m> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id HAA06820 At 07:20 26.07.00 -0700, Frank Balluffi wrote: >Juergen, > >If by an "expired crypto algorithm" you mean an algorithm that is known to >be insecure, then it may also not be possible to rely upon signed OCSP >responses. This sounds like a red herring to me. Simple example: Certificate from 1990 with 512-bit RSA signature by the CA, OCSP Response with an up-to-date certificate with 1024 or 2048 bit RSA key. You cannot necessarily rely on the 512-bit signature, but you could rely upon the OCSP response signature. Juergen -- Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 Sonninstraße 24-28 mailto:brauckmann@trustcenter.de D-20097 Hamburg http://www.trustcenter.de Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA06264 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 07:26:01 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FYB00K016WJVD@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 26 Jul 2000 07:29:08 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FYB00KA26WJDE@ext-mail.valicert.com>; Wed, 26 Jul 2000 07:29:07 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36007D35>; Wed, 26 Jul 2000 07:20:36 -0700 Content-return: allowed Date: Wed, 26 Jul 2000 07:20:34 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: OCSP request To: "'Juergen Brauckmann'" <brauckmann@trustcenter.de>, Ambarish Malpani <ambarish@valicert.com>, "'Simon Tardell'" <simon.tardell@iD2tech.com>, "'Rich Salz'" <rsalz@caveosystems.com> Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE20177B005@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id HAA06265 Juergen, If by an "expired crypto algorithm" you mean an algorithm that is known to be insecure, then it may also not be possible to rely upon signed OCSP responses. This sounds like a red herring to me. Frank > -----Original Message----- > From: Juergen Brauckmann [mailto:brauckmann@trustcenter.de] > Sent: Wednesday, July 26, 2000 8:58 AM > To: Ambarish Malpani; 'Simon Tardell'; 'Rich Salz' > Cc: ietf-pkix@imc.org > Subject: RE: OCSP request > > > Ambarish, Simon, > > I'm a member of the group that worked on the ISIS. Comments below... . > > >> -----Original Message----- > >> From: Simon Tardell [mailto:simon.tardell@iD2tech.com] > >> Sent: Tuesday, July 25, 2000 8:45 AM > >> To: 'Ambarish Malpani'; Simon Tardell; 'Rich Salz'; Joerg Seidel > >> Cc: ietf-pkix@imc.org > >> Subject: RE: OCSP request > >> > [...] > >> Also, in your interpretation (and mine) "unknown" means "I > >> don't know or > >> will not say". As a client a perfectly reasonable reaction to > >> that would be > >> to come back and check later or go to another OCSP responder > >> (assuming I > >> have a list to choose from) and query that responder. > > This means that a client *never* can get an authoritive > answer that the > certificate is faked (by the way of a CA key compromise) > because a client > has no way of knowing whether he talked to all OCSP > Responders that may > know something about the certificate. > > >> However, it is > >> possible to interpret the "unknown" definition as an > >> assertion that "I know > >> that this certificate is not issued". This is the > >> interpretation taken by > >> the German Trust Center Work Group in their ISIS spec. > > RFC2560: > The "unknown" state indicates that the responder doesn't know about > the certificate being requested. > > ISIS: > "Such a reply means that the queried directory service > (SigG) cannot > provide information about this certificate, since it > was not issued > by the corresponding certification authority or was not > entered into > the directory service (SigG)." > > Let me try to explain why we want to have "hard" responses > from directory > services. The minimum requirements to OCSP in RFC2560 are > "weak" in the > sense that there is only one real answer ("revoked") and two answers > ("unknown" and "good") which basically mean "Hm, I'm not > sure". Minimum > RFC2560-OCSP only provides blacklist functionality. > > This is not sufficient for systems that must be > robust/tolerant against CA > key compromise or such things. It is also not sufficient for long term > validation of signatures, where you might have, e.g., a > signature and a > certificate with an expired crypto algorithm, and a chain of > timestamps > with valid algorithms, and where you want to verify the state of the > certificate that made the signature. In this situation you > cannot rely on > the certificate itself as an evidence that a CA ever issued > it, you must > ask the CA. > > In such systems a directory service must be able to give real > *positive* > answers about certificates ("Yes, my CA issued this > certificate."). This > means we need white lists. This can be done by using OCSP and > interpreting > "unknown" as "The certificate was not issued by this CA", and by > interpreting "good" as "The certificate was issued by this CA and not > revoked". > > > The semantics of "Good" is left rather unspecified in RFC2560, why > shouldn't also "Unknown" be the subject of profile-specific > interpretations? Why should that be "very, very wrong"? > > Juergen > -- > Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 > TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 > Sonninstraße 24-28 mailto:brauckmann@trustcenter.de > D-20097 Hamburg http://www.trustcenter.de > Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA06114 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 07:24:25 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FYB00K016TWV9@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 26 Jul 2000 07:27:32 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FYB00K9Z6TVDE@ext-mail.valicert.com>; Wed, 26 Jul 2000 07:27:31 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36007D3Y>; Wed, 26 Jul 2000 07:19:01 -0700 Content-return: allowed Date: Wed, 26 Jul 2000 07:18:59 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: OCSP request To: "'Simon Tardell'" <simon.tardell@iD2tech.com> Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2B4173F@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id HAA06115 Hi Simon, Again, we mostly agree... :-) I like the idea of asking a separate question about whether a cert is in a directory (or ever issued) and getting a separate answer for that. However, I don't agree that the B-and-W approach taken by ISIS is reasonable, because of the hole I talked about in my previous mail. Also, it is unclear that the "big bang" thing works where somebody uses the compomised CA's private key to issue a cert to an "imposter OCSP responder". Now, if a CA's key is compromised, the client still won't know, because it will see an OCSP response issued by an apparantly legitimate responder [unless you insist on the Direct Trust model in OCSP]. --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: Simon Tardell [mailto:simon.tardell@iD2tech.com] > Sent: Wednesday, July 26, 2000 7:16 AM > To: 'Juergen Brauckmann'; Ambarish Malpani; Simon Tardell; 'Rich Salz' > Cc: ietf-pkix@imc.org > Subject: RE: OCSP request > > > Jürgen, > > The black-list AND white-list approach taken by German > signature legislation > is good by me. It addresses the potential "big-bang" of CA > key compromise in > ways that are reasonable. However, I don't think you need to > change OCSP > semantics to do this. I see the German ISIS OCSP variety as a > change rather > than a profile, because an OCSP client has to behave differently when > talking to an ISIS OCSP responder than when talking to a world OCSP > responder. > > > The semantics of "Good" is left rather unspecified in RFC2560, why > > shouldn't also "Unknown" be the subject of profile-specific > > interpretations? Why should that be "very, very wrong"? > > One problem with altering the definition of "unknown" from "I > don't know" to > the assertion "I know this certificate has not been issued" > is that you may > have several OCSP responders to choose from (for availability > reasons) and > if one of them is unable to answer one or more of the > requests in an OCSP > request, it should be possible to go down the list, or come > back later. If > you don't distinguish between the "no" and "???" answer, you > don't have that > possibility. Even if an ISIS compliant PKI may not use this, > the end-user > may be part of other PKIs that do, and it'd be convenient to > be able to use > the same clients. > > Basically there are two independent assertions: revoked - > yes/no/don't-know > and issued - yes/no/don't-know. My suggestion is to treat > them on equal > footing. Restrict CertStatus to represent the first assertion > (yes/no/don't-know on revocation) and introduce an extension > for the second > assertion ("being inserted into the directory (SigG)") with the same > structure (yes/no/don't-know). Let this extension be critical > if the value > is "no" or "don't-know". In this way, non-ISIS compliant > clients will work > together with ISIS PKIs and vice versa, without losses. Of > course, some > combinations are unreasonable (you hardly revoke a > certificate that was > never issued) or may be disallowed by policy (maybe the > "don't-know" answers > are not possible due to policy). > > Orthogonality between assertions means that further > assertions ("was valid > at time X" was suggested) can be introduced in the same > manner, without > breaking unaware clients. That is probably the biggest advantage. > > One more comment: > > > >> Also, in your interpretation (and mine) "unknown" means > "I don't know > or > > >> will not say". As a client a perfectly reasonable > reaction to that > would be > > >> to come back and check later or go to another OCSP > responder (assuming > I > > >> have a list to choose from) and query that responder. > > > > This means that a client *never* can get an authoritive > answer that the > > certificate is faked (by the way of a CA key compromise) > because a client > > has no way of knowing whether he talked to all OCSP > Responders that may > > know something about the certificate. > > Sure he can. It's a matter of policy. Since you can't trust > the list of > responders in the AIA extension (because you fear CA key > compromise) you > have to have a hard-coded list. This is true whether you > allow for one or > several responders. > > Regards, > > Simon > > > Simon Tardell, Software Architect, iD2 Technologies > voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 > simon.tardell@iD2tech.com, http://www.iD2tech.com > Securing the Internet economy > > Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA05514 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 07:16:08 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FYB00K016G3UJ@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 26 Jul 2000 07:19:15 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FYB00K7B6G3D6@ext-mail.valicert.com>; Wed, 26 Jul 2000 07:19:15 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36007D3M>; Wed, 26 Jul 2000 07:10:44 -0700 Content-return: allowed Date: Wed, 26 Jul 2000 07:10:43 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: OCSP request To: "'Juergen Brauckmann'" <brauckmann@trustcenter.de> Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2B4173E@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 8BIT Hi Juergen, A few issues: 1. OCSP responses are not meant to be weak at all. The meaning of good is "not revoked" or "still good" (as long as the certificate was correctly issued and hadn't expired before the ArchiveCutoff date). 2. The meaning on unknown is "I don't know [or am not saying]" By changing these meanings, you do the following: a. You aren't doing OCSP any more - at least not as most of the rest of the world interprets it. The problem you might run into, is say, somebody builds an ISIS OCSP server and somebody else tries to use it with say a Netscape Communicator OCSP client. The two products will claim to talk OCSP, but will actually be saying different things in their requests and responses and nobody else will ever know. b. The reason why the change ISIS has proposed is "wrong" is: In an OCSP request, you identify a cert by the hash of the CA's public key [and the hash of the CA's name] and the certificate serial number. If somebody had compromised the CA's public key, all they would need to do, is create a new certificate with a serial number that corresponds to a legitimate serial number, but a different subject public key and there goes the ability of the OCSP responder to tell you anything useful. Part of why it is valuable to at least pose desires to change the interpretations of RFCs on this kind of a list, is you might actually get some useful input from others, who might think about a problem in different ways. Does that make sense? Regards, Ambarish P.S. Again, if you do pose the problems you want to solve, there might be other reasonable ways of extending OCSP [within the framework of the protocol], that might better fit in with the RFC itself. A --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: Juergen Brauckmann [mailto:brauckmann@trustcenter.de] > Sent: Wednesday, July 26, 2000 5:58 AM > To: Ambarish Malpani; 'Simon Tardell'; 'Rich Salz' > Cc: ietf-pkix@imc.org > Subject: RE: OCSP request > > > Ambarish, Simon, > > I'm a member of the group that worked on the ISIS. Comments below... . > > >> -----Original Message----- > >> From: Simon Tardell [mailto:simon.tardell@iD2tech.com] > >> Sent: Tuesday, July 25, 2000 8:45 AM > >> To: 'Ambarish Malpani'; Simon Tardell; 'Rich Salz'; Joerg Seidel > >> Cc: ietf-pkix@imc.org > >> Subject: RE: OCSP request > >> > [...] > >> Also, in your interpretation (and mine) "unknown" means "I > >> don't know or > >> will not say". As a client a perfectly reasonable reaction to > >> that would be > >> to come back and check later or go to another OCSP responder > >> (assuming I > >> have a list to choose from) and query that responder. > > This means that a client *never* can get an authoritive > answer that the > certificate is faked (by the way of a CA key compromise) > because a client > has no way of knowing whether he talked to all OCSP > Responders that may > know something about the certificate. > > >> However, it is > >> possible to interpret the "unknown" definition as an > >> assertion that "I know > >> that this certificate is not issued". This is the > >> interpretation taken by > >> the German Trust Center Work Group in their ISIS spec. > > RFC2560: > The "unknown" state indicates that the responder doesn't know about > the certificate being requested. > > ISIS: > "Such a reply means that the queried directory service > (SigG) cannot > provide information about this certificate, since it > was not issued > by the corresponding certification authority or was not > entered into > the directory service (SigG)." > > Let me try to explain why we want to have "hard" responses > from directory > services. The minimum requirements to OCSP in RFC2560 are > "weak" in the > sense that there is only one real answer ("revoked") and two answers > ("unknown" and "good") which basically mean "Hm, I'm not > sure". Minimum > RFC2560-OCSP only provides blacklist functionality. > > This is not sufficient for systems that must be > robust/tolerant against CA > key compromise or such things. It is also not sufficient for long term > validation of signatures, where you might have, e.g., a > signature and a > certificate with an expired crypto algorithm, and a chain of > timestamps > with valid algorithms, and where you want to verify the state of the > certificate that made the signature. In this situation you > cannot rely on > the certificate itself as an evidence that a CA ever issued > it, you must > ask the CA. > > In such systems a directory service must be able to give real > *positive* > answers about certificates ("Yes, my CA issued this > certificate."). This > means we need white lists. This can be done by using OCSP and > interpreting > "unknown" as "The certificate was not issued by this CA", and by > interpreting "good" as "The certificate was issued by this CA and not > revoked". > > > The semantics of "Good" is left rather unspecified in RFC2560, why > shouldn't also "Unknown" be the subject of profile-specific > interpretations? Why should that be "very, very wrong"? > > Juergen > -- > Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 > TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 > Sonninstraße 24-28 mailto:brauckmann@trustcenter.de > D-20097 Hamburg http://www.trustcenter.de > Received: from naigwy (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA05361 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 07:13:48 -0700 (PDT) Received: FROM aunt15.ausys.se BY naigwy ; Wed Jul 26 16:14:55 2000 +0200 Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id <PLMLF8VK>; Wed, 26 Jul 2000 16:16:21 +0200 Message-ID: <C0E81C20AD21D311BDB200805FCCD9412F62EA@aunt9.ausys.se> From: Simon Tardell <simon.tardell@iD2tech.com> To: "'Juergen Brauckmann'" <brauckmann@trustcenter.de>, Ambarish Malpani <ambarish@valicert.com>, Simon Tardell <simon.tardell@iD2tech.com>, "'Rich Salz'" <rsalz@caveosystems.com> Cc: ietf-pkix@imc.org Subject: RE: OCSP request Date: Wed, 26 Jul 2000 16:16:10 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id HAA05369 Jürgen, The black-list AND white-list approach taken by German signature legislation is good by me. It addresses the potential "big-bang" of CA key compromise in ways that are reasonable. However, I don't think you need to change OCSP semantics to do this. I see the German ISIS OCSP variety as a change rather than a profile, because an OCSP client has to behave differently when talking to an ISIS OCSP responder than when talking to a world OCSP responder. > The semantics of "Good" is left rather unspecified in RFC2560, why > shouldn't also "Unknown" be the subject of profile-specific > interpretations? Why should that be "very, very wrong"? One problem with altering the definition of "unknown" from "I don't know" to the assertion "I know this certificate has not been issued" is that you may have several OCSP responders to choose from (for availability reasons) and if one of them is unable to answer one or more of the requests in an OCSP request, it should be possible to go down the list, or come back later. If you don't distinguish between the "no" and "???" answer, you don't have that possibility. Even if an ISIS compliant PKI may not use this, the end-user may be part of other PKIs that do, and it'd be convenient to be able to use the same clients. Basically there are two independent assertions: revoked - yes/no/don't-know and issued - yes/no/don't-know. My suggestion is to treat them on equal footing. Restrict CertStatus to represent the first assertion (yes/no/don't-know on revocation) and introduce an extension for the second assertion ("being inserted into the directory (SigG)") with the same structure (yes/no/don't-know). Let this extension be critical if the value is "no" or "don't-know". In this way, non-ISIS compliant clients will work together with ISIS PKIs and vice versa, without losses. Of course, some combinations are unreasonable (you hardly revoke a certificate that was never issued) or may be disallowed by policy (maybe the "don't-know" answers are not possible due to policy). Orthogonality between assertions means that further assertions ("was valid at time X" was suggested) can be introduced in the same manner, without breaking unaware clients. That is probably the biggest advantage. One more comment: > >> Also, in your interpretation (and mine) "unknown" means "I don't know or > >> will not say". As a client a perfectly reasonable reaction to that would be > >> to come back and check later or go to another OCSP responder (assuming I > >> have a list to choose from) and query that responder. > > This means that a client *never* can get an authoritive answer that the > certificate is faked (by the way of a CA key compromise) because a client > has no way of knowing whether he talked to all OCSP Responders that may > know something about the certificate. Sure he can. It's a matter of policy. Since you can't trust the list of responders in the AIA extension (because you fear CA key compromise) you have to have a hard-coded list. This is true whether you allow for one or several responders. Regards, Simon Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id FAA00428 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 05:55:28 -0700 (PDT) Received: by mystic1.trustcenter.de; id OAA29055; Wed, 26 Jul 2000 14:56:20 +0200 Received: from nodnsquery(192.168.200.3) by mystic1.trustcenter.de via smap (V5.0) id xma029044; Wed, 26 Jul 00 14:56:16 +0200 Received: from ew-jbr (titan.trustcenter.de [192.168.200.244]) by callisto.trustcenter.de (8.9.3/8.9.3) with SMTP id OAA17975; Wed, 26 Jul 2000 14:57:55 +0200 (MET DST) Message-Id: <3.0.5.32.20000726145755.03772bc0@localhost> X-Sender: jbr@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Wed, 26 Jul 2000 14:57:55 +0200 To: Ambarish Malpani <ambarish@valicert.com>, "'Simon Tardell'" <simon.tardell@iD2tech.com>, "'Rich Salz'" <rsalz@caveosystems.com> From: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: RE: OCSP request Cc: ietf-pkix@imc.org In-Reply-To: <27FF4FAEA8CDD211B97E00902745CBE2B41727@seine.valicert.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id FAA00429 Ambarish, Simon, I'm a member of the group that worked on the ISIS. Comments below... . >> -----Original Message----- >> From: Simon Tardell [mailto:simon.tardell@iD2tech.com] >> Sent: Tuesday, July 25, 2000 8:45 AM >> To: 'Ambarish Malpani'; Simon Tardell; 'Rich Salz'; Joerg Seidel >> Cc: ietf-pkix@imc.org >> Subject: RE: OCSP request >> [...] >> Also, in your interpretation (and mine) "unknown" means "I >> don't know or >> will not say". As a client a perfectly reasonable reaction to >> that would be >> to come back and check later or go to another OCSP responder >> (assuming I >> have a list to choose from) and query that responder. This means that a client *never* can get an authoritive answer that the certificate is faked (by the way of a CA key compromise) because a client has no way of knowing whether he talked to all OCSP Responders that may know something about the certificate. >> However, it is >> possible to interpret the "unknown" definition as an >> assertion that "I know >> that this certificate is not issued". This is the >> interpretation taken by >> the German Trust Center Work Group in their ISIS spec. RFC2560: The "unknown" state indicates that the responder doesn't know about the certificate being requested. ISIS: "Such a reply means that the queried directory service (SigG) cannot provide information about this certificate, since it was not issued by the corresponding certification authority or was not entered into the directory service (SigG)." Let me try to explain why we want to have "hard" responses from directory services. The minimum requirements to OCSP in RFC2560 are "weak" in the sense that there is only one real answer ("revoked") and two answers ("unknown" and "good") which basically mean "Hm, I'm not sure". Minimum RFC2560-OCSP only provides blacklist functionality. This is not sufficient for systems that must be robust/tolerant against CA key compromise or such things. It is also not sufficient for long term validation of signatures, where you might have, e.g., a signature and a certificate with an expired crypto algorithm, and a chain of timestamps with valid algorithms, and where you want to verify the state of the certificate that made the signature. In this situation you cannot rely on the certificate itself as an evidence that a CA ever issued it, you must ask the CA. In such systems a directory service must be able to give real *positive* answers about certificates ("Yes, my CA issued this certificate."). This means we need white lists. This can be done by using OCSP and interpreting "unknown" as "The certificate was not issued by this CA", and by interpreting "good" as "The certificate was issued by this CA and not revoked". The semantics of "Good" is left rather unspecified in RFC2560, why shouldn't also "Unknown" be the subject of profile-specific interpretations? Why should that be "very, very wrong"? Juergen -- Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 Sonninstraße 24-28 mailto:brauckmann@trustcenter.de D-20097 Hamburg http://www.trustcenter.de Received: from sonne.darmstadt.gmd.de (sonne.darmstadt.gmd.de [141.12.62.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA27352 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 04:56:53 -0700 (PDT) Received: from secude.com ([141.12.207.27]) by sonne.darmstadt.gmd.de (8.8.8/8.8.5) with ESMTP id NAA02114; Wed, 26 Jul 2000 13:59:24 +0200 (MET DST) Message-ID: <397ED290.E85F34C7@secude.com> Date: Wed, 26 Jul 2000 13:59:12 +0200 From: Hans Schupp <schupp@secude.com> Organization: SECUDE GmbH X-Mailer: Mozilla 4.7 [de] (WinNT; U) X-Accept-Language: de MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: CRMF problems Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms318D14A5D9E1A9AD9E371545" Dies ist eine kryptographisch unterzeichnete Nachricht im MIME-Format. --------------ms318D14A5D9E1A9AD9E371545 Content-Type: multipart/mixed; boundary="------------E34C9A8BC25B1F7F047294CE" Dies ist eine mehrteilige Nachricht im MIME-Format. --------------E34C9A8BC25B1F7F047294CE Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hello, we just stepped over some possible problems with CRMF regInfo encoding. The format of the regInfo-utf8Pairs value is defined in appendix B.1 to be "[name?value][%name?value]*%", i.e. the percent sign is the delimiter of each pair. Two sentences later, the percent sign is "overloaded" to be used in the escaping of reserved characters (with reference to URL-encoding). IMHO this is a serious mistake and doesn't really work. Is there already a fix/amendment, or did nobody come across this problem yet? Why was such a kludge-like solution ([UTF-8]-encoding inside [ASN.1]-encoding) chosen in the first place? best regards, Hans Schupp PS: In RFC 2511, there is a slight inconsistency regarding the naming of the following OID: The first definition is id-regInfo-asciiPairs OBJECT IDENTIFIER ::= { id-regInfo 1 } later, it's defined as id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= { id-regInfo 1 } --------------E34C9A8BC25B1F7F047294CE Content-Type: text/x-vcard; charset=us-ascii; name="schupp.vcf" Content-Transfer-Encoding: 7bit Content-Description: Visitenkarte für Hans Schupp Content-Disposition: attachment; filename="schupp.vcf" begin:vcard n:Schupp;Hans tel;cell:(+49) 177 / 2452088 (private) tel;fax:(+49) 6151 / 82897 - 26 tel;work:(+49) 6151 / 82897 - 37 x-mozilla-html:FALSE url:http://www.secude.com org:<hr size=1><p align=right><b><font color=green>SECUDE</font></b> <i>Sicherheitstechnologie<br>Informationssysteme GmbH<br><font color=green>e-security for e-business</font></i> version:2.1 email;internet:schupp@secude.com adr;quoted-printable:;;NEW ADDRESS:=0D=0ADolivostr. 11=0D=0A;Darmstadt;;D-64293;Germany fn:Hans Schupp end:vcard --------------E34C9A8BC25B1F7F047294CE-- --------------ms318D14A5D9E1A9AD9E371545 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: Kryptographische Unterschrift mit S/MIME MIIFGAYJKoZIhvcNAQcCoIIFCTCCBQUCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC AzEwggMtMIICFaADAgECAgFOMA0GCSqGSIb3DQEBBQUAMFAxCzAJBgNVBAYTAkRFMRQwEgYD VQQKEwtTRUNVREUgR21iSDErMCkGA1UECxMiU0VDVURFIFRydXN0RmFjdG9yeSBJbmRpdmlk dWFscyBDQTAeFw05OTEwMjgxNTI2MzNaFw0wMTEwMjgxNTI2MzNaMDkxCzAJBgNVBAYTAkRF MRQwEgYDVQQKEwtTRUNVREUgR21iSDEUMBIGA1UEAxMLSGFucyBTY2h1cHAwgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBAP4CQoNsxm0rCW/ncYHxEGE9H4IStq2k0sAUJrKzBXvA1gkn c1jrMoQDEORcPjdIVoppbgt4xcmGz59GbGzrHQLDYX4wWtbpeuRQ5p//Dpw+ilA+dfH2WvOi v/OT4q04anv4tI1bHmfHjX0K/T9JoWJNduV1mhhBOvi+G/XG6VgjAgMBAAGjgawwgakwDgYD VR0PAQH/BAQDAgTwMBwGA1UdEQQVMBOBEXNjaHVwcEBzZWN1ZGUuY29tMFgGA1UdEgRRME+B F3RydXN0ZmFjdG9yeUBzZWN1ZGUuY29thjRodHRwOi8vd3d3LnNlY3VkZS5jb20vdHJ1c3Rm YWN0b3J5L2luZGl2aWR1YWxzY2EuY3J0MAwGA1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQD AgCgMA0GCSqGSIb3DQEBBQUAA4IBAQDB4naym+cwkZ9vjIIAJzoiNzsuywA1QiSElOnfnADa dD7NH3DyfRGjI5sjZBKpFuj2GDHXQBQnZikMxWI1H/J14IyZhv8CORIli8OboSfjavpMlQiJ oQOzO8FDk0j2dJBhOsBxkhGoO/GxTMy+xOdFHsBWsHHyQAFWlgdaCSPrgpq9fSDZ8+Kt5XIj pkyiWjkwnGr7espfevPB1weHlrO5tmD+KFKyVZ+cuDjf0ABAQDXP29HFWxve246Ga2SBnv0Y DTdDfIpVkeHbPd9n8LPGte7MNxM4s2GSJ7lY+p/z33TW0na+ZNmhdhaz8jmXSI/BP0Qvjy/b xKYfAKwvBFvLMYIBrzCCAasCAQEwVTBQMQswCQYDVQQGEwJERTEUMBIGA1UEChMLU0VDVURF IEdtYkgxKzApBgNVBAsTIlNFQ1VERSBUcnVzdEZhY3RvcnkgSW5kaXZpZHVhbHMgQ0ECAU4w CQYFKw4DAhoFAKCBsTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP Fw0wMDA3MjYxMTU5MTdaMCMGCSqGSIb3DQEJBDEWBBQ3cey2tgXZCVRDBvvEmzU46MjdozBS BgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAHBgUrDgMCBzAN BggqhkiG9w0DAgIBQDANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASBgEptbGKbSUHu zvMdBL3YQzrS/AHOPa1NBjnL6hBoXqLewnrWTvbUq474Efs8KOUk+PNl7txTFAUpL1EEzmZ3 zNs3WDubqm7YULuaqZ32ofTaqzvsoJN9S5esIZAyuLcDadCdIA/jjgTuCIYrgEs5190tosQg sihv4OPLsQJ5wP9K --------------ms318D14A5D9E1A9AD9E371545-- Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA13396 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 00:24:45 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id JAA42032; Wed, 26 Jul 2000 09:31:41 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id JAA40478; Wed, 26 Jul 2000 09:27:13 +0200 Message-ID: <397E92D2.6D468EA2@bull.net> Date: Wed, 26 Jul 2000 09:27:14 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Ambarish Malpani <ambarish@valicert.com> CC: "'Simon Tardell'" <simon.tardell@iD2tech.com>, "'Rich Salz'" <rsalz@caveosystems.com>, Joerg Seidel <seidel@maz-hh.de>, ietf-pkix@imc.org Subject: Re: OCSP request References: <27FF4FAEA8CDD211B97E00902745CBE2B41727@seine.valicert.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Ambarish, > Hi Simon, > Yes, we do, violently agree! > > I didn't know of the German ISIS interpretation of "unknown". That > is *not* the interpretation that any other group is taking. Do > you know who I can contact to help sort this out? I think it is > very, very wrong! I support your last assertion. As you stated "unknown" means "I don't know or will not say". This means I also agree with Simon. :-) Denis > Given this interpretation, I agree, the > wording could and should have been more explicit. > > Regards, > Ambarish > > --------------------------------------------------------------------- > Ambarish Malpani > Architect 650.567.5457 > ValiCert, Inc. ambarish@valicert.com > 339 N. Bernardo Ave. http://www.valicert.com > Mountain View, CA 94043 > > > -----Original Message----- > > From: Simon Tardell [mailto:simon.tardell@iD2tech.com] > > Sent: Tuesday, July 25, 2000 8:45 AM > > To: 'Ambarish Malpani'; Simon Tardell; 'Rich Salz'; Joerg Seidel > > Cc: ietf-pkix@imc.org > > Subject: RE: OCSP request > > > > > > Ambarish, > > > > Let me just start by pointing out that I agree with you > > (mostly). But not > > everybody agrees with me.... > > > > > Hi Simon, > > > Here is the text from RFC 2560: > > > > > > ---------------Start quote from RFC---------------------- > > > The "good" state indicates a positive response to the > > status inquiry. > > > At a minimum, this positive response indicates that the > > certificate > > > is not revoked, but does not necessarily mean that the > > certificate > > > was ever issued or that the time at which the response > > was produced > > > is within the certificate's validity interval. Response > > extensions > > > may be used to convey additional information on > > assertions made by > > > the responder regarding the status of the certificate such as > > > positive statement about issuance, validity, etc. > > > > > > The "revoked" state indicates that the certificate has > > been revoked > > > (either permanantly or temporarily (on hold)). > > > > > > The "unknown" state indicates that the responder doesn't > > know about > > > the certificate being requested. > > > > > > ---------------End quote from RFC---------------------- > > > > > > > > > Good means that it is not on the revoked list. If you wish to > > > assert other things, you can do so with extensions. > > > > > > Revoked means that it is on the revoked list (you can still assert > > > other things with extensions - nothing says you can't do that, > > > although I agree, it would have been better to say so explicitly. > > > > > > Unknown means you don't know - aren't willing to say either good > > > or bad (again, you can still use extensions to say more things). > > > > > > I am not sure which part of the language you are objecting > > > to. > > > > The problem I have is that a responder may through "good" > > assert that any > > number properties are true, *without* qualifying with > > extensions. On the > > other hand "revoked" means a negative assertion to only one of these > > properties. > > > > Also, in your interpretation (and mine) "unknown" means "I > > don't know or > > will not say". As a client a perfectly reasonable reaction to > > that would be > > to come back and check later or go to another OCSP responder > > (assuming I > > have a list to choose from) and query that responder. However, it is > > possible to interpret the "unknown" definition as an > > assertion that "I know > > that this certificate is not issued". This is the > > interpretation taken by > > the German Trust Center Work Group in their ISIS spec. Under those > > semantics, I can't expect any other responder to have better > > information. > > > > > Would it have > > > been satisfactory if we had the line starting "Response > > extensions... > > > validity, etc." in each of the 3 states? Would you have > > > preferred that we not have allowed for any extensions in responses? > > > > The preferred way would have been to restrict CertStatus to carry > > information only on revocation and force issuance, validity > > or any other > > property that you want to assert into extensions. Preferrably those > > extensions should have the same structure (assertion true, > > assertion false, > > i-don't-know). > > > > Simon. > > > > > > Simon Tardell, Software Architect, iD2 Technologies > > voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 > > simon.tardell@iD2tech.com, http://www.iD2tech.com > > Securing the Internet economy > > Received: from iaik.tu-graz.ac.at (excalibur.iaik.tu-graz.ac.at [129.27.152.30]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA11362 for <ietf-pkix@imc.org>; Wed, 26 Jul 2000 00:05:55 -0700 (PDT) Received: from hades [129.27.152.143] by iaik.tu-graz.ac.at (SMTPD32-6.00) id AE8B87D013C; Wed, 26 Jul 2000 09:08:59 +0200 Received: from localhost [127.0.0.1] by hades (IAIK S/MIME Mapper 2.0beta1 14/January/2000); Wed, 26 Jul 2000 09:08:24 +0100 From: "Karl Scheibelhofer" <Karl.Scheibelhofer@iaik.at> To: "IETF PKIX Mailing List" <ietf-pkix@imc.org> Subject: OCSP request Date: Wed, 26 Jul 2000 09:08:23 +0200 Message-ID: <NDBBJJNFOMNNKFDPLCDJEEJHCCAA.Karl.Scheibelhofer@iaik.at> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal if a certificate can only have the simple histories (issue)-valid-expired and (issue)-valid-revoked, there is no problem. generalized: when a certificate becomes invalid (revoked or expired) it remains invalid forever. but, if a certificate can be suspended (= invalid for some time), i cannot use OCSP as is to find that out later on when the certificate is no longer suspended. what i would like to have: from the client's point of view, i want to ask the OCSP server: was this certificate valid during the whole time interval [t1,t2]? in case of successful processing of request the server should respone: - certificate was valid during whole time interval [t1,t2] - certificate was invalid during whole time interval [t1,t2], because of (revocation,suspension,...) - status of certificate changed during time interval [t1,t2], type of change was (valid-suspended, valid-revoked, suspended-valid, ...) in case of unsuccessful processing the server should tell the reason (certificate unknown, , unsupported certificate format, internal error,...) this approach would support any life-cycle of certificates. by now, it seems to me that a lot of protocols assume implicitly that certificates can become invalid just once, and once they are invalid they can never become valid once again. i agree that this is mostly the case. does this idea also make sense to others? best regards, Karl Scheibelhofer -- Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at> Institute for Applied Information Processing and Communications (IAIK) at Technical University of Graz, Austria, http://www.iaik.at Phone: (+43) (316) 873-5540 Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA10754 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 23:54:43 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id JAA42992; Wed, 26 Jul 2000 09:01:32 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id IAA19240; Wed, 26 Jul 2000 08:57:01 +0200 Message-ID: <397E8BBE.C0FA94D1@bull.net> Date: Wed, 26 Jul 2000 08:57:02 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Oscar Jacobsson <oscar.jacobsson@celocom.com> CC: Joerg Seidel <seidel@maz-hh.de>, ietf-pkix@imc.org Subject: Re: OCSP request References: <3.0.5.32.20000725152251.00aac160@localhost> <3.0.5.32.20000725155017.03aee580@localhost> <397D9EAA.192DBF85@maz-hh.de> <397DA1FB.5139587C@celocom.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Oscar, > Joerg Seidel wrote: > > Or as Karl puts it you need "to > > attach all this verification stuff to all signed documents." > > Which is the method ETSI have selected for their ES-C (Electronic > Signature with Complete validation data) electronic signature format, > IIRC. To reply to your question, ETSI (in ES 201733) has chosen to keep the *references* (including a hash code of the referenced data) together with the electronic signature, i.e. not the actual data. The idea was to make the verification stuff kept with the signature short. The referenced data can be stored: 1) either with the signed message, or 2) anywhere else (e.g. in a data base), where you can find it again. Denis > //oscar Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA09635 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 23:34:03 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id IAA35776; Wed, 26 Jul 2000 08:41:02 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id IAA39494; Wed, 26 Jul 2000 08:36:30 +0200 Message-ID: <397E86EF.167E64B6@bull.net> Date: Wed, 26 Jul 2000 08:36:31 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Stefan Santesson <stefan@accurata.se> CC: ietf-pkix@imc.org Subject: Re: QC DN "qualities". Was: I-DACTION:draft-ietf-pkix-qc-04.txt References: <14716.17757.863072.996773@xedia.com> <001201bff55f$457cac80$0201a8c0@mega.vincent.se> <14716.17757.863072.996773@xedia.com> <4.3.2.7.2.20000724233736.031ace98@mail.accurata.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Stefan, > May I draw your attention to the updated QC 05 where the uniqueness > requirement stated in RFC 2459 (and son of) has been clarified to count for > the whole lifetime of the CA. > > section 2.4 now states: > "The distinguished name MUST be unique for each subject > entity certified by the one CA as defined by the issuer name field, > during the whole life time of the CA." > > This is actually nothing new, rather a clarification of the existing > technical concept of DNs. > An compliant implementation can simply not be based on CA's using the same > DN for several different entities. It is reasonable to assume that this is > the intent behind the original X.501 definition of DNs. > "Distinguished name is originally defined in X.501 [X.501] as a > representation of a directory name, defined as a construct that > identifies a particular object from among the set of all objects." This is fine with me and solves one of the seven issues I have posted on July 13 th. So COMMENT 1 is now solved. I re-post the six other comments, which up to now have not yet been answered: COMMENT 2 Section 3.1.1. Issuer states: "The issuer field SHALL identify the organization responsible for issuing the certificate, and SHALL include a registered name of the organization". The basic question is what is the meaning of a "registered" name. Who should be the registration authority ? Do we have such an authority for registered names in the IETF ? Is this authority adequate for such a usage ? Instead of trying to answer the question, it makes more sense to omit the second part of the sentence which leads to the following sentence: "The issuer field SHALL identify the organization responsible for issuing the certificate". COMMENT 3 Section 3.1.1. Issuer states: "The legal jurisdiction for the issuing CA SHOULD be consistent with the issuer name.". However the abstract says: " The goal of this document is to define a general syntax independent of local legal requirements." and also "It is important to note that the profile does not define any legal requirements for Qualified Certificates.". This is contradictory. >From the discussions that recently took place in Stockholm, the agreement was to mandate the inclusion of the country where from the CA is operating. In this way, by indirection, the country where the CA is established may implement a supervision scheme, if required. The text should be modified to reflect this. It should be noticed that taking this into consideration, the first element of a DN for an issuer must then be a country name. This should be reflected in the text. Full text proposal replacement for 3.1.1: 3.1.1 Issuer The issuer field SHALL identify the organization responsible for issuing the certificate. The identity of the issuer SHALL be specified using an appropriate subset of the following attributes: domainComponent; countryName; stateOrProvinceName; organizationName; localityName; and serialNumber. Additional attributes MAY be present but they SHOULD NOT be necessary to identify the issuing organization. The first element of the DN shall be the country where the CA is operating from. COMMENT 4 The text is not consistent when talking about certificate policies and public statements. In section 2.2. Statement of Purpose, the text says: "For a certificate to serve the purpose of being a Qualified Certificate, this profile assumes that the CA will have to include in the certificate a public statement that explicitly defines this intent." In section 3.2.2.Certificate Policies, the text says: " A statement by the issuer stating the purpose of the certificate as discussed in Section 2.2 SHOULD be evident through indicated policies." The later statement is not that "evident" at all, in particular since from section 2.2. any certificate policy may be used, provided that it is consistent with the policy for a QC. The basic question is the following: How is it possible to know that a certificate is a QC ? There are two possible answers: a) use a QC statement to tell it (and this "costs" a new extension), b) use some pre-defined Certificate Policy OID to tell it (and this costs no new extension). The text from section 2.2. mandates the inclusion of a QC statement. However, all current software is able to test for the presence of any Certificate Policy OID in a certificate and thus the current software could easily check for the presence of pre-defined Certificate Policy OIDs for QCs. The QC statement mandates the use of a new extension, that no one has yet implemented, both for the construction of the certificate and the checking of a certification path. Should we really mandate the presence of the QC statement (as being the only way to indicate that a certificate is a QC) or should we also allow the use of pre-defined Certificate Policy OID (making the QC statement non mandatory) ? I think both options should be mentioned as possible Note: I must recognise that the following text belonging to section 3.2.2 is not understandable to me: " In order to enhance path validation based on policy object identifiers any statement related to Qualified Certificates, as defined in 3.2.5, SHOULD also be defined by included certificate policies." COMMENT 5 Section 3.2.5. Qualified Certificate Statements, defines an extension for inclusion of defined statements related to Qualified Certificates. However, there is a major problem with the way the extension is built. It is constructed as: QCStatements ::= SEQUENCE OF QCStatement Since nothing is said in the text about the criticality this extension is, by implication, non critical. This means that any individual QCStatement is not mandatory to understand. So unless an application specifically looks for some pre-defined statement, it will miss the others and is not required to "understand them. Also remember that only ONE such extension may be present. In a profile of this document (not a PKIX document) this extension is being used to specify the maximum amount of money which is permissible for one transaction, this is what is referred in QC-04 as "a maximum reliance limit for the certificate indicating restrictions on CA's liability". The basic question is whether we should have a separate extension for a maximum reliance from a CA. If the maximum reliance limit statement is part of the new extension, there is no guarantee that it will ever be seen or recognized. In principle any QCStatement in a non critical extension may be ignored by the application. If the maximum reliance limit statement is in a separate extension marked critical, no application could miss it, if it is present. The requirement comes from an annex of the European Directive. The definition of a maximum reliance limit is optional and it makes sense to have a dedicated extension to support it. I would thus propose to suppress the following sentence from 3.2.5: "As an example this MAY include a maximum reliance limit for the certificate indicating restrictions on CA's liability." Instead I would propose to define a separate extension to support a maximum reliance limit. COMMENT 6 Section 4, Security considerations. This section has major problems. It uses some arguments to provide wrong conclusions. The current text is as follows: " Since the public keys are for public use with legal implications for involved parties, certain conditions should exist before CAs issues certificates as Qualified Certificates. The associated private keys must be unique for the subject, and must be maintained under the subject's sole control. That is, a CA should not issue a qualified certificate if the private key is shared among entities, or the means to use the private key is not protected against unintended usage. This implies that the CA must perform proof-of-possession of the private key. In addition, it implies that the CA have some knowledge about the subject's cryptographic module." The text says that a "CA should not issue a qualified certificate if the private key is shared among entities". This is fine, but the CA has no way to know whether the private key has been given to someone else. Proof-of-possession of the private key does not solve the issue as well, since everyone who has been given the private key could provide proof-of-possession. What is transparent from the text, but not said correctly, is that if a physical device is used, then it becomes "more difficult" to share the private key. Proposed text full replacement for the text above: "The private keys must be maintained under the subject's sole control. That is, a CA should not issue a qualified certificate if the means to use the private key is not protected against unintended usage. It implies that the CA should have some knowledge about the subject's cryptographic module." It should be realized also that proof-of-possession is NOT needed at all what using good cryptography practice. As soon as the identifier of the certificate being used is protected by the digital signature, then proof-of-possession becomes unnecessary. Why not say it ? COMMENT 7 Section 4, Security considerations. The current text is as follows: "Comparing two qualified certificates to determine if they represent the same physical entity may provide misleading results and should be performed with care." This sentence does not help. Replace by: "Comparing two qualified certificates, that contain different DNs, to determine if they represent the same physical entity cannot be made." Denis > We are not talking about unintentional mistakes here (which always can > happen) but the concept of operation. > > /Stefan Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA03429 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 22:39:39 -0700 (PDT) Received: from jean [195.39.160.127] by mail.arabtrust.com (SMTPD32-6.00) id AAE21B000FE; Wed, 26 Jul 2000 01:45:06 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: <ietf-pkix@imc.org> Subject: unsubscribe Date: Wed, 26 Jul 2000 08:41:04 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDKEBECCAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 unsubscribe Received: from ts16-a550.dial.sovam.com (ts16-a550.dial.sovam.com [195.239.7.42]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id PAA15071 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 15:33:54 -0700 (PDT) From: <unsubscribe@nm.ru> To: <ietf-pkix@imc.org> Date: ×ò, 06 èþë 2000 12:01:05 +0400 Message-ID: <36105065817246173@ts16-a550.dial.sovam.com> Subject: Hi, its for you ! Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi! We are Russian girls - Lilia, Alyona, Natalia. We would like to correspond with you. Visit our site and see our photos. http://www.rusladies.h1.ru With interest, Lilia, Alyona, Natalia. P.S. This is not spam. You can unsubscribe at any time by sending an email to freelist@nm.ru with the subject UNSUBSCRIBE. P.P.S. This message is being sent to you in compliance with the proposed Federal legislation for commercial e-mail (S.1618-SECTION 301). "Pursuant to Section 301, Paragraph (a)(2)(C) of S. 1618, further transmissions to you by the sender of this e-mail may be stopped at no cost to you by clicking mailto:sngl@soon.com and placing REMOVE in the subject. Received: from blue.identrus.com ([216.213.93.121]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA11108 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 11:15:13 -0700 (PDT) Received: by blue.identrus.com with Internet Mail Service (5.5.2650.21) id <N9QAN2RK>; Tue, 25 Jul 2000 14:18:09 -0400 Message-ID: <A105E1C02F5DD31181A500508B5519EC3062AC@blue.identrus.com> From: Khaja Ahmed <Khaja.Ahmed@identrus.com> To: "'Karl Scheibelhofer '" <Karl.Scheibelhofer@iaik.at>, "'IETF PKIX Mailing List '" <ietf-pkix@imc.org> Subject: RE: OCSP request Date: Tue, 25 Jul 2000 14:18:03 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF664.AFC29920" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF664.AFC29920 Content-Type: text/plain; charset="iso-8859-1" Karl, I would like to second your request for this capability. This is a very important feature/capability and should really be added to the standard. To answer your question, I am aware of work being done to add this to OCSP. However, it is in the way of proprietary implementations. The proprietary nature of any soluion poses it's challenges and so it is best if this body could take this on as an enhancement to the standard. It would be great if someone could propose a revision to the protocol to included this capability. It is probably not much more than: - Stating that a signer may make an OCSP reqest for the status of his certificate and attach the response to the signature in a specified format. - Requiring that a relying party OCSP client recognize the proof that the certificate was not revoked when the signature was made (or within some reasonable tolerances). Some other things that would need to be and could easiliy be accomodated are: -If the relying party does not trust the OCSP response (Freshness Proof) attached to the signature it may do it's own checking regardless. The nice thing about this is that along with the signed data (which may be archived) exists proof that the signature was valid when it was made. An example application that would benefit greatly is: A notebook user / travellers who downloads her e-mail and reads it off line. No online access to OCSP server is needed. The "Freshness Proof" with each message shows that the certificate was good when the message was signed. I recognize that that this will not accomodate all needs and cover all cases but it covers enough cases that it would constitute a substantial iimprovement. Khaja -----Original Message----- From: Karl Scheibelhofer To: IETF PKIX Mailing List Sent: 7/25/00 9:03 AM Subject: OCSP request to verify a signature, it is necessary to find out, if the certificate used for signing was valid when the signature was created. normally it is only possible to fix the time the signature was created in a time interval; e.g. between two timestamps. to find out, if the certificate was valid during this time interval, i see two options: 1. i can get the certificate status information when i create the signature, timestamp it, and attach the whole thing to the signed document. 2. have a extended OCSP protocol that allows to request this information are there any attempts to integrate such a feature to OCSP? i think that this would be a valuable feature for OCSP. it would avoid the necessity to attach all this verification stuff to all signed documents. with best regards, Karl Scheibelhofer -- Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at> Institute for Applied Information Processing and Communications (IAIK) at Technical University of Graz, Austria, http://www.iaik.at Phone: (+43) (316) 873-5540 ------_=_NextPart_001_01BFF664.AFC29920 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: OCSP request</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Karl,</FONT> </P> <P><FONT SIZE=3D2>I would like to second your request for this = capability. This is a very important feature/capability and = should really be added to the standard. </FONT></P> <P><FONT SIZE=3D2>To answer your question, I am aware of work being = done to add this to OCSP. However, it is in the way of = proprietary implementations. The proprietary nature of any = soluion poses it's challenges and so it is best if this body could take = this on as an enhancement to the standard. </FONT></P> <P><FONT SIZE=3D2>It would be great if someone could propose a revision = to the protocol to included this capability.</FONT> </P> <P><FONT SIZE=3D2>It is probably not much more than:</FONT> </P> <P><FONT SIZE=3D2>- Stating that a signer may make an OCSP reqest for = the status of his certificate and attach the response to the signature = in a specified format.</FONT></P> <P><FONT SIZE=3D2>- Requiring that a relying party OCSP client = recognize the proof that the certificate was not revoked when the = signature was made (or within some reasonable tolerances).</FONT></P> <P><FONT SIZE=3D2>Some other things that would need to be and could = easiliy be accomodated are:</FONT> </P> <P><FONT SIZE=3D2>-If the relying party does not trust the OCSP = response (Freshness Proof) attached to the signature it may do it's own = checking regardless. </FONT></P> <P><FONT SIZE=3D2>The nice thing about this is that along with the = signed data (which may be archived) exists proof that the signature was = valid when it was made.</FONT></P> <P><FONT SIZE=3D2>An example application that would benefit greatly is: = A notebook user / travellers who downloads her e-mail and reads = it off line. No online access to OCSP server is needed. The = "Freshness Proof" with each message shows that the = certificate was good when the message was signed.</FONT></P> <P><FONT SIZE=3D2>I recognize that that this will not accomodate all = needs and cover all cases but it covers enough cases that it would = constitute a substantial iimprovement.</FONT></P> <P><FONT SIZE=3D2>Khaja</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Karl Scheibelhofer</FONT> <BR><FONT SIZE=3D2>To: IETF PKIX Mailing List</FONT> <BR><FONT SIZE=3D2>Sent: 7/25/00 9:03 AM</FONT> <BR><FONT SIZE=3D2>Subject: OCSP request</FONT> </P> <P><FONT SIZE=3D2>to verify a signature, it is necessary to find out, = if the certificate</FONT> <BR><FONT SIZE=3D2>used</FONT> <BR><FONT SIZE=3D2>for signing was valid when the signature was = created. normally it is</FONT> <BR><FONT SIZE=3D2>only</FONT> <BR><FONT SIZE=3D2>possible to fix the time the signature was created = in a time interval;</FONT> <BR><FONT SIZE=3D2>e.g.</FONT> <BR><FONT SIZE=3D2>between two timestamps.</FONT> <BR><FONT SIZE=3D2>to find out, if the certificate was valid during = this time interval, i</FONT> <BR><FONT SIZE=3D2>see</FONT> <BR><FONT SIZE=3D2>two options:</FONT> </P> <P><FONT SIZE=3D2>1. i can get the certificate status information when = i create the</FONT> <BR><FONT SIZE=3D2>signature,</FONT> <BR><FONT SIZE=3D2>timestamp it, and attach the whole thing to the = signed document.</FONT> </P> <P><FONT SIZE=3D2>2. have a extended OCSP protocol that allows to = request this information</FONT> </P> <P><FONT SIZE=3D2>are there any attempts to integrate such a feature to = OCSP?</FONT> <BR><FONT SIZE=3D2>i think that this would be a valuable feature for = OCSP. it would avoid</FONT> <BR><FONT SIZE=3D2>the</FONT> <BR><FONT SIZE=3D2>necessity to attach all this verification stuff to = all signed documents.</FONT> </P> <P><FONT SIZE=3D2>with best regards,</FONT> </P> <P><FONT SIZE=3D2> Karl Scheibelhofer</FONT> </P> <P><FONT SIZE=3D2>--</FONT> </P> <P><FONT SIZE=3D2>Karl Scheibelhofer, <<A = HREF=3D"mailto:Karl.Scheibelhofer@iaik.at">mailto:Karl.Scheibelhofer@iai= k.at</A>></FONT> <BR><FONT SIZE=3D2>Institute for Applied Information Processing and = Communications (IAIK)</FONT> <BR><FONT SIZE=3D2>at Technical University of Graz, Austria, <A = HREF=3D"http://www.iaik.at" = TARGET=3D"_blank">http://www.iaik.at</A></FONT> <BR><FONT SIZE=3D2>Phone: (+43) (316) 873-5540</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF664.AFC29920-- Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA10142 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 10:19:43 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FY900F01K9XKH@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 25 Jul 2000 10:22:45 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FY900F7YK9X7D@ext-mail.valicert.com>; Tue, 25 Jul 2000 10:22:45 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <3600606P>; Tue, 25 Jul 2000 10:14:17 -0700 Content-return: allowed Date: Tue, 25 Jul 2000 10:14:17 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: OCSP request To: "'Simon Tardell'" <simon.tardell@iD2tech.com>, "'Rich Salz'" <rsalz@caveosystems.com>, Joerg Seidel <seidel@maz-hh.de> Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2B41727@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Hi Simon, Yes, we do, violently agree! I didn't know of the German ISIS interpretation of "unknown". That is *not* the interpretation that any other group is taking. Do you know who I can contact to help sort this out? I think it is very, very wrong! Given this interpretation, I agree, the wording could and should have been more explicit. Regards, Ambarish --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: Simon Tardell [mailto:simon.tardell@iD2tech.com] > Sent: Tuesday, July 25, 2000 8:45 AM > To: 'Ambarish Malpani'; Simon Tardell; 'Rich Salz'; Joerg Seidel > Cc: ietf-pkix@imc.org > Subject: RE: OCSP request > > > Ambarish, > > Let me just start by pointing out that I agree with you > (mostly). But not > everybody agrees with me.... > > > Hi Simon, > > Here is the text from RFC 2560: > > > > ---------------Start quote from RFC---------------------- > > The "good" state indicates a positive response to the > status inquiry. > > At a minimum, this positive response indicates that the > certificate > > is not revoked, but does not necessarily mean that the > certificate > > was ever issued or that the time at which the response > was produced > > is within the certificate's validity interval. Response > extensions > > may be used to convey additional information on > assertions made by > > the responder regarding the status of the certificate such as > > positive statement about issuance, validity, etc. > > > > The "revoked" state indicates that the certificate has > been revoked > > (either permanantly or temporarily (on hold)). > > > > The "unknown" state indicates that the responder doesn't > know about > > the certificate being requested. > > > > ---------------End quote from RFC---------------------- > > > > > > Good means that it is not on the revoked list. If you wish to > > assert other things, you can do so with extensions. > > > > Revoked means that it is on the revoked list (you can still assert > > other things with extensions - nothing says you can't do that, > > although I agree, it would have been better to say so explicitly. > > > > Unknown means you don't know - aren't willing to say either good > > or bad (again, you can still use extensions to say more things). > > > > I am not sure which part of the language you are objecting > > to. > > The problem I have is that a responder may through "good" > assert that any > number properties are true, *without* qualifying with > extensions. On the > other hand "revoked" means a negative assertion to only one of these > properties. > > Also, in your interpretation (and mine) "unknown" means "I > don't know or > will not say". As a client a perfectly reasonable reaction to > that would be > to come back and check later or go to another OCSP responder > (assuming I > have a list to choose from) and query that responder. However, it is > possible to interpret the "unknown" definition as an > assertion that "I know > that this certificate is not issued". This is the > interpretation taken by > the German Trust Center Work Group in their ISIS spec. Under those > semantics, I can't expect any other responder to have better > information. > > > Would it have > > been satisfactory if we had the line starting "Response > extensions... > > validity, etc." in each of the 3 states? Would you have > > preferred that we not have allowed for any extensions in responses? > > The preferred way would have been to restrict CertStatus to carry > information only on revocation and force issuance, validity > or any other > property that you want to assert into extensions. Preferrably those > extensions should have the same structure (assertion true, > assertion false, > i-don't-know). > > Simon. > > > Simon Tardell, Software Architect, iD2 Technologies > voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 > simon.tardell@iD2tech.com, http://www.iD2tech.com > Securing the Internet economy > Received: from mailserver2.hrz.tu-darmstadt.de (root@mailserver2.hrz.tu-darmstadt.de [130.83.22.129]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA09941 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 10:18:51 -0700 (PDT) Received: from hrz2.hrz.tu-darmstadt.de (hrz2.hrz.tu-darmstadt.de [130.83.47.115]) by mailserver2.hrz.tu-darmstadt.de (8.9.1a/8.9.1) with ESMTP id TAA21611 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 19:21:22 +0200 (MET DST) Received: from HRZ2/SpoolDir by hrz2.hrz.tu-darmstadt.de (Mercury 1.47); 25 Jul 00 19:20:17 +0200 Received: from SpoolDir by HRZ2 (Mercury 1.47); 25 Jul 00 18:08:29 +0200 Received: from pc132 (130.83.244.93) by hrz2.hrz.tu-darmstadt.de (Mercury 1.47); 25 Jul 00 18:08:22 +0200 From: "Markus Ruppert" <mr01@hrz2.hrz.tu-darmstadt.de> To: <ietf-pkix@imc.org> Subject: OCSP - Transportprotocol? Date: Tue, 25 Jul 2000 18:13:30 +0200 Message-ID: <000101bff653$45bb8960$5df45382@pc132.cdc-nt.cdc.informatik.tu-darmstadt.de> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2377.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2120.0 Hallo, does anybody know if there is an other transport protocol than http implemented and in use for OCSP? Where are other protocols specified? Is there anything like Transport Protocols for CMP <draft-ietf-pkix-cmp-transport-protocols-01.txt> available for OCSP? Thanks Markus Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA09609 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 10:10:11 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FY900F01JU1IA@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 25 Jul 2000 10:13:13 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FY900F6FJU17D@ext-mail.valicert.com>; Tue, 25 Jul 2000 10:13:13 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <3600605L>; Tue, 25 Jul 2000 10:04:45 -0700 Content-return: allowed Date: Tue, 25 Jul 2000 10:04:43 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: OCSP request To: "'Rich Salz'" <rsalz@caveosystems.com>, Joerg Seidel <seidel@maz-hh.de> Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2B41726@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Hi Rich, Not true. We have the ability to say unknown also. We can also do secondary checks, where you actually look for the existance of a cert in a directory, if that is what people want. People just need to decide that they want that functionality. Regards, Ambarish --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: Rich Salz [mailto:rsalz@caveosystems.com] > Sent: Tuesday, July 25, 2000 7:13 AM > To: Joerg Seidel > Cc: ietf-pkix@imc.org > Subject: Re: OCSP request > > > > The problem is that OCSP does not tell you whether the > certificate was already > > issued at the time of the signature. It only says it was > not revoked. > > Depends on the OCSP implementation. Some (e.g., Valicert > last I looked) > can only say "not revoked" while some (e.g., CertCo last I looked) can > also say "not known" > /r$ > Received: from mail-fwd.verio-web.com (mail11a.verio-web.com [161.58.16.57]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA07701 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 08:59:34 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11a.verio-web.com (RS ver 1.0.57s) with SMTP id 01855087; Tue, 25 Jul 2000 12:02:29 -0400 (EDT) Sender: rsalz Message-ID: <397DBA22.7FAC1035@caveosystems.com> Date: Tue, 25 Jul 2000 12:02:42 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Richard Levitte <richard.levitte@celocom.se> CC: ietf-pkix@imc.org Subject: Re: OCSP request References: <3.0.5.32.20000725152251.00aac160@localhost> <3.0.5.32.20000725155017.03aee580@localhost> <397D9EAA.192DBF85@maz-hh.de> <397DA065.ACE1D1A4@caveosystems.com> <397DB184.3BA19828@celocom.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 > I just made a request with a cert they > have no chance of knowing, and I got the status "unknown". Make a request for a mythical cert with a CA that they know about -- i.e., take a CertID where you got a "good" answer, and change only the serialNumber to something likely to be unissued (e.g., 99999999992). As the discussion here (yet again :) shows, full understanding of the OCSP standard is tricky, and requires subtlety that is probably beyond most potential PKI customers. /r$ Received: from naigwy (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA06503 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 08:41:55 -0700 (PDT) Received: FROM aunt15.ausys.se BY naigwy ; Tue Jul 25 17:43:21 2000 +0200 Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id <PLMLFS0F>; Tue, 25 Jul 2000 17:44:46 +0200 Message-ID: <C0E81C20AD21D311BDB200805FCCD9412F62D4@aunt9.ausys.se> From: Simon Tardell <simon.tardell@iD2tech.com> To: "'Ambarish Malpani'" <ambarish@valicert.com>, Simon Tardell <simon.tardell@iD2tech.com>, "'Rich Salz'" <rsalz@caveosystems.com>, Joerg Seidel <seidel@maz-hh.de> Cc: ietf-pkix@imc.org Subject: RE: OCSP request Date: Tue, 25 Jul 2000 17:45:20 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Ambarish, Let me just start by pointing out that I agree with you (mostly). But not everybody agrees with me.... > Hi Simon, > Here is the text from RFC 2560: > > ---------------Start quote from RFC---------------------- > The "good" state indicates a positive response to the status inquiry. > At a minimum, this positive response indicates that the certificate > is not revoked, but does not necessarily mean that the certificate > was ever issued or that the time at which the response was produced > is within the certificate's validity interval. Response extensions > may be used to convey additional information on assertions made by > the responder regarding the status of the certificate such as > positive statement about issuance, validity, etc. > > The "revoked" state indicates that the certificate has been revoked > (either permanantly or temporarily (on hold)). > > The "unknown" state indicates that the responder doesn't know about > the certificate being requested. > > ---------------End quote from RFC---------------------- > > > Good means that it is not on the revoked list. If you wish to > assert other things, you can do so with extensions. > > Revoked means that it is on the revoked list (you can still assert > other things with extensions - nothing says you can't do that, > although I agree, it would have been better to say so explicitly. > > Unknown means you don't know - aren't willing to say either good > or bad (again, you can still use extensions to say more things). > > I am not sure which part of the language you are objecting > to. The problem I have is that a responder may through "good" assert that any number properties are true, *without* qualifying with extensions. On the other hand "revoked" means a negative assertion to only one of these properties. Also, in your interpretation (and mine) "unknown" means "I don't know or will not say". As a client a perfectly reasonable reaction to that would be to come back and check later or go to another OCSP responder (assuming I have a list to choose from) and query that responder. However, it is possible to interpret the "unknown" definition as an assertion that "I know that this certificate is not issued". This is the interpretation taken by the German Trust Center Work Group in their ISIS spec. Under those semantics, I can't expect any other responder to have better information. > Would it have > been satisfactory if we had the line starting "Response extensions... > validity, etc." in each of the 3 states? Would you have > preferred that we not have allowed for any extensions in responses? The preferred way would have been to restrict CertStatus to carry information only on revocation and force issuance, validity or any other property that you want to assert into extensions. Preferrably those extensions should have the same structure (assertion true, assertion false, i-don't-know). Simon. Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA05409 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 08:37:51 -0700 (PDT) Received: from bag-wts.UK.Sun.COM ([129.156.81.5]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id IAA24271; Tue, 25 Jul 2000 08:40:48 -0700 (PDT) Received: from uk.sun.com ([129.156.134.64]) by bag-wts.UK.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.9) with ESMTP id QAA15451; Tue, 25 Jul 2000 16:40:45 +0100 (BST) Message-ID: <397DB5BE.BD5BA644@uk.sun.com> Date: Tue, 25 Jul 2000 16:43:59 +0100 From: Jonathan Sowler <jonathan.sowler@uk.sun.com> X-Mailer: Mozilla 4.7 [en] (WinNT; I) X-Accept-Language: en,pdf MIME-Version: 1.0 To: Simon Tardell <simon.tardell@iD2tech.com> CC: "'Rich Salz'" <rsalz@caveosystems.com>, Joerg Seidel <seidel@maz-hh.de>, ietf-pkix@imc.org Subject: Re: OCSP request References: <C0E81C20AD21D311BDB200805FCCD9412F62D1@aunt9.ausys.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Good point - the language consistently causes a problem - "good" implies some sort of judgement that you can take proceed with a transaction/session based on the status of the certificate. It would be good to define the response "issued and not revoked" and avoid more loaded terms - as dull as it may make reading PKIX specs! If a certificate has been revoked and the reason for revocation is benign, I may still chose to proceed with a signed transaction on the basis that there is minimal risk to me - i.e. interpret the OCSP response as good. Simon Tardell wrote: > > > The problem is that OCSP does not tell you whether the > > certificate was already > > > issued at the time of the signature. It only says it was > > not revoked. > > > > Depends on the OCSP implementation. Some (e.g., Valicert > > last I looked) > > can only say "not revoked" while some (e.g., CertCo last I looked) can > > also say "not known" > > The problem with the OCSP protocol is that there are three non-orthogonal > answers: good, revoked, unknown. It'd all be well if "good" was identical to > "not revoked" and "unknown" meant "I can't tell if it is either, go ask > someone else, or come back later, I might find out". But that is not the way > it is expressed in the RFC. In the RFC "good" is an assertion that A && B && > C .. any number of conditions is true, while revoked only means !B and > unknown could be interpreted to mean !C ("I KNOW this cert was never > issued"). Different groups have different requirements and will want to > include different assertions in OCSP or something very similar (e.g. some > want to assert that a cert was ever issued) in a way that will make the > clients un-interoperable. That is, they will comply in the sense that the > bits on the wire are the same, but the intended interpretation is different. > Since end-users may very well be members of different PKIs this is > unfortunate. > > Simon. > > Simon Tardell, Software Architect, iD2 Technologies > voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 > simon.tardell@iD2tech.com, http://www.iD2tech.com > Securing the Internet economy -- Best Regards, Jonathan Sowler Product Management Group ------------------------------------------------------------- ------------------------------------------------------------- TRUSTBASE HAS MOVED!! The new contact details are: For more information about iPlanet's Trustbase products visit: http://www.trustbase.com iPlanet Electronic Commerce Solutions Tel: +44 (0) 20 7337 9200 A Sun-Netscape Alliance Ext: 29916 Equitable House Fax: +44 (0) 20 7337 9201 47/51 King William Street E-Mail: jonathan.sowler@sun.com London EC4R 9AF United Kingdom ------------------------------------------------------------- "Trust only those who stand to lose as much as you when things go wrong." Bralek's Rule for Success, in Arthur Bloch, comp. "Expertsmanship," Murphy's Law: Book Three, 1982 ------------------------------------------------------------- Received: from ns.celocom.se (firewall-user@ns.celocom.se [212.209.40.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA01449 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 08:24:02 -0700 (PDT) Received: by ns.celocom.se; id RAA10278; Tue, 25 Jul 2000 17:27:03 +0200 (CEST) Received: from seexchange.celocom.se(10.10.10.11) by ns.celocom.se via smap (4.1) id xma010263; Tue, 25 Jul 00 17:26:24 +0200 Received: from celocom.se (levitte.celocom.se [10.10.10.124]) by seexchange.celocom.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 3YLHH2Q1; Tue, 25 Jul 2000 17:29:44 +0200 Sender: levitte@celocom.se Message-ID: <397DB184.3BA19828@celocom.se> Date: Tue, 25 Jul 2000 17:25:56 +0200 From: Richard Levitte <richard.levitte@celocom.se> Organization: Celo Communications, Ltd. X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Rich Salz <rsalz@caveosystems.com> CC: Joerg Seidel <seidel@maz-hh.de>, ietf-pkix@imc.org Subject: Re: OCSP request References: <3.0.5.32.20000725152251.00aac160@localhost> <3.0.5.32.20000725155017.03aee580@localhost> <397D9EAA.192DBF85@maz-hh.de> <397DA065.ACE1D1A4@caveosystems.com> Content-Type: multipart/mixed; boundary="------------5B042D65A07B5E4A482951C7" This is a multi-part message in MIME format. --------------5B042D65A07B5E4A482951C7 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Rich Salz wrote: > Depends on the OCSP implementation. Some (e.g., Valicert last I looked) > can only say "not revoked" In that case, they've corrected themselves. I just made a request with a cert they have no chance of knowing, and I got the status "unknown". -- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */ --------------5B042D65A07B5E4A482951C7 Content-Type: text/x-vcard; charset=us-ascii; name="richard.levitte.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Richard Levitte Content-Disposition: attachment; filename="richard.levitte.vcf" begin:vcard n:Levitte;Richard tel;cell:+46-733-72 8811 tel;work:+46-8-58 72 8811 x-mozilla-html:FALSE org:<A HREF="http://www.celocom.com">Celo Communications</A> version:2.1 email;internet:richard.levitte@celocom.se title:Software Artist adr;quoted-printable:;;Sveav=E4gen 145, 5tr=0D=0AStockholm;;;;SWEDEN note;quoted-printable:<br>=0D=0A<table border=3D0>=0D=0A<tr>=0D=0A <td bgcolor=3D"#00ffff">c=EAlo, =E2vi, =E2tum, (latin) 1,v.a.=0D=0A to hide something from one, to keep secret, to conceal.=0D=0A </td>=0D=0A</tr>=0D=0A</table>=0D=0A<br>=0D=0A<table border=3D3>=0D=0A<tr>=0D=0A <td>=0D=0A <table>=0D=0A <tr>=0D=0A <td valign=3Dtop>o/~</td>=0D=0A <td><font size=3D-1>Coding, coding, coding</font><br>=0D=0A Keep'em hackers coding<br>=0D=0A <font size=3D+1>And When They're Done Coding</font><br>=0D=0A <font size=3D7>COMPIIIIIIILE!!</font></td>=0D=0A </tr>=0D=0A </table>=0D=0A </td>=0D=0A</tr>=0D=0A</table> fn:Richard Levitte end:vcard --------------5B042D65A07B5E4A482951C7-- Received: from thalia.fm.intel.com (thalia.fm.intel.com [132.233.247.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA29489 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 08:13:49 -0700 (PDT) Received: from fmsmsx28.FM.INTEL.COM (fmsmsx28.fm.intel.com [132.233.42.28]) by thalia.fm.intel.com (8.9.1a+p1/8.9.1/d: relay.m4,v 1.30 2000/06/08 18:25:35 dmccart Exp $) with ESMTP id PAA13297 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 15:17:46 GMT Received: by fmsmsx28.fm.intel.com with Internet Mail Service (5.5.2650.21) id <PSGSBZMS>; Tue, 25 Jul 2000 08:16:49 -0700 Message-ID: <8DCFE693DDFFD111AC4100A0C9B8DB940156621F@hdsmsx33.hd.intel.com> From: "Eissa, Mohamed" <mohamed.eissa@intel.com> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: OCSP, SCVP vendors Date: Tue, 25 Jul 2000 08:16:47 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Hi all, I need to know if there are any vendors doing interoperability tests for OCSP and SCVP, and where to get more information about the products passed the tests. Mohamed A. Eissa Intel of Canada, Ltd. (416) 622-7175 2 Eva Road, Suite 220 Toronto, Ontario, M9C 2A8 Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA28664 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 08:01:39 -0700 (PDT) Received: from [192.168.1.71] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY900L8DDQGMJ@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Tue, 25 Jul 2000 08:01:30 -0700 (PDT) Date: Tue, 25 Jul 2000 08:02:25 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: A Real Rationale for Dedicated Keys In-reply-to: <03bd01bff605$887f3290$8802a8c0@eracom.com.au> To: PKIX <ietf-pkix@imc.org> Message-id: <B5A2FA11.18F5%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Simon M., > Hi Aram, >> >> I haven't tried, but I believe that you can open up a bank account with > one >> of the "Internet Banks" without physically showing up. >> > They must depend on some existing on-line identity that they can > authenticate you against or not care about your identity just the amount of > $$ you can deposit with them. How safe are your funds with these banks ? How > much credit do they give you ? In the US I believe they are as "safe" as a brick and mortar bank. They will give you as much credit as the credit reporting agencies deem you are worth. >> >> Again, I don't want to regurgitate last year's discussion on the validity > of >> the NR bit. I believe that you can have non-repudiation without NR=1, and >> that I can repudiate, whether or not NR=1. >> > Fair enough but this list has been discussing two uses of certificates, that > is NR-type signatures and authentication type ones (non-NR). Whether the > NR-bit is the mechanism to support that or not I dont know but it sounds > like something that should be decided soon to prevent implementations > diverging on this point and becoming less interoperable. I totally agree with you. An we (PKIX) better hurry up before the legal system overrides whatever we produce (no offense to the lawyers on the list). Regards, Aram Perez Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA28520 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 08:01:19 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FY900E01DV4LM@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 25 Jul 2000 08:04:16 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FY900E5YDV4GN@ext-mail.valicert.com>; Tue, 25 Jul 2000 08:04:16 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <360060GA>; Tue, 25 Jul 2000 07:55:48 -0700 Content-return: allowed Date: Tue, 25 Jul 2000 07:55:38 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: OCSP request To: "'Simon Tardell'" <simon.tardell@iD2tech.com>, "'Rich Salz'" <rsalz@caveosystems.com>, Joerg Seidel <seidel@maz-hh.de> Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2B41725@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Hi Simon, Here is the text from RFC 2560: ---------------Start quote from RFC---------------------- The "good" state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval. Response extensions may be used to convey additional information on assertions made by the responder regarding the status of the certificate such as positive statement about issuance, validity, etc. The "revoked" state indicates that the certificate has been revoked (either permanantly or temporarily (on hold)). The "unknown" state indicates that the responder doesn't know about the certificate being requested. ---------------End quote from RFC---------------------- Good means that it is not on the revoked list. If you wish to assert other things, you can do so with extensions. Revoked means that it is on the revoked list (you can still assert other things with extensions - nothing says you can't do that, although I agree, it would have been better to say so explicitly. Unknown means you don't know - aren't willing to say either good or bad (again, you can still use extensions to say more things). I am not sure which part of the language you are objecting to. Would it have been satisfactory if we had the line starting "Response extensions... validity, etc." in each of the 3 states? Would you have preferred that we not have allowed for any extensions in responses? I agree that we should have indicated that extensions could be used to convey additional information in any type of a response (which was the whole point of using extensions in responses IMHO). I disagree that we should not have allowed people to put extensions in responses that are not defined in the RFC - people are using OCSP for a wide variety of applications that have different needs - I would not want them to discard OCSP because they can't convey anything other than revocation status in responses. As a server or client, my attitude to extensions is: If the information in the extension is something that you don't want the recipient to ignore, mark it critical. Otherwise mark it non-critical. Regards, Ambarish --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: Simon Tardell [mailto:simon.tardell@iD2tech.com] > Sent: Tuesday, July 25, 2000 7:41 AM > To: 'Rich Salz'; Joerg Seidel > Cc: ietf-pkix@imc.org > Subject: RE: OCSP request > > > > > The problem is that OCSP does not tell you whether the > > certificate was already > > > issued at the time of the signature. It only says it was > > not revoked. > > > > Depends on the OCSP implementation. Some (e.g., Valicert > > last I looked) > > can only say "not revoked" while some (e.g., CertCo last I > looked) can > > also say "not known" > > The problem with the OCSP protocol is that there are three > non-orthogonal > answers: good, revoked, unknown. It'd all be well if "good" > was identical to > "not revoked" and "unknown" meant "I can't tell if it is > either, go ask > someone else, or come back later, I might find out". But that > is not the way > it is expressed in the RFC. In the RFC "good" is an assertion > that A && B && > C .. any number of conditions is true, while revoked only means !B and > unknown could be interpreted to mean !C ("I KNOW this cert was never > issued"). Different groups have different requirements and > will want to > include different assertions in OCSP or something very > similar (e.g. some > want to assert that a cert was ever issued) in a way that > will make the > clients un-interoperable. That is, they will comply in the > sense that the > bits on the wire are the same, but the intended > interpretation is different. > Since end-users may very well be members of different PKIs this is > unfortunate. > > Simon. > > > Simon Tardell, Software Architect, iD2 Technologies > voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 > simon.tardell@iD2tech.com, http://www.iD2tech.com > Securing the Internet economy > Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA28414 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 08:00:57 -0700 (PDT) Received: by mystic1.trustcenter.de; id RAA21433; Tue, 25 Jul 2000 17:01:46 +0200 Received: from nodnsquery(192.168.200.3) by mystic1.trustcenter.de via smap (V5.0) id xma021425; Tue, 25 Jul 00 17:00:55 +0200 Received: from ew-jbr (titan.trustcenter.de [192.168.200.244]) by callisto.trustcenter.de (8.9.3/8.9.3) with SMTP id RAA03707; Tue, 25 Jul 2000 17:02:35 +0200 (MET DST) Message-Id: <3.0.5.32.20000725170235.00a9ca50@localhost> X-Sender: jbr@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 25 Jul 2000 17:02:35 +0200 To: Rich Salz <rsalz@caveosystems.com>, ietf-pkix@imc.org From: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: good in OCSP Responses. Was: Re: OCSP request In-Reply-To: <397DA065.ACE1D1A4@caveosystems.com> References: <3.0.5.32.20000725152251.00aac160@localhost> <3.0.5.32.20000725155017.03aee580@localhost> <397D9EAA.192DBF85@maz-hh.de> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id IAA28415 At 10:12 25.07.00 -0400, Rich Salz wrote: >Depends on the OCSP implementation. Some (e.g., Valicert last I looked) >can only say "not revoked" while some (e.g., CertCo last I looked) can >also say "not known" BTW: We think that theres is a real need for OCSP responders to be able to say "Yes, I know this cert" instead of the normal OCSP "good=not revoked". It is necessary to extend OCSP so real positive answers can be expressed in the OCSP response. The extension of the protocol must be made in such a way that existing clients can still understand "new" OCSP responses, so changing or extending the CertStatus field is probably not really a good thing. It would work as follows: Let's first define a OCSP Extension certHash, which contains the hash of the certificate as an OCTET STRING. This extension may be present (flagged non critical) in OCSP Responses, but SHOULD NOT be present in OCSP requests. Now if an OCSP responder can present the certHash in it's response as part of the singleExtensions, a client can be sure that the OCSP Responder knows what it's talking about, because it can check the hash from the server against the certificate. The hash is a real proof, not just a vague assurance. OCSP Responder can include the certHash extension in all responses, because OCSP clients must be able to handle arbitrary extensions anyway. Clients which don't understand certHash can ignore it without any risk. The idea was developed with people from some other German CAs, it is planned to make something like an internet draft from it. What do you think? Juergen -- Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 Sonninstraße 24-28 mailto:brauckmann@trustcenter.de D-20097 Hamburg http://www.trustcenter.de Received: from naigwy (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA27505 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 07:38:19 -0700 (PDT) Received: FROM aunt15.ausys.se BY naigwy ; Tue Jul 25 16:39:24 2000 +0200 Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id <PLMLFSKM>; Tue, 25 Jul 2000 16:40:49 +0200 Message-ID: <C0E81C20AD21D311BDB200805FCCD9412F62D1@aunt9.ausys.se> From: Simon Tardell <simon.tardell@iD2tech.com> To: "'Rich Salz'" <rsalz@caveosystems.com>, Joerg Seidel <seidel@maz-hh.de> Cc: ietf-pkix@imc.org Subject: RE: OCSP request Date: Tue, 25 Jul 2000 16:41:22 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" > > The problem is that OCSP does not tell you whether the > certificate was already > > issued at the time of the signature. It only says it was > not revoked. > > Depends on the OCSP implementation. Some (e.g., Valicert > last I looked) > can only say "not revoked" while some (e.g., CertCo last I looked) can > also say "not known" The problem with the OCSP protocol is that there are three non-orthogonal answers: good, revoked, unknown. It'd all be well if "good" was identical to "not revoked" and "unknown" meant "I can't tell if it is either, go ask someone else, or come back later, I might find out". But that is not the way it is expressed in the RFC. In the RFC "good" is an assertion that A && B && C .. any number of conditions is true, while revoked only means !B and unknown could be interpreted to mean !C ("I KNOW this cert was never issued"). Different groups have different requirements and will want to include different assertions in OCSP or something very similar (e.g. some want to assert that a cert was ever issued) in a way that will make the clients un-interoperable. That is, they will comply in the sense that the bits on the wire are the same, but the intended interpretation is different. Since end-users may very well be members of different PKIs this is unfortunate. Simon. Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA27190 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 07:33:15 -0700 (PDT) Received: from jean [195.39.160.204] by mail.arabtrust.com (SMTPD32-6.00) id A6391FA008E; Tue, 25 Jul 2000 10:37:45 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: <ietf-pkix@imc.org> Subject: unsubscribe Date: Tue, 25 Jul 2000 17:33:42 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDIEBBCCAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal unsubscribe Received: from ns.celocom.se (firewall-user@ns.celocom.se [212.209.40.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA26047 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 07:17:03 -0700 (PDT) Received: by ns.celocom.se; id QAA05269; Tue, 25 Jul 2000 16:20:03 +0200 (CEST) Received: from zap.celocom.se(10.10.10.1) by ns.celocom.se via smap (4.1) id xma005252; Tue, 25 Jul 00 16:19:40 +0200 Received: from celocom.com (dhcp121.celocom.se [10.10.11.21]) by zap.celocom.se (8.8.7/8.8.7) with ESMTP id QAA12622; Tue, 25 Jul 2000 16:19:40 +0200 Message-ID: <397DA1FB.5139587C@celocom.com> Date: Tue, 25 Jul 2000 16:19:39 +0200 From: Oscar Jacobsson <oscar.jacobsson@celocom.com> Organization: Celo Communications X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Joerg Seidel <seidel@maz-hh.de> CC: ietf-pkix@imc.org Subject: Re: OCSP request References: <3.0.5.32.20000725152251.00aac160@localhost> <3.0.5.32.20000725155017.03aee580@localhost> <397D9EAA.192DBF85@maz-hh.de> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms37DFA3252E5CB540AA82D9AB" This is a cryptographically signed message in MIME format. --------------ms37DFA3252E5CB540AA82D9AB Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Joerg Seidel wrote: > Or as Karl puts it you need "to > attach all this verification stuff to all signed documents." Which is the method ETSI have selected for their ES-C (Electronic Signature with Complete validation data) electronic signature format, IIRC. //oscar --------------ms37DFA3252E5CB540AA82D9AB Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIH/gYJKoZIhvcNAQcCoIIH7zCCB+sCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC Bc8wggKzMIICHKADAgECAgMCjYUwDQYJKoZIhvcNAQEEBQAwgZQxCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxFDASBgNVBAcTC0R1cmJhbnZpbGxlMQ8wDQYDVQQKEwZU aGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25h bCBGcmVlbWFpbCBSU0EgMTk5OS45LjE2MB4XDTAwMDUxMzAwMDEzOVoXDTAxMDUxMzAwMDEz OVowTTEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEqMCgGCSqGSIb3DQEJARYb b3NjYXIuamFjb2Jzc29uQGNlbG9jb20uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB gQCZB2URw+NGaMMV/cSk9JoOb4OGMunL44lk/ioXoBR5brSVUcVaB+s+8UmcqOmi9RAAc+Uy wY69hjPn/LWS3HzN4N4KW6jTEiDm0jPE1aVyxMg7un4rjRSGe9htdPL0ut8QoKXLCjafLKIo v/pyudWgC1PxSglWECgKyKVVMl13KwIDAQABo1kwVzAmBgNVHREEHzAdgRtvc2Nhci5qYWNv YnNzb25AY2Vsb2NvbS5jb20wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSIq/Fgg2ZV9ORY x0YdwGG9I9fDjDANBgkqhkiG9w0BAQQFAAOBgQB8NkKsoEJaIAfecEv+NJp6bBs3xM+ynX5F qJ/ave0p7v2eBBO/fovRoMsmFjF0jHf4RFJqxm9NrpoZWlhehM5nOdS0AyPwFIMEWl7PdSxO pKkxGS8wgEsVammWQc8MAwULu4qy8SdL9LnszsvEKtrsJFG+bILsOf1qBkC6UuSR4DCCAxQw ggJ9oAMCAQICAQswDQYJKoZIhvcNAQEEBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxX ZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1 bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNV BAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29u YWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw05OTA5MTYxNDAxNDBaFw0wMTA5MTUxNDAxNDBa MIGUMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJi YW52aWxsZTEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNl czEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDE5OTkuOS4xNjCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAs2lal9TQFgt6tcVd6SGcI3LNEkxL937Px/vKciT0QlKsV5Xj e2F6F4Tn/XI5OJS06u1lp5IGXr3gZfYZu5R5dkw+uWhwdYQc9BF0ALwFLE8JAxcxzPRB1HLG pl3iiESwiy7ETfHw1oU+bPOVlHiRfkDpnNGNFVeOwnPlMN5G9U8CAwEAAaM3MDUwEgYDVR0T AQH/BAgwBgEB/wIBADAfBgNVHSMEGDAWgBRyScJzNMZV9At2coF+d/SH58ayDjANBgkqhkiG 9w0BAQQFAAOBgQBrxlnpMfrptuyxA9jfcnL+kWBI6sZV3XvwZ47GYXDnbcKlN9idtxcoVgWL 3Vx1b8aRkMZsZnET0BB8a5FvhuAhNi3B1+qyCa3PLW3Gg1Kb+7v+nIed/LfpdJLkXJeu/H6s yg1vcnpnLGtz9Yb5nfUAbvQdB86dnoJjKe+TCX5V3jGCAfcwggHzAgEBMIGcMIGUMQswCQYD VQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJiYW52aWxsZTEP MA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UE AxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDE5OTkuOS4xNgIDAo2FMAkGBSsOAwIaBQCggbEw GAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDAwNzI1MTQxOTQw WjAjBgkqhkiG9w0BCQQxFgQUha3f19z0GxCaeHDzmGZjpjlpdP8wUgYJKoZIhvcNAQkPMUUw QzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICAUAw DQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYBMdeYtcPlry/gsDEHfhg46Nai3Rw4K x+u6NOaXwQwA/xVeiauDXPfra/dbxaeaJ+pUWXCmeP2G82ZNSC6n0UJIdwQd1bgkxwEBsDyY gEGJIcOX2znw8iAe/yETxz8O3Xwkj6RN8Cx7lxsxnPXb4CO/2wNOBIMolrWmlEMXSlIFiA== --------------ms37DFA3252E5CB540AA82D9AB-- Received: from mail-fwd.verio-web.com (mail11a.verio-web.com [161.58.16.57]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA25413 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 07:09:51 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11a.verio-web.com (RS ver 1.0.57s) with SMTP id 01831958; Tue, 25 Jul 2000 10:12:40 -0400 (EDT) Sender: rsalz Message-ID: <397DA065.ACE1D1A4@caveosystems.com> Date: Tue, 25 Jul 2000 10:12:53 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Joerg Seidel <seidel@maz-hh.de> CC: ietf-pkix@imc.org Subject: Re: OCSP request References: <3.0.5.32.20000725152251.00aac160@localhost> <3.0.5.32.20000725155017.03aee580@localhost> <397D9EAA.192DBF85@maz-hh.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 > The problem is that OCSP does not tell you whether the certificate was already > issued at the time of the signature. It only says it was not revoked. Depends on the OCSP implementation. Some (e.g., Valicert last I looked) can only say "not revoked" while some (e.g., CertCo last I looked) can also say "not known" /r$ Received: from naigwy (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA24850 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 07:03:32 -0700 (PDT) Received: FROM aunt15.ausys.se BY naigwy ; Tue Jul 25 16:04:36 2000 +0200 Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id <PLMLFRZ0>; Tue, 25 Jul 2000 16:06:01 +0200 Message-ID: <C0E81C20AD21D311BDB200805FCCD9412F62CF@aunt9.ausys.se> From: Simon Tardell <simon.tardell@iD2tech.com> To: "'Richard Levitte'" <richard.levitte@celocom.se>, Juergen Brauckmann <brauckmann@trustcenter.de> Cc: Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at>, IETF PKIX Mailing List <ietf-pkix@imc.org> Subject: RE: OCSP request Date: Tue, 25 Jul 2000 16:06:34 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" > > Why isn't it sufficient to get a fresh OCSP response? The OCSP response > > itself contains either a revocation date or "good". The first you can > > compare against your time interval, and in the latter case you have the > > validity period of the certificate... . > > If I understand everything correctly, Karl is after verifying > the signature of a > > document that was signed, say, 3 months ago. 2 months ago, the certificate > got compromised and is therefore not "good" anymore, but it may still be > interesting to check if the certificate was valid at the time of signature, and > from what I understand item 2 above, Karl would like to see > the possibility to do that kind of check with OCSP. If you don't allow for certificate suspension there is no problem. If the certificate revocation date is less than two months ago, it's ok. If the certificate is expired now, you also have to know if and for how long the status of the certificate will be kept in the database. Certificate suspension is not allowed under German signature law, and perhaps also not Austrian, so if we're talking SigG compliant certs there is no such need. Now, if a key gets compromised, you cannot trust *any* signatures by that key (before or after compromise), because you cannot trust the signer's assertion of what time it was. A practical system has to protect itself from that somehow. Enters time stamping. A time stamping service would probably check the revocation status of the signatory cert and store that together with the time stamp. If you are willing to take the consequences reverse time effects of key compromise (you don't do timestamping), and if you allow for certificate suspension, the question "was this certificate valid at this time" makes sense. Simon Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from mail-relay-1.maz.net (mail-relay-1.maz.net [194.163.252.17]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA24673 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 07:02:36 -0700 (PDT) Received: from sysiphos.maz-hh.de (sysiphos.maz-hh.de [192.109.56.14]) by mail-relay-1.maz.net (8.9.3) with ESMTP id <QAA04080> for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 16:05:36 +0200 (MET DST) Received: from maz-hh.de (sp-pc-sej.maz-hh.de [192.109.56.145]) by sysiphos.maz-hh.de (8.9.3/8.9.3) with ESMTP id QAA26181 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 16:05:06 +0200 (MEST) Message-ID: <397D9EAA.192DBF85@maz-hh.de> Date: Tue, 25 Jul 2000 16:05:30 +0200 From: Joerg Seidel <seidel@maz-hh.de> Organization: timeproof X-Mailer: Mozilla 4.5 [de] (WinNT; U) X-Accept-Language: de MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: OCSP request References: <3.0.5.32.20000725152251.00aac160@localhost> <3.0.5.32.20000725155017.03aee580@localhost> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Juergen Brauckmann schrieb: > > At 15:43 25.07.00 +0200, Richard Levitte wrote: > >document that was signed, say, 3 months ago. 2 months ago, the certificate > >got compromised and is therefore not "good" anymore, but it may still be > >interesting to check if the certificate was valid at the time of signature, > > And this is possible with plain OCSP because the OCSP response contains the > state "revoked" and the date of the revocation, which would hopefully be > *after* the assumed signature generation date. The problem is that OCSP does not tell you whether the certificate was already issued at the time of the signature. It only says it was not revoked. OCSP can therefore not answer "historical questions". You need to keep a timestamped certificate yourself besides the signature. Or as Karl puts it you need "to attach all this verification stuff to all signed documents." Joerg -- __________________________________________________________________ Jörg Seidel phone +49-40-76629-1911 Director Technology fax +49-40-76629-551 timeproof GmbH Harburger Schloßstraße 6-12 mailto:seidel@timeproof.de DE 21079 Hamburg http://www.timeproof.de __________________________________________________________________ Received: from mail-fwd.verio-web.com (mail11a.verio-web.com [161.58.16.57]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA24091 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 06:55:45 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11a.verio-web.com (RS ver 1.0.57s) with SMTP id 01804917; Tue, 25 Jul 2000 09:58:12 -0400 (EDT) Sender: rsalz Message-ID: <397D9CFF.4DA191DC@caveosystems.com> Date: Tue, 25 Jul 2000 09:58:23 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Richard Levitte <richard.levitte@celocom.se> CC: Juergen Brauckmann <brauckmann@trustcenter.de>, Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at>, IETF PKIX Mailing List <ietf-pkix@imc.org> Subject: Re: OCSP request References: <3.0.5.32.20000725152251.00aac160@localhost> <397D9970.F082BD32@celocom.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 What about the OCSP "archive cutoff" extension? A signer who wishes proof of validity could generate an OCSP query on himself, using a NONCE which is the "real" signature. The signed OCSP reply could then "be" the signature, right? Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA23188 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 06:47:51 -0700 (PDT) Received: by mystic1.trustcenter.de; id PAA20620; Tue, 25 Jul 2000 15:48:42 +0200 Received: from nodnsquery(192.168.200.3) by mystic1.trustcenter.de via smap (V5.0) id xma020614; Tue, 25 Jul 00 15:48:39 +0200 Received: from ew-jbr (titan.trustcenter.de [192.168.200.244]) by callisto.trustcenter.de (8.9.3/8.9.3) with SMTP id PAA29640; Tue, 25 Jul 2000 15:50:18 +0200 (MET DST) Message-Id: <3.0.5.32.20000725155017.03aee580@localhost> X-Sender: jbr@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 25 Jul 2000 15:50:17 +0200 To: ietf-pkix@imc.org From: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: Re: OCSP request Cc: Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at> In-Reply-To: <397D9970.F082BD32@celocom.se> References: <3.0.5.32.20000725152251.00aac160@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id GAA23191 At 15:43 25.07.00 +0200, Richard Levitte wrote: >document that was signed, say, 3 months ago. 2 months ago, the certificate >got compromised and is therefore not "good" anymore, but it may still be >interesting to check if the certificate was valid at the time of signature, And this is possible with plain OCSP because the OCSP response contains the state "revoked" and the date of the revocation, which would hopefully be *after* the assumed signature generation date. Juergen -- Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 Sonninstraße 24-28 mailto:brauckmann@trustcenter.de D-20097 Hamburg http://www.trustcenter.de Received: from ns.celocom.se (firewall-user@ns.celocom.se [212.209.40.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA22304 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 06:41:04 -0700 (PDT) Received: by ns.celocom.se; id PAA03400; Tue, 25 Jul 2000 15:44:04 +0200 (CEST) Received: from seexchange.celocom.se(10.10.10.11) by ns.celocom.se via smap (4.1) id xma003332; Tue, 25 Jul 00 15:43:40 +0200 Received: from celocom.se (levitte.celocom.se [10.10.10.124]) by seexchange.celocom.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 3YLHH2NK; Tue, 25 Jul 2000 15:47:00 +0200 Sender: levitte@celocom.se Message-ID: <397D9970.F082BD32@celocom.se> Date: Tue, 25 Jul 2000 15:43:12 +0200 From: Richard Levitte <richard.levitte@celocom.se> Organization: Celo Communications, Ltd. X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Juergen Brauckmann <brauckmann@trustcenter.de> CC: Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at>, IETF PKIX Mailing List <ietf-pkix@imc.org> Subject: Re: OCSP request References: <3.0.5.32.20000725152251.00aac160@localhost> Content-Type: multipart/mixed; boundary="------------BF1F32DEA19E9ED875CC6C81" This is a multi-part message in MIME format. --------------BF1F32DEA19E9ED875CC6C81 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Juergen Brauckmann wrote: > At 15:03 25.07.00 +0200, Karl Scheibelhofer wrote: > >to verify a signature, it is necessary to find out, if the certificate used > >for signing was valid when the signature was created. normally it is only > >possible to fix the time the signature was created in a time interval; e.g. > >between two timestamps. > >to find out, if the certificate was valid during this time interval, i see > >two options: > > > >1. i can get the certificate status information when i create the signature, > >timestamp it, and attach the whole thing to the signed document. > > > >2. have a extended OCSP protocol that allows to request this information > > Why isn't it sufficient to get a fresh OCSP response? The OCSP response > itself contains either a revocation date or "good". The first you can > compare against your time interval, and in the latter case you have the > validity period of the certificate... . If I understand everything correctly, Karl is after verifying the signature of a document that was signed, say, 3 months ago. 2 months ago, the certificate got compromised and is therefore not "good" anymore, but it may still be interesting to check if the certificate was valid at the time of signature, and from what I understand item 2 above, Karl would like to see the possibility to do that kind of check with OCSP. Karl, have I understood you correctly? -- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */ --------------BF1F32DEA19E9ED875CC6C81 Content-Type: text/x-vcard; charset=us-ascii; name="richard.levitte.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Richard Levitte Content-Disposition: attachment; filename="richard.levitte.vcf" begin:vcard n:Levitte;Richard tel;cell:+46-733-72 8811 tel;work:+46-8-58 72 8811 x-mozilla-html:FALSE org:<A HREF="http://www.celocom.com">Celo Communications</A> version:2.1 email;internet:richard.levitte@celocom.se title:Software Artist adr;quoted-printable:;;Sveav=E4gen 145, 5tr=0D=0AStockholm;;;;SWEDEN note;quoted-printable:<br>=0D=0A<table border=3D0>=0D=0A<tr>=0D=0A <td bgcolor=3D"#00ffff">c=EAlo, =E2vi, =E2tum, (latin) 1,v.a.=0D=0A to hide something from one, to keep secret, to conceal.=0D=0A </td>=0D=0A</tr>=0D=0A</table>=0D=0A<br>=0D=0A<table border=3D3>=0D=0A<tr>=0D=0A <td>=0D=0A <table>=0D=0A <tr>=0D=0A <td valign=3Dtop>o/~</td>=0D=0A <td><font size=3D-1>Coding, coding, coding</font><br>=0D=0A Keep'em hackers coding<br>=0D=0A <font size=3D+1>And When They're Done Coding</font><br>=0D=0A <font size=3D7>COMPIIIIIIILE!!</font></td>=0D=0A </tr>=0D=0A </table>=0D=0A </td>=0D=0A</tr>=0D=0A</table> fn:Richard Levitte end:vcard --------------BF1F32DEA19E9ED875CC6C81-- Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA20880 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 06:21:22 -0700 (PDT) Received: by mystic1.trustcenter.de; id PAA20416; Tue, 25 Jul 2000 15:21:42 +0200 Received: from nodnsquery(192.168.200.3) by mystic1.trustcenter.de via smap (V5.0) id xma020409; Tue, 25 Jul 00 15:21:11 +0200 Received: from ew-jbr (titan.trustcenter.de [192.168.200.244]) by callisto.trustcenter.de (8.9.3/8.9.3) with SMTP id PAA28438; Tue, 25 Jul 2000 15:22:51 +0200 (MET DST) Message-Id: <3.0.5.32.20000725152251.00aac160@localhost> X-Sender: jbr@localhost X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Tue, 25 Jul 2000 15:22:51 +0200 To: "Karl Scheibelhofer" <Karl.Scheibelhofer@iaik.at>, "IETF PKIX Mailing List" <ietf-pkix@imc.org> From: Juergen Brauckmann <brauckmann@trustcenter.de> Subject: Re: OCSP request In-Reply-To: <NDBBJJNFOMNNKFDPLCDJGEIOCCAA.Karl.Scheibelhofer@iaik.at> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id GAA20881 At 15:03 25.07.00 +0200, Karl Scheibelhofer wrote: >to verify a signature, it is necessary to find out, if the certificate used >for signing was valid when the signature was created. normally it is only >possible to fix the time the signature was created in a time interval; e.g. >between two timestamps. >to find out, if the certificate was valid during this time interval, i see >two options: > >1. i can get the certificate status information when i create the signature, >timestamp it, and attach the whole thing to the signed document. > >2. have a extended OCSP protocol that allows to request this information Why isn't it sufficient to get a fresh OCSP response? The OCSP response itself contains either a revocation date or "good". The first you can compare against your time interval, and in the latter case you have the validity period of the certificate... . Juergen -- Juergen Brauckmann Tel.: +49 (0)40 / 80 80 26-3 11 TC TrustCenter GmbH Fax.: +49 (0)40 / 80 80 26-1 26 Sonninstraße 24-28 mailto:brauckmann@trustcenter.de D-20097 Hamburg http://www.trustcenter.de Received: from iaik.tu-graz.ac.at (excalibur.iaik.tu-graz.ac.at [129.27.152.30]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA19903 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 06:00:39 -0700 (PDT) Received: from hades [129.27.152.143] by iaik.tu-graz.ac.at (SMTPD32-6.00) id A02C3580094; Tue, 25 Jul 2000 15:03:40 +0200 Received: from localhost [127.0.0.1] by hades (IAIK S/MIME Mapper 2.0beta1 14/January/2000); Tue, 25 Jul 2000 15:03:01 +0100 From: "Karl Scheibelhofer" <Karl.Scheibelhofer@iaik.at> To: "IETF PKIX Mailing List" <ietf-pkix@imc.org> Subject: OCSP request Date: Tue, 25 Jul 2000 15:03:01 +0200 Message-ID: <NDBBJJNFOMNNKFDPLCDJGEIOCCAA.Karl.Scheibelhofer@iaik.at> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal to verify a signature, it is necessary to find out, if the certificate used for signing was valid when the signature was created. normally it is only possible to fix the time the signature was created in a time interval; e.g. between two timestamps. to find out, if the certificate was valid during this time interval, i see two options: 1. i can get the certificate status information when i create the signature, timestamp it, and attach the whole thing to the signed document. 2. have a extended OCSP protocol that allows to request this information are there any attempts to integrate such a feature to OCSP? i think that this would be a valuable feature for OCSP. it would avoid the necessity to attach all this verification stuff to all signed documents. with best regards, Karl Scheibelhofer -- Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.at> Institute for Applied Information Processing and Communications (IAIK) at Technical University of Graz, Austria, http://www.iaik.at Phone: (+43) (316) 873-5540 Received: from auemlsrv.firewall.lucent.com (auemail1.lucent.com [192.11.223.161]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA11372 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 04:12:27 -0700 (PDT) Received: from auemlsrv.firewall.lucent.com (localhost [127.0.0.1]) by auemlsrv.firewall.lucent.com (Pro-8.9.3/8.9.3) with ESMTP id HAA09557 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 07:15:24 -0400 (EDT) Received: from anuxc.mv.lucent.com (h135-13-160-12.lucent.com [135.13.160.12]) by auemlsrv.firewall.lucent.com (Pro-8.9.3/8.9.3) with ESMTP id HAA09552; Tue, 25 Jul 2000 07:15:23 -0400 (EDT) Received: from irene by anuxc.mv.lucent.com (8.8.8+Sun/EMS-1.5 sol2) id HAA05125; Tue, 25 Jul 2000 07:12:46 -0400 (EDT) Message-Id: <4.1.20000725065615.03592b80@anuxc.mv.lucent.com> X-Sender: irg@anuxc.mv.lucent.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 25 Jul 2000 07:02:05 -0400 To: Aram Perez <aram@pacbell.net> From: Irene Gassko <gassko@lucent.com> Subject: Re: A Real Rationale for Dedicated Keys Cc: PKIX <ietf-pkix@imc.org> In-Reply-To: <B5A1F8E8.161D%aram@pacbell.net> References: <02fb01bff529$10467360$8802a8c0@eracom.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Hi folks, At 01:45 PM 07/24/2000 -0700, Aram Perez wrote: >Hi Simon M., >> Hi Aram, >>>> Much more likely is that the owner *will* show up to the CA or one of its >>>> RAs to get a NR certificate. Anything less will probably fail to meet the >>>> legal requirements for NR and be worth no more than a NR=0 cert. >>> While I mostly agree, what you are stating is impractical. Very few will use >>> digital signatures that "meet the legal requirements for NR" if they have to >>> physically show up to the CA. >> They just have to show up to an RA. You cant open a bank account without >> showing up to a bank branch and authenticating yourself yourself. Bank staff >> are required to sight authentication documentation usually including photo >> ID such as a passport. >I haven't tried, but I believe that you can open up a bank account with one >of the "Internet Banks" without physically showing up. > This this true. I opened a bank account by mail just by filling out an application they sent me and sending them a check. I believe that a money order would also be fine with them. Irene ---------------------------------------------------------------------------- ------------------------------------------------------- Irene Gassko Bell Laboratories http://www.lucent.com Lucent Technologies Secure Technologies Dept. 1600 Osgood Street phone: (978) 960-5767 Room 30-2-A31 e-mail: gassko@lucent.com N. Andover, MA 01845 fax: (978) 960-3240 Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA08578 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 03:35:10 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA24645; Tue, 25 Jul 2000 06:38:09 -0400 (EDT) Message-Id: <200007251038.GAA24645@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-technr-01.txt Date: Tue, 25 Jul 2000 06:38:09 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Technical Requirements for a non-Repudiation Service Author(s) : T. Gindin Filename : draft-ietf-pkix-technr-01.txt Pages : 7 Date : 24-Jul-00 This document describes those features of a service which processes signed documents which must be present in order for that service to constitute a 'technical non-repudiation' service. A technical non-repudiation service must permit an independent verifier to determine whether a given signature was applied to a given data object by the private key associated with a given valid certificate, at a time later than the signature. The features of a technical non- repudiation service are expected to be necessary for a full non- repudiation service, although they may not be sufficient. This document is intended to clarify the definition of the 'non-repudiation' service in RFC 2459. It should thus serve as a guide to when the nonRepudiation bit of the keyUsage extension should be set and to when a Certificate Authority is required to archive CRL's. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-technr-01.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-technr-01.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-technr-01.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000724142618.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-technr-01.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-technr-01.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000724142618.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from prithvi.psi.soft.net (prithvi.psi.soft.net [164.164.48.3]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA22534 for <ietf-pkix@imc.org>; Tue, 25 Jul 2000 00:31:35 -0700 (PDT) Received: from psi.soft.net ([164.164.48.70]) by prithvi.psi.soft.net (8.9.0/8.9.0) with ESMTP id MAA15470; Tue, 25 Jul 2000 12:56:36 +0500 Message-ID: <397D438F.597DB6EF@psi.soft.net> Date: Tue, 25 Jul 2000 13:06:47 +0530 From: Venkateswara Reddy A <avenkat@pulastya.csa.iisc.ernet.in> X-Mailer: Mozilla 4.7 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Jean Abraham <jean.med@arabtrust.com>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <LPBBLAPIGLOAGIHKOOGDCEONCBAA.jean.med@arabtrust.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Jean Abraham wrote: > Paul, > > Private keys are also embeded in the browser as well as on a Luna Token. > > MD5 or hash.... are algorithms that generate the public key and private key > and also used for encryption purposes. MD5 or hash algos generate public key and private key. huh absolutely wrong stmt regards Venkat > Now if a application has to be > subverted it can only be done with the operators knowledge or the creator of > the application. Regarding the virus, a virus cannot attack a private key. > The virus creator needs to know the algorithm of the private key or the > public key which will enable the virus to act. Which is why any CA that > generates end-user certificates are generated or created with utmost > security in mind. > > I hope that clears everything > > Jean > > -----Original Message----- > From: Paul Koning [mailto:pkoning@xedia.com] > Sent: Wednesday, July 19, 2000 4:53 PM > To: jean.med@arabtrust.com > Cc: ietf-pkix@imc.org > Subject: RE: Signing what you don't understand > > >>>>> "Jean" == Jean Abraham <jean.med@arabtrust.com> writes: > > Jean> Digital signatures generation or creation is not based on the > Jean> O/S of a particular PC but on the software that is used to > Jean> generate it. The most important apsect in a digital > Jean> certificate(which is used to create a digital signature - end > Jean> user) is that the private key is always with the owner and > Jean> never in transist. > > You're entirely missing the issue that started this long string of > notes. > > First of all, the private key is "always with the owner" *only* if you > have a smartcard with embedded PKI engine. Those exist but there > certainly are plenty of PK signing scenarios where they are not used. > > Second, and this is what started things, the data being signed (hash > or whatever) are supplied to the signing engine by application > software. If the application is subverted (easy to do with a number > of very popular applications) OR the underlying OS is subverted, an > attacker can supply different data to be signed from what you thought > you were signing. > > So the OS is absolutely part of the puzzle; it is not sufficient to > consider only "the software that is used to generate [the > signature]". The application may well be the weakest link, of course; > certainly in a number of well-known cases the application is indeed > the open barn door through which the viruses enter. But it is by no > means the only possible barn door. > > paul Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA19902 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 23:52:40 -0700 (PDT) Received: from mega (t6o69p18.telia.com [213.64.110.138]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id IAA21804; Tue, 25 Jul 2000 08:55:31 +0200 (CEST) Message-ID: <002001bff60d$971d70c0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Stephen Kent" <kent@bbn.com>, "Stefan Santesson" <stefan@accurata.se> Cc: <ietf-pkix@imc.org> Subject: Re: I-D ACTION:draft-ietf-pkix-qc-05.txt Date: Tue, 25 Jul 2000 09:54:35 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id XAA19905 Stefan, some comments¨ >May I draw your attention to the updated QC 05 where the uniqueness >requirement stated in RFC 2459 (and son of) has been clarified to count for >the whole lifetime of the CA. Congratulations! To me it seems that it is now actually possible to express a software algorithm for comparing certificates for *equality*. I.e. removing "handled with care" to case A: do this (if you like). cases B: don't try this at home kids! >From the same section (security considerations) "This implies that the CA must perform proof-of-possession of the private key. In addition, it implies that the CA have some knowledge about the subject's cryptographic module." Why is there not a pre-defined policy attribute for specifying something about the key container? The Germans have it already AFIK. It seems possible that a single QC CA could allow different container types but some RPs may not accept soft containers. A commercial CA is highly likely to have to do some compromizes like that and let "the market decide". Then this "market" needs a way to qualify products in a *simple* way. It would probably work in such a way that *if* a user ever got a soft certificate the "account" as a whole will be treated as "soft" due to lowered security standards. Anders Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA19153 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 23:45:32 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id QAA13398; Tue, 25 Jul 2000 16:47:54 +1000 (EST) Message-ID: <03bd01bff605$887f3290$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Aram Perez" <aram@pacbell.net>, "PKIX" <ietf-pkix@imc.org> References: <B5A1F8E8.161D%aram@pacbell.net> Subject: Re: A Real Rationale for Dedicated Keys Date: Tue, 25 Jul 2000 16:56:08 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Hi Aram, > > I haven't tried, but I believe that you can open up a bank account with one > of the "Internet Banks" without physically showing up. > They must depend on some existing on-line identity that they can authenticate you against or not care about your identity just the amount of $$ you can deposit with them. How safe are your funds with these banks ? How much credit do they give you ? > > Again, I don't want to regurgitate last year's discussion on the validity of > the NR bit. I believe that you can have non-repudiation without NR=1, and > that I can repudiate, whether or not NR=1. > Fair enough but this list has been discussing two uses of certificates, that is NR-type signatures and authentication type ones (non-NR). Whether the NR-bit is the mechanism to support that or not I dont know but it sounds like something that should be decided soon to prevent implementations diverging on this point and becoming less interoperable. Regards, Simon Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA23891 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 14:47:31 -0700 (PDT) Received: from santesson.accurata.se (t3o68p118.telia.com [62.20.139.118]) by popmail.inbox.se (8.9.3/8.9.3) with ESMTP id XAA08299; Mon, 24 Jul 2000 23:50:16 +0200 Message-Id: <4.3.2.7.2.20000724233736.031ace98@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 24 Jul 2000 23:51:04 +0200 To: Stephen Kent <kent@bbn.com>, Paul Koning <pkoning@xedia.com> From: Stefan Santesson <stefan@accurata.se> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Cc: ietf-pkix@imc.org In-Reply-To: <v04220801b5a1fc3cfe4f@[171.78.30.107]> References: <14716.17757.863072.996773@xedia.com> <001201bff55f$457cac80$0201a8c0@mega.vincent.se> <14716.17757.863072.996773@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed May I draw your attention to the updated QC 05 where the uniqueness requirement stated in RFC 2459 (and son of) has been clarified to count for the whole lifetime of the CA. section 2.4 now states: "The distinguished name MUST be unique for each subject entity certified by the one CA as defined by the issuer name field, during the whole life time of the CA." This is actually nothing new, rather a clarification of the existing technical concept of DNs. An compliant implementation can simply not be based on CA's using the same DN for several different entities. It is reasonable to assume that this is the intent behind the original X.501 definition of DNs. "Distinguished name is originally defined in X.501 [X.501] as a representation of a directory name, defined as a construct that identifies a particular object from among the set of all objects." We are not talking about unintentional mistakes here (which always can happen) but the concept of operation. /Stefan At 10:02 2000-07-24 -0400, Stephen Kent wrote: >At 9:32 AM -0400 7/24/00, Paul Koning wrote: >> >>>>> "Anders" == Anders Rundgren <anders.rundgren@telia.com> writes: >> >> Anders>... >> Anders> Pardon the flaming tone, but I think that this discussion is >> Anders> purely theoretical (=totally uninteresting) as long as no >> Anders> representatives from any CAs have confirmed that they will >> Anders> reuse DNs. Cowards? No, pure reality.... Not a single >> Anders> serious CA will reuse DNs! >> >>I don't believe that for a moment. >> >>The only plausible requirement on DNs is that they are unique at a >>given point in time. >> >>It is in no way credible that DNs would be unique over all time. >>That's like saying DNS hostnames are unique over all time (i.e., once >>I pick a name no one else may ever use that name in the future). >> >>To put it differently, I've *never* seen a naming system that >>pretended to implement the "unique for all time" restriction. Numeric >>ID systems, sure. (Consider the UUID in OSF RPC, copied by >>Microsoft.) DNs I've seen tend to consist of the usual combinations >>of organization name, personal name, etc. No sign ever of a >>guaranteed not to be reused sequence number or the like that would >>cause it to act as you claim. >> >>I could imagine that some CA might want to attempt to create such a >>guarantee for some specialized purpose applied to a select set of >>names, but to claim that every CA does this for every DN is something >>I don't see supported by any evidence I've ever come across. > >Although I rarely find myself agreeing with Anders, I must do so here >:-). While the phrase "for all time" may be a bit strong, it is >reasonable to assume that a CA can maintain records on all the subjects >they certify for a very long time. I believe some laws that have evolved >to support the use of digital signatures impose pretty strong requirements >on CAs to do precisely this. > >Steve Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA22891 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 14:04:50 -0700 (PDT) Received: from [192.168.1.71] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY7003ROYXX65@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Mon, 24 Jul 2000 13:44:23 -0700 (PDT) Date: Mon, 24 Jul 2000 13:45:12 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: A Real Rationale for Dedicated Keys In-reply-to: <02fb01bff529$10467360$8802a8c0@eracom.com.au> To: PKIX <ietf-pkix@imc.org> Message-id: <B5A1F8E8.161D%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Simon M., > Hi Aram, > >>> >>> Much more likely is that the owner *will* show up to the CA or one of > its >>> RAs to get a NR certificate. Anything less will probably fail to meet > the >>> legal requirements for NR and be worth no more than a NR=0 cert. >> >> While I mostly agree, what you are stating is impractical. Very few will > use >> digital signatures that "meet the legal requirements for NR" if they have > to >> physically show up to the CA. >> > They just have to show up to an RA. You cant open a bank account without > showing up to a bank branch and authenticating yourself yourself. Bank staff > are required to sight authentication documentation usually including photo > ID such as a passport. I haven't tried, but I believe that you can open up a bank account with one of the "Internet Banks" without physically showing up. > > I suspect that any commercial CA will partner with some organisation that > has a branch network such as a Bank or Post Office to make showing up less > of a problem. Maybe even McDonalds will get into the RA business :-). Would > you like a certificate with that burger ? The US Post Office has been trying to into the CA business for years without success. And what is McDonalds going to prove? That you ordered a burger ;-) > > You cant support trust to the level where NR is possible without > authenticating the subjects and making them accountable for what they > declare at registration time. E.g. that they understand their obligations > regarding their private key. This really has to happen OOB since most people > and organisations dont have an established authenticatable on-line presence. > Perhaps at some time people and organisations will have a sufficient level > of on-line identity so that they can be authenticated on line but they have > to start off-line somewhere. > > I would suspect that NR=1 quality certificates will start with few big > businesses and filter down to small businesses that wish to participate, > then to individuals who may be used to NR=0 certificates. Again, I don't want to regurgitate last year's discussion on the validity of the NR bit. I believe that you can have non-repudiation without NR=1, and that I can repudiate, whether or not NR=1. Regards, Aram Perez Received: from tholian.securitydynamics.com (tholian.securid.com [204.167.112.129]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id NAA21047 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 13:22:35 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 24 Jul 2000 20:25:21 UT Received: from exna00.securitydynamics.com (exna00.securitydynamics.com [10.2.1.110]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA21331 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 16:24:15 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2448.0) id <PDC2Y976>; Mon, 24 Jul 2000 16:25:30 -0400 Message-ID: <F504A8CEE925D411AF4A00508B8BE90A02DA11@exna07.securitydynamics.com> From: "Linn, John" <jlinn@rsasecurity.com> To: ietf-pkix@imc.org Subject: RE: I-D ACTION:draft-ietf-pkix-ipki-pkalgs-00.txt Date: Mon, 24 Jul 2000 16:25:21 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" A few quick comments re pkalgs-00: Some of the contents of Section 2 seem incongruous, given the algorithm-focused scope of this document. I'm not sure, for example, whether or how the contents of 2.1 (about assumed communications environments) are intended to relate to the algorithms within; this seems a system-level issue which might fit in son-of-2459 but is a higher level of abstraction than the algorithms discussed here. Other subsections of Section 2 have the same character. Also, sections 2.2 and 2.4 describe the document's goals as specific to ECDSA; if retained, they should probably be broadened to cover all of the algorithm families described in the document. Per 3.1.1, an IPR statement posted earlier this year on http://www.ietf.org/ietf/IPR/RSA-MD-all removes the PEM-specific treatment of MD2, permitting (like MD4 and MD5) its implementation independent of usage. Per 3.2.1, suggest updating PKCS #1 reference from RFC-2313 (corresponding to PKCS #1, v. 1.5) to RFC-2437 (corresponding to PKCS #1, v. 2), which obsoleted 2313; the defined signature method and associated OIDs are unchanged between these versions. --jl Received: from enigma.qualcomm.com (enigma.qualcomm.com [129.46.2.228]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA20715 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 13:18:07 -0700 (PDT) Received: (from root@localhost) by enigma.qualcomm.com (8.9.3/8.9.3/8.9) id NAA13405; Mon, 24 Jul 2000 13:20:30 -0700 (PDT) Received: from qualcomm.com (qualcomm.com [192.35.156.11]) by enigma.qualcomm.com (8.9.3/8.9.3/8.9) with ESMTP id NAA13395 for <lgl@qualcomm.com>; Mon, 24 Jul 2000 13:20:29 -0700 (PDT) Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by qualcomm.com with ESMTP id NAA15070 for <lgl@qualcomm.com>; Mon, 24 Jul 2000 13:21:03 -0700 (PDT) Received: from localhost (daemon@localhost) by ns.secondary.com (8.9.3/8.9.3) with SMTP id NAA20434; Mon, 24 Jul 2000 13:12:45 -0700 (PDT) Received: by mail.imc.org (bulk_mailer v1.12); Mon, 24 Jul 2000 13:12:07 -0700 Received: from ntserver2.chrysalis-its.com ([209.47.245.163]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA20325 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 13:12:06 -0700 (PDT) From: FRousseau@chrysalis-its.com Received: by NTSERVER2 with Internet Mail Service (5.5.2650.21) id <PGAB5CB2>; Mon, 24 Jul 2000 16:15:50 -0400 Message-ID: <918C70B01822D411A87400B0D0204DFF04C0C1@panda.chrysalis-its.com> To: housley@spyrus.com Cc: ietf-pkix@imc.org, Peter.Sylvester@edelweb.fr, Denis.Pinkas@bull.net Subject: RE: I-D ACTION:draft-ietf-pkix-new-part1-02.txt Date: Mon, 24 Jul 2000 16:15:35 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF5AB.F534425E" Precedence: bulk List-Archive: http://www.imc.org/ietf-pkix/mail-archive/ List-ID: <ietf-pkix.imc.org> List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF5AB.F534425E Content-Type: text/plain; charset="iso-8859-1" Russ, I agree with Peter, there was a long debate on the Time Stamping draft about the use of AIA extension. It was resolved by replacing the reference to the AIA extension in Section 2.3 of the draft-ietf-pkix-time-stamp-08.txt version to a reference to the Subject Information Access (SIA) extension, which was supposed to be defined in the next version of the son of RFC2459. Francois ___________________________________ Francois Rousseau Director of Standards and Conformance Chrysalis-ITS 1688 Woodward Drive Ottawa, Ontario, CANADA, K2C 3R7 frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. 419 http://www.chrysalis-its.com Fax. (613) 723-5078 -----Original Message----- From: Russ Housley [mailto:housley@spyrus.com] Sent: Monday, July 24, 2000 2:10 PM To: Peter Sylvester Cc: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-new-part1-02.txt It was dropped because no one found a need for the certificate to include a pointer to other information about the subject. AIA is used to locate certificates, OCSP responders, CRLs, and so on, but there is not a similar requirement for the subject. Russ At 01:55 PM 07/24/2000 +0200, Peter Sylvester wrote: >Some time ago I had asked the question about the history >of the Subject Access Information which is mentioned >in the latest time stamping draft and which was available >at least in draft 4 of the rfc 2459, and no longer in draft 6. > >I might have overlooked the message explaining why it had been >dropped. > >My question might also been swamped by many other message, >thus I'd like to repeat to ask one of the document editors >of either 2459bis or the time stamping about the current >situation. > >Thanks in advance ------_=_NextPart_001_01BFF5AB.F534425E Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: I-D ACTION:draft-ietf-pkix-new-part1-02.txt</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ,</FONT> </P> <P><FONT SIZE=3D2>I agree with Peter, there was a long debate on the = Time Stamping draft about the use of AIA extension. It was resolved by = replacing the reference to the AIA extension in Section 2.3 of the = draft-ietf-pkix-time-stamp-08.txt version to a reference to the Subject = Information Access (SIA) extension, which was supposed to be defined in = the next version of the son of RFC2459.</FONT></P> <P><FONT SIZE=3D2>Francois</FONT> <BR><FONT SIZE=3D2>___________________________________</FONT> <BR><FONT SIZE=3D2>Francois Rousseau</FONT> <BR><FONT SIZE=3D2>Director of Standards and Conformance</FONT> <BR><FONT SIZE=3D2>Chrysalis-ITS</FONT> <BR><FONT SIZE=3D2>1688 Woodward Drive</FONT> <BR><FONT SIZE=3D2>Ottawa, Ontario, CANADA, K2C 3R7</FONT> <BR><FONT = SIZE=3D2>frousseau@chrysalis-its.com Tel. = (613) 723-5076 ext. 419</FONT> <BR><FONT SIZE=3D2><A HREF=3D"http://www.chrysalis-its.com" = TARGET=3D"_blank">http://www.chrysalis-its.com</A> &nbs= p; Fax. (613) 723-5078</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Russ Housley [<A = HREF=3D"mailto:housley@spyrus.com">mailto:housley@spyrus.com</A>]</FONT>= <BR><FONT SIZE=3D2>Sent: Monday, July 24, 2000 2:10 PM</FONT> <BR><FONT SIZE=3D2>To: Peter Sylvester</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: I-D = ACTION:draft-ietf-pkix-new-part1-02.txt</FONT> </P> <BR> <P><FONT SIZE=3D2>It was dropped because no one found a need for the = certificate to include a </FONT> <BR><FONT SIZE=3D2>pointer to other information about the = subject. AIA is used to locate </FONT> <BR><FONT SIZE=3D2>certificates, OCSP responders, CRLs, and so on, but = there is not a similar </FONT> <BR><FONT SIZE=3D2>requirement for the subject.</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> <BR> <P><FONT SIZE=3D2>At 01:55 PM 07/24/2000 +0200, Peter Sylvester = wrote:</FONT> </P> <BR> <P><FONT SIZE=3D2>>Some time ago I had asked the question about the = history</FONT> <BR><FONT SIZE=3D2>>of the Subject Access Information which is = mentioned</FONT> <BR><FONT SIZE=3D2>>in the latest time stamping draft and which was = available</FONT> <BR><FONT SIZE=3D2>>at least in draft 4 of the rfc 2459, and no = longer in draft 6.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I might have overlooked the message explaining = why it had been</FONT> <BR><FONT SIZE=3D2>>dropped.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>My question might also been swamped by many = other message,</FONT> <BR><FONT SIZE=3D2>>thus I'd like to repeat to ask one of the = document editors</FONT> <BR><FONT SIZE=3D2>>of either 2459bis or the time stamping about the = current</FONT> <BR><FONT SIZE=3D2>>situation.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Thanks in advance</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF5AB.F534425E-- Received: from ntserver2.chrysalis-its.com ([209.47.245.163]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA20325 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 13:12:06 -0700 (PDT) From: FRousseau@chrysalis-its.com Received: by NTSERVER2 with Internet Mail Service (5.5.2650.21) id <PGAB5CB2>; Mon, 24 Jul 2000 16:15:50 -0400 Message-ID: <918C70B01822D411A87400B0D0204DFF04C0C1@panda.chrysalis-its.com> To: housley@spyrus.com Cc: ietf-pkix@imc.org, Peter.Sylvester@EdelWeb.fr, Denis.Pinkas@bull.net Subject: RE: I-D ACTION:draft-ietf-pkix-new-part1-02.txt Date: Mon, 24 Jul 2000 16:15:35 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF5AB.F534425E" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF5AB.F534425E Content-Type: text/plain; charset="iso-8859-1" Russ, I agree with Peter, there was a long debate on the Time Stamping draft about the use of AIA extension. It was resolved by replacing the reference to the AIA extension in Section 2.3 of the draft-ietf-pkix-time-stamp-08.txt version to a reference to the Subject Information Access (SIA) extension, which was supposed to be defined in the next version of the son of RFC2459. Francois ___________________________________ Francois Rousseau Director of Standards and Conformance Chrysalis-ITS 1688 Woodward Drive Ottawa, Ontario, CANADA, K2C 3R7 frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. 419 http://www.chrysalis-its.com Fax. (613) 723-5078 -----Original Message----- From: Russ Housley [mailto:housley@spyrus.com] Sent: Monday, July 24, 2000 2:10 PM To: Peter Sylvester Cc: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-new-part1-02.txt It was dropped because no one found a need for the certificate to include a pointer to other information about the subject. AIA is used to locate certificates, OCSP responders, CRLs, and so on, but there is not a similar requirement for the subject. Russ At 01:55 PM 07/24/2000 +0200, Peter Sylvester wrote: >Some time ago I had asked the question about the history >of the Subject Access Information which is mentioned >in the latest time stamping draft and which was available >at least in draft 4 of the rfc 2459, and no longer in draft 6. > >I might have overlooked the message explaining why it had been >dropped. > >My question might also been swamped by many other message, >thus I'd like to repeat to ask one of the document editors >of either 2459bis or the time stamping about the current >situation. > >Thanks in advance ------_=_NextPart_001_01BFF5AB.F534425E Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: I-D ACTION:draft-ietf-pkix-new-part1-02.txt</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ,</FONT> </P> <P><FONT SIZE=3D2>I agree with Peter, there was a long debate on the = Time Stamping draft about the use of AIA extension. It was resolved by = replacing the reference to the AIA extension in Section 2.3 of the = draft-ietf-pkix-time-stamp-08.txt version to a reference to the Subject = Information Access (SIA) extension, which was supposed to be defined in = the next version of the son of RFC2459.</FONT></P> <P><FONT SIZE=3D2>Francois</FONT> <BR><FONT SIZE=3D2>___________________________________</FONT> <BR><FONT SIZE=3D2>Francois Rousseau</FONT> <BR><FONT SIZE=3D2>Director of Standards and Conformance</FONT> <BR><FONT SIZE=3D2>Chrysalis-ITS</FONT> <BR><FONT SIZE=3D2>1688 Woodward Drive</FONT> <BR><FONT SIZE=3D2>Ottawa, Ontario, CANADA, K2C 3R7</FONT> <BR><FONT = SIZE=3D2>frousseau@chrysalis-its.com Tel. = (613) 723-5076 ext. 419</FONT> <BR><FONT SIZE=3D2><A HREF=3D"http://www.chrysalis-its.com" = TARGET=3D"_blank">http://www.chrysalis-its.com</A> &nbs= p; Fax. (613) 723-5078</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Russ Housley [<A = HREF=3D"mailto:housley@spyrus.com">mailto:housley@spyrus.com</A>]</FONT>= <BR><FONT SIZE=3D2>Sent: Monday, July 24, 2000 2:10 PM</FONT> <BR><FONT SIZE=3D2>To: Peter Sylvester</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: I-D = ACTION:draft-ietf-pkix-new-part1-02.txt</FONT> </P> <BR> <P><FONT SIZE=3D2>It was dropped because no one found a need for the = certificate to include a </FONT> <BR><FONT SIZE=3D2>pointer to other information about the = subject. AIA is used to locate </FONT> <BR><FONT SIZE=3D2>certificates, OCSP responders, CRLs, and so on, but = there is not a similar </FONT> <BR><FONT SIZE=3D2>requirement for the subject.</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> <BR> <P><FONT SIZE=3D2>At 01:55 PM 07/24/2000 +0200, Peter Sylvester = wrote:</FONT> </P> <BR> <P><FONT SIZE=3D2>>Some time ago I had asked the question about the = history</FONT> <BR><FONT SIZE=3D2>>of the Subject Access Information which is = mentioned</FONT> <BR><FONT SIZE=3D2>>in the latest time stamping draft and which was = available</FONT> <BR><FONT SIZE=3D2>>at least in draft 4 of the rfc 2459, and no = longer in draft 6.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I might have overlooked the message explaining = why it had been</FONT> <BR><FONT SIZE=3D2>>dropped.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>My question might also been swamped by many = other message,</FONT> <BR><FONT SIZE=3D2>>thus I'd like to repeat to ask one of the = document editors</FONT> <BR><FONT SIZE=3D2>>of either 2459bis or the time stamping about the = current</FONT> <BR><FONT SIZE=3D2>>situation.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Thanks in advance</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF5AB.F534425E-- Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA17905 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 11:08:09 -0700 (PDT) Received: from rhousley_laptop ([209.172.119.205]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id LAA06588; Mon, 24 Jul 2000 11:10:30 -0700 (PDT) Message-Id: <4.2.0.58.20000724140820.00a79a50@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Mon, 24 Jul 2000 14:09:54 -0400 To: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> From: Russ Housley <housley@spyrus.com> Subject: Re: I-D ACTION:draft-ietf-pkix-new-part1-02.txt Cc: ietf-pkix@imc.org In-Reply-To: <200007241155.NAA27533@emeriau.edelweb.fr> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed It was dropped because no one found a need for the certificate to include a pointer to other information about the subject. AIA is used to locate certificates, OCSP responders, CRLs, and so on, but there is not a similar requirement for the subject. Russ At 01:55 PM 07/24/2000 +0200, Peter Sylvester wrote: >Some time ago I had asked the question about the history >of the Subject Access Information which is mentioned >in the latest time stamping draft and which was available >at least in draft 4 of the rfc 2459, and no longer in draft 6. > >I might have overlooked the message explaining why it had been >dropped. > >My question might also been swamped by many other message, >thus I'd like to repeat to ask one of the document editors >of either 2459bis or the time stamping about the current >situation. > >Thanks in advance Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA14715 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 08:44:12 -0700 (PDT) Received: from rhousley_laptop ([209.172.119.205]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id IAA04388; Mon, 24 Jul 2000 08:46:01 -0700 (PDT) Message-Id: <4.2.0.58.20000722160845.00a91690@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Sat, 22 Jul 2000 16:13:04 -0400 To: "Bob Jueneman" <bjueneman@novell.com> From: Russ Housley <housley@spyrus.com> Subject: Re: Dual-signed certificates Cc: <ben@algroup.co.uk>, <thayes@netscape.com>, <ietf-pkix@imc.org> In-Reply-To: <s97828bb.021@prv-mail20.provo.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Bob: There are some significant technical issues here. The subject cannot sign first because it does not know the values that will be assigned for several fields, like the serial number. The subject cannot sign second either. The insertion of an additional extension will break the issuer signature. Thus, to proceed in this vain, complex processing must be defined that says which parts of the certificate a re coved by the subject signature in the extension. I think that the processing is complex enough.... Russ At 10:41 AM 07/21/2000 -0600, Bob Jueneman wrote: >Ben, > >[snip] > > >Since a certificate is comprised of public information signed by a CA, > >clearly a CA can create a certificate saying more-or-less what they > >want. I suppose this is an argument for having certificates that are > >dual-signed (by the CA and the public key the contain). > >Duh! Head-slapping! What a great idea! I'd love to see this added to >X.509 v3 as an optional, noncritical extension. > >For years, especially within the ABA, we have talked about the need >for the user to explicitly confirm acceptance of the certificate, but at >present >there is no good way to confirm acceptance, except by procedures >that are not verifiable by any relying party. Obviously, having the user >sign the certificate herself would confirm acceptance. > >Now, granted, if a rogue CA wanted to create a bogus certificate >containing my name and their public key, they could also sign the >certificate, since they would possess the private key. > >However, this threat tends to evaporate as soon as the real user signs >something which in all likelihood only that user could have done. >and the more transactions that are signed, the more confidence that >it really is the user -- in fact irrespective of the certificate, because the >confidence in a signature tends to increase though repetitive use. > >As an aside, I sometimes get into arguments with people about whether, >and how, trusted roots should be incorporated within browsers, etc. > >My experience is that I often receive a signed e-mail from someone whose >root is not in my cache of trusted roots. Because in most cases the >authentication >of the user isn't exactly life and death (users who post to this list, for >example), >I tend to click OK and add that root to my cache. Now, one certificate >authenticated by that root doesn't prove much, but by the time I've received >three or four certificates all signed by the US DOD Medium Assurance CA, >for example, I have a greatly increased confidence that that root is bone >fide. > >Bob Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA06758 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 07:00:54 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA10980; Mon, 24 Jul 2000 10:03:45 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v04220801b5a1fc3cfe4f@[171.78.30.107]> In-Reply-To: <14716.17757.863072.996773@xedia.com> References: <001201bff55f$457cac80$0201a8c0@mega.vincent.se> <14716.17757.863072.996773@xedia.com> Date: Mon, 24 Jul 2000 10:02:39 -0400 To: Paul Koning <pkoning@xedia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 9:32 AM -0400 7/24/00, Paul Koning wrote: > >>>>> "Anders" == Anders Rundgren <anders.rundgren@telia.com> writes: > > Anders>... > Anders> Pardon the flaming tone, but I think that this discussion is > Anders> purely theoretical (=totally uninteresting) as long as no > Anders> representatives from any CAs have confirmed that they will > Anders> reuse DNs. Cowards? No, pure reality.... Not a single > Anders> serious CA will reuse DNs! > >I don't believe that for a moment. > >The only plausible requirement on DNs is that they are unique at a >given point in time. > >It is in no way credible that DNs would be unique over all time. >That's like saying DNS hostnames are unique over all time (i.e., once >I pick a name no one else may ever use that name in the future). > >To put it differently, I've *never* seen a naming system that >pretended to implement the "unique for all time" restriction. Numeric >ID systems, sure. (Consider the UUID in OSF RPC, copied by >Microsoft.) DNs I've seen tend to consist of the usual combinations >of organization name, personal name, etc. No sign ever of a >guaranteed not to be reused sequence number or the like that would >cause it to act as you claim. > >I could imagine that some CA might want to attempt to create such a >guarantee for some specialized purpose applied to a select set of >names, but to claim that every CA does this for every DN is something >I don't see supported by any evidence I've ever come across. Although I rarely find myself agreeing with Anders, I must do so here :-). While the phrase "for all time" may be a bit strong, it is reasonable to assume that a CA can maintain records on all the subjects they certify for a very long time. I believe some laws that have evolved to support the use of digital signatures impose pretty strong requirements on CAs to do precisely this. Steve Received: from dfw7-1.relay.mail.uu.net (dfw7-1.relay.mail.uu.net [199.171.54.106]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA05674 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 06:29:38 -0700 (PDT) Received: from xedia.com by dfw7sosrv11.alter.net with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQizfq09622; Mon, 24 Jul 2000 13:32:15 GMT Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA16626; Mon, 24 Jul 00 09:28:19 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id JAA16355; Mon, 24 Jul 2000 09:32:14 -0400 From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <14716.17757.863072.996773@xedia.com> Date: Mon, 24 Jul 2000 09:32:13 -0400 (EDT) To: anders.rundgren@telia.com Cc: ietf-pkix@imc.org, Peter.Sylvester@EdelWeb.fr, egerck@nma.com Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt References: <001201bff55f$457cac80$0201a8c0@mega.vincent.se> X-Mailer: VM 6.72 under 21.1 (patch 9) "Canyonlands" XEmacs Lucid >>>>> "Anders" == Anders Rundgren <anders.rundgren@telia.com> writes: Anders>... Anders> Pardon the flaming tone, but I think that this discussion is Anders> purely theoretical (=totally uninteresting) as long as no Anders> representatives from any CAs have confirmed that they will Anders> reuse DNs. Cowards? No, pure reality.... Not a single Anders> serious CA will reuse DNs! I don't believe that for a moment. The only plausible requirement on DNs is that they are unique at a given point in time. It is in no way credible that DNs would be unique over all time. That's like saying DNS hostnames are unique over all time (i.e., once I pick a name no one else may ever use that name in the future). To put it differently, I've *never* seen a naming system that pretended to implement the "unique for all time" restriction. Numeric ID systems, sure. (Consider the UUID in OSF RPC, copied by Microsoft.) DNs I've seen tend to consist of the usual combinations of organization name, personal name, etc. No sign ever of a guaranteed not to be reused sequence number or the like that would cause it to act as you claim. I could imagine that some CA might want to attempt to create such a guarantee for some specialized purpose applied to a select set of names, but to claim that every CA does this for every DN is something I don't see supported by any evidence I've ever come across. paul Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA04960 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 06:07:22 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id PAA00306; Mon, 24 Jul 2000 15:10:18 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Mon, 24 Jul 2000 15:10:18 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id PAA12809; Mon, 24 Jul 2000 15:10:16 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id PAA27558; Mon, 24 Jul 2000 15:10:16 +0200 (MET DST) Date: Mon, 24 Jul 2000 15:10:16 +0200 (MET DST) Message-Id: <200007241310.PAA27558@emeriau.edelweb.fr> To: ietf-pkix@imc.org, anders.rundgren@telia.com Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Since I have been CC:ed in this, here it goes. > Peter, > > I have a feeling that this discussion has not much to do with technicalties. Are you negatively criticising or appreaciating this? Do you want to discuss techniques or other things? You are asking for a technical big brother feature that can be exploited by RPs in order to solve a possible organisational problem, and this technical final solution is not exactly acceptable in many places. > It will be the *market* that will tell what is right and what is wrong! Since I do not really know what you mean by market, and since I do not agree with your first sentence I am not sure what I should answer. At least this is not a technical comment. > > I don't think that the guys who sell certs with non-unique/resissued DNs will be very > successful. And that is what counts seen from my $-perspective. IMHO a CA will do what the RPs require, and not the other way around. See below. But this again is not a technical comment, so I don't care. > > You and Ed and other firm believers in other models will have to prove > that there is a market for your ideas otherwise you will just find that your > (probably) home-brewed certificates aren't accepted in too many places. I am not clear of what model you are talking. If your model is that you get a unique ID after birth tatooed on you body in a bar code together with an implanted electronic device inside your body, no I do not believe in that. I believe that technology is a means to help people to live together or alone, and the technology can never require to change organisational and cultural principles. I don't have to prove anything, and I never had talked about what I think would be a market, at least not recently during this thread (threat?) . > > Pardon the flaming tone, but I think that this discussion is purely theoretical > (=totally uninteresting) as long as no representatives from any CAs > have confirmed that they will reuse DNs. Cowards? No, pure reality.... Request accepted, this applies also to me :-) This is theoretical even when CAs will talk; as long as you do not know what the requirement from RPs, = application contexts, the discussion is also useless. > Not a single serious CA will reuse DNs! I have never said the contrary, nor did I confirm that. This depends on the understanding and the context on how DN are constructed. If you allow to rely on that in any application context, you explicitely put a requireemnt on the CA operator in a standard. If in a application context a CA operates the certificate management in that way, RPs may or may not rely on that, for example a tax payer ID is probabaly never allocated twice. But this ID is created in the beginning in such a way that avoids collisions. Or in other words, at least, I do not see that a CA would reuse a DN, if there is anything left to get to the old information by some reasonable means. > > >> Actually the only reason for me requiring that DNs are not reused is to cope with > >> (the highly likely) situation where a user "shows" a newly issued cert containing > >> a DN/CA that the particular RP already knows about. It should be a no-brainer > >> (=pure/simple/stupid software algorithm) to conclude that it is the same person. > >> > >Which can be done differently: You sign with the old cert and the new cert a doc > >explaining that this belongs to the same person. > > Which requires that the old certs still exists which is not the case if you dropt it somewhere. So: get the CA give you that statement of equivalence. This CAN be done by reusing the DN, but you can also be done differently. If you loose everything of your identity, and you go to the RA asking that you need a replacement of something that you do no longer have, what are you doing to prove that your are really the person? > > >Or, in other words, the > >equivalence will be established explicitely by the only interested party, > >and not implicitely in an error prone way. > > In what way (again assuming that the CA "knows" its subjects and do not reissue DNs) > whould my proposal be error-prone? If you don't have to rely on something, you cannot have an error. If you rely on that, and either in the context of successor CAs or multiple CAs, you just have at least moved the 'cert equivalence' problem to a CA cert equivalence problem. How do you know that it is the same CA that issues the data? How do you establish in a correct way the fact that two certs represent the same entity when several CAs are involved? Or, I would like to see the simple algorithm to determine whether two certs are identical, even in case of CA cert roll-over or replacement etc. W /PS Received: from fep03-svc.tin.it (mta03-acc.tin.it [212.216.176.34]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA04521 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 05:51:58 -0700 (PDT) From: stabane@tin.it Received: from fep12-svc.tin.it ([212.216.177.132]) by fep03-svc.tin.it (InterMail vM.4.01.02.27 201-229-119-110) with ESMTP id <20000724125410.HVLG1039.fep03-svc.tin.it@fep12-svc.tin.it> for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 14:54:10 +0200 To: <ietf-pkix@imc.org> Reply-To: stabane@tin.it Subject: Re: Dual-signed certificates: Attribute Certificate ?? MIME-Version: 1.0 Content-Type: text/plain Message-Id: <20000724125410.HVLG1039.fep03-svc.tin.it@fep12-svc.tin.it> Date: Mon, 24 Jul 2000 14:54:10 +0200 Maybe this can be considered out of topic, but following this discussion it came in to my mind a well established procedure that in Italy dramatically speeds up the relationships with public administration bureaucracy, this is called "auto certificazione" (litteraly self certification). In a few words, everyone can self sign and subscribe declarations about his status (civil status, domicile, family status, etc.) and use this declarations, together with Identity card, when interacting with civil autorities. For a digital equivalent my first thought is about attribute certificates, I am not very familiar with AC and I don't know if this can be achieved with present specifications and profile. Perhaps something like self signed AC can be useful not only for public administration but also for enterprise PKI for attributes that are not delegated to specific attribute autorithy but are under the direct responsability of the employee. Sergio Tabanelli Project Manager & Consultant Fabbrica Servizi Telematici (FST) sergio.tabanelli@fst.it Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA03411 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 04:52:28 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id NAA29549 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 13:55:23 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Mon, 24 Jul 2000 13:55:23 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id NAA12294 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 13:55:22 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id NAA27533 for ietf-pkix@imc.org; Mon, 24 Jul 2000 13:55:22 +0200 (MET DST) Date: Mon, 24 Jul 2000 13:55:22 +0200 (MET DST) Message-Id: <200007241155.NAA27533@emeriau.edelweb.fr> To: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-new-part1-02.txt Some time ago I had asked the question about the history of the Subject Access Information which is mentioned in the latest time stamping draft and which was available at least in draft 4 of the rfc 2459, and no longer in draft 6. I might have overlooked the message explaining why it had been dropped. My question might also been swamped by many other message, thus I'd like to repeat to ask one of the document editors of either 2459bis or the time stamping about the current situation. Thanks in advance Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA01680 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 03:35:11 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA09123; Mon, 24 Jul 2000 06:38:06 -0400 (EDT) Message-Id: <200007241038.GAA09123@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-cmp-transport-protocols-01.txt Date: Mon, 24 Jul 2000 06:38:06 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Transport Protocols for CMP Author(s) : A. Kapoor, R. Tschalar Filename : draft-ietf-pkix-cmp-transport-protocols-01.txt Pages : Date : 21-Jul-00 This document describes how to layer Certificate Management Protocols [CMP] over various transport protocols. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-cmp-transport-protocols-01.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-cmp-transport-protocols-01.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-cmp-transport-protocols-01.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000721172335.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-cmp-transport-protocols-01.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-cmp-transport-protocols-01.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000721172335.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA01631 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 03:35:06 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA09111; Mon, 24 Jul 2000 06:38:02 -0400 (EDT) Message-Id: <200007241038.GAA09111@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-pkixrep-00.txt Date: Mon, 24 Jul 2000 06:38:02 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Repository Locator Service Author(s) : S. Boeyen, P. Hallam-Baker Filename : draft-ietf-pkix-pkixrep-00.txt Pages : 3 Date : 21-Jul-00 This document defines a PKI repository locator service. The service makes use of DNS SRV records defined in accordance with RFC 2782. The service enables certificate using systems to locate PKI repositories based on a domain name, identify the protocols that can be used to access the repository, and obtain addresses for the servers that host the repository service. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-pkixrep-00.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-pkixrep-00.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-pkixrep-00.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000721172324.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-pkixrep-00.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-pkixrep-00.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000721172324.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA01569 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 03:35:02 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA09067; Mon, 24 Jul 2000 06:37:57 -0400 (EDT) Message-Id: <200007241037.GAA09067@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-qc-05.txt Date: Mon, 24 Jul 2000 06:37:57 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Qualified Certificates Profile Author(s) : S. Santesson, T. Polk, P. Barzin, M. Nystrom Filename : draft-ietf-pkix-qc-05.txt Pages : 34 Date : 21-Jul-00 This document forms a certificate profile for Qualified Certificates, based on RFC 2459, for use in the Internet. The term Qualified Certificate is used to describe a certificate with a certain qualified status within applicable governing law. Further, Qualified Certificates are issued exclusively to physical persons. The goal of this document is to define a general syntax independent of local legal requirements. The profile is however designed to allow further profiling in order to meet specific local needs. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-qc-05.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-qc-05.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-qc-05.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000721172314.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-qc-05.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-qc-05.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000721172314.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA01556 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 03:34:57 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA09042; Mon, 24 Jul 2000 06:37:53 -0400 (EDT) Message-Id: <200007241037.GAA09042@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-ipki-pkalgs-00.txt Date: Mon, 24 Jul 2000 06:37:52 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Representation of Public Keys and Digital Signatures in Internet X.509 Public Key Infrastructure Certificates Author(s) : L. Bassham, R. Housley, W. Polk Filename : draft-ietf-pkix-ipki-pkalgs-00.txt Pages : 28 Date : 21-Jul-00 This is the first draft of a specification of algorithm identifiers and encoding formats for the representation of cryptographic keys, associated parameters and digital sigantures in Internet Public Key Infrastructure X.509 certificates and certificate revocation lists. This specification was created by combining Section 7, Cryptographic Support, from RFC 2459 with the Internet-Draft 'Representation of Elliptic Curve Digital Signature Algorithm (ECDSA) Keys and Signatures in Internet X.509 Public Key Infrastructure Certificates'. This specification is a companion to the 'son of 2459'; implementations must also conform to 'son of 2459'. This document does not define the cryptographic algorithms themselves; instead, it references other appropriate standards. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-ipki-pkalgs-00.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-ipki-pkalgs-00.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-ipki-pkalgs-00.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000721172301.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-ipki-pkalgs-00.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-ipki-pkalgs-00.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000721172301.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA01544 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 03:34:52 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA08995; Mon, 24 Jul 2000 06:37:48 -0400 (EDT) Message-Id: <200007241037.GAA08995@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-new-part1-02.txt Date: Mon, 24 Jul 2000 06:37:48 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Certificate and CRL Profile Author(s) : R. Housley, W. Ford, W. Polk, D. Solo Filename : draft-ietf-pkix-new-part1-02.txt Pages : 115 Date : 21-Jul-00 This is the first draft of a specification based upon RFC 2459. When complete, this specification will obsolete RFC 2459. This specification includes numerous edits and clarifications. The most notable departures from RFC 2459 are found in Section 6, Path Validation. In RFC 2459, the reader was expected to augment the path validation algorithm, which concentrated upon policy processing, with information embedded in earlier sections. For example, parameter inheritance is discussed in Section 7, Algorithm Support, and can certainly affect the validity of a certification path. However, parameter inheritance was omitted from the path validation algorithm in RFC 2459. In this draft, the path validation algorithm has a comprehensive and extremely detailed description. Details such as parameter inheritance are covered thoroughly. In addition, this draft anticipates certain corrections proposed in the X.509 standard for the policy processing aspects of path validation. A new section 6.3, CRL validation, has been added as well. This section provides a supplement to the path validation algorithm that determines if a particular CRL may be used to verify the status of a particular certificate. (The basic path validation algorithm is, by design, independent of the type and format of status information.) This memo profiles the X.509 v3 certificate and X.509 v2 CRL for use in the Internet. An overview of the approach and model are provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms (e.g., IP addresses). Standard certificate extensions are described and one new Internet-specific extension is defined. A required set of certificate extensions is specified. The X.509 v2 CRL format is described and a required extension set is defined as well. An algorithm for X.509 certificate path validation is described. Supplemental infor A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-new-part1-02.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-new-part1-02.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-new-part1-02.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000721172251.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-new-part1-02.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-new-part1-02.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000721172251.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA28622 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 03:04:52 -0700 (PDT) Received: from mega (t4o69p36.telia.com [62.20.145.156]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id MAA12606; Mon, 24 Jul 2000 12:07:46 +0200 (CEST) Message-ID: <001201bff55f$457cac80$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "PKIX-List" <ietf-pkix@imc.org>, "Peter Sylvester" <Peter.Sylvester@EdelWeb.fr> Cc: "Ed Gerck" <egerck@nma.com> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Mon, 24 Jul 2000 13:06:51 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id DAA28623 Peter, I have a feeling that this discussion has not much to do with technicalties. It will be the *market* that will tell what is right and what is wrong! I don't think that the guys who sell certs with non-unique/resissued DNs will be very successful. And that is what counts seen from my $-perspective. You and Ed and other firm believers in other models will have to prove that there is a market for your ideas otherwise you will just find that your (probably) home-brewed certificates aren't accepted in too many places. Pardon the flaming tone, but I think that this discussion is purely theoretical (=totally uninteresting) as long as no representatives from any CAs have confirmed that they will reuse DNs. Cowards? No, pure reality.... Not a single serious CA will reuse DNs! Anders >> Actually the only reason for me requiring that DNs are not reused is to cope with >> (the highly likely) situation where a user "shows" a newly issued cert containing >> a DN/CA that the particular RP already knows about. It should be a no-brainer >> (=pure/simple/stupid software algorithm) to conclude that it is the same person. >> >Which can be done differently: You sign with the old cert and the new cert a doc >explaining that this belongs to the same person. Which requires that the old certs still exists which is not the case if you dropt it somewhere. >Or, in other words, the >equivalence will be established explicitely by the only interested party, >and not implicitely in an error prone way. In what way (again assuming that the CA "knows" its subjects and do not reissue DNs) whould my proposal be error-prone? Anders Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id CAA27862 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 02:36:48 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id KAA19834; Mon, 24 Jul 2000 10:54:57 +0100 Message-ID: <397C0E9D.B1DC1A29@algroup.co.uk> Date: Mon, 24 Jul 2000 10:38:37 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: tgindin@us.ibm.com CC: pgut001@cs.auckland.ac.nz, bjueneman@novell.com, ietf-pkix@imc.org Subject: Re: Dual-signed certificates References: <85256925.0057AADC.00@D51MTA04.pok.ibm.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit tgindin@us.ibm.com wrote: > > Responses below. I don't think parallel signatures from the CA and > the user are a very good idea, but the user's enveloping signature might be > another matter. Agreed, now I've thought about it some more. > > Getting the acceptance itself into the ordinary certificate would > not > > be feasible. > > Why not? > > [Tom Gindin] Because an acceptance signature comes after the issuer > signature, or else it doesn't cover the issuer signature. In any case, the > current signature format is not designed for dual simultaneous signatures. Right - I was assuming an updated certificate format! Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA27829 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 02:36:39 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id LAA29120; Mon, 24 Jul 2000 11:43:26 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id LAA19228; Mon, 24 Jul 2000 11:39:01 +0200 Message-ID: <397C0EB6.91D7183D@bull.net> Date: Mon, 24 Jul 2000 11:39:02 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Aram Perez <aram@pacbell.net> CC: PKIX <ietf-pkix@imc.org> Subject: Re: Signing what you don't understand References: <B59DBC8C.1587%aram@pacbell.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Aram, > Hi Denis P., > > > ETSI Standard ES 201733 mandates the signature time as a signed > > attribute of the CMS structure. > > How widely implemented/used is this standard? This standard has been published in April 2000. It will take some time before it gets implemented. > Who determines the signature > time? Is the signature time "certified"? Look at the details. Everything is explained within the document. > > An informational draft RFC based on > > that standard is available from: > > > > http://www.ietf.org/internet-drafts/draft-ietf-smime-esformats-01.txt > > How long before this "informational draft RFC" becomes a standard? Since the basic document (i.e. ES 201733) is copyrighted by ETSI, but the IETF has been given the right to publish the document, but not to modify it. Hence the reason why it will stay has INFORMATIONAL. The basic document is available for free from the ETSI site. (http://www.etsi.org) Denis > Regards, > Aram Perez Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id CAA27584 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 02:34:04 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id KAA19824; Mon, 24 Jul 2000 10:53:37 +0100 Message-ID: <397C0E4E.2FFBE520@algroup.co.uk> Date: Mon, 24 Jul 2000 10:37:18 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Simon Tardell <simon.tardell@iD2tech.com> CC: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: Re: Dual-signed certificates References: <C0E81C20AD21D311BDB200805FCCD9412F62C2@aunt9.ausys.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Simon Tardell wrote: > > > Eh? What does this have to do with web-of-trust? This is to do with > > contracts (i.e. the one between the subject and the issuer). > > It is? If there is a contract involved, the certificate is only half of it, > the other half being your certificate request. Perhaps so, but I don't see how this either invalidates my point or has anything to do with web-of-trust. > Is a driver's license a > contract? Does it put me under any obligations simply having one? Or does > using it put me under obligations? This seems like a red herring to me, but perhaps I'm missing something. > > Anyway, the point you are making appears to reinforce my point, not > > argue against it: no-one can work out whether a CA is honest, but the > > subject signs the cert, they can at least work out that _the subject_ > > trusts them (within the context of the issued cert, of course)! > > The parenthesis is my problem with this. You have to anchor your trust > somewhere, either in the CA, or in the subject. And if you already trust the > subject public key, what use is the cert in the first place (especially > since you don't derive any further trust from it)? A certificate is more than a simple wrapper for a public key - it binds the key to a set of attributes. The fact that I trust the key does not allow me to know that, for example, the issuer has authorised them to perform some actions, but the cert does. > But I think there is a much simpler answer to this. If I don't agree to what > the CA wrote into my cert, I don't use that cert (if you don't agree to the > name that goes with the picture in your driver's license, don't drive on > that license). That would mean that any signature would also have to include (a reference to) the cert(s) that are agreed to by the signer, which would be another way to approach the matter, but doesn't just drop out of existing standards. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA26024 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 01:35:24 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA28140; Mon, 24 Jul 2000 10:42:10 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id KAA37092; Mon, 24 Jul 2000 10:37:45 +0200 Message-ID: <397C005A.1FB74EA4@bull.net> Date: Mon, 24 Jul 2000 10:37:46 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Bob Jueneman <bjueneman@novell.com> CC: ietf-pkix@imc.org Subject: Re: Dual-signed certificates References: <s97828bb.021@prv-mail20.provo.novell.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Bob, Altough there has been other people commenting on your initial message, I re-use it. > Ben, > > [snip] > > >Since a certificate is comprised of public information signed by a CA, > >clearly a CA can create a certificate saying more-or-less what they > >want. I suppose this is an argument for having certificates that are > >dual-signed (by the CA and the public key the contain). > > Duh! Head-slapping! What a great idea! I'd love to see this added to > X.509 v3 as an optional, noncritical extension. > > For years, especially within the ABA, we have talked about the need > for the user to explicitly confirm acceptance of the certificate, but at present > there is no good way to confirm acceptance, except by procedures > that are not verifiable by any relying party. Obviously, having the user > sign the certificate herself would confirm acceptance. There exists a way, including by a procedure that is verifiable for every received signature by any relying party. In the stuff that got signed, you include the identifier of the certificate. This may be done by using CMS (or is mandated in ES 201733). There is no need to invent a double-signed certificate. Denis > Now, granted, if a rogue CA wanted to create a bogus certificate > containing my name and their public key, they could also sign the > certificate, since they would possess the private key. > > However, this threat tends to evaporate as soon as the real user signs > something which in all likelihood only that user could have done. > and the more transactions that are signed, the more confidence that > it really is the user -- in fact irrespective of the certificate, because the > confidence in a signature tends to increase though repetitive use. > > As an aside, I sometimes get into arguments with people about whether, > and how, trusted roots should be incorporated within browsers, etc. > > My experience is that I often receive a signed e-mail from someone whose > root is not in my cache of trusted roots. Because in most cases the authentication > of the user isn't exactly life and death (users who post to this list, for example), > I tend to click OK and add that root to my cache. Now, one certificate > authenticated by that root doesn't prove much, but by the time I've received > three or four certificates all signed by the US DOD Medium Assurance CA, > for example, I have a greatly increased confidence that that root is bone fide. > > Bob Received: from naigwy (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id BAA25549 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 01:03:52 -0700 (PDT) Received: FROM aunt15.ausys.se BY naigwy ; Mon Jul 24 10:04:51 2000 +0200 Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id <PLMLFCBG>; Mon, 24 Jul 2000 10:06:15 +0200 Message-ID: <C0E81C20AD21D311BDB200805FCCD9412F62C2@aunt9.ausys.se> From: Simon Tardell <simon.tardell@iD2tech.com> To: "'Ben Laurie'" <ben@algroup.co.uk>, Simon Tardell <simon.tardell@iD2tech.com> Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: RE: Dual-signed certificates Date: Mon, 24 Jul 2000 10:06:22 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" > Eh? What does this have to do with web-of-trust? This is to do with > contracts (i.e. the one between the subject and the issuer). It is? If there is a contract involved, the certificate is only half of it, the other half being your certificate request. Is a driver's license a contract? Does it put me under any obligations simply having one? Or does using it put me under obligations? > I do find it strange that there seems to be this kind of knee-jerk > reaction that says "if it isn't a CA signing, then it must be > web-of-trust, and that's bad". No, I believe there are perfectly valid domains for web-of-trust. > Anyway, the point you are making appears to reinforce my point, not > argue against it: no-one can work out whether a CA is honest, but the > subject signs the cert, they can at least work out that _the subject_ > trusts them (within the context of the issued cert, of course)! The parenthesis is my problem with this. You have to anchor your trust somewhere, either in the CA, or in the subject. And if you already trust the subject public key, what use is the cert in the first place (especially since you don't derive any further trust from it)? But I think there is a much simpler answer to this. If I don't agree to what the CA wrote into my cert, I don't use that cert (if you don't agree to the name that goes with the picture in your driver's license, don't drive on that license). Cheers, Simon Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA25077 for <ietf-pkix@imc.org>; Mon, 24 Jul 2000 00:46:11 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id JAA34294; Mon, 24 Jul 2000 09:52:57 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id JAA19202; Mon, 24 Jul 2000 09:48:33 +0200 Message-ID: <397BF4D1.FB71C50D@bull.net> Date: Mon, 24 Jul 2000 09:48:33 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Tony Bartoletti <azb@llnl.gov> CC: ietf-pkix@imc.org Subject: Re: A Real Rationale for Dedicated Keys References: <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> <4.2.2.20000720150730.00aa3540@poptop.llnl.gov> <4.2.2.20000721120241.00b1d800@poptop.llnl.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Tony, See my response at the bottom. > At 11:20 AM 7/21/00 +0200, Denis Pinkas wrote: > > > I agree with the main points, and I worked from the assumption that > > > CAs will not certify without POP (certainly not NR without POP!). > > > >This is just the contrary: A CA can issue a certificate without POP, > >if the certificate contains the NR bit. Hence is the reason: That > >certificate shall only be used in a trusted environment (e.g. *not* > >a door lock) where, by some means, there is some assurance of *what* > >is being signed; in particular, which document is being signed and > >which format is being used for the signature. Since the certificate > >shall only be used with a trusted sofwtare, it is possible to > >mandate properties for that trusted software; in particular, that it > >SHALL always include the identifier of the signer's certificate and > >protect it under the digital signature. > > > >As soon as the private key is *only* used with signature formats > >that contain the identifier of the certificate protected under the > >digital signature, this provides "real-time" POP. In other words, > >only the entity owning the private key is able to include the right > >certificate identifier. If a CA has issued a certificate without > >POP, this does not matter anymore, since only the legitimate entity > >able to use the private key will be able to sign under the > >certificate that contains the matching public key. Security is a mix > >of security mechanisms and security procedures. In this case, we > >rely on "good cryptography" rather than security procedures (that > >may be hard and long to verify "after the fact"). > > Denis, > > What you write implies that NR-keys will not be employed by "ordinary > users" for undertaking mid-high level internet transactions. > > Maybe that is a "good thing". > > But while I support the real-time-POP, I question the guarantee that > the "right" person possess the key in the first place. > > Are you suggesting that a CA might create a key-pair (via trusted > key-device) and then create/issue an NR-certificate under your > name, BEFORE (or EVER) ascertaining that the private key/device > is in your hands? No. It is not what I had in mind. The scenario I am think of, does not imply that the CA creates the key-pair. A user will ask the CA to have an identity associated with a public key usable for NR purposes (i.e. with the NR bit set, DS bit not set). The CA will of course keep track of the request (i.e. will keep the registration information provides at that time). In that case, after proper warning of the user, the CA does not need to perform POP. Denis > > ___tony___ > > Tony Bartoletti 925-422-3881 <azb@llnl.gov> > Information Operations, Warfare and Assurance Center > Lawrence Livermore National Laboratory > Livermore, CA 94551-9900 Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA23673 for <ietf-pkix@imc.org>; Sun, 23 Jul 2000 23:54:33 -0700 (PDT) Received: from mega (t2o69p49.telia.com [62.20.144.169]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id IAA11762; Mon, 24 Jul 2000 08:57:22 +0200 (CEST) Message-ID: <002001bff544$acd3dbd0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Ed Gerck" <egerck@nma.com> Cc: "IETF-PXIX" <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Mon, 24 Jul 2000 09:56:28 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id XAA23674 Ed, short reply >> Probably you don't agree to the idea that a CA/RA should/can keep records of its subjects. >> That makes the discussion somewhat uninteresting as this is the foundation of >> most CAs in the X500-world. > >I don't see the connection between keeping records (which is mandated by law, for >example) and *permanently using* those records. Those records are history, not >present. The problem is that "history" means different things to different people. If someone dies he/she is "history" but not all RPs knows that. I.e. "history" simply *cannot* be a parameter in this ball-game! Or, maybe you could *here and now* describe how CAs should resissue DNs?! Actually the only reason for me requiring that DNs are not reused is to cope with (the highly likely) situation where a user "shows" a newly issued cert containing a DN/CA that the particular RP already knows about. It should be a no-brainer (=pure/simple/stupid software algorithm) to conclude that it is the same person. AGAIN: This requirement is COMPLETELY *independent* of the CA scope. Be it national, federal, local, corporate, customer register etc. Anders Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA22731 for <ietf-pkix@imc.org>; Sun, 23 Jul 2000 23:11:19 -0700 (PDT) Received: from nma.com ([63.204.17.82]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY600EE7UKWD1@mta6.snfc21.pbi.net> for ietf-pkix@imc.org; Sun, 23 Jul 2000 23:12:32 -0700 (PDT) Date: Sun, 23 Jul 2000 23:13:02 -0700 From: Ed Gerck <egerck@nma.com> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt To: Anders Rundgren <anders.rundgren@telia.com> Cc: IETF-PXIX <ietf-pkix@imc.org> Message-id: <397BDE6E.FF011A65@nma.com> MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; I) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <001801bff534$3317b740$0201a8c0@mega.vincent.se> Anders Rundgren wrote: > Ed, > > I think you take the concept of not reisssuing DNs to a level where it does not belong! I see no difficulties in reissuing DNs. In fact, I see a clear need. Artificially making DNs one-shot names will not work IMO but you are free to try to convince others. > Probably you don't agree to the idea that a CA/RA should/can keep records of its subjects. > That makes the discussion somewhat uninteresting as this is the foundation of > most CAs in the X500-world. I don't see the connection between keeping records (which is mandated by law, for example) and *permanently using* those records. Those records are history, not present. > >Besides, note that creating national IDs in order to uniquely identify people is > >forbidden by the constittution of ALL EC countries. > > I doubt that this can be confitmed as both Finland and Sweden have national IDs! I do not intend to tell you about the constitution of your own country but it is a public fact that the EC demands as condition for countries to enter the EC that they must change their constitution if they do not have the provision I mentioned. Personally, I think that national IDs are a security risk but others may surely think otherwise and see then as a security *gain*. And if to have security you must break everyone's privacy, then you are not making a good choice IMO. Privacy is a long term asset whereas security is a short term goal. Ask yourself -- what has full security but zero privacy? A prison. If you really want to have national IDs and identify people by data in them, then you need first to cope with Tony Bartoletti's suggestion -- that users facing such threat should immediately publish their IDs so that anyone else could use them! > > What would a certificate > >that purports to uniquely identify people within a country be but ... a national ID? > > There are two *big* errors here Again, we diverge. Thanks for the comments. Cheers, Ed Gerck Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA20938 for <ietf-pkix@imc.org>; Sun, 23 Jul 2000 21:56:35 -0700 (PDT) Received: from mega (t3o69p36.telia.com [62.20.145.36]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id GAA00485; Mon, 24 Jul 2000 06:59:26 +0200 (CEST) Message-ID: <001801bff534$3317b740$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Ed Gerck" <egerck@nma.com> Cc: "IETF-PXIX" <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Mon, 24 Jul 2000 07:58:31 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id VAA20940 Ed, I think you take the concept of not reisssuing DNs to a level where it does not belong! Probably you don't agree to the idea that a CA/RA should/can keep records of its subjects. That makes the discussion somewhat uninteresting as this is the foundation of most CAs in the X500-world. <large cutoff> >Besides, note that creating national IDs in order to uniquely identify people is >forbidden by the constittution of ALL EC countries. I doubt that this can be confitmed as both Finland and Sweden have national IDs! > What would a certificate >that purports to uniquely identify people within a country be but ... a national ID? There are two *big* errors here 1. "Uniquely identify" to be useful by RPs requires UIDs which is *not* a QC requirement. Not reissuing DNs does *not* imply that certs will use UIDs. A name distinguisher may even be counting between certs for the same user! But if the real problem is that the CA knows its subjects then you are back to square one... 2. The scope of CAs that knows its subjects is completely arbitrary. >Where is Sweden, BTW? In deep s**t guess... Anders Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA20418 for <ietf-pkix@imc.org>; Sun, 23 Jul 2000 21:27:21 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id OAA87244; Mon, 24 Jul 2000 14:29:47 +1000 (EST) Message-ID: <02fb01bff529$10467360$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Aram Perez" <aram@pacbell.net>, <ietf-pkix@imc.org> References: <B59DBB67.1586%aram@pacbell.net> Subject: Re: A Real Rationale for Dedicated Keys Date: Mon, 24 Jul 2000 14:38:04 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Hi Aram, > > > > Much more likely is that the owner *will* show up to the CA or one of its > > RAs to get a NR certificate. Anything less will probably fail to meet the > > legal requirements for NR and be worth no more than a NR=0 cert. > > While I mostly agree, what you are stating is impractical. Very few will use > digital signatures that "meet the legal requirements for NR" if they have to > physically show up to the CA. > They just have to show up to an RA. You cant open a bank account without showing up to a bank branch and authenticating yourself yourself. Bank staff are required to sight authentication documentation usually including photo ID such as a passport. I suspect that any commercial CA will partner with some organisation that has a branch network such as a Bank or Post Office to make showing up less of a problem. Maybe even McDonalds will get into the RA business :-). Would you like a certificate with that burger ? You cant support trust to the level where NR is possible without authenticating the subjects and making them accountable for what they declare at registration time. E.g. that they understand their obligations regarding their private key. This really has to happen OOB since most people and organisations dont have an established authenticatable on-line presence. Perhaps at some time people and organisations will have a sufficient level of on-line identity so that they can be authenticated on line but they have to start off-line somewhere. I would suspect that NR=1 quality certificates will start with few big businesses and filter down to small businesses that wish to participate, then to individuals who may be used to NR=0 certificates. Simon McMahon ERACOM Pty. Ltd. Received: from aspams52.cai.com (aspams52.cai.com [155.35.248.76]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA19578 for <ietf-pkix@imc.org>; Sun, 23 Jul 2000 20:27:49 -0700 (PDT) Received: by aspams52.cai.com with Internet Mail Service (5.5.2650.21) id <3X7BA3PJ>; Mon, 24 Jul 2000 13:30:22 +1000 Message-ID: <11981F9F5649D411BC92009027D0D18C77268C@aspams01.cai.com> From: "Ramsay, Ron" <Ron.Ramsay@ca.com> To: Bob Jueneman <bjueneman@novell.com>, peterw@valicert.com Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Mon, 24 Jul 2000 13:30:25 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" I don't have more specific information, but I think they saw the strength of their method as being impervious to the compromise of a single server. You seem to be addressing password cracking. Password cracking wou -----Original Message----- From: Bob Jueneman [mailto:bjueneman@novell.com] Sent: Saturday, 22 July 2000 0:54 To: Ramsay, Ron; peterw@valicert.com Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand I can't tell from the brief description, but it appears that they are using a simple password to log on sequentially to multiple sites, and then assembling the collected secret shares at that point. Granted that this makes it impossible for a rogue administrator at one institution to access a user's keys, but what is to prevent an attacker from collecting the shares himself, using a multiplicity of simple passwords? Even if the user is scrupulous about using a different password for each server (making it very difficult to remember them all), the effort to break the system would seem to be merely additive, rather than exponential. Guessing the or four simple passwords is still simple. I must be missing something. Does anyone have the patent application, or further details? Bob >>> "Ramsay, Ron" <Ron.Ramsay@ca.com> 07/20/00 10:48PM >>> Very interesting. It would have been interesting to have heard from Warwick on the issue of non-repudiation. Verisign would seem to have placed a stake in the ground. Ron. -----Original Message----- From: Peter Williams [ mailto:peterw@valicert.com] <mailto:peterw@valicert.com]> Sent: Friday, 21 July 2000 12:52 To: 'Richard Levitte'; Anders Rundgren Cc: Peter Lipp; piers@bj.co.uk; ietf-pkix@imc.org Subject: RE: Signing what you don't understand http://www.verisign.com/press/2000/roaming.html <http://www.verisign.com/press/2000/roaming.html> "VeriSign's revolutionary technology allows an end-user to securely store digital certificates and/or any other type of data, such as financial information or an online patient record, on distributed network servers operated by multiple trusted service providers. This technology enables portability of digital certificates, providing convenience for users to access and download their certificates and private keys for online authentication. It also enables the generation of binding digital signatures for conducting high-value e-commerce transactions, regardless of whether users are accessing the Internet from work, home, or another location such as an Internet kiosk. Digital certificates are electronic credentials that identify parties online, enabling encrypted communications and legally binding, valid digital signatures. " -----Original Message----- From: Richard Levitte [ mailto:richard.levitte@celocom.se] <mailto:richard.levitte@celocom.se]> Sent: Thursday, July 20, 2000 11:24 AM To: Anders Rundgren Cc: Peter Lipp; piers@bj.co.uk; ietf-pkix@imc.org Subject: Re: Signing what you don't understand Anders Rundgren wrote: > Peter, > > >> Several leading PKI vendors have implemented systems where the private key > >> is held on a central Web server and then downloaded at run time to a web > >> browser. Are you saying that signatures created using these keys are > >> invalid? > >Are you sure? Could you provide a reference? I doubt that strongly... > > > >Peter > > I think this is one... > > http://www.arcot.com/products/webfort.html <http://www.arcot.com/products/webfort.html> I think not, at least from reading the papers "Protecting Digital Identities" and "Protecting Your Private Key". All they say is that they've invented some kind of key database ("key wallet" to use their term) that is more secure than what comes with for example MSIE and Netscape Communicator... Personally, if I was confronted with a CA that wanted to create my private key for me, and store it centrally to boot, I'd go somewhere else. Very fast. It contradicts anything even remotely close to being called "secure". -- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */ Received: from e2.ny.us.ibm.com (e2.ny.us.ibm.com [32.97.182.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA29065 for <ietf-pkix@imc.org>; Sun, 23 Jul 2000 08:55:26 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e2.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id LAA78224; Sun, 23 Jul 2000 11:57:46 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id LAA26192; Sun, 23 Jul 2000 11:57:45 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 85256925.0057AB71 ; Sun, 23 Jul 2000 11:57:35 -0400 X-Lotus-FromDomain: IBMUS To: Ben Laurie <ben@algroup.co.uk> cc: pgut001@cs.auckland.ac.nz, bjueneman@novell.com, ietf-pkix@imc.org Message-ID: <85256925.0057AADC.00@D51MTA04.pok.ibm.com> Date: Sun, 23 Jul 2000 11:57:31 -0400 Subject: Re: Dual-signed certificates Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Responses below. I don't think parallel signatures from the CA and the user are a very good idea, but the user's enveloping signature might be another matter. Tom Gindin Ben Laurie <ben@algroup.co.uk> on 07/22/2000 11:39:24 AM To: Tom Gindin/Watson/IBM@IBMUS cc: pgut001@cs.auckland.ac.nz, bjueneman@novell.com, ietf-pkix@imc.org Subject: Re: Dual-signed certificates tgindin@us.ibm.com wrote: > > Although a certificate with these exact characteristics might not be > feasible, how about a CMS SignedData containing the certificate with an > signedAttribute called "CertificateAccepted" with value GeneralizedTime? > The other alternative would be a self-signed certificate with an > "ExternalCertificate" extension, with a value containing the certificate. > Of course, all these prove is that whoever has the private key agrees that > the certificate is valid - they don't do anything to prove who it is who > has the private key. Absolutely, but please don't let's get into the whole identity discussion again. All I care about is the private key. [Tom Gindin] I was just pointing out the limitation. I don't want to start another round of that debate - NR is enough. > Getting the acceptance itself into the ordinary certificate would not > be feasible. Why not? [Tom Gindin] Because an acceptance signature comes after the issuer signature, or else it doesn't cover the issuer signature. In any case, the current signature format is not designed for dual simultaneous signatures. > However, do people think it appropriate for the real external > certificate to be carried around inside a CMS SignedData or a self-signed > certificate? It certainly can be done, but should it? The certificate should be extended to carry two signatures, IMO. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from e2.ny.us.ibm.com (e2.ny.us.ibm.com [32.97.182.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA28746 for <ietf-pkix@imc.org>; Sun, 23 Jul 2000 08:45:24 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e2.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id LAA103948; Sun, 23 Jul 2000 11:47:44 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id LAA15254; Sun, 23 Jul 2000 11:47:43 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 85256925.0056C2F6 ; Sun, 23 Jul 2000 11:47:40 -0400 X-Lotus-FromDomain: IBMUS To: Sharon Boeyen <sharon.boeyen@entrust.com> cc: "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Message-ID: <85256925.0056C201.00@D51MTA04.pok.ibm.com> Date: Sun, 23 Jul 2000 11:47:34 -0400 Subject: RE: forward & reverse confusion Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline This naming does cause implementors to need to go over the standards very carefully. I would certainly favor "certForThis" and "certIssuedBy" (not the plural, since there can only be one certificate in the element) over the current wording, or perhaps "asSubject" and "asIssuer". If even one of the labels is changed, the confusion will vanish. Tom Gindin Sharon Boeyen <sharon.boeyen@entrust.com> on 07/21/2000 11:33:06 AM To: "'Stephen Kent'" <kent@bbn.com> cc: ietf-pkix@imc.org Subject: RE: forward & reverse confusion side issue: In any conversation I have on these attributes or on path development or on path processing, the terms 'forward' and 'reverse' cause confusion. I suspect I'm not alone in this. How do folks feel about submitting a defect report that would replace those terms in the crossCertificatePair attribute with less confusing ones (e.g. certsIssuedToThisCA, certsIssuedByThisCA)? I'm certainly not wed to those terms, but something along those lines that better conveys what they really are. Sharon > -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Friday, July 21, 2000 9:41 AM > To: Sharon Boeyen > Cc: ietf-pkix@imc.org > Subject: RE: Reverse paths > > > Sharon, > > >Steve, > >I don't think I've been able to clearly describe what I meant. I am > >NOT proposing ANY additional certificate issuance by anybody. I think > >the terms reverse and forward are very unfortunate and always confuse > >these discussions. Can we chat offline just to make sure that you > >understand what it is I am proposing. Email makes this type of > >discussion difficult at best. > > > >Within a hierarchy I don't believe any change is required. > If the root > >of a hierarchy issued a certificate to some CA that is NOT a > subordinate > >of the root, then currently PKIX does not require the root > CA to place > >that certificate in the root CA's entry. What I am proposing is that > >such a certificate, IF ISSUED, be placed in the issuer's > entry as well > >as in the subject CA's entry. > > Ok, I think this clarification makes me more comfortable. > > Steve > > P.S. All the negative comments about bridge CAs in my previous > message still apply. > Received: from janus.hosting4u.net (janus.hosting4u.net [209.15.2.37]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA22861 for <ietf-pkix@imc.org>; Sun, 23 Jul 2000 07:48:27 -0700 (PDT) Received: (qmail 12292 invoked from network); 23 Jul 2000 14:51:19 -0000 Received: from taurus.hosting4u.net (209.15.2.33) by mail-gate.hosting4u.net with SMTP; 23 Jul 2000 14:51:19 -0000 Received: from nma.com ([63.204.17.82]) by taurus.hosting4u.net ; Sun, 23 Jul 2000 09:51:17 -0500 Message-ID: <397B066A.2C809808@nma.com> Date: Sun, 23 Jul 2000 07:51:22 -0700 From: Ed Gerck <egerck@nma.com> X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Anders Rundgren <anders.rundgren@telia.com> CC: Denis Pinkas <Denis.Pinkas@bull.net>, Stefan Santesson <stefan@accurata.se>, tgindin@us.ibm.com, Paul Halliden <PHalliden@baltimore.com>, IETF-PXIX <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt References: <000c01bff4b0$c698fe40$0201a8c0@mega.vincent.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Anders Rundgren wrote: > Ed Gerck wrote: > >Anders, > >what you ask cannot be done in X.509/PKIX and will fail if tried. > >There are three main reasons for failure: > > > >1. technical: The old Bob Jones example. > > Information about the old, the dead, and the young Bob Jones etc. is stored > in variuos registers that the QC RA/CA has access to. In the Internet no one can control both sides of the communication channel, neither sending nor receiving. This is the major problem in trying to define unique DNs based on X.500 -- you think you have all your bases covered, that DN "X" uniquely identifies A and yet, it may also identify B, C and so on. You have an example right in my phrase! I wrote "The old Bob Jones example" and meant the old example of "Bob Jones." You understood the example of "old Bob Jones"! The same happens when you try to identify Bob Jones, and I will cite from the "old example" of Bob Jones (with yet another use of "old" because Bob Jones is an "old friend" -- which does not mean that Bob Jones is old, either): The second [problem] is that even if some large corporation were to deploy X.500 internally and generate X.509 certificates using those DNs [X509], it would make those DNs unique by addition of information of relevance to the corporation, such as operational unit, building name or mail stop. Such a unique name is not adequate to disambiguate a common name from the point of view of all possible users of the certificate. That is, Alice may have an old friend, Bob Jones, at IBM but have no idea of his mail stop, building name or operational unit. Although she has a fully trusted identity certificate from IBM for each employed Bob Jones, she can not trust any of them to be her friend. Therefore, the certificate has failed in its task of binding identity to a public key. This old example is from my old friend Carl Ellison and is given in the old URL of 1996: http://usenix.org/publications/library/proceedings/sec96/full_papers/ellison/index.html Besides the other two problems I mentioned: > >2. commercial: CAs make mistakes and may issue the same DN for > >two different people. They do not want to be liable for it. > >3. revocation: if a cert is revoked with DN "X" for entity A then that DN > >may be reused for entity B. However, revocation of certificates does > >not revoke certs -- it merely puts them in a black list. There may be > >any number of certs with "X" for A in the world which have not yet > >been revoked by a client app, and may thus clash with a cert that also > >has "X" but for B. there are still more problems as we follow the logic in second-order, third-order, etc. > >There are also other reasons. It is thus much better security-wise to avoid > >a false sense of security and leave matters as they are now. A certificate > >is a hint, QC or not QC, no more, no less. > > If QC is just a hint it is REDUNDANT. I can we *great* ease produce QC-like > certificates on my W2K-server and distribute them out-of-band to RPs. Does it make me a > QC-CA? I hope not. You already accept that you can produce QC-like certificates. You just need to ask ... why not? If you have clients, you are already trusted by them and you may as well issue their QC-certificates. You know them much better than another company that never even heard of them, no? Besides, note that creating national IDs in order to uniquely identify people is forbidden by the constittution of ALL EC countries. What would a certificate that purports to uniquely identify people within a country be but ... a national ID? Where is Sweden, BTW? Cheers, Ed Gerck Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA21586 for <ietf-pkix@imc.org>; Sun, 23 Jul 2000 06:16:03 -0700 (PDT) Received: from mega (t1o69p16.telia.com [62.20.144.16]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id PAA14654; Sun, 23 Jul 2000 15:18:39 +0200 (CEST) Message-ID: <000c01bff4b0$c698fe40$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Ed Gerck" <egerck@nma.com> Cc: "Denis Pinkas" <Denis.Pinkas@bull.net>, "Stefan Santesson" <stefan@accurata.se>, <tgindin@us.ibm.com>, "Paul Halliden" <PHalliden@baltimore.com>, "IETF-PXIX" <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Sun, 23 Jul 2000 16:17:44 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id GAA21588 Ed, I know that you can go on and on forever (me too!) so I think we can conclude that we differ in opinions and thats about it. But of course I will answer... >Anders, >what you ask cannot be done in X.509/PKIX and will fail if tried. The idea to make QC a PKIX-item was probably not that great given the wide scope of such a thing. But technically I don't see any unsolvable problems. >There are three main reasons for failure: > >1. technical: The old Bob Jones example. Information about the old, the dead, and the young Bob Jones etc. is stored in variuos registers that the QC RA/CA has access to. >2. commercial: CAs make mistakes and may issue the same DN for >two different people. They do not want to be liable for it. Exactly how much it will cost a CA to make a mistake (which has happened and will happen) will vary quite a bit. It will not be a part of the QC-draft. Actually a *minor* error rate does not at all make the system useless. Compare it to anyhting else we have today and it should be a vast improvement! Then there is something that the CAs in Sweden don't understand, but which I believe is very important: To "absolutely identify" (whatever that really means) an individual is NOT as important as guaranteeing that two different individuals do not get the same ID (DN). The former is getting pretty impossible given the society we live in with a lot of brief contacts and high mobility, while the latter can be done with high precision using fairly simple technical procdures such a biometrics, register data, various credentials like old ID-cards etc. Cheap and quick DNA-fingerprinting may be in reach within 5-10 years. There are other smarter ways of differentiating which I unfortunately (for commercial reasons) can't go into here... Maybe the term "relative identity" is applicable :-) The reason that the differentiator mechanism is much more important is that you usually don't get access to huge values without being known as an individual in the first place. >3. revocation: if a cert is revoked with DN "X" for entity A then that DN >may be reused for entity B. However, revocation of certificates does >not revoke certs -- it merely puts them in a black list. There may be >any number of certs with "X" for A in the world which have not yet >been revoked by a client app, and may thus clash with a cert that also >has "X" but for B. We will see what the *final* QC draft will ends up with! I would say I will be *very* surpriced if it allows DN reuse as it is technically a no-brainer given that the CA knows its subjects. And if it does not, why bother with QCs? >There are also other reasons. It is thus much better security-wise to avoid >a false sense of security and leave matters as they are now. A certificate >is a hint, QC or not QC, no more, no less. If QC is just a hint it is REDUNDANT. I can we *great* ease produce QC-like certificates on my W2K-server and distribute them out-of-band to RPs. Does it make me a QC-CA? I hope not. >Cheers, U 2! Anders Received: from janus.hosting4u.net (janus.hosting4u.net [209.15.2.37]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id BAA10120 for <ietf-pkix@imc.org>; Sun, 23 Jul 2000 01:17:50 -0700 (PDT) Received: (qmail 28562 invoked from network); 23 Jul 2000 08:20:40 -0000 Received: from taurus.hosting4u.net (209.15.2.33) by mail-gate.hosting4u.net with SMTP; 23 Jul 2000 08:20:40 -0000 Received: from nma.com ([63.204.17.82]) by taurus.hosting4u.net ; Sun, 23 Jul 2000 03:20:38 -0500 Message-ID: <397AAAD9.1C6CDB68@nma.com> Date: Sun, 23 Jul 2000 01:20:41 -0700 From: Ed Gerck <egerck@nma.com> X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Anders Rundgren <anders.rundgren@telia.com> CC: Denis Pinkas <Denis.Pinkas@bull.net>, Stefan Santesson <stefan@accurata.se>, tgindin@us.ibm.com, Paul Halliden <PHalliden@baltimore.com>, IETF-PXIX <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt References: <001701bfedc5$26f65000$0201a8c0@mega.vincent.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Anders, what you ask cannot be done in X.509/PKIX and will fail if tried. There are three main reasons for failure: 1. technical: The old Bob Jones example. 2. commercial: CAs make mistakes and may issue the same DN for two different people. They do not want to be liable for it. 3. revocation: if a cert is revoked with DN "X" for entity A then that DN may be reused for entity B. However, revocation of certificates does not revoke certs -- it merely puts them in a black list. There may be any number of certs with "X" for A in the world which have not yet been revoked by a client app, and may thus clash with a cert that also has "X" but for B. There are also other reasons. It is thus much better security-wise to avoid a false sense of security and leave matters as they are now. A certificate is a hint, QC or not QC, no more, no less. Cheers, Ed Gerck Anders Rundgren wrote: > >In fact, X.509v3 section 11.2 has a note which > >>states "a certification authority shall not issue certificates for two > >>users with the same name", > >> > >This is not the point at dispute. The QC text used to have an additional > >requirement that a QC contained "an unmistakable identity ... which ... > >relates to a specific entity." It also contained the concept of "a > >corresponding officially registered identity". > > > >The contentious point is that this requirement has been dropped. the reason > >is that, in some jurisdictions there is simply no support for the > >"unmistakable" concept. Thus the subject name can be unique within the CA's > >name space. > > This last line is actually the thing requested by Denis and by me! > > But even that is said to be impossible to achieve for reasons so > far not particularly well explained. > > I.e. this requirement is purely technical and has nothing to do with official > identities etc. It simply requires CAs to keep track of its own subjects and > not issue ambigious DNs or resissue already used DNs. > > Involves IMO no politics or magic, just plain engineering. > > If resolved it affects things like cert compares. > > Anders Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA14715 for <ietf-pkix@imc.org>; Sat, 22 Jul 2000 12:16:05 -0700 (PDT) Received: from rhousley_laptop (dial03.spyrus.com [207.212.34.123]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id MAA19204; Sat, 22 Jul 2000 12:18:15 -0700 (PDT) Message-Id: <4.2.0.58.20000721190541.00a98800@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Fri, 21 Jul 2000 19:22:35 -0400 To: Stephen Kent <kent@bbn.com> From: Russ Housley <housley@spyrus.com> Subject: RE: Reverse paths Cc: Sharon Boeyen <sharon.boeyen@entrust.com>, ietf-pkix@imc.org, Richard.Guida@cio.treas.gov In-Reply-To: <v0422080cb59d2878c417@[171.78.30.107]> References: < <ED026032A3FCD211AEDA00105A9C4696016E587B@sothmxs05.entrust.com> <ED026032A3FCD211AEDA00105A9C4696016E587B@sothmxs05.entrust.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 06:14 PM 07/20/2000 -0400, Stephen Kent wrote: >I think the Federal Bridge CA model is broken. It is appropriate to use a >bridge CA as a convenient means of distributing certificates between >communities, to avoid the order N**2 cross certification problem. CA-1 >could go to the bridge CA to acquire the public key for CA-2, then import >that key into CA-1's domain, by issuing a cross certificate from CA-1 to >CA-2. In this fashion CA-1 van impose the appropriate name constraints >extension, appropriate policy mapping constrains, even basic constraints >on the depth of cert paths. Then the existing processing methods we have >should work, right? > >If one tries to process a path via a bridge CA, then one looses the >ability to impose name constraints, and to apply selective policy mapping >etc, because the bridge CA is in the path, getting in the way :-). So, >no, I am not persuaded by the suggestion that bridge CAs are the wave of >the future. I think they are ill conceived in their current use, but they >could be rehabilitated! If the Federal Bridge CA is not employing name constraints, then I agree with you. Certificates issued by a Department to the Federal Bridge should exclude the name space of the issuing Department. This will ensure that no one else can issue a certificate with a subject name that is in the Department's name space that will be validated by relying parties within the Department. Also, certificates issued by Federal Bridge to a Department should include the name space of the subject Department. This will ensure that Department cannot issue a certificate with a subject name in the name space of another Department that will be validated by relying parties outside of the misbehaving Department. It has been over a year since I looked at the certification policies proposed for the Federal Bridge. I recall at least one briefing that included name constraints. They were a good idea back then, and they are still a good idea. Assuming that name constraints are employed, the biggest problem with the Federal Bridge is certificate path construction. It is not possible to use the linkage provided by the subject key identifier and the authority key identifier extensions. Without this tool, certificate path creation is more complex, and several widely deployed implementations are not up to the task. These implementations must become more robust for the Bridge to achieve its potential. Russ Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA09693 for <ietf-pkix@imc.org>; Sat, 22 Jul 2000 08:37:43 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id QAA08010; Sat, 22 Jul 2000 16:55:08 +0100 Message-ID: <3979C02C.D0E467FB@algroup.co.uk> Date: Sat, 22 Jul 2000 16:39:24 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: tgindin@us.ibm.com CC: pgut001@cs.auckland.ac.nz, bjueneman@novell.com, ietf-pkix@imc.org Subject: Re: Dual-signed certificates References: <85256923.00753B46.00@D51MTA04.pok.ibm.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit tgindin@us.ibm.com wrote: > > Although a certificate with these exact characteristics might not be > feasible, how about a CMS SignedData containing the certificate with an > signedAttribute called "CertificateAccepted" with value GeneralizedTime? > The other alternative would be a self-signed certificate with an > "ExternalCertificate" extension, with a value containing the certificate. > Of course, all these prove is that whoever has the private key agrees that > the certificate is valid - they don't do anything to prove who it is who > has the private key. Absolutely, but please don't let's get into the whole identity discussion again. All I care about is the private key. > Getting the acceptance itself into the ordinary certificate would not > be feasible. Why not? > However, do people think it appropriate for the real external > certificate to be carried around inside a CMS SignedData or a self-signed > certificate? It certainly can be done, but should it? The certificate should be extended to carry two signatures, IMO. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA08467 for <ietf-pkix@imc.org>; Sat, 22 Jul 2000 08:32:58 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id QAA07989; Sat, 22 Jul 2000 16:51:39 +0100 Message-ID: <3979BF5B.BE2ACB1F@algroup.co.uk> Date: Sat, 22 Jul 2000 16:35:55 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Simon Tardell <simon.tardell@iD2tech.com> CC: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: Re: Dual-signed certificates References: <C0E81C20AD21D311BDB200805FCCD9412F62C0@aunt9.ausys.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Simon Tardell wrote: > > > However, do people think it appropriate for the real external > > certificate to be carried around inside a CMS SignedData or a > > self-signed certificate? It certainly can be done, but should it? > > If I've been reading the thread correctly the physical world analogy of the > "threat" that this would countermeasure is that a bank noone ever heard of > would issue an ID card with my picture (which they can do, because they saw > my ID card once) to someone who doesn't look like me and the question is not > whether you can trust the odd-looking fellow, but whether you can trust that > bank. > > When it comes to well-known banks, government branches, etc I assume they > won't do this, and I would not trust even my closest friends to be able to > assert with any degrees of certitude if a bank is honest or not issuing > certs. And no number of assertions that a Mickey Mouse CA issues a > certificate to the right guy would make me trust that CA to always do the > right thing (even if I would trust the particular certs it issued). > > I am bit skeptical here, not because web-of-trust models don't have a > legitimate use, but rather because they don't mix very well with PKI. Eh? What does this have to do with web-of-trust? This is to do with contracts (i.e. the one between the subject and the issuer). I do find it strange that there seems to be this kind of knee-jerk reaction that says "if it isn't a CA signing, then it must be web-of-trust, and that's bad". Anyway, the point you are making appears to reinforce my point, not argue against it: no-one can work out whether a CA is honest, but the subject signs the cert, they can at least work out that _the subject_ trusts them (within the context of the issued cert, of course)! Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from naigwy (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id FAA29109 for <ietf-pkix@imc.org>; Sat, 22 Jul 2000 05:44:11 -0700 (PDT) Received: FROM aunt15.ausys.se BY naigwy ; Sat Jul 22 14:45:03 2000 +0200 Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id <PLML1V45>; Sat, 22 Jul 2000 14:46:25 +0200 Message-ID: <C0E81C20AD21D311BDB200805FCCD9412F62C0@aunt9.ausys.se> From: Simon Tardell <simon.tardell@iD2tech.com> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: RE: Dual-signed certificates Date: Sat, 22 Jul 2000 14:46:09 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" > However, do people think it appropriate for the real external > certificate to be carried around inside a CMS SignedData or a > self-signed certificate? It certainly can be done, but should it? If I've been reading the thread correctly the physical world analogy of the "threat" that this would countermeasure is that a bank noone ever heard of would issue an ID card with my picture (which they can do, because they saw my ID card once) to someone who doesn't look like me and the question is not whether you can trust the odd-looking fellow, but whether you can trust that bank. When it comes to well-known banks, government branches, etc I assume they won't do this, and I would not trust even my closest friends to be able to assert with any degrees of certitude if a bank is honest or not issuing certs. And no number of assertions that a Mickey Mouse CA issues a certificate to the right guy would make me trust that CA to always do the right thing (even if I would trust the particular certs it issued). I am bit skeptical here, not because web-of-trust models don't have a legitimate use, but rather because they don't mix very well with PKI. Simon Simon Tardell, Software Architect, iD2 Technologies voice +46 8 7755225, fax +46 8 7267912, cell +46 70 3198319 simon.tardell@iD2tech.com, http://www.iD2tech.com Securing the Internet economy Received: from sngrel5.hp.com (sngrel5.hp.com [192.6.86.210]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA20482 for <ietf-pkix@imc.org>; Sat, 22 Jul 2000 02:44:14 -0700 (PDT) From: esmond_tong@hp.com Received: from hkmail.hkg.hp.com (hkmail.hkg.hp.com [15.106.56.21]) by sngrel5.hp.com (Postfix) with ESMTP id F34971DC for <ietf-pkix@imc.org>; Sat, 22 Jul 2000 17:46:53 +0800 (SGP) Received: from localhost (root@localhost) by hkmail.hkg.hp.com (8.9.3 (PHNE_18979)/8.9.3 SMKit6.0.6 OpenMail) with SMTP id RAA08773 for ietf-pkix@imc.org; Sat, 22 Jul 2000 17:46:52 +0800 (HKG) X-OpenMail-Hops: 1 Date: Sat, 22 Jul 2000 17:46:47 +0800 Message-Id: <H00012891250125e@MHS> Subject: unsubscribe MIME-Version: 1.0 Cc: ietf-pkix@imc.org Content-Type: text/plain; charset=US-ASCII; name="BDY.TXT" Content-Disposition: inline; filename="BDY.TXT" Content-Transfer-Encoding: 7bit unsubscribe Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA15028 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 23:57:59 -0700 (PDT) Received: from jean [195.39.160.178] by mail.arabtrust.com (SMTPD32-6.00) id A6F131FE0126; Sat, 22 Jul 2000 03:02:09 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: "Tony Bartoletti" <azb@llnl.gov>, "Simon McMahon" <simon@onthenet.com.au>, <ietf-pkix@imc.org> Subject: RE: A Real Rationale for Dedicated Keys Date: Sat, 22 Jul 2000 09:58:27 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDKEAECCAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal In-reply-to: <4.2.2.20000720171643.00ab0620@poptop.llnl.gov> How could one sign or encrypt an email with a public key shouldnt a private key be used. -----Original Message----- From: Tony Bartoletti [mailto:azb@llnl.gov] Sent: Friday, July 21, 2000 3:37 AM To: Simon McMahon; Jean Abraham; ietf-pkix@imc.org Subject: Re: A Real Rationale for Dedicated Keys At 10:04 AM 7/21/00 +1000, Simon McMahon wrote: > > > > Could you tell me what has NR (Non-Repudation) to do with CA control key > > generation. > > >By "CA controlled key generation" I mean that the CA specifies minimum >standards and one option of the CA may be to do the key gen itself. The CA >should verify that the minimum standards are being followed if it specifies >any. Agreed! >Non-repudiation requires (at least) that the private key does not get >exposed or used by someone else without the owner knowing it. That means >that how the private key is used and how it is stored when not in use is >very relevant to NR. CAs can (and should) insist that key pairs are >generated and the private part is stored to some minimum standard before >they certify the public part. Agreed! >As a merchant I would be more inclined to trust NR signatures verified by >certs from a CA that operated this way than from a CA that only checked the >key owner's identity. Agreed! >I know of one commercial CA that only certified public keys for key pairs >that it (the CA) generated. Their rationale was that they did not want the >risk of certifying a dodgy key pair because of the risk of bad publicity >undermining their reputation as a CA. The generated private key was >transfered securely to the client. They wanted to take the next step and >start storing the private key directly onto smart cards. Some reservations here! I would be wary of a process that actually allows the "key-generating operator" to learn the value of the secret. If there were ways to guarantee that the secret key were actually generated "in the card", (and could not be extracted, of course) I would feel better about such a process. But, this does not address the issue of the dishonest user who would have the corresponding public key "certified for authentication, NR=0", use it for signing email receipts, and then try to repudiate a contract by arguing they were fooled into signing it with their NR=0 usage. I don't think "Just Say No" to key multi-certification will work. What will? ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from e2.ny.us.ibm.com (e2.ny.us.ibm.com [32.97.182.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA19970 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 14:18:22 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e2.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id RAA24788; Fri, 21 Jul 2000 17:20:35 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id RAA38046; Fri, 21 Jul 2000 17:20:33 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 85256923.00753BFF ; Fri, 21 Jul 2000 17:20:30 -0400 X-Lotus-FromDomain: IBMUS To: Ben Laurie <ben@algroup.co.uk> cc: pgut001@cs.auckland.ac.nz, bjueneman@novell.com, ietf-pkix@imc.org Message-ID: <85256923.00753B46.00@D51MTA04.pok.ibm.com> Date: Fri, 21 Jul 2000 17:20:26 -0400 Subject: Re: Dual-signed certificates Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Although a certificate with these exact characteristics might not be feasible, how about a CMS SignedData containing the certificate with an signedAttribute called "CertificateAccepted" with value GeneralizedTime? The other alternative would be a self-signed certificate with an "ExternalCertificate" extension, with a value containing the certificate. Of course, all these prove is that whoever has the private key agrees that the certificate is valid - they don't do anything to prove who it is who has the private key. Getting the acceptance itself into the ordinary certificate would not be feasible. However, do people think it appropriate for the real external certificate to be carried around inside a CMS SignedData or a self-signed certificate? It certainly can be done, but should it? Tom Gindin Ben Laurie <ben@algroup.co.uk> on 07/21/2000 02:27:15 PM To: pgut001@cs.auckland.ac.nz cc: bjueneman@novell.com, ietf-pkix@imc.org Subject: Re: Dual-signed certificates Peter Gutmann wrote: > > "Bob Jueneman" <bjueneman@novell.com> writes: > > >[snip] > > > >>Since a certificate is comprised of public information signed by a CA, > >>clearly a CA can create a certificate saying more-or-less what they > >>want. I suppose this is an argument for having certificates that are > >>dual-signed (by the CA and the public key the contain). > > >Duh! Head-slapping! What a great idea! I'd love to see this added to X.509 > >v3 as an optional, noncritical extension. > > The chickenAndEgg extension I presume? How do you process this (or generate > it)? Eh? Or are you referring to the difficulty of having the signature within the cert? If so, quite! Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA18202 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 13:16:23 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id QAA23092; Fri, 21 Jul 2000 16:18:53 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v04220817b59e5f630840@[171.78.30.107]> In-Reply-To: <OFA56AF04B.7DCF20DD-ON85256923.006AE268@iris.com> References: <OFA56AF04B.7DCF20DD-ON85256923.006AE268@iris.com> Date: Fri, 21 Jul 2000 16:13:56 -0400 To: John_Wray@iris.com From: Stephen Kent <kent@bbn.com> Subject: Re: Signing what you don't understand Cc: John_Wray@iris.com, ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" John, >Steve, > > >>You are missing what I'm trying to say. I'm not disputing that the > >>signature was created at the time claimed. > >> > >>The fact that CRLs include an invalidityDate field, which can indicate >that > >>a certificate was invalid well before that CRL was published means that >it > >>is possible for a certificate revocation to be "backdated" - i.e. even > >>though a perfectly valid CRL was referenced in the signature and >indicated > >>that the certificate was valid at the time the signature was constructed, > >>another CRL can be published (possibly much) later that will say the > >>certificate was invalid at the signing time. > > > >> > >>This renders signer-provided evidence of non-revocation of little use > >>(unless you are willing to let the signer-provided evidence of > >>non-revocation trump the more recent CRL that asserts that the >certificate > >>was invalid, which would open up a lot of security holes). > > > >The inclusion of the invalidity date in a CRL does not allow > >backdating, although it may appear that way. The argument put forth > >to justify approval of this extension was to allow the CA to alert > >RPs to newly gained info re a revocation so that IF the RP had not > >acted upon a transaction (or the like) THEN the RP could elect to > >treat the signature as invalid. However, if an RP has collected a > >CRL that covers the interval during which the transaction took place, > >then any later CRL with an invalidity date does not prevent the RP > >from using the CRL he acquired to support NR, i.e., the RP has > >exercised due diligence by obtaining the first CRL. > >Note that I was talking about initial signature verification by the RP, not >subsequent NR. The situation that I described had a signature with >embedded, signer-provided NR evidence which contained a CRL reference that >indicated one of the certificates was valid, but the RP obtains a more >recent CRL indicating that it has expired. To decide whether to trust the >signature, the RP should use the most recent revocation data available to >him - the CRL that flags the certificate as revoked - and ignore the >earlier one referenced in the signature. Under that circumstance, you're right. Sorry I lost the context. Steve Received: from arista.iris.com (arista.iris.com [198.112.211.42]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA17319 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 12:33:08 -0700 (PDT) From: John_Wray@iris.com Subject: Re: Signing what you don't understand To: Stephen Kent <kent@bbn.com> Cc: John_Wray@iris.com, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.2c February 2, 2000 Message-ID: <OFA56AF04B.7DCF20DD-ON85256923.006AE268@iris.com> Date: Fri, 21 Jul 2000 15:35:38 -0400 X-MIMETrack: Serialize by Router on Arista/Iris(Build V505_07112000 |July 11, 2000) at 07/21/2000 03:35:54 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Steve, >>You are missing what I'm trying to say. I'm not disputing that the >>signature was created at the time claimed. >> >>The fact that CRLs include an invalidityDate field, which can indicate that >>a certificate was invalid well before that CRL was published means that it >>is possible for a certificate revocation to be "backdated" - i.e. even >>though a perfectly valid CRL was referenced in the signature and indicated >>that the certificate was valid at the time the signature was constructed, >>another CRL can be published (possibly much) later that will say the >>certificate was invalid at the signing time. > >> >>This renders signer-provided evidence of non-revocation of little use >>(unless you are willing to let the signer-provided evidence of >>non-revocation trump the more recent CRL that asserts that the certificate >>was invalid, which would open up a lot of security holes). > >The inclusion of the invalidity date in a CRL does not allow >backdating, although it may appear that way. The argument put forth >to justify approval of this extension was to allow the CA to alert >RPs to newly gained info re a revocation so that IF the RP had not >acted upon a transaction (or the like) THEN the RP could elect to >treat the signature as invalid. However, if an RP has collected a >CRL that covers the interval during which the transaction took place, >then any later CRL with an invalidity date does not prevent the RP >from using the CRL he acquired to support NR, i.e., the RP has >exercised due diligence by obtaining the first CRL. Note that I was talking about initial signature verification by the RP, not subsequent NR. The situation that I described had a signature with embedded, signer-provided NR evidence which contained a CRL reference that indicated one of the certificates was valid, but the RP obtains a more recent CRL indicating that it has expired. To decide whether to trust the signature, the RP should use the most recent revocation data available to him - the CRL that flags the certificate as revoked - and ignore the earlier one referenced in the signature. John Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA16696 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 12:02:35 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id MAA13058; Fri, 21 Jul 2000 12:04:07 -0700 (PDT) Message-Id: <4.2.2.20000721120241.00b1d800@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 21 Jul 2000 12:11:54 -0700 To: Denis Pinkas <Denis.Pinkas@bull.net> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: A Real Rationale for Dedicated Keys Cc: ietf-pkix@imc.org In-Reply-To: <397815F0.2BC092DC@bull.net> References: <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> <4.2.2.20000720150730.00aa3540@poptop.llnl.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 11:20 AM 7/21/00 +0200, Denis Pinkas wrote: > > I agree with the main points, and I worked from the assumption that > > CAs will not certify without POP (certainly not NR without POP!). > >This is just the contrary: A CA can issue a certificate without POP, >if the certificate contains the NR bit. Hence is the reason: That >certificate shall only be used in a trusted environment (e.g. *not* >a door lock) where, by some means, there is some assurance of *what* >is being signed; in particular, which document is being signed and >which format is being used for the signature. Since the certificate >shall only be used with a trusted sofwtare, it is possible to >mandate properties for that trusted software; in particular, that it >SHALL always include the identifier of the signer's certificate and >protect it under the digital signature. > >As soon as the private key is *only* used with signature formats >that contain the identifier of the certificate protected under the >digital signature, this provides "real-time" POP. In other words, >only the entity owning the private key is able to include the right >certificate identifier. If a CA has issued a certificate without >POP, this does not matter anymore, since only the legitimate entity >able to use the private key will be able to sign under the >certificate that contains the matching public key. Security is a mix >of security mechanisms and security procedures. In this case, we >rely on "good cryptography" rather than security procedures (that >may be hard and long to verify "after the fact"). Denis, What you write implies that NR-keys will not be employed by "ordinary users" for undertaking mid-high level internet transactions. Maybe that is a "good thing". But while I support the real-time-POP, I question the guarantee that the "right" person possess the key in the first place. Are you suggesting that a CA might create a key-pair (via trusted key-device) and then create/issue an NR-certificate under your name, BEFORE (or EVER) ascertaining that the private key/device is in your hands? ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA15986 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 11:41:33 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id LAA01649; Fri, 21 Jul 2000 11:43:45 -0700 (PDT) Message-Id: <4.2.2.20000721115023.00b24100@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 21 Jul 2000 11:51:31 -0700 To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: Re: A Real Rationale for Dedicated Keys In-Reply-To: <200007211758.NAA23247@roadblock.missi.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 02:06 PM 7/21/00 -0400, David P. Kemp wrote: > > > Much more likely is that the owner *will* show up to the CA or one of its > > > RAs to get a NR certificate. Anything less will probably fail to meet the > > > legal requirements for NR and be worth no more than a NR=0 cert. > > > > While I mostly agree, what you are stating is impractical. Very few > will use > > digital signatures that "meet the legal requirements for NR" if they > have to > > physically show up to the CA. > >The U.S. postal service once wanted to be the CA for the masses; maybe >7-11 or Exxon could take over that job :-). User takes his cereal box >token to the corner gas station, the operator looks at his driver's license >and notarizes the cert request. I LIKE IT! (LOL) ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA15695 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 11:36:07 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id LAA28395 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 11:38:19 -0700 (PDT) Message-Id: <4.2.2.20000721114507.00aa1c80@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 21 Jul 2000 11:46:06 -0700 To: ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: Re: A Real Rationale for Dedicated Keys Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 08:33 AM 7/21/00 -0700, Aram Perez wrote: >Hi Simon M., > > >> Without the owner physically showing up, how can a CA know whether or not > > a > >> key pair was "generated and the private part is stored to some minimum > >> standard"? > >> > > The key generation device has its own private key and signs the cert > request > > for the newly generated user key pair. The CA then knows that the key pair > > originated in a device it (the CA) trusts and probably provides as part of > > its service. The CA certifies the public key of the device so it can verify > > the device's cert requests. > >I'll restate my question: If the CA does not physically see the device that >generates the key pair, how can the CA know "that the key pair originated in >a device it (the CA) trusts"? And if the CA provides the device "as part of >its service", then I have to physically show up to get the device and >participate in the key generation process. > > > > > Such a device is obviously not cheap but without such a device the CA > cannot > > control the quality of remotely generated keys or how the private key is > > stored and protected from duplication (necessary for NR). > > > > Much more likely is that the owner *will* show up to the CA or one of its > > RAs to get a NR certificate. Anything less will probably fail to meet the > > legal requirements for NR and be worth no more than a NR=0 cert. > >While I mostly agree, what you are stating is impractical. Very few will use >digital signatures that "meet the legal requirements for NR" if they have to >physically show up to the CA. Could not the CA (stocked with such devices) simply ship the device to the purported subscriber? If it is embedded with its own (CA established) device-key, then the CA will be able to trust the device remotely. As far as guaranteeing that the device landed in the hands of the right person, this is harder. Perhaps it will come with a biometric input that captures the subscriber's "vitals" as part of the key-certificate request. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id LAA15218 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 11:25:20 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id TAA29239; Fri, 21 Jul 2000 19:42:40 +0100 Message-ID: <39789603.677872C7@algroup.co.uk> Date: Fri, 21 Jul 2000 19:27:15 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: pgut001@cs.auckland.ac.nz CC: bjueneman@novell.com, ietf-pkix@imc.org Subject: Re: Dual-signed certificates References: <96420185332042@kahu.cs.auckland.ac.nz> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Peter Gutmann wrote: > > "Bob Jueneman" <bjueneman@novell.com> writes: > > >[snip] > > > >>Since a certificate is comprised of public information signed by a CA, > >>clearly a CA can create a certificate saying more-or-less what they > >>want. I suppose this is an argument for having certificates that are > >>dual-signed (by the CA and the public key the contain). > > >Duh! Head-slapping! What a great idea! I'd love to see this added to X.509 > >v3 as an optional, noncritical extension. > > The chickenAndEgg extension I presume? How do you process this (or generate > it)? Eh? Or are you referring to the difficulty of having the signature within the cert? If so, quite! Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA14824 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 11:20:47 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id LAA19076; Fri, 21 Jul 2000 11:22:56 -0700 (PDT) Message-Id: <4.2.2.20000721104701.00a9de80@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 21 Jul 2000 11:30:43 -0700 To: "Bob Jueneman" <bjueneman@novell.com>, <kent@bbn.com> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: A Real Rationale for Dedicated Keys Cc: <ietf-pkix@imc.org> In-Reply-To: <s978163d.034@prv-mail20.provo.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 09:22 AM 7/21/00 -0600, Bob Jueneman wrote: >Tony, > >I agree that creating multiple certificates containing the same key is a >dumb idea, because it makes it very difficult to know which set of >assertions (contained in the certificate) were supposed to apply to a >given transaction. > >But since the individual CA cannot possible detect or prevent someone from >going to two different CAs with the same public key, and making two >different sets of assertions, complete with full-blown POP, the only >reasonable solution to to place the burden firmly on the subscriber/user. > >If he creates two certificates for the same key, one with NR and one >without (or any other assertion), then unless the certificate is bound to >the transaction by more than just the signature, the relying party should >be permitted to make his case using which ever certificate is most >favorable to his case. I think I agree :) For such a "burden" to be considered reasonable by the courts, there need be some manner of evidence that this "should have been obvious" to the user. There are ways to make this "reasonably obvious" to the user, but I don't want "its there in black and white in chapter 6, paragraph 23 of our CP." Nor do I want to force the user to "deduce" that the burden may fall upon their shoulders, based only on the "common knowledge" that a signature may be taken as having "NR-intent" when ANY extant certificate for that key states NR=1. (I once wrote, only half in jest, that archived with every NR-certificate issued should be the voiceprint of the user, reciting the CP/CPS verbatim.) Perhaps much of my fear come from ignorance of the actual implementations, existing and proposed, by which such signatures would become affixed. I recall learning, via conversations with Ed Gerck, that the strength of DES (for one example) depends critically upon what the material being encrypted. A "random sentence" is not really random if it is embedded in a (say) MS Word document, the entire body of which is being encrypted, and for which the first block of "file" will be a constant for practically all users. This makes an entropy-based attack to recover the key far easier to perform. The point being, how will the user be assured that an operation is covering precisely what is being presented? Where such assurance is lacking, reliance upon minimalist NR conditions become more dangerous. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA14357 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 11:07:36 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id NAA23251 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 13:58:41 -0400 (EDT) Message-Id: <200007211758.NAA23247@roadblock.missi.ncsc.mil> Date: Fri, 21 Jul 2000 14:06:26 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: A Real Rationale for Dedicated Keys To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: ZDo0i7s0JKNQH8CDSRlezA== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc > From: Aram Perez <aram@pacbell.net> > > > The key generation device has its own private key and signs the cert request > > for the newly generated user key pair. The CA then knows that the key pair > > originated in a device it (the CA) trusts and probably provides as part of > > its service. The CA certifies the public key of the device so it can verify > > the device's cert requests. > > I'll restate my question: If the CA does not physically see the device that > generates the key pair, how can the CA know "that the key pair originated in > a device it (the CA) trusts"? And if the CA provides the device "as part of > its service", then I have to physically show up to get the device and > participate in the key generation process. If company X produces such a device, using designs and processes that have been evaluated, company X can give the device public key to the CA. The CA then knows, to the extent that the CA trusts the manufacturing process, that any cert request including the device signature could have come from nowhere else. Even if the devices were distributed in cereal boxes (with no link to a specific human) there is assurance that user keypairs cannot be extracted or replicated. > > Much more likely is that the owner *will* show up to the CA or one of its > > RAs to get a NR certificate. Anything less will probably fail to meet the > > legal requirements for NR and be worth no more than a NR=0 cert. > > While I mostly agree, what you are stating is impractical. Very few will use > digital signatures that "meet the legal requirements for NR" if they have to > physically show up to the CA. The U.S. postal service once wanted to be the CA for the masses; maybe 7-11 or Exxon could take over that job :-). User takes his cereal box token to the corner gas station, the operator looks at his driver's license and notarizes the cert request. Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA13900 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 10:50:29 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id FAA04593; Sat, 22 Jul 2000 05:50:54 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <96420185332042>; Sat, 22 Jul 2000 05:50:53 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: bjueneman@novell.com Subject: Re: Dual-signed certificates Cc: ietf-pkix@imc.org Sender: pgut001@cs.auckland.ac.nz Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Sat, 22 Jul 2000 05:50:53 (NZST) Message-ID: <96420185332042@kahu.cs.auckland.ac.nz> "Bob Jueneman" <bjueneman@novell.com> writes: >[snip] > >>Since a certificate is comprised of public information signed by a CA, >>clearly a CA can create a certificate saying more-or-less what they >>want. I suppose this is an argument for having certificates that are >>dual-signed (by the CA and the public key the contain). >Duh! Head-slapping! What a great idea! I'd love to see this added to X.509 >v3 as an optional, noncritical extension. The chickenAndEgg extension I presume? How do you process this (or generate it)? Peter. Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA13089 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 10:17:41 -0700 (PDT) Received: from [192.168.1.7] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY2005784WAS9@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Fri, 21 Jul 2000 10:07:22 -0700 (PDT) Date: Fri, 21 Jul 2000 10:07:46 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: Signing what you don't understand In-reply-to: <200007211654.SAA26579@emeriau.edelweb.fr> To: PKIX <ietf-pkix@imc.org> Message-id: <B59DD171.15A9%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Peter S., [snip] > An interesting part in the ETSI standard and the > Internet-draft is the following reference: > > > [TSP] C. Adams, P. Cain, D. Pinkas, R. Zuccherato. Time Stamp Protocol > (TSP), (under progress). June 2000. Are you saying that the ETSI standard is referring and possibly mandated the use of something that is "under progress"? The lawyers should have a field day! Regards, Aram Perez Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA13030 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 10:16:50 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA26167; Fri, 21 Jul 2000 13:19:19 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v04220811b59e34bd031a@[171.78.30.107]> In-Reply-To: <OF8234B5FE.AF9FE3FA-ON85256923.0051FD82@iris.com> References: <OF8234B5FE.AF9FE3FA-ON85256923.0051FD82@iris.com> Date: Fri, 21 Jul 2000 13:16:35 -0400 To: John_Wray@iris.com From: Stephen Kent <kent@bbn.com> Subject: Re: Signing what you don't understand Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" John, <snip> >You are missing what I'm trying to say. I'm not disputing that the >signature was created at the time claimed. > >The fact that CRLs include an invalidityDate field, which can indicate that >a certificate was invalid well before that CRL was published means that it >is possible for a certificate revocation to be "backdated" - i.e. even >though a perfectly valid CRL was referenced in the signature and indicated >that the certificate was valid at the time the signature was constructed, >another CRL can be published (possibly much) later that will say the >certificate was invalid at the signing time. > >This renders signer-provided evidence of non-revocation of little use >(unless you are willing to let the signer-provided evidence of >non-revocation trump the more recent CRL that asserts that the certificate >was invalid, which would open up a lot of security holes). The inclusion of the invalidity date in a CRL does not allow backdating, although it may appear that way. The argument put forth to justify approval of this extension was to allow the CA to alert RPs to newly gained info re a revocation so that IF the RP had not acted upon a transaction (or the like) THEN the RP could elect to treat the signature as invalid. However, if an RP has collected a CRL that covers the interval during which the transaction took place, then any later CRL with an invalidity date does not prevent the RP from using the CRL he acquired to support NR, i.e., the RP has exercised due diligence by obtaining the first CRL. <snip> Steve Received: from ntserver2.chrysalis-its.com ([209.47.245.163]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA12419 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 10:00:07 -0700 (PDT) From: FRousseau@chrysalis-its.com Received: by NTSERVER2 with Internet Mail Service (5.5.2650.21) id <PGABZ01V>; Fri, 21 Jul 2000 13:03:35 -0400 Message-ID: <918C70B01822D411A87400B0D0204DFF04C0BC@panda.chrysalis-its.com> To: bjueneman@novell.com Cc: ietf-pkix@imc.org Subject: RE: Indicating How Private Keys are Generated/Stored (was RE: A R eal Rationale for Dedicated Keys) Date: Fri, 21 Jul 2000 13:03:19 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF335.9AE5232C" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF335.9AE5232C Content-Type: text/plain; charset="iso-8859-1" Bob, Yes the Novell Security Attributes keyQuality and cryptoProcessQuality from Section 4 of your document seem to contain the basis of the information that the subscriber (i.e. the key generation device in my case) could put in the registration information in CRMF of a certificate request message. However, a common standardised method would have to be supported by the IETF. Francois ___________________________________ Francois Rousseau Director of Standards and Conformance Chrysalis-ITS 1688 Woodward Drive Ottawa, Ontario, CANADA, K2C 3R7 frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. 419 http://www.chrysalis-its.com Fax. (613) 723-5078 P.S. Although the URL mentions the v1.0 for this Novell document, once downloaded it is only version 0.998 of Aug 98. -----Original Message----- From: Bob Jueneman [mailto:bjueneman@novell.com] Sent: Friday, July 21, 2000 11:40 AM To: FRousseau@chrysalis-its.com; simon@onthenet.com.au Cc: ietf-pkix@imc.org Subject: Indicating How Private Keys are Generated/Stored (was RE: A Real Rationale for Dedicated Keys) Francois, I completely agree. All certificates issue by Novell, or created using Novell Certificate Server, contain a X.509 extension called the Novell Security Attributes. An important component of these attributes is the notion of a "certificate quality indicator", and one of the factors of the certificate quality is an indication of how the key was created (both the computer security and cryptographic security of the creating process, e.g., the TCSEC, ITSEC, or Common Criteria rating of the computing platform, together with the FIPS 140-1 rating). But in addition, it is necessary to have either a representation from the subscriber as to how the key will be used in the future (same parameters), and where and how the key will be stored in the meantime. Ideally, these representations should be enforced as constraints, with a bit provide to indicate that fact. For the details , including the ASN.1 encoding, see http://developer.novell.com/repository/attributes/certattrs_v10.htm Bob >>><FRousseau@chrysalis-its.com> 07/21/00 09:20AM >>> Hi Simon, I totally agree with you that if a key generation device had its own private key that is trusted by a CA and this key was used to sign a certificate request for a newly generated end user's key pair, this would certainly provide more confidence for this CA to certify the end user's public key for NR. Currently neither the CMP protocol [RFC2510] nor the CMC protocol [RFC2797] include a standard way for a key generation device to explicitly indicate in a certificate request the quality of remotely generated key pair and also how the private key will be stored and protected in the future. However, both CMP and CMC use CRMF [RFC2511] and Section 3 on the certificate request message indicates that the optional registration information field can contain supplementary information related to the context of the certification request when such information is required to fulfil a certification request. Wouldn't it make sense to define additional type(s) for the registration information in CRMF for this particular purpose of indicating the quality of remotely generated key pair and also how the private key will be stored and protected in the future? Certificate request messages containing this new registration information and the end user's public key would then be signed with the private key of the key generation device, which would acting as an RA in this case, and be forwarded to another RA or directly to the CA to be certified. What do others think about this suggestion? Regards, Francois ___________________________________ Francois Rousseau Director of Standards and Conformance Chrysalis-ITS 1688 Woodward Drive Ottawa, Ontario, CANADA, K2C 3R7 frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. 419 http://www.chrysalis-its.com Fax. (613) 723-5078 -----Original Message----- From: Simon McMahon [mailto:simon@onthenet.com.au Sent: Friday, July 21, 2000 12:15 AM To: Aram Perez; ietf-pkix@imc.org Subject: Re: A Real Rationale for Dedicated Keys > > Without the owner physically showing up, how can a CA know whether or not > key pair was "generated and the private part is stored to some minimum > standard"? > The key generation device has its own private key and signs the cert request for the newly generated user key pair. The CA then knows that the key pair originated in a device it (the CA) trusts and probably provides as part of its service. The CA certifies the public key of the device so it can verify the device's cert requests. Such a device is obviously not cheap but without such a device the CA cannot control the quality of remotely generated keys or how the private key is stored and protected from duplication (necessary for NR). Much more likely is that the owner *will* show up to the CA or one of its RAs to get a NR certificate. Anything less will probably fail to meet the legal requirements for NR and be worth no more than a NR=0 cert. Simon McMahon ERACOM Pty. Ltd. ------_=_NextPart_001_01BFF335.9AE5232C Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: Indicating How Private Keys are Generated/Stored (was RE: A = Real Rationale for Dedicated Keys)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Bob,</FONT> </P> <P><FONT SIZE=3D2>Yes the Novell Security Attributes keyQuality and = cryptoProcessQuality from Section 4 of your document seem to contain = the basis of the information that the subscriber (i.e. the key = generation device in my case) could put in the registration information = in CRMF of a certificate request message. However, a common = standardised method would have to be supported by the IETF.</FONT></P> <P><FONT SIZE=3D2>Francois</FONT> <BR><FONT SIZE=3D2>___________________________________</FONT> <BR><FONT SIZE=3D2>Francois Rousseau</FONT> <BR><FONT SIZE=3D2>Director of Standards and Conformance</FONT> <BR><FONT SIZE=3D2>Chrysalis-ITS</FONT> <BR><FONT SIZE=3D2>1688 Woodward Drive</FONT> <BR><FONT SIZE=3D2>Ottawa, Ontario, CANADA, K2C 3R7</FONT> <BR><FONT = SIZE=3D2>frousseau@chrysalis-its.com Tel. = (613) 723-5076 ext. 419</FONT> <BR><FONT SIZE=3D2><A HREF=3D"http://www.chrysalis-its.com" = TARGET=3D"_blank">http://www.chrysalis-its.com</A> &nbs= p; Fax. (613) 723-5078</FONT> </P> <P><FONT SIZE=3D2>P.S. Although the URL mentions the v1.0 for this = Novell document, once downloaded it is only version 0.998 of Aug = 98.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Bob Jueneman [<A = HREF=3D"mailto:bjueneman@novell.com">mailto:bjueneman@novell.com</A>]</F= ONT> <BR><FONT SIZE=3D2>Sent: Friday, July 21, 2000 11:40 AM</FONT> <BR><FONT SIZE=3D2>To: FRousseau@chrysalis-its.com; = simon@onthenet.com.au</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Indicating How Private Keys are = Generated/Stored (was RE: A</FONT> <BR><FONT SIZE=3D2>Real Rationale for Dedicated Keys)</FONT> </P> <BR> <P><FONT SIZE=3D2>Francois,</FONT> </P> <P><FONT SIZE=3D2>I completely agree.</FONT> </P> <P><FONT SIZE=3D2>All certificates issue by Novell, or created using = Novell Certificate Server, contain a X.509 extension called the Novell = Security Attributes. An important component of these attributes is the = notion of a "certificate quality indicator", and one of the = factors of the certificate quality is an indication of how the key was = created (both the computer security and cryptographic security of the = creating process, e.g., the TCSEC, ITSEC, or Common Criteria rating of = the computing platform, together with the FIPS 140-1 rating). But in = addition, it is necessary to have either a representation from the = subscriber as to how the key will be used in the future (same = parameters), and where and how the key will be stored in the = meantime.</FONT></P> <P><FONT SIZE=3D2>Ideally, these representations should be enforced as = constraints, with a bit provide to indicate that fact.</FONT> </P> <P><FONT SIZE=3D2>For the details , including the ASN.1 encoding, see = <A = HREF=3D"http://developer.novell.com/repository/attributes/certattrs_v10.= htm" = TARGET=3D"_blank">http://developer.novell.com/repository/attributes/cert= attrs_v10.htm</A></FONT> </P> <P><FONT SIZE=3D2>Bob</FONT> </P> <BR> <P><FONT SIZE=3D2>>>><FRousseau@chrysalis-its.com> = 07/21/00 09:20AM >>></FONT> </P> <BR> <P><FONT SIZE=3D2>Hi Simon,</FONT> </P> <P><FONT SIZE=3D2>I totally agree with you that if a key generation = device had its own private key that is trusted by a CA and this key was = used to sign a certificate request for a newly generated end user's key = pair, this would certainly provide more confidence for this CA to = certify the end user's public key for NR.</FONT></P> <P><FONT SIZE=3D2>Currently neither the CMP protocol [RFC2510] nor the = CMC protocol [RFC2797] include a standard way for a key generation = device to explicitly indicate in a certificate request the quality of = remotely generated key pair and also how the private key will be stored = and protected in the future. However, both CMP and CMC use CRMF = [RFC2511] and Section 3 on the certificate request message indicates = that the optional registration information field can contain = supplementary information related to the context of the certification = request when such information is required to fulfil a certification = request.</FONT></P> <P><FONT SIZE=3D2>Wouldn't it make sense to define additional type(s) = for the registration information in CRMF for this particular purpose of = indicating the quality of remotely generated key pair and also how the = private key will be stored and protected in the future? Certificate = request messages containing this new registration information and the = end user's public key would then be signed with the private key of the = key generation device, which would acting as an RA in this case, and be = forwarded to another RA or directly to the CA to be certified. What do = others think about this suggestion?</FONT></P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Francois</FONT> <BR><FONT SIZE=3D2>___________________________________</FONT> <BR><FONT SIZE=3D2>Francois Rousseau</FONT> <BR><FONT SIZE=3D2>Director of Standards and Conformance</FONT> <BR><FONT SIZE=3D2>Chrysalis-ITS</FONT> <BR><FONT SIZE=3D2>1688 Woodward Drive</FONT> <BR><FONT SIZE=3D2>Ottawa, Ontario, CANADA, K2C 3R7</FONT> <BR><FONT SIZE=3D2>frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. = 419</FONT> <BR><FONT SIZE=3D2><A HREF=3D"http://www.chrysalis-its.com" = TARGET=3D"_blank">http://www.chrysalis-its.com</A> Fax. (613) = 723-5078</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Simon McMahon [<A = HREF=3D"mailto:simon@onthenet.com.au">mailto:simon@onthenet.com.au</A> = </FONT> <BR><FONT SIZE=3D2>Sent: Friday, July 21, 2000 12:15 AM</FONT> <BR><FONT SIZE=3D2>To: Aram Perez; ietf-pkix@imc.org </FONT> <BR><FONT SIZE=3D2>Subject: Re: A Real Rationale for Dedicated = Keys</FONT> </P> <P><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Without the owner physically showing up, how = can a CA know whether or not</FONT> </P> <P><FONT SIZE=3D2>> key pair was "generated and the private = part is stored to some minimum</FONT> <BR><FONT SIZE=3D2>> standard"?</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>The key generation device has its own private key = and signs the cert request</FONT> <BR><FONT SIZE=3D2>for the newly generated user key pair. The CA then = knows that the key pair</FONT> <BR><FONT SIZE=3D2>originated in a device it (the CA) trusts and = probably provides as part of</FONT> <BR><FONT SIZE=3D2>its service. The CA certifies the public key of the = device so it can verify</FONT> <BR><FONT SIZE=3D2>the device's cert requests.</FONT> </P> <P><FONT SIZE=3D2>Such a device is obviously not cheap but without such = a device the CA cannot</FONT> <BR><FONT SIZE=3D2>control the quality of remotely generated keys or = how the private key is</FONT> <BR><FONT SIZE=3D2>stored and protected from duplication (necessary for = NR).</FONT> <BR><FONT SIZE=3D2>Much more likely is that the owner *will* show up to = the CA or one of its</FONT> <BR><FONT SIZE=3D2>RAs to get a NR certificate. Anything less will = probably fail to meet the</FONT> <BR><FONT SIZE=3D2>legal requirements for NR and be worth no more than = a NR=3D0 cert.</FONT> </P> <P><FONT SIZE=3D2>Simon McMahon</FONT> <BR><FONT SIZE=3D2>ERACOM Pty. Ltd.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF335.9AE5232C-- Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA12100 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 09:53:01 -0700 (PDT) Received: from [192.168.1.7] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY2005FH4AEFC@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Fri, 21 Jul 2000 09:54:15 -0700 (PDT) Date: Fri, 21 Jul 2000 09:54:39 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: A Real Rationale for Dedicated Keys In-reply-to: <s978163d.033@prv-mail20.provo.novell.com> To: PKIX <ietf-pkix@imc.org> Message-id: <B59DCE5E.159D%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Bob J., > I agree that creating multiple certificates containing the same key is a dumb > idea, because it makes it very difficult to know which set of assertions > (contained in the certificate) were supposed to apply to a given transaction. Whether it is dumb or not, I have personally heard a major financial institution state that they plan to have at least 3 certificates for the same key. The first is a self-signed certificate since they plan to run an internal CA. The next is a certificate issued by the ABA, since they are a member of ABA. And the third was a certificate issued by another major organization (which I don't recall), again because they belong to that organization. And speaking of dumb, PKIX allows several dumb things to happen that are perfectly legal according to the standards. Regards, Aram Perez [snip] Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA11823 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 09:47:29 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id MAA22127; Fri, 21 Jul 2000 12:49:23 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422080eb59e2d1e3897@[171.78.30.107]> In-Reply-To: <B59DBE1C.1588%aram@pacbell.net> References: <B59DBE1C.1588%aram@pacbell.net> Date: Fri, 21 Jul 2000 12:42:51 -0400 To: Aram Perez <aram@pacbell.net> From: Stephen Kent <kent@bbn.com> Subject: Re: Signing what you don't understand Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Aram, >Hi Steve K., > > > Aram, > > > >> Hi Steve K., > >> > >>> When we check a signature for NR, and significant time has elapsed > >>> since the signature was applied, then different rules must be > >>> employed. > >> > >> How do you know how much "time has elapsed since the signature >was applied"? > >> I am not aware of any standard that mandates the time of the signature. > >> S/MIME/PKCS#7 has provision for the signature time, but they don't mandate > >> it. > > > > If one is looking to effect NR, one has to do a number of things > > beyond simple signature checking of the sort required for typical > > authentication for input to an access control process. For example, > > one often needs to time stamp the signature on the data, collect the > > certs and CRLs and have them time stamped, etc. This creates a > > context that allows NR signature verification for the longer term > > than the validity of the signer's cert, or the signer's CAs' cert, > > etc. > >Without regurgitating the previous discussions on the validity of the NR >bit, where would someone know that if you are trying "to effect NR, one has >to do a number of things beyond simple signature checking"? From my perspective most of the NR burden usually is on the RP, and an RP knows when it is interested in NR vs. simple authentication. >Denis P. pointed >out ETSI Standard ES 201733, but how many implementers of digital signatures >that effect NR have read that standard and implemented it? I doubt that this is widely used yet, but then I see very little if any use of digital signatures for high value, long term NR anyway. Steve Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id JAA11328 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 09:38:56 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 21 Jul 2000 10:40:59 -0600 Message-Id: <s97828bb.021@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Fri, 21 Jul 2000 10:41:01 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ben@algroup.co.uk>, <thayes@netscape.com> Cc: <ietf-pkix@imc.org> Subject: Dual-signed certificates Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id JAA11329 Ben, [snip] >Since a certificate is comprised of public information signed by a CA, >clearly a CA can create a certificate saying more-or-less what they >want. I suppose this is an argument for having certificates that are >dual-signed (by the CA and the public key the contain). Duh! Head-slapping! What a great idea! I'd love to see this added to X.509 v3 as an optional, noncritical extension. For years, especially within the ABA, we have talked about the need for the user to explicitly confirm acceptance of the certificate, but at present there is no good way to confirm acceptance, except by procedures that are not verifiable by any relying party. Obviously, having the user sign the certificate herself would confirm acceptance. Now, granted, if a rogue CA wanted to create a bogus certificate containing my name and their public key, they could also sign the certificate, since they would possess the private key. However, this threat tends to evaporate as soon as the real user signs something which in all likelihood only that user could have done. and the more transactions that are signed, the more confidence that it really is the user -- in fact irrespective of the certificate, because the confidence in a signature tends to increase though repetitive use. As an aside, I sometimes get into arguments with people about whether, and how, trusted roots should be incorporated within browsers, etc. My experience is that I often receive a signed e-mail from someone whose root is not in my cache of trusted roots. Because in most cases the authentication of the user isn't exactly life and death (users who post to this list, for example), I tend to click OK and add that root to my cache. Now, one certificate authenticated by that root doesn't prove much, but by the time I've received three or four certificates all signed by the US DOD Medium Assurance CA, for example, I have a greatly increased confidence that that root is bone fide. Bob Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA11127 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 09:36:43 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id MAA20850; Fri, 21 Jul 2000 12:39:23 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422080db59e2c23fdc9@[171.78.30.107]> In-Reply-To: <200007211608.MAA21398@roadblock.missi.ncsc.mil> References: <200007211608.MAA21398@roadblock.missi.ncsc.mil> Date: Fri, 21 Jul 2000 12:38:26 -0400 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> From: Stephen Kent <kent@bbn.com> Subject: RE: Reverse paths Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Save, >Steve, > >If the intent of the bridge is to enable universal cryptographic >connectivity (which I believe it is), then using a bridge CA merely >as a "super certifier" for obtaining trusted copies of other >communities' keys doesn't avoid having to issue and manage N**2 >cross certs. Agreed. It just provides a way for each CA that WANTS to cross certify with other CAs to acquire the public key of the other CAs. >And including the bridge CA in paths does not preclude name >constraints - it is feasible and reasonable for each community >to distinguish between "my namespace" and "everyone else" in it's >outbound cert, and it is also feasible to use the bridge CA as a >namespace allocation authority to enforce disjointness using the >inbound certs. Yes, one can use the exclusion feature of name constraints to enforce that distinction, but that's a pretty wimpy feature compared to forcing each cross certified CA to issue certs ONLY within the name space for which it is authoritative. Similarly, for policy stuff, one seems tp be restricted to a one size fits all model for dealing with other CAs, as opposed to being able to make pairwise decisions. Steve Received: from raptor.access.net.id (root@raptor.access.net.id [202.180.0.14]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA10953 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 09:32:39 -0700 (PDT) Received: from mahatel (pteredon137.access.net.id [202.180.8.137]) by raptor.access.net.id (8.10.0/8.10.0) with SMTP id e6LGOYM04901; Fri, 21 Jul 2000 23:24:38 +0700 Message-Id: <3.0.6.32.20000721231517.008b6620@pop3.access.net.id> X-Sender: teddyap@pop3.access.net.id X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32) Date: Fri, 21 Jul 2000 23:15:17 +0700 To: Mcken.Mak@equifax.com From: Teddy A Purwadi <chairman@mii.or.id> Subject: Re: Value of smart cards. Re: Signing what you don't understand Cc: "Anders Rundgren" <anders.rundgren@telia.com>, ietf-pkix@imc.org In-Reply-To: <85256922.0056EBC2.00@noteswetc15.fin.equifax.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Folks, Is there an idea to discuss new Internet-Smart-Card? It might be IIN application on it. IMHO: Since we will have Standard PKI for each country, Internet-Smart-Card might be the one to be chosen. -Teddy At 11:49 AM 7/20/00 -0400, Mcken.Mak@equifax.com wrote: > > > >>The discrete credit-sized smart card is probably not going to take over the >world >>as you say. But the SIM/WIM card will. Actually 300 million *existing* >customers >>can't be wrong! > >I just want to add a comment for the SIM card - It is a smaller version of >Smartcard in a different footprint. The program in the GSM card use >non-standard encryption, it is not truely secure (both phyical/logical). > >>It provides a cheap tamper-resistant storage and crypto-processor that *will* >also >>be apart of PDAs when they are "connected". It is the ability to insert a >>subscription into a mobile phone and PDA that is the driving factor now. >>Later it will be PKI. >IMHO: I do like to see the PDA or phone will accept personal (crypto) smartcard >that could perform secure operations (ie. Sign Document, payment...) > >Mcken Mak > > ISOC: Indonesian Information-Internet Society Grha Citra Caraka, Mezzanine Fl, IIX-NAP NOC Jln Gatot Subroto 52, Jakarta 12710 - INDONESIA V:+62-21 5296 3841; F: +62-21 5296 3844; M: +62-8218 44444 E: chairman@mii.or.id; I: http://www.mii.or.id Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA10536 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 09:17:40 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id MAA21402 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 12:08:45 -0400 (EDT) Message-Id: <200007211608.MAA21398@roadblock.missi.ncsc.mil> Date: Fri, 21 Jul 2000 12:16:30 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: RE: Reverse paths To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: E87srE3220l3uuz9FMiuHQ== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc Steve, If the intent of the bridge is to enable universal cryptographic connectivity (which I believe it is), then using a bridge CA merely as a "super certifier" for obtaining trusted copies of other communities' keys doesn't avoid having to issue and manage N**2 cross certs. And including the bridge CA in paths does not preclude name constraints - it is feasible and reasonable for each community to distinguish between "my namespace" and "everyone else" in it's outbound cert, and it is also feasible to use the bridge CA as a namespace allocation authority to enforce disjointness using the inbound certs. Dave > From: Stephen Kent <kent@bbn.com> > > Sharon, > > I think the Federal Bridge CA model is broken. It is appropriate to > use a bridge CA as a convenient means of distributing certificates > between communities, to avoid the order N**2 cross certification > problem. CA-1 could go to the bridge CA to acquire the public key > for CA-2, then import that key into CA-1's domain, by issuing a cross > certificate from CA-1 to CA-2. In this fashion CA-1 van impose the > appropriate name constraints extension, appropriate policy mapping > constrains, even basic constraints on the depth of cert paths. Then > the existing processing methods we have should work, right? > > If one tries to process a path via a bridge CA, then one looses the > ability to impose name constraints, and to apply selective policy > mapping etc, because the bridge CA is in the path, getting in the way > :-). So, no, I am not persuaded by the suggestion that bridge CAs > are the wave of the future. I think they are ill conceived in their > current use, but they could be rehabilitated! > > <snip> > > Steve Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA10181 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 09:09:44 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA46768; Fri, 21 Jul 2000 18:16:07 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA39594; Fri, 21 Jul 2000 18:11:42 +0200 Message-ID: <39787640.E64F055C@bull.net> Date: Fri, 21 Jul 2000 18:11:44 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: John_Wray@iris.com CC: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <OF8234B5FE.AF9FE3FA-ON85256923.0051FD82@iris.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit John, (deleted text) > You are missing what I'm trying to say. I'm not disputing that the > signature was created at the time claimed. > > The fact that CRLs include an invalidityDate field, which can indicate that > a certificate was invalid well before that CRL was published means that it > is possible for a certificate revocation to be "backdated" - i.e. even > though a perfectly valid CRL was referenced in the signature and indicated > that the certificate was valid at the time the signature was constructed, > another CRL can be published (possibly much) later that will say the > certificate was invalid at the signing time. OK. I now understand better ! The point you are raising is interesting. If the RP uses the current CRL then he is *sure* that he is missing revocations that recently occured. In any case the time to wait for fetching the revocation status of a certificate is "signature policy dependent". But let us suppose that the time is set to a very short period of time. In that case the RP thinks he holds a valid proof (this is the case you mention) and the signer, in order to object would have to ask for the CA to prove when his certificate was revoked. The case you mention also exists with OCSP server, even if it provide "real time" information just because it is reasonable to give time to the real signer to report a key compromise. The conclusion is that the signature policy must set a period which is "big enough and reasonable". This is for this reason why when validating an electronic signature you may get "incomplete validation" which means that you have to try again later on. For high value transactions, the time to wait might be counted in days (to make sure that the real user noticed that his private key has been compromised and to give him the time to report). > This renders signer-provided evidence of non-revocation of little use > (unless you are willing to let the signer-provided evidence of > non-revocation trump the more recent CRL that asserts that the certificate > was invalid, which would open up a lot of security holes). (deleted text) > I think you're agreeing with the point I was originally trying to make. In that case that's fine ! Denis > This conversation started because it was suggested that simply using the > correct certificate chain would obviate the need for putting anything > special into the signature in support of NR - my response was that binding > the cert chain into the signature has some disadvantages, notably that the > signature can be rendered unverifiable _by_the_RP_ by circumstances that > ought to have no bearing on the signer's trustworthiness. You appear to be > countering this with a requirement that the signer put special evidence > designed in support of NR (but in this case used by the RP to perform an > initial signature verification) into the signature in addition to the cert > chain. I pointed out above that, due to the possibility of backdated > revocations, this doesn't really work, but that's really beside the point, > since requiring putting NR evidence into the signature is itself an > addition to the signature. > John Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA09919 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 09:05:56 -0700 (PDT) Received: from [192.168.1.7] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY20051621GBY@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Fri, 21 Jul 2000 09:05:41 -0700 (PDT) Date: Fri, 21 Jul 2000 09:06:15 -0700 From: Aram Perez <aram@pacbell.net> Subject: AW: Signing what you don't understand To: PKIX <ietf-pkix@imc.org> Message-id: <B59DC306.1589%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Peter L., >> Several leading PKI vendors have implemented systems where the private key >> is held on a central Web server and then downloaded at run time to a web >> browser. Are you saying that signatures created using these keys are >> invalid? >Are you sure? Could you provide a reference? I doubt that strongly... Sorry for the delay, but I thought someone on PKIX had mentioned something on this and it took me a while to find it in the PKIX archives. Partly because these keys are referred to as one of the following: mobile or roaming credentials. Anyway, on 15 Mar 2000, Magnus Nystrom wrote: "Please find attached to this email a memo discussing the use of and potential need for a PDU format and associated protocol for down- (and potentiall up-) load of personal credentials, such as private keys and X.509 certificates. Stephen Farrell of Baltimore is likely to give a presentation on this subject at the upcoming IETF meeting in Adelaide. We are currently unsure of whether this would be a work item for PKIX or for some BOF (or at all), but at least it seems as if this mailing list would be a good starting point. Comments are of course welcome and solicited." On 3 Jul 2000, Stephen Farrel wrote: "I put up a slide in Adelaide about roaming credentials and it looks like we're on for a BOF in Pittsburgh (date TBD). The strawman charter/BOF description is attached. So, if you're interested then subscribe to the list and let's see how much progress we can make prior to Pittsburgh. Paul Hoffman has kindly agreed to host the mailing list which he'll open for postings in a day or two, as soon as subscribing is seen to be working without problems, (but you can subscribe right now). Paul's also hosting the web site at: http://www.imc.org/ietf-sacred If you have any questions in the meantime, feel free to mail Magnus and/or me directly." Regards, Aram Perez Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA09422 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:57:28 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id LAA14166; Fri, 21 Jul 2000 11:59:32 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422080ab59e2219a1d8@[171.78.30.107]> In-Reply-To: <ED026032A3FCD211AEDA00105A9C4696016E588C@sothmxs05.entrust.com> References: <ED026032A3FCD211AEDA00105A9C4696016E588C@sothmxs05.entrust.com> Date: Fri, 21 Jul 2000 11:52:18 -0400 To: Sharon Boeyen <sharon.boeyen@entrust.com> From: Stephen Kent <kent@bbn.com> Subject: RE: Reverse paths Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sharon, >OK, I think we've cleared up the confusion. > >So what I'd propose is the addition of a sentence along these lines: > >If a CA issues a certificate to a CA that is not a subordinate to the >issuing >CA, the issuing CA must place the certificate in its own directory entry in >the crossCertificatePair attribute as a value of the reverse element. > >Is that ok? > Sounds OK to me. Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA09427 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:57:29 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id LAA14175; Fri, 21 Jul 2000 11:59:36 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422080bb59e22c1c958@[171.78.30.107]> In-Reply-To: <ED026032A3FCD211AEDA00105A9C4696016E588E@sothmxs05.entrust.com> References: <ED026032A3FCD211AEDA00105A9C4696016E588E@sothmxs05.entrust.com> Date: Fri, 21 Jul 2000 11:55:20 -0400 To: Sharon Boeyen <sharon.boeyen@entrust.com> From: Stephen Kent <kent@bbn.com> Subject: RE: forward & reverse confusion Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sharon, >Another side issue: > >In any conversation I have on these attributes or on path development or >on path processing, the terms 'forward' and 'reverse' cause confusion. I >suspect >I'm not alone in this. > >How do folks feel about submitting a defect report that would replace those >terms in the crossCertificatePair attribute with less confusing ones (e.g. >certsIssuedToThisCA, certsIssuedByThisCA)? I'm certainly not wed to those >terms, but something along those lines that better conveys what they really >are. Yes, I agree that it would be beneficial to change the terminology. Steve Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA08869 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:48:49 -0700 (PDT) Received: from [192.168.1.7] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY2005X512AS9@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Fri, 21 Jul 2000 08:44:36 -0700 (PDT) Date: Fri, 21 Jul 2000 08:45:16 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: Signing what you don't understand In-reply-to: <v04220800b59e009cc38f@[171.78.30.107]> To: Stephen Kent <kent@bbn.com> Cc: ietf-pkix@imc.org Message-id: <B59DBE1C.1588%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Steve K., > Aram, > >> Hi Steve K., >> >>> When we check a signature for NR, and significant time has elapsed >>> since the signature was applied, then different rules must be >>> employed. >> >> How do you know how much "time has elapsed since the signature was applied"? >> I am not aware of any standard that mandates the time of the signature. >> S/MIME/PKCS#7 has provision for the signature time, but they don't mandate >> it. > > If one is looking to effect NR, one has to do a number of things > beyond simple signature checking of the sort required for typical > authentication for input to an access control process. For example, > one often needs to time stamp the signature on the data, collect the > certs and CRLs and have them time stamped, etc. This creates a > context that allows NR signature verification for the longer term > than the validity of the signer's cert, or the signer's CAs' cert, > etc. Without regurgitating the previous discussions on the validity of the NR bit, where would someone know that if you are trying "to effect NR, one has to do a number of things beyond simple signature checking"? Denis P. pointed out ETSI Standard ES 201733, but how many implementers of digital signatures that effect NR have read that standard and implemented it? Regards, Aram Perez Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA08770 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:48:08 -0700 (PDT) Received: from [192.168.1.7] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY20059L0IYS9@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Fri, 21 Jul 2000 08:33:55 -0700 (PDT) Date: Fri, 21 Jul 2000 08:33:44 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: A Real Rationale for Dedicated Keys In-reply-to: <028d01bff2ca$4956e3d0$8802a8c0@eracom.com.au> To: ietf-pkix@imc.org Message-id: <B59DBB67.1586%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Simon M., >> Without the owner physically showing up, how can a CA know whether or not > a >> key pair was "generated and the private part is stored to some minimum >> standard"? >> > The key generation device has its own private key and signs the cert request > for the newly generated user key pair. The CA then knows that the key pair > originated in a device it (the CA) trusts and probably provides as part of > its service. The CA certifies the public key of the device so it can verify > the device's cert requests. I'll restate my question: If the CA does not physically see the device that generates the key pair, how can the CA know "that the key pair originated in a device it (the CA) trusts"? And if the CA provides the device "as part of its service", then I have to physically show up to get the device and participate in the key generation process. > > Such a device is obviously not cheap but without such a device the CA cannot > control the quality of remotely generated keys or how the private key is > stored and protected from duplication (necessary for NR). > > Much more likely is that the owner *will* show up to the CA or one of its > RAs to get a NR certificate. Anything less will probably fail to meet the > legal requirements for NR and be worth no more than a NR=0 cert. While I mostly agree, what you are stating is impractical. Very few will use digital signatures that "meet the legal requirements for NR" if they have to physically show up to the CA. Just my opinion, Aram Perez Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA08768 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:48:08 -0700 (PDT) Received: from [192.168.1.7] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY20060H0R3C6@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Fri, 21 Jul 2000 08:39:06 -0700 (PDT) Date: Fri, 21 Jul 2000 08:38:36 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: Signing what you don't understand In-reply-to: <3977FA7A.B2FC0E7A@bull.net> To: PKIX <ietf-pkix@imc.org> Message-id: <B59DBC8C.1587%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Denis P., > ETSI Standard ES 201733 mandates the signature time as a signed > attribute of the CMS structure. How widely implemented/used is this standard? Who determines the signature time? Is the signature time "certified"? > An informational draft RFC based on > that standard is available from: > > http://www.ietf.org/internet-drafts/draft-ietf-smime-esformats-01.txt How long before this "informational draft RFC" becomes a standard? Regards, Aram Perez Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA06938 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:38:38 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 21 Jul 2000 09:40:35 -0600 Message-Id: <s9781a93.054@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Fri, 21 Jul 2000 09:40:29 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <FRousseau@chrysalis-its.com>, <simon@onthenet.com.au> Cc: <ietf-pkix@imc.org> Subject: Indicating How Private Keys are Generated/Stored (was RE: A Real Rationale for Dedicated Keys) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id IAA06940 Francois, I completely agree. All certificates issue by Novell, or created using Novell Certificate Server, contain a X.509 extension called the Novell Security Attributes. An important component of these attributes is the notion of a "certificate quality indicator", and one of the factors of the certificate quality is an indication of how the key was created (both the computer security and cryptographic security of the creating process, e.g., the TCSEC, ITSEC, or Common Criteria rating of the computing platform, together with the FIPS 140-1 rating). But in addition, it is necessary to have either a representation from the subscriber as to how the key will be used in the future (same parameters), and where and how the key will be stored in the meantime. Ideally, these representations should be enforced as constraints, with a bit provide to indicate that fact. For the details , including the ASN.1 encoding, see http://developer.novell.com/repository/attributes/certattrs_v10.htm Bob >>><FRousseau@chrysalis-its.com> 07/21/00 09:20AM >>> Hi Simon, I totally agree with you that if a key generation device had its own private key that is trusted by a CA and this key was used to sign a certificate request for a newly generated end user's key pair, this would certainly provide more confidence for this CA to certify the end user's public key for NR. Currently neither the CMP protocol [RFC2510] nor the CMC protocol [RFC2797] include a standard way for a key generation device to explicitly indicate in a certificate request the quality of remotely generated key pair and also how the private key will be stored and protected in the future. However, both CMP and CMC use CRMF [RFC2511] and Section 3 on the certificate request message indicates that the optional registration information field can contain supplementary information related to the context of the certification request when such information is required to fulfil a certification request. Wouldn't it make sense to define additional type(s) for the registration information in CRMF for this particular purpose of indicating the quality of remotely generated key pair and also how the private key will be stored and protected in the future? Certificate request messages containing this new registration information and the end user's public key would then be signed with the private key of the key generation device, which would acting as an RA in this case, and be forwarded to another RA or directly to the CA to be certified. What do others think about this suggestion? Regards, Francois ___________________________________ Francois Rousseau Director of Standards and Conformance Chrysalis-ITS 1688 Woodward Drive Ottawa, Ontario, CANADA, K2C 3R7 frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. 419 http://www.chrysalis-its.com Fax. (613) 723-5078 -----Original Message----- From: Simon McMahon [mailto:simon@onthenet.com.au Sent: Friday, July 21, 2000 12:15 AM To: Aram Perez; ietf-pkix@imc.org Subject: Re: A Real Rationale for Dedicated Keys > > Without the owner physically showing up, how can a CA know whether or not > key pair was "generated and the private part is stored to some minimum > standard"? > The key generation device has its own private key and signs the cert request for the newly generated user key pair. The CA then knows that the key pair originated in a device it (the CA) trusts and probably provides as part of its service. The CA certifies the public key of the device so it can verify the device's cert requests. Such a device is obviously not cheap but without such a device the CA cannot control the quality of remotely generated keys or how the private key is stored and protected from duplication (necessary for NR). Much more likely is that the owner *will* show up to the CA or one of its RAs to get a NR certificate. Anything less will probably fail to meet the legal requirements for NR and be worth no more than a NR=0 cert. Simon McMahon ERACOM Pty. Ltd. Received: from arista.iris.com (arista.iris.com [198.112.211.42]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA06332 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:36:30 -0700 (PDT) From: John_Wray@iris.com Subject: Re: Signing what you don't understand To: Denis Pinkas <Denis.Pinkas@bull.net> Cc: John_Wray@iris.com, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.2c February 2, 2000 Message-ID: <OF8234B5FE.AF9FE3FA-ON85256923.0051FD82@iris.com> Date: Fri, 21 Jul 2000 11:39:30 -0400 X-MIMETrack: Serialize by Router on Arista/Iris(Build V505_07112000 |July 11, 2000) at 07/21/2000 11:39:15 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Denis, >> >This is contradictory. "if it includes evidence that at the time of >> >signature creation, those certificates had not yet been revoked" >> >means that you must provide a proof that the certificates whre not >> >revoked at the time of the signature, so you cannot say at the same >> >time "certificate chain that contains revoked certificates". >> >> It's not contradictory: Evidence that a certificate had not been revoked >> at time T could include a CRL that was valid at T, and that did not list >> the certificate. However, if later a CRL were published (and were >> available to the RP) that included the certificate, along with an >> invalidityDate before time T, then the RP can conclude that the certificate >> has been revoked, and should not be trusted to verify a signature made at >> T. > >You should talk a closer look at <draft-ietf-smime-esformats-01.txt> >section 4.1.1 Signature Timestamp Attribute Definition > >The Signature Validation Policy specifies, in the >signatureTimestampDelay field of TimestampTrustConditions, a maximum >acceptable time difference which is allowed between the time >indicated in the signing time attribute and the time indicated by >the Signature Timestamp attribute. If this delay is exceeded then >the electronic signature *must* be considered as invalid. > >This means that the signed data *must* include a signing time (as a >signed attribute from the CMS construct). This allows to solve >unambiguously the case. You are missing what I'm trying to say. I'm not disputing that the signature was created at the time claimed. The fact that CRLs include an invalidityDate field, which can indicate that a certificate was invalid well before that CRL was published means that it is possible for a certificate revocation to be "backdated" - i.e. even though a perfectly valid CRL was referenced in the signature and indicated that the certificate was valid at the time the signature was constructed, another CRL can be published (possibly much) later that will say the certificate was invalid at the signing time. This renders signer-provided evidence of non-revocation of little use (unless you are willing to let the signer-provided evidence of non-revocation trump the more recent CRL that asserts that the certificate was invalid, which would open up a lot of security holes). >> >So what are you talking about ??? >> >> The case where an RP receives a document and is trying to verify a >> signature. The significance of the NR bit in a certificate was the >> starting point for this discussion, but for now I'm simply concerned with >> the initial signature verification (if the RP doesn't believe my signature, >> he certainly can't expect to hold me to it :). Note I'm not restricting >> this to simple E-mail, where because of the one-to-one, low-latency nature >> of the communications involved, there is unlikely to be a significant time >> between signing and verifying (and if there is, the RP can simply ask the >> sender for a freshly-signed copy). Rather, I'm talking about high-latency >> or one-to-many environments. An extreme example of this might be signing a >> document and placing it on a web-site or in a directory - here I am signing >> the document without any knowledge of the identity of the RPs, and with the >> possibility of significant delay before an RP will try to verify the >> signature. > >Your are talking NR without knowing it. :-) > >In your example, the signed data does not have NR properties but the >RP would like to get the the NR properties. So unless the signer >places signed data that have NR properties, the case CANNOT be >solved, i.e. disputes cannot be solved, just because there is not >enough information available to solve the dispute. So unless >"sufficient" information is orginally placed, the signed message >does not have long term properties. I think you're agreeing with the point I was originally trying to make. This conversation started because it was suggested that simply using the correct certificate chain would obviate the need for putting anything special into the signature in support of NR - my response was that binding the cert chain into the signature has some disadvantages, notably that the signature can be rendered unverifiable _by_the_RP_ by circumstances that ought to have no bearing on the signer's trustworthiness. You appear to be countering this with a requirement that the signer put special evidence designed in support of NR (but in this case used by the RP to perform an initial signature verification) into the signature in addition to the cert chain. I pointed out above that, due to the possibility of backdated revocations, this doesn't really work, but that's really beside the point, since requiring putting NR evidence into the signature is itself an addition to the signature. John Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA05406 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:32:36 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <PHL2HG57>; Fri, 21 Jul 2000 11:34:47 -0400 Message-ID: <ED026032A3FCD211AEDA00105A9C4696016E588E@sothmxs05.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Stephen Kent'" <kent@bbn.com> Cc: ietf-pkix@imc.org Subject: RE: forward & reverse confusion Date: Fri, 21 Jul 2000 11:33:06 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Another side issue: In any conversation I have on these attributes or on path development or on path processing, the terms 'forward' and 'reverse' cause confusion. I suspect I'm not alone in this. How do folks feel about submitting a defect report that would replace those terms in the crossCertificatePair attribute with less confusing ones (e.g. certsIssuedToThisCA, certsIssuedByThisCA)? I'm certainly not wed to those terms, but something along those lines that better conveys what they really are. Sharon > -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Friday, July 21, 2000 9:41 AM > To: Sharon Boeyen > Cc: ietf-pkix@imc.org > Subject: RE: Reverse paths > > > Sharon, > > >Steve, > >I don't think I've been able to clearly describe what I meant. I am > >NOT proposing ANY additional certificate issuance by anybody. I think > >the terms reverse and forward are very unfortunate and always confuse > >these discussions. Can we chat offline just to make sure that you > >understand what it is I am proposing. Email makes this type of > >discussion difficult at best. > > > >Within a hierarchy I don't believe any change is required. > If the root > >of a hierarchy issued a certificate to some CA that is NOT a > subordinate > >of the root, then currently PKIX does not require the root > CA to place > >that certificate in the root CA's entry. What I am proposing is that > >such a certificate, IF ISSUED, be placed in the issuer's > entry as well > >as in the subject CA's entry. > > Ok, I think this clarification makes me more comfortable. > > Steve > > P.S. All the negative comments about bridge CAs in my previous > message still apply. > Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA03891 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:26:28 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <PHL2HGXW>; Fri, 21 Jul 2000 11:28:37 -0400 Message-ID: <ED026032A3FCD211AEDA00105A9C4696016E588C@sothmxs05.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Stephen Kent'" <kent@bbn.com> Cc: ietf-pkix@imc.org Subject: RE: Reverse paths Date: Fri, 21 Jul 2000 11:26:55 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" OK, I think we've cleared up the confusion. So what I'd propose is the addition of a sentence along these lines: If a CA issues a certificate to a CA that is not a subordinate to the issuing CA, the issuing CA must place the certificate in its own directory entry in the crossCertificatePair attribute as a value of the reverse element. Is that ok? Sharon > -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Friday, July 21, 2000 9:41 AM > To: Sharon Boeyen > Cc: ietf-pkix@imc.org > Subject: RE: Reverse paths > > > Sharon, > > >Steve, > >I don't think I've been able to clearly describe what I meant. I am > >NOT proposing ANY additional certificate issuance by anybody. I think > >the terms reverse and forward are very unfortunate and always confuse > >these discussions. Can we chat offline just to make sure that you > >understand what it is I am proposing. Email makes this type of > >discussion difficult at best. > > > >Within a hierarchy I don't believe any change is required. > If the root > >of a hierarchy issued a certificate to some CA that is NOT a > subordinate > >of the root, then currently PKIX does not require the root > CA to place > >that certificate in the root CA's entry. What I am proposing is that > >such a certificate, IF ISSUED, be placed in the issuer's > entry as well > >as in the subject CA's entry. > > Ok, I think this clarification makes me more comfortable. > > Steve > > P.S. All the negative comments about bridge CAs in my previous > message still apply. > Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA02135 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:20:15 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 21 Jul 2000 09:22:05 -0600 Message-Id: <s978163d.033@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Fri, 21 Jul 2000 09:22:01 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <kent@bbn.com>, <azb@llnl.gov> Cc: <ietf-pkix@imc.org> Subject: Re: A Real Rationale for Dedicated Keys Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=_CE96828D.BBDAB31A" This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=_CE96828D.BBDAB31A Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Tony, I agree that creating multiple certificates containing the same key is a = dumb idea, because it makes it very difficult to know which set of = assertions (contained in the certificate) were supposed to apply to a = given transaction. But since the individual CA cannot possible detect or prevent someone from = going to two different CAs with the same public key, and making two = different sets of assertions, complete with full-blown POP, the only = reasonable solution to to place the burden firmly on the subscriber/user. If he creates two certificates for the same key, one with NR and one = without (or any other assertion), then unless the certificate is bound to = the transaction by more than just the signature, the relying party should = be permitted to make his case using which ever certificate is most = favorable to his case. Bob >>> Tony Bartoletti <azb@llnl.gov> 07/20/00 05:20PM >>> At 05:48 PM 7/20/00 -0400, Stephen Kent wrote: >Tony, > >You cited the ability of a user (or someone else) to bind a public key=20 >into multiple certs, some with and some without the NR bit enabled as = a=20 >reason that the NR bit is not useful for the purpose I stated. I think = I=20 >pointed out in my response to John Wary why this line of reasoning is = not=20 >necessarily true. It would be a mistake for a user to have the same = public=20 >key in multiple certs, and anyone other than the user should not be = able=20 >to effect POP and get a CA to issue a cert. Yes, a user could act in = this=20 >inappropriate fashion, in some instances, but then too a user could=20 >undermine most of the safeguards that we envision through negligent = conduct. Steve, I agree with the main points, and I worked from the assumption that CAs will not certify without POP (certainly not NR without POP!). Thus, if a user (wisely, naively, or unscrupulously) has an NR-key "differently certified", it is largely under the user's control, since they are the only ones that can satisfy POP. So, my tack becomes "How best to work from this assumption?" Bad as such a practice may be, I asked myself how close one could come to making such a situation "workable", and the answer (to me) was a protocol that forces a conscious selection of certificate be bound into the transaction. (I suppose they will always have the "Ooops, I thought I selected the NR=3D0 cert that time, honest mistake...) but the signed content would at least implicate a usage (and for NR and the RP, more importantly, the strength of a DN-Person binding that is commensurate with such a usage.) To a Relying Party, the value of the NR bit on ANY certificate for a given key (even where the same key may have been lightly certified elsewhere) is that someone (who but the CA?) has gone to greater lengths to ensure the "reasonableness" of the DN as a reliable indicator of an identifiable party. (Of what value an NR-cert binding a key to the DN-equivalent of "someone@mailbox"?) To my understanding, a re-certification of such a "strong" key does not in itself weaken the established DN-Entity binding. (It DOES allow a "lightweight CA" to leverage the hard work of the diligent NR-certifying CA ... Is that an issue?) It (NR-bit) may also be a declaration from the CA that the key was generated in a secure device. But all of this lends a degree of value to ANY use of the key, EXCEPT for a use requiring some measure of anonymity. Fortunately, the user is self-motivated to employ a distinct key for such purposes. As far as this being a reason that the "NR-bit is not useful" for the purpose you stated, I am not quite sure. From your response to John Wray, I can only suppose that this use centers on the reduction of "added mechanisms" to support Non-Repudiation. But I feel that "additional mechanisms" are required for such a weighty use as legally binding signatures. I really want to avoid people buying into the semantic that "Valid Signature" plus "I found a certificate that says NR" somehow equates to "signature was made with NR intent." (Even binding a selected NR-cert into the signature is insufficient, but moves us a step closer.) There are really two motivations I consider: 1. What can be done to help prevent a "criminal" user from perpetrating a fraud. 2. What can the legitimate user do to protect herself from misapplication by others. If we agree that we cannot (easily) prevent a user from having a key "multiply-certified", the goal must shift to how we might best prevent the unscrupulous user from profiting by the practice. My point about the privacy/anonymity issue is that the user has legitimate control over this by applying different keys. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 --=_CE96828D.BBDAB31A Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" http-equiv=3DContent-Type= > <META content=3D"MSHTML 5.00.2614.3401" name=3DGENERATOR></HEAD> <BODY style=3D"FONT: 8pt MS Sans Serif; MARGIN-LEFT: 2px; MARGIN-TOP: = 2px"> <DIV><FONT size=3D1>Tony,</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>I agree that creating multiple certificates containing = the=20 same key is a dumb idea, because it makes it very difficult to know which = set of=20 assertions (contained in the certificate) were supposed to apply to a = given=20 transaction.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>But since the individual CA cannot possible detect or = prevent=20 someone from going to two different CAs with the same public key, and = making two=20 different sets of assertions, complete with full-blown POP, the only = reasonable=20 solution to to place the burden firmly on the subscriber/user.</FONT></DIV>= <DIV> </DIV> <DIV><FONT size=3D1>If he creates two certificates for the same key, one = with NR=20 and one without (or any other assertion), then unless the certificate is = bound=20 to the transaction by more than just the signature, the relying party = should be=20 permitted to make his case using which ever certificate is most favorable = to his=20 case.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Bob</FONT></DIV> <DIV> </DIV> <DIV><BR>>>> Tony Bartoletti <azb@llnl.gov> 07/20/00 = 05:20PM=20 >>><BR>At 05:48 PM 7/20/00 -0400, Stephen Kent=20 wrote:<BR>>Tony,<BR>><BR>>You cited the ability of a user (or = someone=20 else) to bind a public key <BR>>into multiple certs, some with and = some=20 without the NR bit enabled as a <BR>>reason that the NR bit is not = useful for=20 the purpose I stated. I think I <BR>>pointed out in my response = to John=20 Wary why this line of reasoning is not <BR>>necessarily true. It would = be a=20 mistake for a user to have the same public <BR>>key in multiple certs, = and=20 anyone other than the user should not be able <BR>>to effect POP and = get a CA=20 to issue a cert. Yes, a user could act in this <BR>>inappropriate= =20 fashion, in some instances, but then too a user could <BR>>undermine = most of=20 the safeguards that we envision through negligent=20 conduct.<BR><BR>Steve,<BR><BR>I agree with the main points, and I worked = from=20 the assumption that<BR>CAs will not certify without POP (certainly not = NR=20 without POP!).<BR><BR>Thus, if a user (wisely, naively, or unscrupulously) = has=20 an NR-key<BR>"differently certified", it is largely under the user's=20 control,<BR>since they are the only ones that can satisfy POP.<BR><BR>So, = my=20 tack becomes "How best to work from this assumption?"<BR><BR>Bad as such = a=20 practice may be, I asked myself how close one could come<BR>to making such = a=20 situation "workable", and the answer (to me) was a<BR>protocol that forces = a=20 conscious selection of certificate be bound<BR>into the transaction. = (I=20 suppose they will always have the "Ooops,<BR>I thought I selected the = NR=3D0 cert=20 that time, honest mistake...) but<BR>the signed content would at least = implicate=20 a usage (and for NR and<BR>the RP, more importantly, the strength of a = DN-Person=20 binding that<BR>is commensurate with such a usage.)<BR><BR>To a Relying = Party,=20 the value of the NR bit on ANY certificate for a<BR>given key (even where = the=20 same key may have been lightly certified<BR>elsewhere) is that someone = (who but=20 the CA?) has gone to greater<BR>lengths to ensure the "reasonableness" of = the DN=20 as a reliable<BR>indicator of an identifiable party. (Of what value = an=20 NR-cert<BR>binding a key to the DN-equivalent of "someone@mailbox"?)<BR><BR= >To=20 my understanding, a re-certification of such a "strong" key<BR>does not = in=20 itself weaken the established DN-Entity binding.<BR><BR>(It DOES allow = a=20 "lightweight CA" to leverage the hard work<BR>of the diligent NR-certifying= CA=20 ... Is that an issue?)<BR><BR>It (NR-bit) may also be a declaration from = the CA=20 that the key<BR>was generated in a secure device. But all of this = lends a=20 degree<BR>of value to ANY use of the key, EXCEPT for a use requiring=20 some<BR>measure of anonymity. Fortunately, the user is=20 self-motivated<BR>to employ a distinct key for such purposes.<BR><BR>As = far as=20 this being a reason that the "NR-bit is not useful"<BR>for the purpose = you=20 stated, I am not quite sure. From your<BR>response to John Wray, I = can=20 only suppose that this use centers<BR>on the reduction of "added mechanisms= " to=20 support Non-Repudiation.<BR><BR>But I feel that "additional mechanisms" = are=20 required for such<BR>a weighty use as legally binding signatures.<BR><BR>I= =20 really want to avoid people buying into the semantic that<BR>"Valid = Signature"=20 plus "I found a certificate that says NR"<BR>somehow equates to "signature = was=20 made with NR intent."<BR>(Even binding a selected NR-cert into the = signature=20 is<BR>insufficient, but moves us a step closer.)<BR><BR>There are really = two=20 motivations I consider:<BR><BR>1. What can be done to help prevent = a=20 "criminal" user from<BR> perpetrating a=20 fraud.<BR><BR>2. What can the legitimate user do to protect = herself=20 from<BR> misapplication by others.<BR><BR>If we = agree=20 that we cannot (easily) prevent a user from having<BR>a key=20 "multiply-certified", the goal must shift to how we might<BR>best prevent = the=20 unscrupulous user from profiting by the practice.<BR><BR>My point about = the=20 privacy/anonymity issue is that the user has<BR>legitimate control over = this by=20 applying different keys.<BR><BR>___tony___<BR><BR><BR>Tony Bartoletti=20 925-422-3881 <azb@llnl.gov><BR>Information Operations, Warfare = and=20 Assurance Center<BR>Lawrence Livermore National Laboratory<BR>Livermore, = CA=20 94551-9900<BR><BR></DIV></BODY></HTML> --=_CE96828D.BBDAB31A-- Received: from ntserver2.chrysalis-its.com ([209.47.245.163]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA01906 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:17:15 -0700 (PDT) From: FRousseau@chrysalis-its.com Received: by NTSERVER2 with Internet Mail Service (5.5.2650.21) id <PGABZ976>; Fri, 21 Jul 2000 11:20:43 -0400 Message-ID: <918C70B01822D411A87400B0D0204DFF04C0B8@panda.chrysalis-its.com> To: simon@onthenet.com.au Cc: ietf-pkix@imc.org Subject: Indicating How Private Keys are Generated/Stored (was RE: A Real Rationale for Dedicated Keys) Date: Fri, 21 Jul 2000 11:20:30 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF327.3BC79D38" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF327.3BC79D38 Content-Type: text/plain; charset="iso-8859-1" Hi Simon, I totally agree with you that if a key generation device had its own private key that is trusted by a CA and this key was used to sign a certificate request for a newly generated end user's key pair, this would certainly provide more confidence for this CA to certify the end user's public key for NR. Currently neither the CMP protocol [RFC2510] nor the CMC protocol [RFC2797] include a standard way for a key generation device to explicitly indicate in a certificate request the quality of remotely generated key pair and also how the private key will be stored and protected in the future. However, both CMP and CMC use CRMF [RFC2511] and Section 3 on the certificate request message indicates that the optional registration information field can contain supplementary information related to the context of the certification request when such information is required to fulfil a certification request. Wouldn't it make sense to define additional type(s) for the registration information in CRMF for this particular purpose of indicating the quality of remotely generated key pair and also how the private key will be stored and protected in the future? Certificate request messages containing this new registration information and the end user's public key would then be signed with the private key of the key generation device, which would acting as an RA in this case, and be forwarded to another RA or directly to the CA to be certified. What do others think about this suggestion? Regards, Francois ___________________________________ Francois Rousseau Director of Standards and Conformance Chrysalis-ITS 1688 Woodward Drive Ottawa, Ontario, CANADA, K2C 3R7 frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. 419 http://www.chrysalis-its.com Fax. (613) 723-5078 -----Original Message----- From: Simon McMahon [mailto:simon@onthenet.com.au] Sent: Friday, July 21, 2000 12:15 AM To: Aram Perez; ietf-pkix@imc.org Subject: Re: A Real Rationale for Dedicated Keys > > Without the owner physically showing up, how can a CA know whether or not a > key pair was "generated and the private part is stored to some minimum > standard"? > The key generation device has its own private key and signs the cert request for the newly generated user key pair. The CA then knows that the key pair originated in a device it (the CA) trusts and probably provides as part of its service. The CA certifies the public key of the device so it can verify the device's cert requests. Such a device is obviously not cheap but without such a device the CA cannot control the quality of remotely generated keys or how the private key is stored and protected from duplication (necessary for NR). Much more likely is that the owner *will* show up to the CA or one of its RAs to get a NR certificate. Anything less will probably fail to meet the legal requirements for NR and be worth no more than a NR=0 cert. Simon McMahon ERACOM Pty. Ltd. ------_=_NextPart_001_01BFF327.3BC79D38 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>Indicating How Private Keys are Generated/Stored (was RE: A Real = Rationale for Dedicated Keys)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Hi Simon,</FONT> </P> <P><FONT SIZE=3D2>I totally agree with you that if a key generation = device had its own private key that is trusted by a CA and this key was = used to sign a certificate request for a newly generated end user's key = pair, this would certainly provide more confidence for this CA to = certify the end user's public key for NR.</FONT></P> <P><FONT SIZE=3D2>Currently neither the CMP protocol [RFC2510] nor the = CMC protocol [RFC2797] include a standard way for a key generation = device to explicitly indicate in a certificate request the quality of = remotely generated key pair and also how the private key will be stored = and protected in the future. However, both CMP and CMC use CRMF = [RFC2511] and Section 3 on the certificate request message indicates = that the optional registration information field can contain = supplementary information related to the context of the certification = request when such information is required to fulfil a certification = request.</FONT></P> <P><FONT SIZE=3D2>Wouldn't it make sense to define additional type(s) = for the registration information in CRMF for this particular purpose of = indicating the quality of remotely generated key pair and also how the = private key will be stored and protected in the future? Certificate = request messages containing this new registration information and the = end user's public key would then be signed with the private key of the = key generation device, which would acting as an RA in this case, and be = forwarded to another RA or directly to the CA to be certified. What do = others think about this suggestion?</FONT></P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Francois</FONT> <BR><FONT SIZE=3D2>___________________________________</FONT> <BR><FONT SIZE=3D2>Francois Rousseau</FONT> <BR><FONT SIZE=3D2>Director of Standards and Conformance</FONT> <BR><FONT SIZE=3D2>Chrysalis-ITS</FONT> <BR><FONT SIZE=3D2>1688 Woodward Drive</FONT> <BR><FONT SIZE=3D2>Ottawa, Ontario, CANADA, K2C 3R7</FONT> <BR><FONT = SIZE=3D2>frousseau@chrysalis-its.com Tel. = (613) 723-5076 ext. 419</FONT> <BR><FONT SIZE=3D2><A HREF=3D"http://www.chrysalis-its.com" = TARGET=3D"_blank">http://www.chrysalis-its.com</A> &nbs= p; Fax. (613) 723-5078</FONT> </P> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Simon McMahon [<A = HREF=3D"mailto:simon@onthenet.com.au">mailto:simon@onthenet.com.au</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Friday, July 21, 2000 12:15 AM</FONT> <BR><FONT SIZE=3D2>To: Aram Perez; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: A Real Rationale for Dedicated = Keys</FONT> </P> <BR> <P><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Without the owner physically showing up, how = can a CA know whether or not</FONT> <BR><FONT SIZE=3D2>a</FONT> <BR><FONT SIZE=3D2>> key pair was "generated and the private = part is stored to some minimum</FONT> <BR><FONT SIZE=3D2>> standard"?</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>The key generation device has its own private key = and signs the cert request</FONT> <BR><FONT SIZE=3D2>for the newly generated user key pair. The CA then = knows that the key pair</FONT> <BR><FONT SIZE=3D2>originated in a device it (the CA) trusts and = probably provides as part of</FONT> <BR><FONT SIZE=3D2>its service. The CA certifies the public key of the = device so it can verify</FONT> <BR><FONT SIZE=3D2>the device's cert requests.</FONT> </P> <P><FONT SIZE=3D2>Such a device is obviously not cheap but without such = a device the CA cannot</FONT> <BR><FONT SIZE=3D2>control the quality of remotely generated keys or = how the private key is</FONT> <BR><FONT SIZE=3D2>stored and protected from duplication (necessary for = NR).</FONT> </P> <P><FONT SIZE=3D2>Much more likely is that the owner *will* show up to = the CA or one of its</FONT> <BR><FONT SIZE=3D2>RAs to get a NR certificate. Anything less will = probably fail to meet the</FONT> <BR><FONT SIZE=3D2>legal requirements for NR and be worth no more than = a NR=3D0 cert.</FONT> </P> <P><FONT SIZE=3D2>Simon McMahon</FONT> <BR><FONT SIZE=3D2>ERACOM Pty. Ltd.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF327.3BC79D38-- Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA01631 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 08:10:36 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 21 Jul 2000 09:12:40 -0600 Message-Id: <s9781408.014@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Fri, 21 Jul 2000 09:12:34 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ietf-pkix@imc.org>, <aram@pacbell.net> Subject: Re: A Real Rationale for Dedicated Keys Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=_39617578.A4C5AC03" This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=_39617578.A4C5AC03 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Hi, Aram, Let me first observe that we seem to be greatly overloading a poor single = NR bit. Suggestions have been made that certain standards of key control must = apply, that various time stamping and/or other certificate validation = standards must apply, maybe some kind of biometrics must be used to = protect against the possibility that they user accidentally or deliberately= gave away his key or smart card, that somehow we have to have proof that = what the user through he was signing was in fact what was signed, that the = mechanism should somehow protect against multiple signature operations = taking place during a single card insertion, and that somehow we should = ensure that they user really intended to sign that particular transaction = as his volitional act. Whew! But with respect to how the CA can or should know that the keys were = properly generated, stored, and used, let me just say that I believe that = is putting too much responsibility on the CA. The contents of a certificate should be primarily viewed as a set of = representations made by the subscriber to the CA, with the CA acting as a = trusted witness. If certificates are to be reasonably affordable, we = cannot require that the CA employ a vast network of Pinkerton agents to go = out and independently investigate the truth of every assertion made. It = should be sufficient that the CA verify the identity of the subscriber and = the possession of the private key corresponding to the public key -- = everything else should be viewed as a representation by the subscriber = (not that the CA should turn a blind eye to an obvious error or falsehood.)= Particularly in the case of a digital signature certificate (less so in = the case of encryption, but NR presumably doesn't apply there), if the = subscriber claims a certain degree of key protection, and essentially says = to the relying party, ":You can trust this transaction, because I have = taken scrupulous care to ensure than no one can access my keys without my = permission," then the subscriber would clearly have a very difficult time = trying to repudiate the transaction based on a key compromise -- he would = be hung with his own rope. Bob >>> Aram Perez <aram@pacbell.net> 07/20/00 08:10PM >>> Hi Tony B., > At 10:04 AM 7/21/00 +1000, Simon McMahon wrote: >>>=20 >>> Could you tell me what has NR (Non-Repudation) to do with CA control = key >>> generation. >>>=20 >> By "CA controlled key generation" I mean that the CA specifies minimum >> standards and one option of the CA may be to do the key gen itself. The = CA >> should verify that the minimum standards are being followed if it = specifies >> any. >=20 > Agreed! >=20 >> Non-repudiation requires (at least) that the private key does not get >> exposed or used by someone else without the owner knowing it. That = means >> that how the private key is used and how it is stored when not in use = is >> very relevant to NR. CAs can (and should) insist that key pairs are >> generated and the private part is stored to some minimum standard = before >> they certify the public part. >=20 > Agreed! Without the owner physically showing up, how can a CA know whether or not = a key pair was "generated and the private part is stored to some minimum standard"? Regards, Aram Perez [snip] --=_39617578.A4C5AC03 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" http-equiv=3DContent-Type= > <META content=3D"MSHTML 5.00.2614.3401" name=3DGENERATOR></HEAD> <BODY style=3D"FONT: 8pt MS Sans Serif; MARGIN-LEFT: 2px; MARGIN-TOP: = 2px"> <DIV><FONT size=3D1>Hi, Aram,</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Let me first observe that we seem to be greatly = overloading a=20 poor single NR bit.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Suggestions have been made that certain standards of = key=20 control must apply, that </FONT><FONT size=3D1>various time stamping = and/or other=20 certificate validation standards must apply, </FONT><FONT size=3D1>maybe = some kind=20 of biometrics must be used to protect against the possibility that they = user=20 accidentally or deliberately gave away his key or smart card, that somehow = we=20 have to have proof that what the user through he was signing was in fact = what=20 was signed, that the mechanism should somehow protect against multiple = signature=20 operations taking place during a single card insertion, and that somehow = we=20 should ensure that they user really intended to sign that particular = transaction=20 as his volitional act. Whew!</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>But with respect to how the CA can or should know that = the=20 keys were properly generated, stored, and used, let me just say that I = believe=20 that is putting too much responsibility on the CA.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>The contents of a certificate should be primarily = viewed as a=20 set of representations made by the subscriber to the CA, with the CA = acting as a=20 trusted witness. If certificates are to be reasonably affordable, = we=20 cannot require that the CA employ a vast network of Pinkerton agents to go = out=20 and independently investigate the truth of every assertion made. It = should=20 be sufficient that the CA verify the identity of the subscriber and the=20 possession of the private key corresponding to the public key -- everything= else=20 should be viewed as a representation by the subscriber (not that the CA = should=20 turn a blind eye to an obvious error or falsehood.)</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Particularly in the case of a digital signature = certificate=20 (less so in the case of encryption, but NR presumably doesn't apply = there), if=20 the subscriber claims a certain degree of key protection, and essentially = says=20 to the relying party, ":You can trust this transaction, because I have = taken=20 scrupulous care to ensure than no one can access my keys without my = permission,"=20 then the subscriber would clearly have a very difficult time trying to = repudiate=20 the transaction based on a key compromise -- he would be hung with his = own=20 rope.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Bob</FONT><BR><BR>>>> Aram Perez=20 <aram@pacbell.net> 07/20/00 08:10PM >>><BR>Hi Tony=20 B.,<BR><BR>> At 10:04 AM 7/21/00 +1000, Simon McMahon wrote:<BR>>>= >=20 <BR>>>> Could you tell me what has NR (Non-Repudation) to do with = CA=20 control key<BR>>>> generation.<BR>>>> <BR>>> By = "CA=20 controlled key generation" I mean that the CA specifies minimum<BR>>>= =20 standards and one option of the CA may be to do the key gen itself. The=20 CA<BR>>> should verify that the minimum standards are being followed = if it=20 specifies<BR>>> any.<BR>> <BR>> Agreed!<BR>> <BR>>>=20= Non-repudiation requires (at least) that the private key does not=20 get<BR>>> exposed or used by someone else without the owner knowing = it.=20 That means<BR>>> that how the private key is used and how it is = stored=20 when not in use is<BR>>> very relevant to NR. CAs can (and should) = insist=20 that key pairs are<BR>>> generated and the private part is stored to = some=20 minimum standard before<BR>>> they certify the public part.<BR>>= =20 <BR>> Agreed!<BR><BR>Without the owner physically showing up, how can a = CA=20 know whether or not a<BR>key pair was "generated and the private part is = stored=20 to some minimum<BR>standard"?<BR><BR>Regards,<BR>Aram=20 Perez<BR><BR>[snip]<BR><BR></DIV></BODY></HTML> --=_39617578.A4C5AC03-- Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA01094 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 07:51:48 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 21 Jul 2000 08:53:56 -0600 Message-Id: <s9780fa4.081@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Fri, 21 Jul 2000 08:53:53 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <Ron.Ramsay@ca.com>, <peterw@valicert.com> Cc: <ietf-pkix@imc.org> Subject: RE: Signing what you don't understand Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=_59011514.86E78E2D" This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=_59011514.86E78E2D Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable I can't tell from the brief description, but it appears that they are = using a simple password to log on sequentially to multiple sites, and then = assembling the collected secret shares at that point. Granted that this makes it impossible for a rogue administrator at one = institution to access a user's keys, but what is to prevent an attacker = from collecting the shares himself, using a multiplicity of simple = passwords? Even if the user is scrupulous about using a different password for each = server (making it very difficult to remember them all), the effort to = break the system would seem to be merely additive, rather than exponential.= Guessing the or four simple passwords is still simple. I must be missing something. Does anyone have the patent application, or = further details? Bob >>> "Ramsay, Ron" <Ron.Ramsay@ca.com> 07/20/00 10:48PM >>> Very interesting. It would have been interesting to have heard from = Warwick on the issue of non-repudiation. Verisign would seem to have placed a = stake in the ground. Ron. -----Original Message----- From: Peter Williams [mailto:peterw@valicert.com] Sent: Friday, 21 July 2000 12:52 To: 'Richard Levitte'; Anders Rundgren Cc: Peter Lipp; piers@bj.co.uk; ietf-pkix@imc.org Subject: RE: Signing what you don't understand http://www.verisign.com/press/2000/roaming.html "VeriSign's revolutionary technology allows an end-user to securely=20 store digital certificates and/or any other type of data, such as=20 financial information or an online patient record, on distributed=20 network servers operated by multiple trusted service providers. This=20 technology enables portability of digital certificates, providing=20 convenience for users to access and download their certificates and=20 private keys for online authentication. It also enables the generation=20 of binding digital signatures for conducting high-value e-commerce=20 transactions, regardless of whether users are accessing the Internet=20 from work, home, or another location such as an Internet kiosk. Digital=20 certificates are electronic credentials that identify parties online,=20 enabling encrypted communications and legally binding, valid digital=20 signatures.=20 " -----Original Message----- From: Richard Levitte [mailto:richard.levitte@celocom.se] Sent: Thursday, July 20, 2000 11:24 AM To: Anders Rundgren Cc: Peter Lipp; piers@bj.co.uk; ietf-pkix@imc.org Subject: Re: Signing what you don't understand Anders Rundgren wrote: > Peter, > > >> Several leading PKI vendors have implemented systems where the = private key > >> is held on a central Web server and then downloaded at run time to a web > >> browser. Are you saying that signatures created using these keys are > >> invalid? > >Are you sure? Could you provide a reference? I doubt that strongly... > > > >Peter > > I think this is one... > > http://www.arcot.com/products/webfort.html I think not, at least from reading the papers "Protecting Digital Identities" and "Protecting Your Private Key". All they say is that they've invented some kind of key database ("key wallet" to use their term) that is more secure than what comes with for example MSIE and Netscape Communicator... Personally, if I was confronted with a CA that wanted to create my private key for me, and store it centrally to boot, I'd go somewhere else. Very fast. It contradicts anything even remotely close to being called "secure". -- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */ --=_59011514.86E78E2D Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" http-equiv=3DContent-Type= > <META content=3D"MSHTML 5.00.2614.3401" name=3DGENERATOR></HEAD> <BODY style=3D"FONT: 8pt MS Sans Serif; MARGIN-LEFT: 2px; MARGIN-TOP: = 2px"> <DIV><FONT size=3D1>I can't tell from the brief description, but it = appears that=20 they are using a simple password to log on sequentially to multiple sites, = and=20 then assembling the collected secret shares at that point.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Granted that this makes it impossible for a rogue=20 administrator at one institution to access a user's keys, but what is to = prevent=20 an attacker from collecting the shares himself, using a multiplicity of = simple=20 passwords?</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Even if the user is scrupulous about using a = different=20 password for each server (making it very difficult to remember them all), = the=20 effort to break the system would seem to be merely additive, rather = than=20 exponential. Guessing the or four simple passwords is still=20 simple.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>I must be missing something. Does anyone have = the patent=20 application, or further details?</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Bob</FONT><BR><BR>>>> "Ramsay, Ron"=20 <Ron.Ramsay@ca.com> 07/20/00 10:48PM >>><BR><BR>Very = interesting.=20 It would have been interesting to have heard from Warwick<BR>on the issue = of=20 non-repudiation. Verisign would seem to have placed a stake<BR>in the=20 ground.<BR><BR>Ron.<BR>-----Original Message-----<BR>From: Peter Williams = [<A=20 href=3D"mailto:peterw@valicert.com]">mailto:peterw@valicert.com]</A><BR>Sen= t:=20 Friday, 21 July 2000 12:52<BR>To: 'Richard Levitte'; Anders Rundgren<BR>Cc:= =20 Peter Lipp; piers@bj.co.uk; ietf-pkix@imc.org<BR>Subject: RE: Signing what = you=20 don't understand<BR><BR><BR><BR><BR><A=20 href=3D"http://www.verisign.com/press/2000/roaming.html">http://www.verisig= n.com/press/2000/roaming.html</A><BR><BR><BR><BR>"VeriSign's=20 revolutionary technology allows an end-user to securely <BR>store = digital=20 certificates and/or any other type of data, such as <BR>financial = information or=20 an online patient record, on distributed <BR>network servers operated = by=20 multiple trusted service providers. This <BR>technology enables portability= of=20 digital certificates, providing <BR>convenience for users to access and = download=20 their certificates and <BR>private keys for online authentication. It = also=20 enables the generation <BR>of binding digital signatures for conducting=20 high-value e-commerce <BR>transactions, regardless of whether users are=20 accessing the Internet <BR>from work, home, or another location such as = an=20 Internet kiosk. Digital <BR>certificates are electronic credentials = that=20 identify parties online, <BR>enabling encrypted communications and = legally=20 binding, valid digital <BR>signatures. <BR>"<BR><BR>-----Original=20 Message-----<BR>From: Richard Levitte [<A=20 href=3D"mailto:richard.levitte@celocom.se]">mailto:richard.levitte@celocom.= se]</A><BR>Sent:=20 Thursday, July 20, 2000 11:24 AM<BR>To: Anders Rundgren<BR>Cc: Peter = Lipp;=20 piers@bj.co.uk; ietf-pkix@imc.org<BR>Subject: Re: Signing what you = don't=20 understand<BR><BR><BR>Anders Rundgren wrote:<BR><BR>> Peter,<BR>><BR>= >=20 >> Several leading PKI vendors have implemented systems where the=20 private<BR>key<BR>> >> is held on a central Web server and = then=20 downloaded at run time to a<BR>web<BR>> >> browser. Are = you=20 saying that signatures created using these keys are<BR>> >>=20 invalid?<BR>> >Are you sure? Could you provide a reference? I doubt = that=20 strongly...<BR>> ><BR>> >Peter<BR>><BR>> I think this = is=20 one...<BR>><BR>> <A=20 href=3D"http://www.arcot.com/products/webfort.html">http://www.arcot.com/pr= oducts/webfort.html</A><BR><BR>I=20 think not, at least from reading the papers "Protecting Digital<BR>Identiti= es"=20 and<BR>"Protecting Your Private Key". All they say is that they've=20= invented some<BR>kind<BR>of key database ("key wallet" to use their term) = that=20 is more secure than<BR>what<BR>comes with for example MSIE and Netscape=20 Communicator...<BR><BR>Personally, if I was confronted with a CA that = wanted to=20 create my private<BR>key<BR>for me, and store it centrally to boot, I'd = go=20 somewhere else. Very fast.<BR>It<BR>contradicts anything even = remotely=20 close to being called "secure".<BR><BR>--<BR>Richard Levitte = !!! New=20 cell phone number !!!<BR>richard.levitte@celocom.se<BR><BR>/* You might = enjoy=20 viewing the complete vCard */<BR></DIV></BODY></HTML> --=_59011514.86E78E2D-- Received: from ns.celocom.se (firewall-user@ns.celocom.se [212.209.40.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA29478 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 07:06:06 -0700 (PDT) Received: by ns.celocom.se; id QAA05065; Fri, 21 Jul 2000 16:08:47 +0200 (CEST) Received: from zap.celocom.se(10.10.10.1) by ns.celocom.se via smap (4.1) id xma029855; Fri, 21 Jul 00 14:49:56 +0200 Received: from celocom.com (dhcp121.celocom.se [10.10.11.21]) by zap.celocom.se (8.8.7/8.8.7) with ESMTP id OAA28234; Fri, 21 Jul 2000 14:49:55 +0200 Message-ID: <397846F3.AA1101F8@celocom.com> Date: Fri, 21 Jul 2000 14:49:55 +0200 From: Oscar Jacobsson <oscar.jacobsson@celocom.com> Organization: Celo Communications X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Richard Levitte <richard.levitte@celocom.se> CC: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <001301bff26e$86043410$0201a8c0@mega.vincent.se> <397743B7.3F6BB0A7@celocom.se> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msCDF0A6BC020D37BBF8FCF625" This is a cryptographically signed message in MIME format. --------------msCDF0A6BC020D37BBF8FCF625 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Richard Levitte wrote: > Personally, if I was confronted with a CA that wanted to create my private key > for me, and store it centrally to boot, I'd go somewhere else. Very fast. It > contradicts anything even remotely close to being called "secure". This gets a bit problematic when you're dealing with a party that is literally authoritative, for instance the Swedish government, who will assign you a unique identifier whether you agree with their practises or not. I myself have, as an example, tried to inform the Swedish tax authorities that I'd prefer to take my business elsewhere on a number of occasions, since they tend to be a bit pricey for my taste. No luck yet though. :-( //oscar --------------msCDF0A6BC020D37BBF8FCF625 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIH/gYJKoZIhvcNAQcCoIIH7zCCB+sCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC Bc8wggKzMIICHKADAgECAgMCjYUwDQYJKoZIhvcNAQEEBQAwgZQxCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxFDASBgNVBAcTC0R1cmJhbnZpbGxlMQ8wDQYDVQQKEwZU aGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25h bCBGcmVlbWFpbCBSU0EgMTk5OS45LjE2MB4XDTAwMDUxMzAwMDEzOVoXDTAxMDUxMzAwMDEz OVowTTEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEqMCgGCSqGSIb3DQEJARYb b3NjYXIuamFjb2Jzc29uQGNlbG9jb20uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB gQCZB2URw+NGaMMV/cSk9JoOb4OGMunL44lk/ioXoBR5brSVUcVaB+s+8UmcqOmi9RAAc+Uy wY69hjPn/LWS3HzN4N4KW6jTEiDm0jPE1aVyxMg7un4rjRSGe9htdPL0ut8QoKXLCjafLKIo v/pyudWgC1PxSglWECgKyKVVMl13KwIDAQABo1kwVzAmBgNVHREEHzAdgRtvc2Nhci5qYWNv YnNzb25AY2Vsb2NvbS5jb20wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSIq/Fgg2ZV9ORY x0YdwGG9I9fDjDANBgkqhkiG9w0BAQQFAAOBgQB8NkKsoEJaIAfecEv+NJp6bBs3xM+ynX5F qJ/ave0p7v2eBBO/fovRoMsmFjF0jHf4RFJqxm9NrpoZWlhehM5nOdS0AyPwFIMEWl7PdSxO pKkxGS8wgEsVammWQc8MAwULu4qy8SdL9LnszsvEKtrsJFG+bILsOf1qBkC6UuSR4DCCAxQw ggJ9oAMCAQICAQswDQYJKoZIhvcNAQEEBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxX ZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1 bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNV BAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29u YWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw05OTA5MTYxNDAxNDBaFw0wMTA5MTUxNDAxNDBa MIGUMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJi YW52aWxsZTEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNl czEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDE5OTkuOS4xNjCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAs2lal9TQFgt6tcVd6SGcI3LNEkxL937Px/vKciT0QlKsV5Xj e2F6F4Tn/XI5OJS06u1lp5IGXr3gZfYZu5R5dkw+uWhwdYQc9BF0ALwFLE8JAxcxzPRB1HLG pl3iiESwiy7ETfHw1oU+bPOVlHiRfkDpnNGNFVeOwnPlMN5G9U8CAwEAAaM3MDUwEgYDVR0T AQH/BAgwBgEB/wIBADAfBgNVHSMEGDAWgBRyScJzNMZV9At2coF+d/SH58ayDjANBgkqhkiG 9w0BAQQFAAOBgQBrxlnpMfrptuyxA9jfcnL+kWBI6sZV3XvwZ47GYXDnbcKlN9idtxcoVgWL 3Vx1b8aRkMZsZnET0BB8a5FvhuAhNi3B1+qyCa3PLW3Gg1Kb+7v+nIed/LfpdJLkXJeu/H6s yg1vcnpnLGtz9Yb5nfUAbvQdB86dnoJjKe+TCX5V3jGCAfcwggHzAgEBMIGcMIGUMQswCQYD VQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJiYW52aWxsZTEP MA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UE AxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDE5OTkuOS4xNgIDAo2FMAkGBSsOAwIaBQCggbEw GAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDAwNzIxMTI0OTU2 WjAjBgkqhkiG9w0BCQQxFgQU9a6L1WUW3TbcEdvODdaguYoSdzkwUgYJKoZIhvcNAQkPMUUw QzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICAUAw DQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYALmFweEi6NcAftqFh8Pn3p3V9/d8YC QPt5uKj8hsio0Q7PTx7Cu9/su0D6gdZLrzsJv0H1SvX//bqSY4DOtqL/PhYlPH5rWniHqxPM Q6HZEiJkhUB1SoUY7iqfuV1OpDsNjuGc7uMkZ/qO+Bv8l9Njgy3Y7ras9/q5ACcUtZQa3g== --------------msCDF0A6BC020D37BBF8FCF625-- Received: from ns.celocom.se (firewall-user@ns.celocom.se [212.209.40.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA29227 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 07:02:01 -0700 (PDT) Received: by ns.celocom.se; id QAA04938; Fri, 21 Jul 2000 16:04:41 +0200 (CEST) Received: from zap.celocom.se(10.10.10.1) by ns.celocom.se via smap (4.1) id xma001677; Fri, 21 Jul 00 15:13:58 +0200 Received: from celocom.se (dhcp013.celocom.se [10.10.10.193]) by zap.celocom.se (8.8.7/8.8.7) with ESMTP id PAA28291; Fri, 21 Jul 2000 15:13:58 +0200 Message-ID: <39784C75.47CC9DDB@celocom.se> Date: Fri, 21 Jul 2000 15:13:27 +0200 From: Richard Levitte <richard.levitte@celocom.se> Organization: Celo Communications, Ltd. X-Mailer: Mozilla 4.73 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Oscar Jacobsson <oscar.jacobsson@celocom.com> CC: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <001301bff26e$86043410$0201a8c0@mega.vincent.se> <397743B7.3F6BB0A7@celocom.se> <397846F3.AA1101F8@celocom.com> Content-Type: multipart/mixed; boundary="------------23C7D395CD03F6790F5076FA" This is a multi-part message in MIME format. --------------23C7D395CD03F6790F5076FA Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Oscar Jacobsson wrote: > Richard Levitte wrote: > > Personally, if I was confronted with a CA that wanted to create my private key > > for me, and store it centrally to boot, I'd go somewhere else. Very fast. It > > contradicts anything even remotely close to being called "secure". > > This gets a bit problematic when you're dealing with a party that is > literally authoritative, for instance the Swedish government, who will > assign you a unique identifier whether you agree with their practises or > not. Thanks for kicking me back into reality... :-) -- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */ --------------23C7D395CD03F6790F5076FA Content-Type: text/x-vcard; charset=us-ascii; name="richard.levitte.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Richard Levitte Content-Disposition: attachment; filename="richard.levitte.vcf" begin:vcard n:Levitte;Richard tel;cell:+46-733-72 8811 tel;work:+46-8-58 72 8811 x-mozilla-html:FALSE org:<A HREF="http://www.celocom.com">Celo Communications</A> version:2.1 email;internet:richard.levitte@celocom.se title:Software Artist adr;quoted-printable:;;Sveav=E4gen 145, 5tr=0D=0AStockholm;;;;SWEDEN note;quoted-printable:<br>=0D=0A<table border=3D0>=0D=0A<tr>=0D=0A <td bgcolor=3D"#00ffff">c=EAlo, =E2vi, =E2tum, (latin) 1,v.a.=0D=0A to hide something from one, to keep secret, to conceal.=0D=0A </td>=0D=0A</tr>=0D=0A</table>=0D=0A<br>=0D=0A<table border=3D3>=0D=0A<tr>=0D=0A <td>=0D=0A <table>=0D=0A <tr>=0D=0A <td valign=3Dtop>o/~</td>=0D=0A <td><font size=3D-1>Coding, coding, coding</font><br>=0D=0A Keep'em hackers coding<br>=0D=0A <font size=3D+1>And When They're Done Coding</font><br>=0D=0A <font size=3D7>COMPIIIIIIILE!!</font></td>=0D=0A </tr>=0D=0A </table>=0D=0A </td>=0D=0A</tr>=0D=0A</table> fn:Richard Levitte end:vcard --------------23C7D395CD03F6790F5076FA-- Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA28760 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 06:47:42 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id JAA22452; Fri, 21 Jul 2000 09:49:52 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v04220804b59e0447a045@[171.78.30.107]> In-Reply-To: <4.2.2.20000720180425.00b18ae0@poptop.llnl.gov> References: <39774642.978BDD06@sun.com> <96411195511841@kahu.cs.auckland.ac.nz> <39774642.978BDD06@sun.com> <4.2.2.20000720180425.00b18ae0@poptop.llnl.gov> Date: Fri, 21 Jul 2000 09:46:05 -0400 To: Tony Bartoletti <azb@llnl.gov> From: Stephen Kent <kent@bbn.com> Subject: Re: Reverse paths Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Tony, >At 06:05 PM 7/20/00 -0400, Stephen Kent wrote: >>Steve, >> >><snip> >> >>>As to how you can display the network of trust in a mesh topology, >>>X.500 DNs provide a nice hierarchy. >>>Certificates are directional arcs between nodes in the tree. Trust >>>anchors can be displayed as arcs >>>from the RP to the trusted party (in a different color, if you like). >> >>Experience with user behavior says that displaying cert paths is >>almost worthless. Almost nobody will view them, and few would be >>able to understand the implications of such paths if they did view >>them. >> >><snip> > >Actually displaying the mesh to users, I hope, would not be the issue. > >Rather, given the mesh can be uniquely represented in "memory", can >one write software that can reply accurately to queries of the form >"Is there a path from A to B that satisfies my set of constraints?" > >And would the behavior of such a tool become intractably slow (as it >certainly must on a general graph with many nodes, and most painfully >if each "satisfies constraints" requires a net-fetch from a directory.) Even if the user doesn't have to visually examine a complex cert path, I think all evidence to date suggests that users will not be amenable to formulating queries to pose to underlying software of this sort. Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA28280 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 06:39:43 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id JAA21013; Fri, 21 Jul 2000 09:39:50 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v04220800b59e009cc38f@[171.78.30.107]> In-Reply-To: <B59CF790.1566%aram@pacbell.net> References: <B59CF790.1566%aram@pacbell.net> Date: Fri, 21 Jul 2000 09:34:34 -0400 To: Aram Perez <aram@pacbell.net> From: Stephen Kent <kent@bbn.com> Subject: Re: Signing what you don't understand Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Aram, >Hi Steve K., > > > When we check a signature for NR, and significant time has elapsed > > since the signature was applied, then different rules must be > > employed. > >How do you know how much "time has elapsed since the signature was applied"? >I am not aware of any standard that mandates the time of the signature. >S/MIME/PKCS#7 has provision for the signature time, but they don't mandate >it. If one is looking to effect NR, one has to do a number of things beyond simple signature checking of the sort required for typical authentication for input to an access control process. For example, one often needs to time stamp the signature on the data, collect the certs and CRLs and have them time stamped, etc. This creates a context that allows NR signature verification for the longer term than the validity of the signer's cert, or the signer's CAs' cert, etc. Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA28134 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 06:37:26 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id JAA21089; Fri, 21 Jul 2000 09:40:02 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v04220802b59e03205b00@[171.78.30.107]> In-Reply-To: <ED026032A3FCD211AEDA00105A9C4696016E588A@sothmxs05.entrust.com> References: <ED026032A3FCD211AEDA00105A9C4696016E588A@sothmxs05.entrust.com> Date: Fri, 21 Jul 2000 09:40:47 -0400 To: Sharon Boeyen <sharon.boeyen@entrust.com> From: Stephen Kent <kent@bbn.com> Subject: RE: Reverse paths Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sharon, >Steve, >I don't think I've been able to clearly describe what I meant. I am >NOT proposing ANY additional certificate issuance by anybody. I think >the terms reverse and forward are very unfortunate and always confuse >these discussions. Can we chat offline just to make sure that you >understand what it is I am proposing. Email makes this type of >discussion difficult at best. > >Within a hierarchy I don't believe any change is required. If the root >of a hierarchy issued a certificate to some CA that is NOT a subordinate >of the root, then currently PKIX does not require the root CA to place >that certificate in the root CA's entry. What I am proposing is that >such a certificate, IF ISSUED, be placed in the issuer's entry as well >as in the subject CA's entry. Ok, I think this clarification makes me more comfortable. Steve P.S. All the negative comments about bridge CAs in my previous message still apply. Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA26695 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 05:52:59 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <PHL2H1MW>; Fri, 21 Jul 2000 08:55:10 -0400 Message-ID: <ED026032A3FCD211AEDA00105A9C4696016E588A@sothmxs05.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Stephen Kent'" <kent@bbn.com>, Steve Hanna <steve.hanna@sun.com> Cc: ietf-pkix@imc.org Subject: RE: Reverse paths Date: Fri, 21 Jul 2000 08:53:30 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Steve, I don't think I've been able to clearly describe what I meant. I am NOT proposing ANY additional certificate issuance by anybody. I think the terms reverse and forward are very unfortunate and always confuse these discussions. Can we chat offline just to make sure that you understand what it is I am proposing. Email makes this type of discussion difficult at best. Within a hierarchy I don't believe any change is required. If the root of a hierarchy issued a certificate to some CA that is NOT a subordinate of the root, then currently PKIX does not require the root CA to place that certificate in the root CA's entry. What I am proposing is that such a certificate, IF ISSUED, be placed in the issuer's entry as well as in the subject CA's entry. > -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Thursday, July 20, 2000 6:04 PM > To: Steve Hanna > Cc: ietf-pkix@imc.org > Subject: Re: Reverse paths > > > At 10:04 AM -0400 7/20/00, Steve Hanna wrote: > >Stephen Kent wrote: > > > I am uncomfortable with the proposal that we mandate > both elements, > > > as this would seem to imply that every CA would have to engage in > > > reverse path certificate generation in all contexts. Did I > > > misunderstand the implication? > > > >I'm not sure what you mean by "reverse path certificate generation". > >This change would require that > >when a CA issues a cross certificate, they would have to place a > >copy of it in their own directory > >entry (in the reverse element of a value of the crossCertificate > >attribute). It would not require the > >generation of any additional certificates. > > I though Sharon suggested that each CA entry would hold mandated > pairs of cross certs, one forward and one back, for each CA it was > being linked to. In today's mostly hierarchic environment, a CA > issues a forward cert (using X.509 terminology) to CAs "below" it and > is certified by CAs "above" it, but CAs do not usually generate the > other, reverse certs, even though they are defined and a valid part > of the X.509 model. Only when CAs in different organizational > domains certify one another is there typically a a pair of certs > available. Thus, if one were to impose a constraint, via LDAP, that > caused CAs to issues reverse certs, it would constitute a major > change in the way most PKIs today are arranged. > > > > > > I know that Entrust has always encouraged (required?) > this type of > > > cross certification among CAs, but it doesn't seem that other CA > > > vendors or most users have. I would not think it appropriate to > > > impose this sort of requirement, given the vendor-specific > > > implications of such a change. > > > >I don't see this as a vendor-specific issue, but rather as an aid to > >building certification paths. > > It is vendor specific in so far as Entrust products have long > (always?) issued reverse certs, while no other major products have. > > Steve > Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA15255 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 02:18:41 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id LAA45696; Fri, 21 Jul 2000 11:25:09 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id LAA27174; Fri, 21 Jul 2000 11:20:45 +0200 Message-ID: <397815F0.2BC092DC@bull.net> Date: Fri, 21 Jul 2000 11:20:48 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Tony Bartoletti <azb@llnl.gov> CC: ietf-pkix@imc.org Subject: Re: A Real Rationale for Dedicated Keys References: <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> <4.2.2.20000720150730.00aa3540@poptop.llnl.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > >Tony, > >You cited the ability of a user (or someone else) to bind a public key > >into multiple certs, some with and some without the NR bit enabled as a > >reason that the NR bit is not useful for the purpose I stated. I think I > >pointed out in my response to John Wary why this line of reasoning is not > >necessarily true. It would be a mistake for a user to have the same public > >key in multiple certs, and anyone other than the user should not be able > >to effect POP and get a CA to issue a cert. Yes, a user could act in this > >inappropriate fashion, in some instances, but then too a user could > >undermine most of the safeguards that we envision through negligent conduct. > > Steve, > > I agree with the main points, and I worked from the assumption that > CAs will not certify without POP (certainly not NR without POP!). This is just the contrary: A CA can issue a certificate without POP, if the certificate contains the NR bit. Hence is the reason: That certificate shall only be used in a trusted environment (e.g. *not* a door lock) where, by some means, there is some assurance of *what* is being signed; in particular, which document is being signed and which format is being used for the signature. Since the certificate shall only be used with a trusted sofwtare, it is possible to mandate properties for that trusted software; in particular, that it SHALL always include the identifier of the signer's certificate and protect it under the digital signature. As soon as the private key is *only* used with signature formats that contain the identifier of the certificate protected under the digital signature, this provides "real-time" POP. In other words, only the entity owning the private key is able to include the right certificate identifier. If a CA has issued a certificate without POP, this does not matter anymore, since only the legitimate entity able to use the private key will be able to sign under the certificate that contains the matching public key. Security is a mix of security mechanisms and security procedures. In this case, we rely on "good cryptography" rather than security procedures (that may be hard and long to verify "after the fact"). Denis (further text deleted) > ___tony___ > > Tony Bartoletti 925-422-3881 <azb@llnl.gov> > Information Operations, Warfare and Assurance Center > Lawrence Livermore National Laboratory > Livermore, CA 94551-9900 Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA11299 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 00:52:26 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id JAA18090; Fri, 21 Jul 2000 09:58:46 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id JAA39622; Fri, 21 Jul 2000 09:54:22 +0200 Message-ID: <3977FA7A.B2FC0E7A@bull.net> Date: Fri, 21 Jul 2000 09:23:38 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Aram Perez <aram@pacbell.net> CC: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <B59CF790.1566%aram@pacbell.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Aram, ETSI Standard ES 201733 mandates the signature time as a signed attribute of the CMS structure. An informational draft RFC based on that standard is available from: http://www.ietf.org/internet-drafts/draft-ietf-smime-esformats-01.txt Denis > Hi Steve K., > > > When we check a signature for NR, and significant time has elapsed > > since the signature was applied, then different rules must be > > employed. > > How do you know how much "time has elapsed since the signature was applied"? > I am not aware of any standard that mandates the time of the signature. > S/MIME/PKCS#7 has provision for the signature time, but they don't mandate > it. > > Regards, > Aram Perez Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA11275 for <ietf-pkix@imc.org>; Fri, 21 Jul 2000 00:52:21 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id JAA23348; Fri, 21 Jul 2000 09:58:46 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id JAA15398; Fri, 21 Jul 2000 09:54:21 +0200 Message-ID: <3977F896.DF01468C@bull.net> Date: Fri, 21 Jul 2000 09:15:34 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: John_Wray@iris.com CC: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <OF060C6E85.78B161B4-ON85256922.005E1861@iris.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit John, If you attend the next meeting in Pittsburgh, I propose that we continue this discussion in the corridors. I will nevertheless answer your questions. > Denis, > > >> Note I'm not talking about NR here - > > > >So what are you talking about ??? > > The case where an RP receives a document and is trying to verify a > signature. The significance of the NR bit in a certificate was the > starting point for this discussion, but for now I'm simply concerned with > the initial signature verification (if the RP doesn't believe my signature, > he certainly can't expect to hold me to it :). Note I'm not restricting > this to simple E-mail, where because of the one-to-one, low-latency nature > of the communications involved, there is unlikely to be a significant time > between signing and verifying (and if there is, the RP can simply ask the > sender for a freshly-signed copy). Rather, I'm talking about high-latency > or one-to-many environments. An extreme example of this might be signing a > document and placing it on a web-site or in a directory - here I am signing > the document without any knowledge of the identity of the RPs, and with the > possibility of significant delay before an RP will try to verify the > signature. Your are talking NR without knowing it. :-) In your example, the signed data does not have NR properties but the RP would like to get the the NR properties. So unless the signer places signed data that have NR properties, the case CANNOT be solved, i.e. disputes cannot be solved, just because there is not enough information available to solve the dispute. So unless "sufficient" information is orginally placed, the signed message does not have long term properties. > >> >A RP can be responsible for acquiring all the requisite evidence for > >> >later support of signed document validity, including time stamping > >> >this evidence. I think this addresses the scenario you described > >> >above. > >> > >> That addresses the case where the document is processed by the RP prior > to > >> my CA going out of business, but it doesn't help if trust in the CA has > >> already been revoked at the time the RP tries to verify the signature. > > > >Don't you think that if a RP receives a siganture it has better to > >make sure that what it gets is "fine" ? So he should validate the > >signature as soon as possible and in order to cover the case of a > >possible (volontary) revocation of the signer certificate, he should > >time stamp the signature as soon as possible. So the case you are > >considering is not a practical case. > > In the situation I'm discussing, one of the CAs that the signer chose to > embed in his signature has already gone out of business by the time the RP > sees the signature. > > >> But that doesn't help > >> unless the RP directly trusts the signer's root CA. > > > >There is no concept of root CA. There is a concept of a Signature > >Policy that may involve one or more root CAs but involves many other > >conditions. > > > >> If the RP doesn't trust the root that the signer chooses, > > > > ... you mean : If the RP thinks that the Signature Policy is not > >adequate for his context of use, then this is the end of the story. > > Yes, that's a concise statement of the problem. By requiring that the > signer choose a specific Signature Policy (including, in the context of > this discussion, the certificate chain), rather than leaving it to the RP > to construct the chain, there is a possibility of a signature being > incorrectly determined as invalid. This is incorrect. If in this specific case, all the chain is built by the signer (including proof that every certificate from the chain was not revoked at the time of the signature) then there is only ONE determination possible. This means the chain must be constructed while all the CAs are still in business, ... and this solves the case. > By omitting the signer's certificate > chain, and leaving it up to the RP to construct an appropriate chain, then > if my CA goes out of business, it wouldn't necessarily invalidate my prior > signatures (providing my key can be certified by another CA). (snip) > >This is contradictory. "if it includes evidence that at the time of > >signature creation, those certificates had not yet been revoked" > >means that you must provide a proof that the certificates whre not > >revoked at the time of the signature, so you cannot say at the same > >time "certificate chain that contains revoked certificates". > > It's not contradictory: Evidence that a certificate had not been revoked > at time T could include a CRL that was valid at T, and that did not list > the certificate. However, if later a CRL were published (and were > available to the RP) that included the certificate, along with an > invalidityDate before time T, then the RP can conclude that the certificate > has been revoked, and should not be trusted to verify a signature made at > T. You should talk a closer look at <draft-ietf-smime-esformats-01.txt> section 4.1.1 Signature Timestamp Attribute Definition The Signature Validation Policy specifies, in the signatureTimestampDelay field of TimestampTrustConditions, a maximum acceptable time difference which is allowed between the time indicated in the signing time attribute and the time indicated by the Signature Timestamp attribute. If this delay is exceeded then the electronic signature *must* be considered as invalid. This means that the signed data *must* include a signing time (as a signed attribute from the CMS construct). This allows to solve unambiguously the case. Denis > > John Received: from iaik.tu-graz.ac.at (excalibur.iaik.tu-graz.ac.at [129.27.152.30]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA09852 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 23:48:45 -0700 (PDT) Received: from PLIPP2 [129.27.152.34] by iaik.tu-graz.ac.at (SMTPD32-6.00) id A2EA24A0090; Fri, 21 Jul 2000 08:51:22 +0200 Received: from 127.0.0.1 [127.0.0.1] by PLIPP2 (IAIK S/MIME Mapper 2.0beta3 22/March/2000); Fr, 21 Jul 2000 08:52:32 +0100 From: "Peter Lipp" <Peter.Lipp@iaik.at> To: "Peter Williams" <peterw@valicert.com> Cc: <ietf-pkix@imc.org> Subject: AW: Signing what you don't understand Date: Fri, 21 Jul 2000 08:52:32 +0200 Message-ID: <NDBBLDEHJKOODMJCNBNCEEIEEDAA.Peter.Lipp@iaik.at> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=sha1; boundary="--IAIK.SMIME.MAPPER.542A9105--"; protocol="application/x-pkcs7-signature" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 In-Reply-To: <27FF4FAEA8CDD211B97E00902745CBE235E31B@seine.valicert.com> Importance: Normal This is a multipart MIME message, it may require a MIME capable user agent. ----IAIK.SMIME.MAPPER.542A9105-- Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable > "VeriSign's revolutionary technology allows an end-user to securely > store digital certificates and/or any other type of data, such as > financial information or an online patient record, on distributed > network servers operated by multiple trusted service providers. This > technology enables portability of digital certificates, providing > convenience for users to access and download their certificates and > private keys for online authentication. It also enables the generation > of binding digital signatures for conducting high-value e-commerce > transactions, regardless of whether users are accessing the Internet > from work, home, or another location such as an Internet kiosk. Digital > certificates are electronic credentials that identify parties online, > enabling encrypted communications and legally binding, valid digital > signatures. Admittedly you don't explicitly claim that technology to be able to generate legally binding digital signatures, even if the last sentence seems to imply that... at least you wouldn't be able to in Europe. Peter ----IAIK.SMIME.MAPPER.542A9105-- Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAA oIIVIDCCBE0wggM5oAMCAQICAwGGrTAJBgUrDgMCHQUAMIIBEzELMAkGA1UEBhMC QVQxDzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxMER1JBWjEZMBcGA1UECRMQSW5m ZmVsZGdhc3NlIDE2YTEmMCQGA1UEChMdR1JBWiBVTklWRVJTSVRZIE9GIFRFQ0hO T0xPR1kxRzBFBgNVBAsTPkluc2l0dXRlIGZvciBBcHBsaWVkIEluZm9ybWF0aW9u IFByb2Nlc3NpbmcgYW5kIENvbW11bmljYXRpb25zMRkwFwYDVQQLExBJQUlLIElO VFJBTkVUIENBMRkwFwYDVQQDExBJQUlLIFRVLUdSQVogU0lHMSIwIAYDVQQMExlJ QUlLIGVsZWN0cm9uaWMgc2lnbmF0dXJlMB4XDTk5MTEyODIwMjIzOVoXDTAwMTEy ODIwMjIzOVowgZMxCzAJBgNVBAYTAkFUMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJ VFkgT0YgVEVDSE5PTE9HWTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQg SW5mb3JtYXRpb24gUHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxEzARBgNV BAMTClBldGVyIExpcHAwgZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGBAM5s1aJQ xXxczmMNSJtL4cv9nhMA+dtbUN4+DA5qfZBqcwR2zWw2VulPyrAeZDA1HFP8zlpk PlC5C4hNnX+p7QdG8u0LMk45FwaatOm2r2gEmTYGH/znwQSrKTsZXi0d0VHZV0TX yU/I3SlYxSXfjFafAVE09KKa2m8jcUOhF97dAgEDo4G0MIGxMDgGA1UdHwQxMC8w LaAroCmkJzAlMRAwDgYDVQQKEwdpYWlrLmF0MREwDwYDVQQDEwhJQUlLQ1JMMTAR BglghkgBhvhCAQEEBAMCAKAwKAYJYIZIAYb4QgENBBsWGVVzZXItQ2VydGlmaWNh dGUgSU5UUkFORVQwDAYDVR0TBAUwAwEBADAdBgNVHREEFjAUgRJQZXRlci5MaXBw QGlhaWsuYXQwCwYDVR0PBAQDAgbAMAkGBSsOAwIdBQADggEBAA4r/qDOLW8ChbuC 2pGzcf74Uv190Q45aHj99lMgNhPQRIVaLLNXJH+NYJxEvIwmVOWIXjdA03TqkOOq FJ/tK31wV+RbrvaPaVUwRjPhC2f8rr+K6pp9mzUC1SolUEbRWVHgOZGsbnEJkTEr oJOelFdKr0coT+Xeje/fI5d50P3CwsJLR2PFkiswnOoWBINi2nq6MGZ7fwmzW8F9 ZVstrNMQYCeEj4V2SR/YIUrDxsdqMQyorBe/su3eab3fOpPlonb86KKWH6jLdgpi KGRoHGWeGgAWlMB0HdxaupX7Lm8LhVYZOdh9SpvO8AdhMyOXNHOKF6sMXCZvSEHy 2XUvbmAwggRUMIIDQKADAgECAgJOIDAJBgUrDgMCHQUAMIGZMQswCQYDVQQGEwJB VDEmMCQGA1UEChMdR1JBWiBVTklWRVJTSVRZIE9GIFRFQ0hOT0xPR1kxRzBFBgNV BAsTPkluc2l0dXRlIGZvciBBcHBsaWVkIEluZm9ybWF0aW9uIFByb2Nlc3Npbmcg YW5kIENvbW11bmljYXRpb25zMRkwFwYDVQQDExBJQUlLIElOVFJBTkVUIENBMB4X DTk5MTExNDEyNTE0OVoXDTAyMTIzMTIyNTkzMFowggETMQswCQYDVQQGEwJBVDEP MA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHUkFaMRkwFwYDVQQJExBJbmZmZWxk Z2Fzc2UgMTZhMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJVFkgT0YgVEVDSE5PTE9H WTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQgSW5mb3JtYXRpb24gUHJv Y2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxGTAXBgNVBAsTEElBSUsgSU5UUkFO RVQgQ0ExGTAXBgNVBAMTEElBSUsgVFUtR1JBWiBTSUcxIjAgBgNVBAwTGUlBSUsg ZWxlY3Ryb25pYyBzaWduYXR1cmUwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEI AoIBAQDSyhKuZGsL1EPk5mOTG8RzhHS/Va+/WYjs7Zm91nwVHu1+XFLJeJ85AICk SQ7yq9lWa9ur34cywbNhl/9QxaOBOiHkMvAuXxs2Bq/uhe/hEb1T7XgO12ptG80q SOP8/nKxw1PXlbUkd1rD9727mO/5tpvagEQfz7CZQ5wI4HkrNw5uH/vsJ72wRcRT FzmHy/nOX3Y9sXLd/V7TG8j1x0oNWsR3b0tHEWM+Oc1Qq5FfCknoMMCitSD38cUL CCcLJtVxkOiapWaZrDXUAuhvshhsRPjkXh6IzpqsZEtRI64SurLoUUShPv108ELE 6rfQKtm9FNnlFRD954diwfFHko/lAgEFozMwMTARBglghkgBhvhCAQEEBAMCAAIw DwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwCQYFKw4DAh0FAAOCAQEAc26n vl5jQspoqD0fzjpZkqGARmFVj9uHNqVoWttqw/y6t46OhJUcePEmXkKsFP4NuCFx 2MyvmbWb6R6QNQ5WfoarGWyQ382cQN6mccPS5weDjXAzYeGZUkx99K70ncVxkwq7 rINAhJtari2XSLxmfBJyTYrZuWEgd5C9NBuf2u3iZyArarOKPbrBjZxjmXwBbZ7t sfAhSVMGSr2ODgQcQjf7ZndNIsQZL75HkN21Pj+/x3wnMCAQF50+Pt8ioAgZ/SAu dxmdYNr2itI0vmsV/xjD1NQuwb6+HwmR2LxclhMzrT1VbtTDkRLD/h8LKC1OpKV8 lQlS7Ir+Od/XNafKJjCCA8owggKyoAMCAQICAQEwDQYJKoZIhvcNAQEEBQAwgZkx CzAJBgNVBAYTAkFUMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJVFkgT0YgVEVDSE5P TE9HWTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQgSW5mb3JtYXRpb24g UHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxGTAXBgNVBAMTEElBSUsgSU5U UkFORVQgQ0EwHhcNOTkxMTE0MTIzMTU5WhcNMDIxMjMxMjI1OTMwWjCBmTELMAkG A1UEBhMCQVQxJjAkBgNVBAoTHUdSQVogVU5JVkVSU0lUWSBPRiBURUNITk9MT0dZ MUcwRQYDVQQLEz5JbnNpdHV0ZSBmb3IgQXBwbGllZCBJbmZvcm1hdGlvbiBQcm9j ZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9uczEZMBcGA1UEAxMQSUFJSyBJTlRSQU5F VCBDQTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAMLr+IHe6qeAtYLk fvxyRI6ogrvBP5iKPEBZ7j3T1yVJL7CDPGH8hgPsI4qt6Fnzh2MuAq84JS58zX5x LqEUC/E5xw1xyAzorC6yWwxGRhb+fvTg4OlM2JVsTlyJO6F/BWlXuZU33lgGky/R X84sItXKhmhbUPscnHYBsVKcQO5rFcRrJK/5c1Mha/bcQNVDQaQw+HRCvr7T4mAV Yi+DVJv6jb393CoDBnffGP/mcIkFGFO5D6lyfP8QiSs06+0unIYWwUn1YzQI2RNB AjXrCuAJtlf4qYrGXC09Neg8ymoI2uOglo6scWiZXt/prxWoi+btPX8oWDl5+7DE tCf0rx8CAQejHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3 DQEBBAUAA4IBAQAfdOMJ/ePlmrY0flkgiL6vyRDBuWGcIaB/oGofngJzbQLa7X2s hWzpIiVpvo64XcjIBuocpErhIQfc2UZTSqYYT7R2Uydh0wVeqScURuwuihFURPhI 7GWCSrNwym2lrwsva2Xh/MTyzhXs9vo29dP2djjelN8n347dXhKJOYJ0tsA583af EKmKvkfzAb+sQLxEmPyasQTCGJMec/iWjLTsEDRfCrROYVgDZ4NcCpiRSv9mWw6s PYB8Chf5fJq1waFzluFYSUkuF24NKVopr1E4dKt2Lc1zdMRGRztKQWeUiBLkqFCQ xsi6iZrl1nvMCdF+scuLj7G4lNshx6n1ZcabMIIETTCCAzmgAwIBAgIDAw1NMAkG BSsOAwIdBQAwggETMQswCQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYD VQQHEwRHcmF6MRkwFwYDVQQJExBJbmZmZWxkZ2Fzc2UgMTZhMSYwJAYDVQQKEx1H UkFaIFVOSVZFUlNJVFkgT0YgVEVDSE5PTE9HWTFHMEUGA1UECxM+SW5zaXR1dGUg Zm9yIEFwcGxpZWQgSW5mb3JtYXRpb24gUHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNh dGlvbnMxGTAXBgNVBAsTEElBSUsgSU5UUkFORVQgQ0ExGzAZBgNVBAMTEklBSUsg VFUtR1JBWiBDUllQVDEgMB4GA1UEDBMXSUFJSyBjb25maWRlbnRpYWxpdHkgQ0Ew HhcNOTkxMTI4MjAyMzM4WhcNMDAxMTI4MjAyMzM4WjCBkzELMAkGA1UEBhMCQVQx JjAkBgNVBAoTHUdSQVogVU5JVkVSU0lUWSBPRiBURUNITk9MT0dZMUcwRQYDVQQL Ez5JbnNpdHV0ZSBmb3IgQXBwbGllZCBJbmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFu ZCBDb21tdW5pY2F0aW9uczETMBEGA1UEAxMKUGV0ZXIgTGlwcDCBnTANBgkqhkiG 9w0BAQEFAAOBiwAwgYcCgYEAvQe3ZdxrE2Nv5z2ZLink1P2MFeQb5gYrS55w4jsX ZGD5v9Ajnv3w30Ajcn7jI+blIvYYpmNQV476+aUHNZFUML/KN5WGVXfdBOxb2n+6 Porez8KMnUlq3cCvAdhVdquFjwaRHO5k7gY80hNAfVker52A1aXbrT0TaWGlCl25 sq0CAQWjgbQwgbEwOAYDVR0fBDEwLzAtoCugKaQnMCUxEDAOBgNVBAoTB2lhaWsu YXQxETAPBgNVBAMTCElBSUtDUkwxMBEGCWCGSAGG+EIBAQQEAwIAoDAoBglghkgB hvhCAQ0EGxYZVXNlci1DZXJ0aWZpY2F0ZSBJTlRSQU5FVDAMBgNVHRMEBTADAQEA MB0GA1UdEQQWMBSBElBldGVyLkxpcHBAaWFpay5hdDALBgNVHQ8EBAMCA3gwCQYF Kw4DAh0FAAOCAQEAhvbZ0/1a47YqiCYjsnsqxWhFufL9oPQzzK9sBDjZZwbpPnhD ZN8PmBqWUXAo74a6oz7Q0W1QieAPCIGenFcVe5ui9m+9TDwtrQN1ECE5k3VuGlh9 l+1Sw5GjFEynARTDmaSRIc75EV/nx4a1LuHLkRYGC5Mg6LskWpIw7ShdPD54U/3Q 19iboaASh0ynfySjBsy1549hQcmi9UfMMX7u1QCCia2kd15u+YaVxtWoMHFB59q6 ELx+9XseEpEI/zBlvSwdyDTXWtnlxnzZjsyk0a/W+FpdeuZ7k2Dbf/Owx0nXS70M HrH/AErvvbhxJ1BaAPC6TAN6da4xPpwy5XSRfjCCBFQwggNAoAMCAQICAnUwMAkG BSsOAwIdBQAwgZkxCzAJBgNVBAYTAkFUMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJ VFkgT0YgVEVDSE5PTE9HWTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQg SW5mb3JtYXRpb24gUHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxGTAXBgNV BAMTEElBSUsgSU5UUkFORVQgQ0EwHhcNOTkxMTE0MTI1NTM2WhcNMDIxMjMxMjI1 OTMwWjCCARMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcT BEdyYXoxGTAXBgNVBAkTEEluZmZlbGRnYXNzZSAxNmExJjAkBgNVBAoTHUdSQVog VU5JVkVSU0lUWSBPRiBURUNITk9MT0dZMUcwRQYDVQQLEz5JbnNpdHV0ZSBmb3Ig QXBwbGllZCBJbmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9u czEZMBcGA1UECxMQSUFJSyBJTlRSQU5FVCBDQTEbMBkGA1UEAxMSSUFJSyBUVS1H UkFaIENSWVBUMSAwHgYDVQQMExdJQUlLIGNvbmZpZGVudGlhbGl0eSBDQTCCASAw DQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAMEnzjatic90xi5VRmr0i2O16Z1a SElQFZitoNvAzGw+KehOTuKeUr5ALHib9tGInNm+jPTWVGl/u5Hab1JRzXj0xAKy qvZ+KphGy6ag6VcCVySJmeY1AqTM0W78XdFQXnlZuciBv00Ktoulb/Ktgh6c0YNg o4UMVdxjGHJweibT1AGvlFe2BqulwtuwOLovMIuIyHHh+o6F2HXYKUB54GJpia1B 2IfmqcpBBFdYtDlHyrxugB5QhuhLo0BjD8jCe8B2gkQnI2wIeyfpLlH+u3/VQAl1 2cZKkqaqPpOgP/znsdh62QBSabrRluvCp9OQW9M8u+mJlrxIIVwtThfzIW0CAQWj MzAxMBEGCWCGSAGG+EIBAQQEAwIAAjAPBgNVHRMECDAGAQH/AgEBMAsGA1UdDwQE AwIBBjAJBgUrDgMCHQUAA4IBAQBa+v4JIzqbBydvFOaP/dA5D/GLWEWjPTF8tKcP hxlEYABH8dW5E2tk/nNE2CDyGjkJtR+o9kiCDCa4N/qlc2LepJpa0I28Hi4wCd0C uxSWpEuDHNDrW6Y/bU8gJ8DpskVl+lR0QFkqSCWAu3bY0e2VvUffk2ltrx1KvO64 vGX+ayZn2P7naGHPfYjCBWUKzW0zS8chVf0aehu/qXFuZDfy1MlDgEnPl1DQ1vSL CMmFEDc99iNzcCU7ILn+RgWPNYPVhCUqoDQ6buX00ohfNVS/OHgqkWpa1HLvLRXq E9NmYUJvfhE2zCY6w6bTME3IfDCXRat2Q3twP4/iP9xtsTbPMYICeDCCAnQCAQEw ggEcMIIBEzELMAkGA1UEBhMCQVQxDzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxME R1JBWjEZMBcGA1UECRMQSW5mZmVsZGdhc3NlIDE2YTEmMCQGA1UEChMdR1JBWiBV TklWRVJTSVRZIE9GIFRFQ0hOT0xPR1kxRzBFBgNVBAsTPkluc2l0dXRlIGZvciBB cHBsaWVkIEluZm9ybWF0aW9uIFByb2Nlc3NpbmcgYW5kIENvbW11bmljYXRpb25z MRkwFwYDVQQLExBJQUlLIElOVFJBTkVUIENBMRkwFwYDVQQDExBJQUlLIFRVLUdS QVogU0lHMSIwIAYDVQQMExlJQUlLIGVsZWN0cm9uaWMgc2lnbmF0dXJlAgMBhq0w CQYFKw4DAhoFAKCBsTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3 DQEJBTEPFw0wMDA3MjEwNjUyMzJaMCMGCSqGSIb3DQEJBDEWBBR7isd2IdxCuWKI 78jSUeGeUJI4vTBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3 DQMCAgIAgDANBggqhkiG9w0DAgIBQDANBggqhkiG9w0DAgIBKDAHBgUrDgMCBzAN BgkqhkiG9w0BAQEFAASBgF3L605S2d/S4b2oiWamlzQqXiDQdmrx5flmKDNe+Y+Q vVNtegz+BQ98O69+3r0t/8Mik+VOBOHdrBcjzL42c32UqcjG3mokNWV8T4Llf3Eb 3no+/bsbLLpBaRajPYj/uM1HS13l20ZJ1Cy0gQMSuTGjgXs0azVbJMZDUQfjjCtx AAAAAAAA ----IAIK.SMIME.MAPPER.542A9105---- Received: from aspams52.cai.com (aspams52.cai.com [155.35.248.76]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA03998 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 21:47:14 -0700 (PDT) Received: by aspams52.cai.com with Internet Mail Service (5.5.2650.21) id <3X7BA2LS>; Fri, 21 Jul 2000 14:48:11 +1000 Message-ID: <11981F9F5649D411BC92009027D0D18C72ED1E@aspams01.cai.com> From: "Ramsay, Ron" <Ron.Ramsay@ca.com> To: Peter Williams <peterw@valicert.com> Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Fri, 21 Jul 2000 14:48:08 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Very interesting. It would have been interesting to have heard from Warwick on the issue of non-repudiation. Verisign would seem to have placed a stake in the ground. Ron. -----Original Message----- From: Peter Williams [mailto:peterw@valicert.com] Sent: Friday, 21 July 2000 12:52 To: 'Richard Levitte'; Anders Rundgren Cc: Peter Lipp; piers@bj.co.uk; ietf-pkix@imc.org Subject: RE: Signing what you don't understand http://www.verisign.com/press/2000/roaming.html "VeriSign's revolutionary technology allows an end-user to securely store digital certificates and/or any other type of data, such as financial information or an online patient record, on distributed network servers operated by multiple trusted service providers. This technology enables portability of digital certificates, providing convenience for users to access and download their certificates and private keys for online authentication. It also enables the generation of binding digital signatures for conducting high-value e-commerce transactions, regardless of whether users are accessing the Internet from work, home, or another location such as an Internet kiosk. Digital certificates are electronic credentials that identify parties online, enabling encrypted communications and legally binding, valid digital signatures. " -----Original Message----- From: Richard Levitte [mailto:richard.levitte@celocom.se] Sent: Thursday, July 20, 2000 11:24 AM To: Anders Rundgren Cc: Peter Lipp; piers@bj.co.uk; ietf-pkix@imc.org Subject: Re: Signing what you don't understand Anders Rundgren wrote: > Peter, > > >> Several leading PKI vendors have implemented systems where the private key > >> is held on a central Web server and then downloaded at run time to a web > >> browser. Are you saying that signatures created using these keys are > >> invalid? > >Are you sure? Could you provide a reference? I doubt that strongly... > > > >Peter > > I think this is one... > > http://www.arcot.com/products/webfort.html I think not, at least from reading the papers "Protecting Digital Identities" and "Protecting Your Private Key". All they say is that they've invented some kind of key database ("key wallet" to use their term) that is more secure than what comes with for example MSIE and Netscape Communicator... Personally, if I was confronted with a CA that wanted to create my private key for me, and store it centrally to boot, I'd go somewhere else. Very fast. It contradicts anything even remotely close to being called "secure". -- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */ Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA02612 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 21:04:14 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id OAA61074; Fri, 21 Jul 2000 14:06:27 +1000 (EST) Message-ID: <028d01bff2ca$4956e3d0$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Aram Perez" <aram@pacbell.net>, <ietf-pkix@imc.org> References: <B59CFF3E.156E%aram@pacbell.net> Subject: Re: A Real Rationale for Dedicated Keys Date: Fri, 21 Jul 2000 14:14:51 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 > > Without the owner physically showing up, how can a CA know whether or not a > key pair was "generated and the private part is stored to some minimum > standard"? > The key generation device has its own private key and signs the cert request for the newly generated user key pair. The CA then knows that the key pair originated in a device it (the CA) trusts and probably provides as part of its service. The CA certifies the public key of the device so it can verify the device's cert requests. Such a device is obviously not cheap but without such a device the CA cannot control the quality of remotely generated keys or how the private key is stored and protected from duplication (necessary for NR). Much more likely is that the owner *will* show up to the CA or one of its RAs to get a NR certificate. Anything less will probably fail to meet the legal requirements for NR and be worth no more than a NR=0 cert. Simon McMahon ERACOM Pty. Ltd. Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA01714 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 20:50:04 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id NAA58099; Fri, 21 Jul 2000 13:52:28 +1000 (EST) Message-ID: <028a01bff2c8$5845e5a0$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Jean Abraham" <jean.med@arabtrust.com>, <ietf-pkix@imc.org>, "Tony Bartoletti" <azb@llnl.gov> References: <LPBBLAPIGLOAGIHKOOGDMEPFCBAA.jean.med@arabtrust.com><4.2.2.20000720171643.00ab0620@poptop.llnl.gov> <4.2.2.20000720184758.00b3d2f0@poptop.llnl.gov> Subject: Re: A Real Rationale for Dedicated Keys Date: Fri, 21 Jul 2000 14:00:49 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 > At 11:41 AM 7/21/00 +1000, Simon McMahon wrote: > >I am are not saying "no" to multi-certification. Just "no" to its use as a > >repudiation defense. Appropriate CA policy can make it harder for the > >dishonest user to make repudiation claims based on being "fooled". If the > >user has declared that they will not multi-certify a NR=1 key down to NR=0, > >then goes and does it anyway their repudiation claim is going to look pretty > >weak. > > OK, that is a good point. Now, I set my mind to thinking of how > the (bad) user might argue that the policy was not conveyed to them, > and wonder how to "bind" the user's "expression of understanding" > into the certificate. > If the bad user gets away with it then the CA's policy or procedures failed. Either the bad user or the CA is liable so someone will be held accountable for it. > Granted, the user/subscriber is "duty-bound" to be aware of policy, > but in most instances (e.g., detailed credit card agreements) they > are not, and the laws are usually crafted to keep the foolish from > hurting themselves too badly. How can any party to an "agreement" not be duty-bound to be aware of policy relating to the agreement ? But as you say laws will be crafted to minimise losses where they aren't. > The protocol for applying for and > receiving a (hypothetical) NR-certificate, especially through an > electronic transaction, will need to be both involved and rigorous, > in order to thwart a claim that "the policy wasn't obvious" or > "my screen displayed no policy". > Thats for sure. I personally doubt that legally enforcible NR-certificates will ever granted fully on-line. You would need a legally enforcible on-line authentication of the subject for a start. That sort of thing is usually done by an agent of the CA sighting documents like passport, drivers license etc. Simon. Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA27838 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 19:57:09 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FY100K011NOMU@ext-mail.valicert.com> for ietf-pkix@imc.org; Thu, 20 Jul 2000 19:59:48 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FY100K021NOMQ@ext-mail.valicert.com>; Thu, 20 Jul 2000 19:59:48 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36006T9Y>; Thu, 20 Jul 2000 19:51:36 -0700 Content-return: allowed Date: Thu, 20 Jul 2000 19:51:31 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: Signing what you don't understand To: "'Richard Levitte'" <richard.levitte@celocom.se>, Anders Rundgren <anders.rundgren@telia.com> Cc: Peter Lipp <Peter.Lipp@iaik.at>, piers@bj.co.uk, ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE235E31B@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 http://www.verisign.com/press/2000/roaming.html "VeriSign's revolutionary technology allows an end-user to securely store digital certificates and/or any other type of data, such as financial information or an online patient record, on distributed network servers operated by multiple trusted service providers. This technology enables portability of digital certificates, providing convenience for users to access and download their certificates and private keys for online authentication. It also enables the generation of binding digital signatures for conducting high-value e-commerce transactions, regardless of whether users are accessing the Internet from work, home, or another location such as an Internet kiosk. Digital certificates are electronic credentials that identify parties online, enabling encrypted communications and legally binding, valid digital signatures. " -----Original Message----- From: Richard Levitte [mailto:richard.levitte@celocom.se] Sent: Thursday, July 20, 2000 11:24 AM To: Anders Rundgren Cc: Peter Lipp; piers@bj.co.uk; ietf-pkix@imc.org Subject: Re: Signing what you don't understand Anders Rundgren wrote: > Peter, > > >> Several leading PKI vendors have implemented systems where the private key > >> is held on a central Web server and then downloaded at run time to a web > >> browser. Are you saying that signatures created using these keys are > >> invalid? > >Are you sure? Could you provide a reference? I doubt that strongly... > > > >Peter > > I think this is one... > > http://www.arcot.com/products/webfort.html I think not, at least from reading the papers "Protecting Digital Identities" and "Protecting Your Private Key". All they say is that they've invented some kind of key database ("key wallet" to use their term) that is more secure than what comes with for example MSIE and Netscape Communicator... Personally, if I was confronted with a CA that wanted to create my private key for me, and store it centrally to boot, I'd go somewhere else. Very fast. It contradicts anything even remotely close to being called "secure". -- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */ Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA24594 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 19:08:38 -0700 (PDT) Received: from [192.168.1.7] ([208.233.228.110]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY0008XWZDE20@mta6.snfc21.pbi.net> for ietf-pkix@imc.org; Thu, 20 Jul 2000 19:10:27 -0700 (PDT) Date: Thu, 20 Jul 2000 19:10:55 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: A Real Rationale for Dedicated Keys In-reply-to: <4.2.2.20000720171643.00ab0620@poptop.llnl.gov> To: ietf-pkix@imc.org Message-id: <B59CFF3E.156E%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Tony B., > At 10:04 AM 7/21/00 +1000, Simon McMahon wrote: >>> >>> Could you tell me what has NR (Non-Repudation) to do with CA control key >>> generation. >>> >> By "CA controlled key generation" I mean that the CA specifies minimum >> standards and one option of the CA may be to do the key gen itself. The CA >> should verify that the minimum standards are being followed if it specifies >> any. > > Agreed! > >> Non-repudiation requires (at least) that the private key does not get >> exposed or used by someone else without the owner knowing it. That means >> that how the private key is used and how it is stored when not in use is >> very relevant to NR. CAs can (and should) insist that key pairs are >> generated and the private part is stored to some minimum standard before >> they certify the public part. > > Agreed! Without the owner physically showing up, how can a CA know whether or not a key pair was "generated and the private part is stored to some minimum standard"? Regards, Aram Perez [snip] Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA23558 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 18:51:38 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id SAA25128; Thu, 20 Jul 2000 18:52:26 -0700 (PDT) Message-Id: <4.2.2.20000720184758.00b3d2f0@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 20 Jul 2000 19:00:14 -0700 To: "Simon McMahon" <simon@onthenet.com.au>, "Jean Abraham" <jean.med@arabtrust.com>, <ietf-pkix@imc.org> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: A Real Rationale for Dedicated Keys In-Reply-To: <025601bff2b4$e1d7e200$8802a8c0@eracom.com.au> References: <LPBBLAPIGLOAGIHKOOGDMEPFCBAA.jean.med@arabtrust.com> <4.2.2.20000720171643.00ab0620@poptop.llnl.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 11:41 AM 7/21/00 +1000, Simon McMahon wrote: >I am are not saying "no" to multi-certification. Just "no" to its use as a >repudiation defense. Appropriate CA policy can make it harder for the >dishonest user to make repudiation claims based on being "fooled". If the >user has declared that they will not multi-certify a NR=1 key down to NR=0, >then goes and does it anyway their repudiation claim is going to look pretty >weak. OK, that is a good point. Now, I set my mind to thinking of how the (bad) user might argue that the policy was not conveyed to them, and wonder how to "bind" the user's "expression of understanding" into the certificate. Granted, the user/subscriber is "duty-bound" to be aware of policy, but in most instances (e.g., detailed credit card agreements) they are not, and the laws are usually crafted to keep the foolish from hurting themselves too badly. The protocol for applying for and receiving a (hypothetical) NR-certificate, especially through an electronic transaction, will need to be both involved and rigorous, in order to thwart a claim that "the policy wasn't obvious" or "my screen displayed no policy". ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA22853 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 18:46:51 -0700 (PDT) Received: from [192.168.1.7] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FY000L5TXWM3I@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Thu, 20 Jul 2000 18:38:47 -0700 (PDT) Date: Thu, 20 Jul 2000 18:38:08 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: Signing what you don't understand In-reply-to: <v0422080db59d2d88f4ad@[171.78.30.107]> To: ietf-pkix@imc.org Message-id: <B59CF790.1566%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Steve K., > When we check a signature for NR, and significant time has elapsed > since the signature was applied, then different rules must be > employed. How do you know how much "time has elapsed since the signature was applied"? I am not aware of any standard that mandates the time of the signature. S/MIME/PKCS#7 has provision for the signature time, but they don't mandate it. Regards, Aram Perez Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA20957 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 18:30:44 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id LAA33093; Fri, 21 Jul 2000 11:33:08 +1000 (EST) Message-ID: <025601bff2b4$e1d7e200$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Jean Abraham" <jean.med@arabtrust.com>, <ietf-pkix@imc.org>, "Tony Bartoletti" <azb@llnl.gov> References: <LPBBLAPIGLOAGIHKOOGDMEPFCBAA.jean.med@arabtrust.com> <4.2.2.20000720171643.00ab0620@poptop.llnl.gov> Subject: Re: A Real Rationale for Dedicated Keys Date: Fri, 21 Jul 2000 11:41:31 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 > > >I know of one commercial CA that only certified public keys for key pairs > >that it (the CA) generated. Their rationale was that they did not want the > >risk of certifying a dodgy key pair because of the risk of bad publicity > >undermining their reputation as a CA. The generated private key was > >transfered securely to the client. They wanted to take the next step and > >start storing the private key directly onto smart cards. > > Some reservations here! I would be wary of a process that actually > allows the "key-generating operator" to learn the value of the secret. > CA's have internal policies and procedures to prevent that and they have good reason to follow them too since they are in the business of selling trust. > If there were ways to guarantee that the secret key were actually generated > "in the card", (and could not be extracted, of course) I would feel better > about such a process. > Me too, but if the CA I have to use (and everybody else uses) does it their way I have to accept it or not participate. > But, this does not address the issue of the dishonest user who would > have the corresponding public key "certified for authentication, NR=0", > use it for signing email receipts, and then try to repudiate a contract > by arguing they were fooled into signing it with their NR=0 usage. > > I don't think "Just Say No" to key multi-certification will work. > > What will? > As long as the dishonest user can be made accountable for their actions you should have a workable solution. You can not prevent dishonesty, only raise the cost for dishonest behaviour. I am are not saying "no" to multi-certification. Just "no" to its use as a repudiation defense. Appropriate CA policy can make it harder for the dishonest user to make repudiation claims based on being "fooled". If the user has declared that they will not multi-certify a NR=1 key down to NR=0, then goes and does it anyway their repudiation claim is going to look pretty weak. Regards, Simon McMahon ERACOM Pty. Ltd. Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA17913 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 18:08:35 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id SAA15428; Thu, 20 Jul 2000 18:10:41 -0700 (PDT) Message-Id: <4.2.2.20000720180425.00b18ae0@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 20 Jul 2000 18:18:28 -0700 To: Stephen Kent <kent@bbn.com>, Steve Hanna <steve.hanna@sun.com> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: Reverse paths Cc: ietf-pkix@imc.org In-Reply-To: <v0422080bb59d27c098db@[171.78.30.107]> References: <39774642.978BDD06@sun.com> <96411195511841@kahu.cs.auckland.ac.nz> <39774642.978BDD06@sun.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 06:05 PM 7/20/00 -0400, Stephen Kent wrote: >Steve, > ><snip> > >>As to how you can display the network of trust in a mesh topology, X.500 >>DNs provide a nice hierarchy. >>Certificates are directional arcs between nodes in the tree. Trust >>anchors can be displayed as arcs >>from the RP to the trusted party (in a different color, if you like). > >Experience with user behavior says that displaying cert paths is almost >worthless. Almost nobody will view them, and few would be able to >understand the implications of such paths if they did view them. > ><snip> Actually displaying the mesh to users, I hope, would not be the issue. Rather, given the mesh can be uniquely represented in "memory", can one write software that can reply accurately to queries of the form "Is there a path from A to B that satisfies my set of constraints?" And would the behavior of such a tool become intractably slow (as it certainly must on a general graph with many nodes, and most painfully if each "satisfies constraints" requires a net-fetch from a directory.) ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA14369 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 17:27:25 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id RAA00049; Thu, 20 Jul 2000 17:28:55 -0700 (PDT) Message-Id: <4.2.2.20000720171643.00ab0620@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 20 Jul 2000 17:36:42 -0700 To: "Simon McMahon" <simon@onthenet.com.au>, "Jean Abraham" <jean.med@arabtrust.com>, <ietf-pkix@imc.org> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: A Real Rationale for Dedicated Keys In-Reply-To: <01d201bff2a7$51738a50$8802a8c0@eracom.com.au> References: <LPBBLAPIGLOAGIHKOOGDMEPFCBAA.jean.med@arabtrust.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 10:04 AM 7/21/00 +1000, Simon McMahon wrote: > > > > Could you tell me what has NR (Non-Repudation) to do with CA control key > > generation. > > >By "CA controlled key generation" I mean that the CA specifies minimum >standards and one option of the CA may be to do the key gen itself. The CA >should verify that the minimum standards are being followed if it specifies >any. Agreed! >Non-repudiation requires (at least) that the private key does not get >exposed or used by someone else without the owner knowing it. That means >that how the private key is used and how it is stored when not in use is >very relevant to NR. CAs can (and should) insist that key pairs are >generated and the private part is stored to some minimum standard before >they certify the public part. Agreed! >As a merchant I would be more inclined to trust NR signatures verified by >certs from a CA that operated this way than from a CA that only checked the >key owner's identity. Agreed! >I know of one commercial CA that only certified public keys for key pairs >that it (the CA) generated. Their rationale was that they did not want the >risk of certifying a dodgy key pair because of the risk of bad publicity >undermining their reputation as a CA. The generated private key was >transfered securely to the client. They wanted to take the next step and >start storing the private key directly onto smart cards. Some reservations here! I would be wary of a process that actually allows the "key-generating operator" to learn the value of the secret. If there were ways to guarantee that the secret key were actually generated "in the card", (and could not be extracted, of course) I would feel better about such a process. But, this does not address the issue of the dishonest user who would have the corresponding public key "certified for authentication, NR=0", use it for signing email receipts, and then try to repudiate a contract by arguing they were fooled into signing it with their NR=0 usage. I don't think "Just Say No" to key multi-certification will work. What will? ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA14059 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 17:17:29 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id KAA18384; Fri, 21 Jul 2000 10:19:57 +1000 (EST) Message-ID: <01fe01bff2aa$a5eba830$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: <tgindin@us.ibm.com> Cc: <ietf-pkix@imc.org>, "Tony Bartoletti" <azb@llnl.gov> References: <85256922.0052F4C9.00@D51MTA04.pok.ibm.com> Subject: Re: A Real Rationale for Dedicated Keys Date: Fri, 21 Jul 2000 10:28:21 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 > > > My point being, the key-owner is the primary point of > > control in enforcing a "one-key, one-cert" personal regime. > > > The "key generator" is really the primary point of control and need not be > the same as the "key owner" (the one who makes signatures). Some CAs insist > on having some control over key origin, key generation, or at least the > equipment used to do it so that uncontrolled certifications and hackable > private keys can be avoided. I would expect that all commercial CAs that > generate certs intended for NR usage will have to control key generation. > > Does it really matter how many certificates there are for a public key as > long as the one specifying NR relates to a private key that cannot be > duplicated ? I dont see how multiple certs for a key is a threat to > non-repudiation of signatures. Only private key exposure / duplication is. > > [Tom Gindin] The threat is that the subject could claim, as an attempt to > repudiate, that he was using an ordinary authentication key, and he didn't > know that it was for NR. For this reason and similar ones, having multiple > certificates with conflicting key usages but the same key is surely bad > practice - having multiple certificates with the same key usages and the > same key from different issuers is much less so. There is a converse > threat, in that an untrustworthy CA could (in theory) issue certificates > for users it has no relationship with, based on existing valid > certificates, but with stronger key usage and an RP could claim reliance on > such certificates. Then the CA goes out of operation and the RP claims > non-repudiation. > I think reputable CAs will counter this threat by controlling key pair generation and private key storage or by making subjects declare (backed up with a handwritten signature) that the key they have presented for an NR certificate will only ever be certified for NR use. I dont think the concept of an "untrustworthy CA" is a realistic threat to consider. Why would anyone trust certificates from an untrustworthy CA ? > Regards, > > Simon McMahon. > ERACOM Pty. Ltd. > > > Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id RAA13760 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 17:08:35 -0700 (PDT) From: bjueneman@novell.com Message-Id: <200007210008.RAA13760@ns.secondary.com> Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Thu, 20 Jul 2000 18:10:23 -0600 Mime-Version: 1.0 Date: Thu, 20 Jul 2000 18:11:00 -0600 X-Mailer: Groupwise 5.5.3.1 Subject: Re: Signing what you don't understand To: ietf-pkix@imc.org Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="____VDCOGBZYLUKMFWUAOQMZ____" --____VDCOGBZYLUKMFWUAOQMZ____ Content-Type: multipart/alternative; boundary="____XGVTDUZAZWKBBJMXHBFC____" --____XGVTDUZAZWKBBJMXHBFC____ Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Peter, The Novell Certificate Server is included with every copy of NDS, and thus = is potentially available to some 50 million users, plus or minus. = Although I certainly wouldn't claim that all of those customers are using = our certificate server, they could, and for free, using servers running on = NetWare, NT, and Solaris.=20 For a number of reasons, including a certain mistrust of both the physical = security, computer security, and cryptographic security of existing = browser and e-mail implementations, together with the requirement to do = _something_ about business key recovery for encryption and mixed usage = keys, we made the decision to generate such keys on the (normally more = secure) server, and then download the keys securely to the browser or = e-mail client for use. I can hear the screams now -- "but the system administrator might have = access to my keys in that case" -- and that is true, and deliberately so. = And by the way, at least in most corporate environments, the system = administrator is also the guy who installed the browsers, configured the = operating system, specified what roots are to be trusted, etc.. It's not = that I trust systems administrators for everything under the sun, but you = can hardly expect the secretaries, clerks, or even the General Counsel or = CEO in most corporations to have a Ph.D. in computer science/cryptography = AND have the time to do all of this stuff themselves. And of course, if = our certificate server doesn't meet their needs, they can go pay lots of = money to someone else. It's a free product -- if they don't like it, = we'll cheerfully refund what they paid for it. Having said that, there are a couple of caveats. First, these keys are = primarily used for authentication to corporate resources that are under = the control of the system administrator in any case, and secondarily for = use in encrypting internal e-mail, for which the company may choose to = assert a business key recovery right and responsibility. Secondly, in part due to my frustration in not having an agreed-upon = definition for nonrepudiation, and in particular the semantic requirements = as to what to do or not do when presented such a certificate, the Novell = Certificate Server does not at this time create certs with the NR bit = asserted. =20 Whatever the NR bit is finally determined to mean, it will almost = certainly call for a higher level of trust than what is currently provided = within existing browsers and e-mail packages, which at present is our = primary market segment. I hope that clarifies the issue somewhat. Regards, Bob Robert R. Jueneman Consultant Engineer, PKI/Security Architect Novell, Inc. -- the leading provider of Net services software 1800 South Novell Place Provo, UT 84606 www.novell.com bjueneman@novell.com 1-801-861-7387 DISCLAIMER: If this message (with or without attached documents) is digitally = signed, and/or if certificates are attached, the intended purpose is to=20 (1) Ensure that e-mail came from the apparent sender (2) Protect e-mail from tampering (3) Ensure that the content of e-mail sent to me and encrypted in my = dual-use key cannot be viewed by others. It is explicitly NOT the intent of any such signed message or document = to represent any type or form of legally binding contract or other = representation, and any such interpretation should not be considered = commercially reasonable and will be repudiated, notwithstanding any = wording or implications to the opposite effect in the text of the message = itself. >>> Ronald A Martin <ramartin@raytheon.com> 07/20/00 02:20PM >>> Another... http://www.rsasecurity.com/products/keon/advancedpkiservices.html Ron Anders Rundgren wrote: > Peter, > > >> Several leading PKI vendors have implemented systems where the = private key > >> is held on a central Web server and then downloaded at run time to a = web > >> browser. Are you saying that signatures created using these keys are > >> invalid? > >Are you sure? Could you provide a reference? I doubt that strongly... > > > >Peter > > I think this is one... > > http://www.arcot.com/products/webfort.html > > Anders --____XGVTDUZAZWKBBJMXHBFC____ Content-Type: multipart/related; boundary="____LDRLFIKOSBKEMECJKSLQ____" --____LDRLFIKOSBKEMECJKSLQ____ Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" http-equiv=3DContent-Type= > <META content=3D"MSHTML 5.00.2614.3401" name=3DGENERATOR></HEAD> <BODY style=3D"FONT: 8pt MS Sans Serif; MARGIN-LEFT: 2px; MARGIN-TOP: = 2px"> <DIV><FONT size=3D1>Peter,</FONT></DIV> <DIV><FONT size=3D1></FONT> </DIV> <DIV><FONT size=3D1>The Novell Certificate Server is included with every = copy of=20 NDS, and thus is potentially available to some 50 million users, plus = or=20 minus. Although I certainly wouldn't claim that all of those=20 customers are using our certificate server, they could, and for free, = using=20 servers running on NetWare, NT, and Solaris. </FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>For a number of reasons, including a certain mistrust = of both=20 the physical security, computer security, and cryptographic = security=20 of existing browser and e-mail implementations, together with the = requirement to=20 do _something_ about business key recovery for encryption and mixed usage = keys,=20 we made the decision to generate such keys on the (normally more secure) = server,=20 and then download the keys securely to the browser or e-mail client for=20 use.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>I can hear the screams now -- "but the system = administrator=20 might have access to my keys in that case" -- and that is true, and = deliberately=20 so. And by the way, at least in most corporate environments, the = system=20 administrator is also the guy who installed the browsers, configured = the=20 operating system, specified what roots are to be trusted, etc.. It's = not=20 that I trust systems administrators for everything under the sun, but you = can=20 hardly expect the secretaries, clerks, or even the General Counsel or = CEO=20 in most corporations to have a Ph.D. in computer science/cryptography = AND=20 have the time to do all of this stuff themselves. And of course, if = our=20 certificate server doesn't meet their needs, they can go pay lots of money = to=20 someone else. It's a free product -- if they don't like it, we'll=20 cheerfully refund what they paid for it.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Having said that, there are a couple of caveats. = First,=20 these keys are primarily used for authentication to corporate resources = that are=20 under the control of the system administrator in any case, and secondarily = for=20 use in encrypting internal e-mail, for which the company may choose to = assert a=20 business key recovery right and responsibility.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Secondly, in part due to my frustration in not having = an=20 agreed-upon definition for nonrepudiation, and in particular the = semantic=20 requirements as to what to do or not do when presented such a certificate, = the=20 Novell Certificate Server does not at this time create certs with the NR = bit=20 asserted. </FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Whatever the NR bit is finally determined to mean, it = will=20 almost certainly call for a higher level of trust than what is currently=20= provided within existing browsers and e-mail packages, which at present is = our=20 primary market segment.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>I hope that clarifies the issue somewhat.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Regards,</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Bob</FONT></DIV> <DIV> </DIV> <DIV> </DIV> <DIV> </DIV> <DIV> </DIV> <DIV> </DIV> <DIV> </DIV> <DIV>Robert R. Jueneman<BR>Consultant Engineer, PKI/Security Architect</DIV= > <DIV> </DIV> <DIV>Novell, Inc. -- the leading provider of Net services software<BR>1800 = South=20 Novell Place<BR>Provo, UT 84606<BR><A=20 href=3D"http://www.novell.com">www.novell.com</A></DIV> <DIV> </DIV> <DIV><A=20 href=3D"mailto:bjueneman@novell.com">bjueneman@novell.com</A><BR>1-801-861-= 7387</DIV> <DIV> </DIV> <DIV>DISCLAIMER:<BR> If this message (with or without attached = documents)=20 is digitally signed, and/or if certificates are attached, the intended = purpose=20 is to <BR> (1) Ensure that e-mail came from the apparent=20 sender<BR> (2) Protect e-mail from tampering<BR> = (3)=20 Ensure that the content of e-mail sent to me and encrypted in my = dual-use=20 key cannot be viewed by others.<BR> It is explicitly NOT the intent = of any=20 such signed message or document to represent any type or form of legally = binding=20 contract or other representation, and any such interpretation should not = be=20 considered commercially reasonable and will be repudiated, notwithstanding = any=20 wording or implications to the opposite effect in the text of the = message=20 itself.<BR><BR>>>> Ronald A Martin <ramartin@raytheon.com>= =20 07/20/00 02:20PM >>><BR>Another...<BR><BR><A=20 href=3D"http://www.rsasecurity.com/products/keon/advancedpkiservices.html">= http://www.rsasecurity.com/products/keon/advancedpkiservices.html</A><BR><B= R> =20 Ron<BR><BR>Anders Rundgren wrote:<BR><BR>> Peter,<BR>><BR>> = >>=20 Several leading PKI vendors have implemented systems where the private=20 key<BR>> >> is held on a central Web server and then downloaded = at run=20 time to a web<BR>> >> browser. Are you saying that = signatures=20 created using these keys are<BR>> >> invalid?<BR>> >Are you = sure?=20 Could you provide a reference? I doubt that strongly...<BR>> ><BR>>= ;=20 >Peter<BR>><BR>> I think this is one...<BR>><BR>> <A=20 href=3D"http://www.arcot.com/products/webfort.html">http://www.arcot.com/pr= oducts/webfort.html</A><BR>><BR>>=20 Anders<BR><BR></DIV></BODY></HTML> --____LDRLFIKOSBKEMECJKSLQ____-- --____XGVTDUZAZWKBBJMXHBFC____-- --____VDCOGBZYLUKMFWUAOQMZ____ Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" CONTENT-DESCRIPTION: S/MIME Cryptographic Signature MIIMlwYJKoZIhvcNAQcCoIIMiDCCDIQCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCCh8w ggUIMIID8KADAgECAhoCFAAAABQ0/V7yZC4krZCad8s8I/9yAgID2jANBgkqhkiG9w0BAQUFADAy MRswGQYDVQQLExJOb3ZlbGwgRW1wbG95ZWUgQ0ExEzARBgNVBAoUCk5PVkVMTF9JTkMwHhcNOTkx MDA5MTcyMDAwWhcNMDkxMDA5MTcyMDAwWjAyMRswGQYDVQQLExJOb3ZlbGwgRW1wbG95ZWUgQ0Ex EzARBgNVBAoUCk5PVkVMTF9JTkMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFXNJ5 6dllO0vfXHFpTJKFXsPp4/ODFGguxqQOt/gRB+jEILRth9kko6r1DRMVtdJ3vYFxujArU9E1dEUL mf12vQOHveLyiu3+2QWFoWxGMRzdeziJkB5lk8noS3yhCCBoEOh+8UZ8xbeXRiBE9Trn4e5mojH8 +ao7khHpd5tw2MbfDgEh7ngp0jg7ZvLUz/UW4ki8em35g3KC3UFdUO/q+V/n2NUqnpgUH2bkpoib kSMjwAfVn50B1PpK/MJMGvtYGiVtTvq6VKDR+wa8WC7uVEQiPbEiH8KOKd9fFBCsZvd12fbfUeNI FmrnNkk5Ob/p/GRKrppExWbGueulpBExAgMBAAGjggIOMIICCjAKBgNVHQ4EAwQBATAMBgNVHSME BTADgAEBMA8GA1UdEwEBAAQFMAMBAf8wDgYDVR0PAQEABAQDAgEGMIIBywYLYIZIAYb4NwEJBAEB AQAEggG3MIIBswQCAQABAf8THU5vdmVsbCBTZWN1cml0eSBBdHRyaWJ1dGUodG0pFkNodHRwOi8v ZGV2ZWxvcGVyLm5vdmVsbC5jb20vcmVwb3NpdG9yeS9hdHRyaWJ1dGVzL2NlcnRhdHRyc192MTAu aHRtMIIBRKAaAQEAMAgwBgIBAQIBRjAIMAYCAQECAQoCAWmhGgEBADAIMAYCAQECAUYwCDAGAgEB AgEKAgFpogYCARgBAf+jggEAoFoCAQICAgD/AgEAAw0AgAAAAAAAAAAAAAAAAwkAgAAAAAAAAAAw GDAQAgEAAgh//////////wEBAAIEBvDfSDAYMBACAQACCH//////////AQEAAgQG8N9IMFKhUgIB AgICAP8CAQADDQBAAAAAAAAAAAAAAAADCQBAAAAAAAAAADAVMBACAQACCH//////////AQEAAgEU MBUwEAIBAAIIf/////////8BAQACARSiTjBMAgECAgIA/wIBAAMNAID//////////////wMJAID/ ////////MBIwEAIBAAIIf/////////8BAf8wEjAQAgEAAgh//////////wEB/zANBgkqhkiG9w0B AQUFAAOCAQEAaiESm7ALSKkCI86jYyeRPzNazTY4f0GepqTPidwM546hDZKxkFfKjop9nhZDEg0S xj69kL7mlqowVlU6dgoEPgqwPglP0jBO60EyzqjorrVbnpuSNUVoY+6OyymyrdNrx2DGTBTqsI/i urILrt1V2b8ioTAWSp9lHr5LxAOxQgTeNMMI/b5B0sTlAlwBNbn2K1b11EfYdxSmkQZfsQVCmfKl 8y2xqF7X2+W45Zgdev0/JQxCXlRVoGEMbshs7V5AECg9qezn9dTyfCX1nS+YoLkJf0khv2MrcfrN 1SG2EGusV2NVDxCdXFuLhyWxwAxVLoI5LNIMLFa4P8vAinCxJTCCBQ8wggP3oAMCAQICGgIUAAAA FDT9XvJkLiStkJp3yzwj/3ICAgTqMA0GCSqGSIb3DQEBBQUAMDIxGzAZBgNVBAsTEk5vdmVsbCBF bXBsb3llZSBDQTETMBEGA1UEChQKTk9WRUxMX0lOQzAeFw05OTEwMDkxODE4MDBaFw0wMTEwMDkx ODE4MDBaMEIxEjAQBgNVBAMTCUJKdWVuZW1hbjENMAsGA1UECxMETlNSRDEMMAoGA1UECxMDUFJW MQ8wDQYDVQQKEwZOb3ZlbGwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3eHuGT669 GWzGuMYSIvezmPdEFF0nbdlhqv0KwebG5WHi4TiLyX7s8l6+0CQRAF9rFQhEdh7I2lti9hgrNOjo 4SZvxU0PstQcN9ad6usXMzHBa36Xj31kJUhguKEKpCaUYGmWPcq6ehLcuxTv0nuq1QvAGTIqjCT5 y/tpSwo2nXpb9UXOEpZg8CmL6OTKj44cAmHzPk6dElXxF7SjnhkNOYNvwgs/Afa+7iOX0Lv6vTYJ eaz1eklKMSoJf5mZ/EZfJjUkf5jDRdIb5Rog2/HWMEsBvP2vgiBrV1nwVFGBkpfs1qwq0A7h3UdG bm8NlzgFMs2lltqtONbGiZK5UMoDAgMBAAGjggIFMIICATAMBgNVHSMEBTADgAEBMCIGA1UdEQEB AAQYMBaBFEJKVUVORU1BTkBub3ZlbGwuY29tMIIBywYLYIZIAYb4NwEJBAEBAQAEggG3MIIBswQC AQABAf8THU5vdmVsbCBTZWN1cml0eSBBdHRyaWJ1dGUodG0pFkNodHRwOi8vZGV2ZWxvcGVyLm5v dmVsbC5jb20vcmVwb3NpdG9yeS9hdHRyaWJ1dGVzL2NlcnRhdHRyc192MTAuaHRtMIIBRKAaAQEA MAgwBgIBAQIBRjAIMAYCAQECAQoCAWmhGgEBADAIMAYCAQECAUYwCDAGAgEBAgEKAgFpogYCARQB Af+jggEAoFoCAQICAgD/AgEAAw0AgAAAAAAAAAAAAAAAAwkAgAAAAAAAAAAwGDAQAgEAAgh///// /////wEBAAIEBvDfSDAYMBACAQACCH//////////AQEAAgQG8N9IMFKhUgIBAgICAP8CAQADDQBA AAAAAAAAAAAAAAADCQBAAAAAAAAAADAVMBACAQACCH//////////AQEAAgEUMBUwEAIBAAIIf/// //////8BAQACARSiTjBMAgECAgEAAgIA/wMNAIAAAAAAAAAAAAAAAAMJAIAAAAAAAAAAMBIwEAIB AAIIf/////////8BAQAwEjAQAgEAAgh//////////wEBADANBgkqhkiG9w0BAQUFAAOCAQEAiEId iox84BfJlz8suOJdTEwkuJsT1AbsLBwWzEpwfBS5FRGglOyKwlj8Fq+bFmgnBX//wbW4gjutgAEu w8fXGUaQ9d2qwUn06Ta8C8AeBr7XmxrHe1Hs4YBQfqtVpdbZDasgeOhJhKSAMmIbv7jajwI9oZ93 aS5w/ArkTGFm+hpexZsSHtTjcKFAQ977M+QwbnilmnBfPYiQk+y/uGcAeJqJRnmzbfrbmzlpsyqg yJENC+zD4O5tq9Gn53pHpG1EnjX/ZN3+jM0HKIc/rDuQ+yQ4e3LReenrRbmAoDlD5krF2sfFXphb P86HUMcytbnXDgBbtKYdVtH/kDDMHCMQBTGCAkAwggI8AgEBMFAwMjEbMBkGA1UECxMSTm92ZWxs IEVtcGxveWVlIENBMRMwEQYDVQQKFApOT1ZFTExfSU5DAhoCFAAAABQ0/V7yZC4krZCad8s8I/9y AgIE6jAJBgUrDgMCGgUAoIHGMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkF MQ8XDTAwMDcyMDE4MTEzMFowIwYJKoZIhvcNAQkEMRYEFNg9QFD+hWGYdRFTo0XcDyhW+kbPMGcG CSqGSIb3DQEJDzFaMFgwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMAoGCCqGSIb3DQMEMA0G CCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAcGBSsOAwIaMA0GCSqGSIb3DQEB AQUABIIBAGi0Vn/PNo1Bg7mCWsu7Xad/8BLvsTyfInUTNx0G6oKnKtCcTJTYRQjAueg7fyJ81Vzo r3K2jf8KooOQe3qFheVuPuSfoo/XFVrNHWdOOYHLf059ADnfmTajF/zP6HsIVVoCS1R9UPX1vKfd 4qjYpUirXIM/Gm7mQQCqgqs/CgcuhrDL76ROfXecB2/Cz+wTf1QyB0kBuQvK+67n7r4F++7ltEOf lRpFULabARw9pl53sMt71P0CfnpQlghathr7gqgjitiYYBOMIgMQ3z97y8T9KTblH6+WG2vBDfKl 1lNE4sBpfUuU8J/CUt1QyUYCw7hqJ6gCvdeyHmxa37Ivs6o= --____VDCOGBZYLUKMFWUAOQMZ____-- Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA13241 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 16:53:38 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id JAA13803; Fri, 21 Jul 2000 09:56:07 +1000 (EST) Message-ID: <01d201bff2a7$51738a50$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Jean Abraham" <jean.med@arabtrust.com>, <ietf-pkix@imc.org>, "Tony Bartoletti" <azb@llnl.gov> References: <LPBBLAPIGLOAGIHKOOGDMEPFCBAA.jean.med@arabtrust.com> Subject: Re: A Real Rationale for Dedicated Keys Date: Fri, 21 Jul 2000 10:04:30 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 > > Could you tell me what has NR (Non-Repudation) to do with CA control key > generation. > By "CA controlled key generation" I mean that the CA specifies minimum standards and one option of the CA may be to do the key gen itself. The CA should verify that the minimum standards are being followed if it specifies any. Non-repudiation requires (at least) that the private key does not get exposed or used by someone else without the owner knowing it. That means that how the private key is used and how it is stored when not in use is very relevant to NR. CAs can (and should) insist that key pairs are generated and the private part is stored to some minimum standard before they certify the public part. As a merchant I would be more inclined to trust NR signatures verified by certs from a CA that operated this way than from a CA that only checked the key owner's identity. I know of one commercial CA that only certified public keys for key pairs that it (the CA) generated. Their rationale was that they did not want the risk of certifying a dodgy key pair because of the risk of bad publicity undermining their reputation as a CA. The generated private key was transfered securely to the client. They wanted to take the next step and start storing the private key directly onto smart cards. Regards, Simon Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA13208 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 16:52:58 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id QAA25138; Thu, 20 Jul 2000 16:12:59 -0700 (PDT) Message-Id: <4.2.2.20000720150730.00aa3540@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 20 Jul 2000 16:20:47 -0700 To: Stephen Kent <kent@bbn.com> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: A Real Rationale for Dedicated Keys Cc: ietf-pkix@imc.org In-Reply-To: <v04220809b59d230d7e55@[171.78.30.107]> References: <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 05:48 PM 7/20/00 -0400, Stephen Kent wrote: >Tony, > >You cited the ability of a user (or someone else) to bind a public key >into multiple certs, some with and some without the NR bit enabled as a >reason that the NR bit is not useful for the purpose I stated. I think I >pointed out in my response to John Wary why this line of reasoning is not >necessarily true. It would be a mistake for a user to have the same public >key in multiple certs, and anyone other than the user should not be able >to effect POP and get a CA to issue a cert. Yes, a user could act in this >inappropriate fashion, in some instances, but then too a user could >undermine most of the safeguards that we envision through negligent conduct. Steve, I agree with the main points, and I worked from the assumption that CAs will not certify without POP (certainly not NR without POP!). Thus, if a user (wisely, naively, or unscrupulously) has an NR-key "differently certified", it is largely under the user's control, since they are the only ones that can satisfy POP. So, my tack becomes "How best to work from this assumption?" Bad as such a practice may be, I asked myself how close one could come to making such a situation "workable", and the answer (to me) was a protocol that forces a conscious selection of certificate be bound into the transaction. (I suppose they will always have the "Ooops, I thought I selected the NR=0 cert that time, honest mistake...) but the signed content would at least implicate a usage (and for NR and the RP, more importantly, the strength of a DN-Person binding that is commensurate with such a usage.) To a Relying Party, the value of the NR bit on ANY certificate for a given key (even where the same key may have been lightly certified elsewhere) is that someone (who but the CA?) has gone to greater lengths to ensure the "reasonableness" of the DN as a reliable indicator of an identifiable party. (Of what value an NR-cert binding a key to the DN-equivalent of "someone@mailbox"?) To my understanding, a re-certification of such a "strong" key does not in itself weaken the established DN-Entity binding. (It DOES allow a "lightweight CA" to leverage the hard work of the diligent NR-certifying CA ... Is that an issue?) It (NR-bit) may also be a declaration from the CA that the key was generated in a secure device. But all of this lends a degree of value to ANY use of the key, EXCEPT for a use requiring some measure of anonymity. Fortunately, the user is self-motivated to employ a distinct key for such purposes. As far as this being a reason that the "NR-bit is not useful" for the purpose you stated, I am not quite sure. From your response to John Wray, I can only suppose that this use centers on the reduction of "added mechanisms" to support Non-Repudiation. But I feel that "additional mechanisms" are required for such a weighty use as legally binding signatures. I really want to avoid people buying into the semantic that "Valid Signature" plus "I found a certificate that says NR" somehow equates to "signature was made with NR intent." (Even binding a selected NR-cert into the signature is insufficient, but moves us a step closer.) There are really two motivations I consider: 1. What can be done to help prevent a "criminal" user from perpetrating a fraud. 2. What can the legitimate user do to protect herself from misapplication by others. If we agree that we cannot (easily) prevent a user from having a key "multiply-certified", the goal must shift to how we might best prevent the unscrupulous user from profiting by the practice. My point about the privacy/anonymity issue is that the user has legitimate control over this by applying different keys. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA11913 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 15:37:42 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA04848; Thu, 20 Jul 2000 18:40:19 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422080db59d2d88f4ad@[171.78.30.107]> In-Reply-To: <OF71EFC20C.08145845-ON85256922.004BC9D3@iris.com> References: <OF71EFC20C.08145845-ON85256922.004BC9D3@iris.com> Date: Thu, 20 Jul 2000 18:38:28 -0400 To: John_Wray@iris.com From: Stephen Kent <kent@bbn.com> Subject: Re: Signing what you don't understand Cc: John_Wray@iris.com, <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" John, >Steve, > > >>What other mechanisms would cover that case of my issuing CA going out of > >>business? If a CA's assets (including its keys) are sold as part of a > >>bankruptcy process, I would think that trust in those keys would be >fairly > >>quickly revoked by other CAs that might have cross-certified it. In this > >>case, invalidityDate on those revocations would probably be set so that >no > >>certificate that had been issued by the former CA's key would be trusted > >>(to prevent the keys' new owners from issuing new backdated >certificates). > >>However, as a subscriber to the former CA, I don't see why my signatures > >>should suddenly become less trustworthy, if my key can be verified via > >>another path. > > > >A RP can be responsible for acquiring all the requisite evidence for > >later support of signed document validity, including time stamping > >this evidence. I think this addresses the scenario you described > >above. > >That addresses the case where the document is processed by the RP prior to >my CA going out of business, but it doesn't help if trust in the CA has >already been revoked at the time the RP tries to verify the signature. >Note I'm not talking about NR here - In the scenario I'm concerned with, >the RP will itself not trust my signature, even though it should be valid. >In an e-mail environment, this may not matter too much, as the RP could >simply ask the signer to re-send a freshly signed copy of the e-mail, but >in a work-flow or EDI environment, where documents move through a system >acquiring multiple counter-signatures over portions of the documents, it >may be impractical to simply re-start the process. I agree that in a more slowly moving processes you describe above the window for the CA vanishing is greater, but in practice I think it would be quite rare. If it's quite rare, it's feasible to restart the process. >It is possible for the signer to timestamp his signature, along with a >complete certification path from some root CA, along with CRL- or >OCSP-based liveness evidence for every certificate on that path. This is, >I think, what ESS terms a signer-generated ES-X. But that doesn't help >unless the RP directly trusts the signer's root CA. If the RP doesn't >trust the root that the signer chooses, then the timestamped chain is of >little use to him, since it won't say anything about the certificates in >the chain the RP constructs (although if a chain from one of the RP's >trusted roots happens to "join up" with some fraction of the signer's >timestamped chain, then the timestamp can be used as evidence of validity >at signing time of the fraction of the chain below the intersection point). In practice today (and maybe the right way in the long run anyway) there are not multiple choices for a root relative to a specific signer. For example, if I operate in an organization context, my cert is issued by my org, period. My org may not choose to be certified by any TTPs, or it may choose only one. In such cases, an RP has a take it or leave it option. In the physical world we often have this sort of credential situation. If you don't trust the bank from which I got a letter of credit, we don't do business. If you don't trust D&B for a background check on a U.S. business, your options are severely limited. >Even if the RP does trust the signer's root, though, it's not clear why the >RP's software should believe a signature based on a certificate chain that >contains revoked certificates (with invalidity dates that precede the >signature date), even if it includes evidence that at the time of signature >creation, those certificates had not yet been revoked. Even if not >rejected outright, such a signature should be treated as at best >suspicious. When we check a signature for NR, and significant time has elapsed since the signature was applied, then different rules must be employed. After all, the certs may have expired and, unless we make use of the private key validity interval extension (which is not too common), we still consider the signature to be potentially valid. One might define this as an "archival signature validation" process, with different rules and additional inputs (e.g., TSA signed data ...). Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA11104 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 15:10:18 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA02895; Thu, 20 Jul 2000 18:12:55 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422080cb59d2878c417@[171.78.30.107]> In-Reply-To: <ED026032A3FCD211AEDA00105A9C4696016E587B@sothmxs05.entrust.com> References: <ED026032A3FCD211AEDA00105A9C4696016E587B@sothmxs05.entrust.com> Date: Thu, 20 Jul 2000 18:14:23 -0400 To: Sharon Boeyen <sharon.boeyen@entrust.com> From: Stephen Kent <kent@bbn.com> Subject: RE: Reverse paths Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sharon, ><snip> > >It is my opinion that recent events, such as the US Federal Bridge CA >activity >have shown that a single global hierarchy does not work, that distributed >trust >models are, in fact necessary as well. Because of these events and because >the >issue was raised, not by me but by another vendor (Sean Mullan from Sun), I >thought >it was a reasonable recommendation to support now. Having said that, let me >clarify >what I meant. To answer your first question, no I don't mean to impose >reverse in >all contexts. Nor do I mean to impose bilateral cross-certification. Rather, >I am >suggesting mandating that, in addition to what PKIX says currently, a CA >that issues a certificate to another CA (where the subject CA is NOT a >subordinate CA to the issuing CA within a hierarchy), must place that >certificate in the reverse element of the cross certificate pairs attribute >of the its own directory entry. No impact within a hierarchy at all, no >requirement that cross certification be bilateral. Sorry for the confusion >and I hope this is a bit clearer. So I guess to summarize: I think the Federal Bridge CA model is broken. It is appropriate to use a bridge CA as a convenient means of distributing certificates between communities, to avoid the order N**2 cross certification problem. CA-1 could go to the bridge CA to acquire the public key for CA-2, then import that key into CA-1's domain, by issuing a cross certificate from CA-1 to CA-2. In this fashion CA-1 van impose the appropriate name constraints extension, appropriate policy mapping constrains, even basic constraints on the depth of cert paths. Then the existing processing methods we have should work, right? If one tries to process a path via a bridge CA, then one looses the ability to impose name constraints, and to apply selective policy mapping etc, because the bridge CA is in the path, getting in the way :-). So, no, I am not persuaded by the suggestion that bridge CAs are the wave of the future. I think they are ill conceived in their current use, but they could be rehabilitated! <snip> Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA10920 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 15:08:31 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA02763; Thu, 20 Jul 2000 18:11:05 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422080bb59d27c098db@[171.78.30.107]> In-Reply-To: <39774642.978BDD06@sun.com> References: <96411195511841@kahu.cs.auckland.ac.nz> <39774642.978BDD06@sun.com> Date: Thu, 20 Jul 2000 18:05:58 -0400 To: Steve Hanna <steve.hanna@sun.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Reverse paths Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Steve, <snip> >As to how you can display the network of trust in a mesh topology, >X.500 DNs provide a nice hierarchy. >Certificates are directional arcs between nodes in the tree. Trust >anchors can be displayed as arcs >from the RP to the trusted party (in a different color, if you like). Experience with user behavior says that displaying cert paths is almost worthless. Almost nobody will view them, and few would be able to understand the implications of such paths if they did view them. <snip> Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA10906 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 15:08:30 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA02758; Thu, 20 Jul 2000 18:11:04 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v0422080ab59d257e1108@[171.78.30.107]> In-Reply-To: <397706E7.9C032886@sun.com> References: <ED026032A3FCD211AEDA00105A9C4696016E584C@sothmxs05.entrust.com> <v04220807b59baae71151@[128.33.238.44]> <397706E7.9C032886@sun.com> Date: Thu, 20 Jul 2000 18:03:32 -0400 To: Steve Hanna <steve.hanna@sun.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Reverse paths Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 10:04 AM -0400 7/20/00, Steve Hanna wrote: >Stephen Kent wrote: > > I am uncomfortable with the proposal that we mandate both elements, > > as this would seem to imply that every CA would have to engage in > > reverse path certificate generation in all contexts. Did I > > misunderstand the implication? > >I'm not sure what you mean by "reverse path certificate generation". >This change would require that >when a CA issues a cross certificate, they would have to place a >copy of it in their own directory >entry (in the reverse element of a value of the crossCertificate >attribute). It would not require the >generation of any additional certificates. I though Sharon suggested that each CA entry would hold mandated pairs of cross certs, one forward and one back, for each CA it was being linked to. In today's mostly hierarchic environment, a CA issues a forward cert (using X.509 terminology) to CAs "below" it and is certified by CAs "above" it, but CAs do not usually generate the other, reverse certs, even though they are defined and a valid part of the X.509 model. Only when CAs in different organizational domains certify one another is there typically a a pair of certs available. Thus, if one were to impose a constraint, via LDAP, that caused CAs to issues reverse certs, it would constitute a major change in the way most PKIs today are arranged. > > > I know that Entrust has always encouraged (required?) this type of > > cross certification among CAs, but it doesn't seem that other CA > > vendors or most users have. I would not think it appropriate to > > impose this sort of requirement, given the vendor-specific > > implications of such a change. > >I don't see this as a vendor-specific issue, but rather as an aid to >building certification paths. It is vendor specific in so far as Entrust products have long (always?) issued reverse certs, while no other major products have. Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA10366 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 14:48:24 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id RAA00986; Thu, 20 Jul 2000 17:50:29 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v04220809b59d230d7e55@[171.78.30.107]> In-Reply-To: <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> References: <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> Date: Thu, 20 Jul 2000 17:48:17 -0400 To: Tony Bartoletti <azb@llnl.gov> From: Stephen Kent <kent@bbn.com> Subject: Re: A Real Rationale for Dedicated Keys Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Tony, You cited the ability of a user (or someone else) to bind a public key into multiple certs, some with and some without the NR bit enabled as a reason that the NR bit is not useful for the purpose I stated. I think I pointed out in my response to John Wary why this line of reasoning is not necessarily true. It would be a mistake for a user to have the same public key in multiple certs, and anyone other than the user should not be able to effect POP and get a CA to issue a cert. Yes, a user could act in this inappropriate fashion, in some instances, but then too a user could undermine most of the safeguards that we envision through negligent conduct. Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA09998 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 14:37:57 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id RAA00132; Thu, 20 Jul 2000 17:40:34 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v04220805b59d2010ca78@[171.78.30.107]> In-Reply-To: <39775F02.D0B7FE76@raytheon.com> References: <001301bff26e$86043410$0201a8c0@mega.vincent.se> <39775F02.D0B7FE76@raytheon.com> Date: Thu, 20 Jul 2000 17:33:22 -0400 To: Ronald A Martin <ramartin@raytheon.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Signing what you don't understand Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Ron, >Another... > > http://www.rsasecurity.com/products/keon/advancedpkiservices.html > > Ron I think what you cite here is one way to facilitate credential portability in the absence of hardware tokens. It might also be construed as a way to keep selling SecurID cards :-). It does not fundamentally change the focus of our discussion; it is only an remote option for encrypted private key and cert storage. Steve Received: from lukla.Sun.COM (lukla.Sun.COM [192.18.98.31]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA08581 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 13:28:10 -0700 (PDT) Received: from eastmail1.East.Sun.COM ([129.148.1.240]) by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id OAA13828; Thu, 20 Jul 2000 14:30:46 -0600 (MDT) Received: from sunlabs.East.Sun.COM (sunlabs.East.Sun.COM [129.148.75.250]) by eastmail1.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id QAA06853; Thu, 20 Jul 2000 16:30:09 -0400 (EDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.1) with ESMTP id QAA13443; Thu, 20 Jul 2000 16:29:54 -0400 (EDT) Message-ID: <3977611C.6FFEEE17@sun.com> Date: Thu, 20 Jul 2000 16:29:16 -0400 From: Steve Hanna <steve.hanna@sun.com> Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: pgut001@cs.auckland.ac.nz CC: ietf-pkix@imc.org, kent@bbn.com, sharon.boeyen@entrust.com Subject: Re: Reverse paths References: <96412158014910@kahu.cs.auckland.ac.nz> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Peter Gutmann wrote: > Steve Hanna <steve.hanna@sun.com> writes: > >As to how you can display the network of trust in a mesh topology, X.500 DNs > >provide a nice hierarchy. Certificates are directional arcs between nodes in > >the tree. Trust anchors can be displayed as arcs from the RP to the trusted > >party (in a different color, if you like). > > This only works if DN's in certs are ordered hierarchically. We rejected > displaying certs ordered by DN almost instantly because the DN's can be more or > less random, or even pseudo-flat (only the CN changes as you go up the chain). > The best attempt was to display them arranged by issuer chaining, but this also > fails when there are multiple effective issuers, the spaghetti of trust is > rather difficult to display graphically (specifically as a tree control rather > than having to draw graphs). You seem to be trying to arrange certificates into a single order. Perhaps you are trying to display them in a text format. Certainly, this doesn't work well with a non-hierarchical topology. It isn't even an accurate depiction of a hierarchy, since the hierarchy must be flattened in some way. But I don't think the PKIX working group had a design goal of making it easy to display a certificate network in an ordered text file. Other concerns (like security and business requirements) must come first. And a *graphical representation* can provide a superior visualization, as my earlier note indicated. This is a bit of a tangent from the original discussion and probably not of interest to the list as a whole. Let's take it off-line. If anyone wants to follow us, let me know. -Steve Received: from bos-gate3.raytheon.com (bos-gate3.raytheon.com [199.46.198.232]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA08101 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 13:17:45 -0700 (PDT) Received: from ds02e00.directory.ray.com (ds02e00.rsc.raytheon.com [147.25.130.245]) by bos-gate3.raytheon.com (8.11.0.Beta3/8.11.0.Beta3) with ESMTP id e6KKKFQ20100; Thu, 20 Jul 2000 16:20:15 -0400 (EDT) Received: from eoits2.eo.ray.com (localhost [127.0.0.1]) by ds02e00.directory.ray.com (8.9.3/8.9.3) with ESMTP id QAA25838; Thu, 20 Jul 2000 16:20:14 -0400 (EDT) Received: from raytheon.com (marnas-async22.ed.ray.com [138.125.18.222]) by eoits2.eo.ray.com (8.8.8+Sun/8.8.8) with ESMTP id QAA08843; Thu, 20 Jul 2000 16:20:12 -0400 (EDT) Message-ID: <39775F02.D0B7FE76@raytheon.com> Date: Thu, 20 Jul 2000 16:20:19 -0400 From: Ronald A Martin <ramartin@raytheon.com> Organization: Raytheon Company Corporate IT X-Mailer: Mozilla 4.73 [en] (Win95; U) X-Accept-Language: en MIME-Version: 1.0 CC: Peter Lipp <Peter.Lipp@iaik.at>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <001301bff26e$86043410$0201a8c0@mega.vincent.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Another... http://www.rsasecurity.com/products/keon/advancedpkiservices.html Ron Anders Rundgren wrote: > Peter, > > >> Several leading PKI vendors have implemented systems where the private key > >> is held on a central Web server and then downloaded at run time to a web > >> browser. Are you saying that signatures created using these keys are > >> invalid? > >Are you sure? Could you provide a reference? I doubt that strongly... > > > >Peter > > I think this is one... > > http://www.arcot.com/products/webfort.html > > Anders Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA06966 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 12:30:24 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id HAA27726; Fri, 21 Jul 2000 07:33:00 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <96412158014910>; Fri, 21 Jul 2000 07:33:00 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: pgut001@cs.auckland.ac.nz, steve.hanna@sun.com Subject: Re: Reverse paths Cc: ietf-pkix@imc.org, kent@bbn.com, sharon.boeyen@entrust.com Sender: pgut001@cs.auckland.ac.nz Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Fri, 21 Jul 2000 07:33:00 (NZST) Message-ID: <96412158014910@kahu.cs.auckland.ac.nz> Steve Hanna <steve.hanna@sun.com> writes: >As to how you can display the network of trust in a mesh topology, X.500 DNs >provide a nice hierarchy. Certificates are directional arcs between nodes in >the tree. Trust anchors can be displayed as arcs from the RP to the trusted >party (in a different color, if you like). This only works if DN's in certs are ordered hierarchically. We rejected displaying certs ordered by DN almost instantly because the DN's can be more or less random, or even pseudo-flat (only the CN changes as you go up the chain). The best attempt was to display them arranged by issuer chaining, but this also fails when there are multiple effective issuers, the spaghetti of trust is rather difficult to display graphically (specifically as a tree control rather than having to draw graphs). Peter. Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA06547 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 12:15:04 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id HAA13645; Fri, 21 Jul 2000 07:17:38 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <96412065804050>; Fri, 21 Jul 2000 07:17:38 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: pgut001@cs.auckland.ac.nz, pkoning@xedia.com Subject: RE: Reverse paths Cc: ietf-pkix@imc.org, kent@bbn.com, sharon.boeyen@entrust.com Sender: pgut001@cs.auckland.ac.nz Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Fri, 21 Jul 2000 07:17:38 (NZST) Message-ID: <96412065804050@kahu.cs.auckland.ac.nz> Paul Koning <pkoning@xedia.com> writes: >>>>>> "Peter" == Peter Gutmann <pgut001@cs.auckland.ac.nz> writes: > >Peter> ... (I've seen a >Peter> paper which tries to formally model PKIX path processing and >Peter> finds that it's somewhat problematic once you try to create a >Peter> precise, formal spec rather than the informal description in >Peter> the RFC, there are some things which actually require the >Peter> informal spec because they can't be specified in a precise, >Peter> formal manner). >A program (algorithm) is a precise formal specification, so does what you say >mean that the RFC cannot be translated into an algorithm? That would be a >problem, indeed... A program constitutes one interpretation of the text in the RFC, however the RFC really presents an entire class of solutions (or alternatively a rather large solution space) within which it's possible to construct many different concrete implementations, all of which are compliant but none of which produce the same result. This is why trying to formally specify the path processing was so difficult, you're trying to construct an unambiguous, exact specification for something which isn't unambiguous or exact. In the (draft) paper I saw they couldn't go as far as they would have liked because it turned out to be a lot harder than expected to produce a formal spec for the path processing. Originally the intent was to model all the path processing stuff, in the end I think the only thing they managed to complete was policies, and even then there were some areas where there was no clear indication of what to do. The paper is "The PKI Specification Dilemna: A Formal Solution", it was (or at least will have been by now) published at a conference in Australia, but I can't find any reference to it online. Peter. Received: from lukla.Sun.COM (lukla.Sun.COM [192.18.98.31]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA05698 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 11:33:19 -0700 (PDT) Received: from eastmail1.East.Sun.COM ([129.148.1.240]) by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id MAA19127; Thu, 20 Jul 2000 12:35:47 -0600 (MDT) Received: from sunlabs.East.Sun.COM (sunlabs.East.Sun.COM [129.148.75.250]) by eastmail1.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id OAA12667; Thu, 20 Jul 2000 14:35:21 -0400 (EDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.1) with ESMTP id OAA03382; Thu, 20 Jul 2000 14:35:20 -0400 (EDT) Message-ID: <39774642.978BDD06@sun.com> Date: Thu, 20 Jul 2000 14:34:42 -0400 From: Steve Hanna <steve.hanna@sun.com> Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: pgut001@cs.auckland.ac.nz CC: kent@bbn.com, sharon.boeyen@entrust.com, ietf-pkix@imc.org Subject: Re: Reverse paths References: <96411195511841@kahu.cs.auckland.ac.nz> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Peter Gutmann wrote: > The result is that instead of cert decisions being "yes" or "no", they become > "probably" (there may be another path which says otherwise) and "maybe" (again, > there may be another path which says otherwise). Since you can never know > where all the paths lead or if you've examined all of them, you can never > really know whether you're making a valid decision based on the information > you've got (this is a generalisation of the original problem, which was "how > the *#^&$ can we display this mess in a meaningful manner?"). Even in a hierarchical trust model, it is often difficult to say definitively "there is no valid certification path from point A to point B". Especially if there exist certificates that you don't have. All you can say is "I didn't find a valid path" or "I did find a valid path". However, this should be sufficient for most purposes (IPsec, SSL, S/MIME, etc). If you're able to find a valid path, you can proceed. If not, you must fail safe. This is similar to the behavior if you're trying to determine revocation status for a certificate using CRLs and you can't find a current CRL that covers that cert. All you can say is "I don't know if this certificate has been revoked." Of course, you should fail safe and reject the certificate in this circumstance. As to how you can display the network of trust in a mesh topology, X.500 DNs provide a nice hierarchy. Certificates are directional arcs between nodes in the tree. Trust anchors can be displayed as arcs from the RP to the trusted party (in a different color, if you like). Of course, this doesn't represent the namespace of subject alternative names. Nor does it handle the case where two distinct CAs (or EEs) have the same name or a single CA (or EE) has multiple keys that have been separately certified. Like most visualizations, it's a simplification. -Steve Received: from ns.celocom.se (firewall-user@ns.celocom.se [212.209.40.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA05349 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 11:22:03 -0700 (PDT) Received: by ns.celocom.se; id UAA11579; Thu, 20 Jul 2000 20:24:39 +0200 (CEST) Received: from zap.celocom.se(10.10.10.1) by ns.celocom.se via smap (4.1) id xma011572; Thu, 20 Jul 00 20:24:35 +0200 Received: from celocom.se (dhcp013.celocom.se [10.10.10.193]) by zap.celocom.se (8.8.7/8.8.7) with ESMTP id UAA24953; Thu, 20 Jul 2000 20:24:34 +0200 Message-ID: <397743B7.3F6BB0A7@celocom.se> Date: Thu, 20 Jul 2000 20:23:51 +0200 From: Richard Levitte <richard.levitte@celocom.se> Organization: Celo Communications, Ltd. X-Mailer: Mozilla 4.73 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Anders Rundgren <anders.rundgren@telia.com> CC: Peter Lipp <Peter.Lipp@iaik.at>, piers@bj.co.uk, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <001301bff26e$86043410$0201a8c0@mega.vincent.se> Content-Type: multipart/mixed; boundary="------------8A211C6186195BEB17D478B9" This is a multi-part message in MIME format. --------------8A211C6186195BEB17D478B9 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Anders Rundgren wrote: > Peter, > > >> Several leading PKI vendors have implemented systems where the private key > >> is held on a central Web server and then downloaded at run time to a web > >> browser. Are you saying that signatures created using these keys are > >> invalid? > >Are you sure? Could you provide a reference? I doubt that strongly... > > > >Peter > > I think this is one... > > http://www.arcot.com/products/webfort.html I think not, at least from reading the papers "Protecting Digital Identities" and "Protecting Your Private Key". All they say is that they've invented some kind of key database ("key wallet" to use their term) that is more secure than what comes with for example MSIE and Netscape Communicator... Personally, if I was confronted with a CA that wanted to create my private key for me, and store it centrally to boot, I'd go somewhere else. Very fast. It contradicts anything even remotely close to being called "secure". -- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */ --------------8A211C6186195BEB17D478B9 Content-Type: text/x-vcard; charset=us-ascii; name="richard.levitte.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Richard Levitte Content-Disposition: attachment; filename="richard.levitte.vcf" begin:vcard n:Levitte;Richard tel;cell:+46-733-72 8811 tel;work:+46-8-58 72 8811 x-mozilla-html:FALSE org:<A HREF="http://www.celocom.com">Celo Communications</A> version:2.1 email;internet:richard.levitte@celocom.se title:Software Artist adr;quoted-printable:;;Sveav=E4gen 145, 5tr=0D=0AStockholm;;;;SWEDEN note;quoted-printable:<br>=0D=0A<table border=3D0>=0D=0A<tr>=0D=0A <td bgcolor=3D"#00ffff">c=EAlo, =E2vi, =E2tum, (latin) 1,v.a.=0D=0A to hide something from one, to keep secret, to conceal.=0D=0A </td>=0D=0A</tr>=0D=0A</table>=0D=0A<br>=0D=0A<table border=3D3>=0D=0A<tr>=0D=0A <td>=0D=0A <table>=0D=0A <tr>=0D=0A <td valign=3Dtop>o/~</td>=0D=0A <td><font size=3D-1>Coding, coding, coding</font><br>=0D=0A Keep'em hackers coding<br>=0D=0A <font size=3D+1>And When They're Done Coding</font><br>=0D=0A <font size=3D7>COMPIIIIIIILE!!</font></td>=0D=0A </tr>=0D=0A </table>=0D=0A </td>=0D=0A</tr>=0D=0A</table> fn:Richard Levitte end:vcard --------------8A211C6186195BEB17D478B9-- Received: from wssone.bj.co.uk (wssone.bj.co.uk [194.72.164.250]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id LAA05041 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 11:15:07 -0700 (PDT) Received: from 194.72.164.27 by wssone.bj.co.uk with ESMTP (WorldSecure Server SMTP Relay(WSS) v4.3); Thu, 20 Jul 00 19:21:17 +0100 X-Server-Uuid: 1407cc62-e1e1-11d2-808b-0060971f0dc2 Received: from piers2k (host212-140-80-197.host.btclick.com [212.140.80.197]) by bjex1.bj.co.uk with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) id MC4C48TZ; Thu, 20 Jul 2000 19:19:31 +0100 Reply-to: piers@bj.co.uk From: "Piers Chivers" <piers@bj.co.uk> To: "'Peter Lipp'" <Peter.Lipp@iaik.at> cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Thu, 20 Jul 2000 19:19:04 +0100 Message-ID: <000901bff276$fdc126e0$1a01a8c0@piers2k.bj.co.uk> MIME-Version: 1.0 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 In-Reply-To: <NDBBLDEHJKOODMJCNBNCMEHCEDAA.Peter.Lipp@iaik.at> X-WSS-ID: 15699C9769027-01-01 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Entrust TruePass Baltimore did something similar for a UK bank. I don't think it's commercially available but was presented at Infosec 2000. Maybe someone from Baltimore can expand?? Piers -----Original Message----- From: Peter Lipp [mailto:Peter.Lipp@iaik.at] Sent: 20 July 2000 16:59 To: piers@bj.co.uk Cc: ietf-pkix@imc.org Subject: AW: Signing what you don't understand > Several leading PKI vendors have implemented systems where the private key > is held on a central Web server and then downloaded at run time to a web > browser. Are you saying that signatures created using these keys are > invalid? Are you sure? Could you provide a reference? I doubt that strongly... Peter ------------------------------------------------------------------------------------------ This message is for the named persons use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. PROTEK Network Management Group and each of its subsidiaries reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Received: from arista.iris.com (arista.iris.com [198.112.211.42]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA04744 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 11:07:02 -0700 (PDT) From: John_Wray@iris.com Subject: Re: Signing what you don't understand To: Denis Pinkas <Denis.Pinkas@bull.net> Cc: John_Wray@iris.com, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.2c February 2, 2000 Message-ID: <OF060C6E85.78B161B4-ON85256922.005E1861@iris.com> Date: Thu, 20 Jul 2000 14:09:56 -0400 X-MIMETrack: Serialize by Router on Arista/Iris(Build V505_07112000 |July 11, 2000) at 07/20/2000 02:09:43 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Denis, >> Note I'm not talking about NR here - > >So what are you talking about ??? The case where an RP receives a document and is trying to verify a signature. The significance of the NR bit in a certificate was the starting point for this discussion, but for now I'm simply concerned with the initial signature verification (if the RP doesn't believe my signature, he certainly can't expect to hold me to it :). Note I'm not restricting this to simple E-mail, where because of the one-to-one, low-latency nature of the communications involved, there is unlikely to be a significant time between signing and verifying (and if there is, the RP can simply ask the sender for a freshly-signed copy). Rather, I'm talking about high-latency or one-to-many environments. An extreme example of this might be signing a document and placing it on a web-site or in a directory - here I am signing the document without any knowledge of the identity of the RPs, and with the possibility of significant delay before an RP will try to verify the signature. >> >A RP can be responsible for acquiring all the requisite evidence for >> >later support of signed document validity, including time stamping >> >this evidence. I think this addresses the scenario you described >> >above. >> >> That addresses the case where the document is processed by the RP prior to >> my CA going out of business, but it doesn't help if trust in the CA has >> already been revoked at the time the RP tries to verify the signature. > >Don't you think that if a RP receives a siganture it has better to >make sure that what it gets is "fine" ? So he should validate the >signature as soon as possible and in order to cover the case of a >possible (volontary) revocation of the signer certificate, he should >time stamp the signature as soon as possible. So the case you are >considering is not a practical case. In the situation I'm discussing, one of the CAs that the signer chose to embed in his signature has already gone out of business by the time the RP sees the signature. >> But that doesn't help >> unless the RP directly trusts the signer's root CA. > >There is no concept of root CA. There is a concept of a Signature >Policy that may involve one or more root CAs but involves many other >conditions. > >> If the RP doesn't trust the root that the signer chooses, > > ... you mean : If the RP thinks that the Signature Policy is not >adequate for his context of use, then this is the end of the story. Yes, that's a concise statement of the problem. By requiring that the signer choose a specific Signature Policy (including, in the context of this discussion, the certificate chain), rather than leaving it to the RP to construct the chain, there is a possibility of a signature being incorrectly determined as invalid. By omitting the signer's certificate chain, and leaving it up to the RP to construct an appropriate chain, then if my CA goes out of business, it wouldn't necessarily invalidate my prior signatures (providing my key can be certified by another CA). >> then the timestamped chain is of >> little use to him, since it won't say anything about the certificates in >> the chain the RP constructs (although if a chain from one of the RP's >> trusted roots happens to "join up" with some fraction of the signer's >> timestamped chain, then the timestamp can be used as evidence of validity >> at signing time of the fraction of the chain below the intersection point). >> >> Even if the RP does trust the signer's root, though, it's not clear why the >> RP's software should believe a signature based on a certificate chain that >> contains revoked certificates (with invalidity dates that precede the >> signature date), even if it includes evidence that at the time of signature >> creation, those certificates had not yet been revoked. > >This is contradictory. "if it includes evidence that at the time of >signature creation, those certificates had not yet been revoked" >means that you must provide a proof that the certificates whre not >revoked at the time of the signature, so you cannot say at the same >time "certificate chain that contains revoked certificates". It's not contradictory: Evidence that a certificate had not been revoked at time T could include a CRL that was valid at T, and that did not list the certificate. However, if later a CRL were published (and were available to the RP) that included the certificate, along with an invalidityDate before time T, then the RP can conclude that the certificate has been revoked, and should not be trusted to verify a signature made at T. John Received: from dfw7-1.relay.mail.uu.net (dfw7-1.relay.mail.uu.net [199.171.54.106]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA03571 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 10:10:04 -0700 (PDT) Received: from xedia.com by dfw7sosrv11.alter.net with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQiyrk08767; Thu, 20 Jul 2000 17:12:37 GMT Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA17285; Thu, 20 Jul 00 13:08:42 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id NAA07477; Thu, 20 Jul 2000 13:12:36 -0400 From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <14711.13059.672729.860650@xedia.com> Date: Thu, 20 Jul 2000 13:12:35 -0400 (EDT) To: pgut001@cs.auckland.ac.nz Cc: kent@bbn.com, sharon.boeyen@entrust.com, ietf-pkix@imc.org Subject: RE: Reverse paths References: <96411195511841@kahu.cs.auckland.ac.nz> X-Mailer: VM 6.72 under 21.1 (patch 9) "Canyonlands" XEmacs Lucid >>>>> "Peter" == Peter Gutmann <pgut001@cs.auckland.ac.nz> writes: Peter> ... (I've seen a Peter> paper which tries to formally model PKIX path processing and Peter> finds that it's somewhat problematic once you try to create a Peter> precise, formal spec rather than the informal description in Peter> the RFC, there are some things which actually require the Peter> informal spec because they can't be specified in a precise, Peter> formal manner). A program (algorithm) is a precise formal specification, so does what you say mean that the RFC cannot be translated into an algorithm? That would be a problem, indeed... paul Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA02888 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 09:50:01 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id EAA10785; Fri, 21 Jul 2000 04:52:35 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <96411195511841>; Fri, 21 Jul 2000 04:52:35 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: kent@bbn.com, sharon.boeyen@entrust.com Subject: RE: Reverse paths Cc: ietf-pkix@imc.org Sender: pgut001@cs.auckland.ac.nz Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Fri, 21 Jul 2000 04:52:35 (NZST) Message-ID: <96411195511841@kahu.cs.auckland.ac.nz> Sharon Boeyen <sharon.boeyen@entrust.com> writes: >However, once you start connecting hierarchies together, e.g. through bridge >CAs and once you moved out of hierarchies into distributed trust models, that >condition no longer holds true. As bridges become more common and the >certificates issued to and by bridges increases, the number of potential paths >becomes quite large. I had a long talk with some people a few weeks back about how to write code to display cert chains in the presence of bridge CA's, and it turns out to be an almost unsolveable problem because the bridges turn a hierarchy of trust into a spaghetti of trust (I won't use the PGP term "web of trust" because PGP was designed for this model and handles it reasonably well, whereas X.509 wasn't and doesn't - I'm not trying to start a PGP flame war here, just pointing out that X.509 was never intended to work this way). The result is that instead of cert decisions being "yes" or "no", they become "probably" (there may be another path which says otherwise) and "maybe" (again, there may be another path which says otherwise). Since you can never know where all the paths lead or if you've examined all of them, you can never really know whether you're making a valid decision based on the information you've got (this is a generalisation of the original problem, which was "how the *#^&$ can we display this mess in a meaningful manner?"). For example, if I start by collecting my set of initial policy identifiers and find a cert for which I don't have a path leading to a member of the policy set, this doesn't mean that the cert isn't acceptable, merely that I haven't found one of the fifteen other paths to another CA which could end in an acceptable policy. Revocation is even messier ("It's revoked! Not it isn't! Yes it is!"). Has anyone ever done an analysis of the potential mess bridge CA's are leading into, or was it just tacked onto the side of the original hierarchical model as a quick fix? (I've seen a paper which tries to formally model PKIX path processing and finds that it's somewhat problematic once you try to create a precise, formal spec rather than the informal description in the RFC, there are some things which actually require the informal spec because they can't be specified in a precise, formal manner). As a subset of this question, how *do* you display the spaghetti of trust in a meaningful manner? Peter. Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA01705 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 09:16:52 -0700 (PDT) Received: from mega (t2o69p98.telia.com [62.20.144.218]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id SAA04575; Thu, 20 Jul 2000 18:19:22 +0200 (CEST) Message-ID: <001301bff26e$86043410$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Peter Lipp" <Peter.Lipp@iaik.at>, <piers@bj.co.uk> Cc: <ietf-pkix@imc.org> Subject: Re: Signing what you don't understand Date: Thu, 20 Jul 2000 19:18:27 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id JAA01710 Peter, >> Several leading PKI vendors have implemented systems where the private key >> is held on a central Web server and then downloaded at run time to a web >> browser. Are you saying that signatures created using these keys are >> invalid? >Are you sure? Could you provide a reference? I doubt that strongly... > >Peter I think this is one... http://www.arcot.com/products/webfort.html Anders Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA01675 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 09:16:46 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA28016; Thu, 20 Jul 2000 18:23:10 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA41600; Thu, 20 Jul 2000 18:18:45 +0200 Message-ID: <397725DB.925DE2C6@bull.net> Date: Thu, 20 Jul 2000 18:16:27 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: John_Wray@iris.com CC: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <OF71EFC20C.08145845-ON85256922.004BC9D3@iris.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit John, Let me jump in this discussion (and hopefully go out very quickly). > Steve, > (...) > >A RP can be responsible for acquiring all the requisite evidence for > >later support of signed document validity, including time stamping > >this evidence. I think this addresses the scenario you described > >above. > > That addresses the case where the document is processed by the RP prior to > my CA going out of business, but it doesn't help if trust in the CA has > already been revoked at the time the RP tries to verify the signature. Don't you think that if a RP receives a siganture it has better to make sure that what it gets is "fine" ? So he should validate the signature as soon as possible and in order to cover the case of a possible (volontary) revocation of the signer certificate, he should time stamp the signature as soon as possible. So the case you are considering is not a practical case. > Note I'm not talking about NR here - So what are you talking about ??? > In the scenario I'm concerned with, > the RP will itself not trust my signature, even though it should be valid. > In an e-mail environment, this may not matter too much, as the RP could > simply ask the signer to re-send a freshly signed copy of the e-mail, but > in a work-flow or EDI environment, where documents move through a system > acquiring multiple counter-signatures over portions of the documents, it > may be impractical to simply re-start the process. > > It is possible for the signer to timestamp his signature, along with a > complete certification path from some root CA, along with CRL- or > OCSP-based liveness evidence for every certificate on that path. This is, > I think, what ESS terms a signer-generated ES-X. Yes. This is one of the formats that may be used. > But that doesn't help > unless the RP directly trusts the signer's root CA. There is no concept of root CA. There is a concept of a Signature Policy that may involve one or more root CAs but involves many other conditions. > If the RP doesn't > trust the root that the signer chooses, ... you mean : If the RP thinks that the Signature Policy is not adequate for his context of use, then this is the end of the story. > then the timestamped chain is of > little use to him, since it won't say anything about the certificates in > the chain the RP constructs (although if a chain from one of the RP's > trusted roots happens to "join up" with some fraction of the signer's > timestamped chain, then the timestamp can be used as evidence of validity > at signing time of the fraction of the chain below the intersection point). > > Even if the RP does trust the signer's root, though, it's not clear why the > RP's software should believe a signature based on a certificate chain that > contains revoked certificates (with invalidity dates that precede the > signature date), even if it includes evidence that at the time of signature > creation, those certificates had not yet been revoked. This is contradictory. "if it includes evidence that at the time of signature creation, those certificates had not yet been revoked" means that you must provide a proof that the certificates whre not revoked at the time of the signature, so you cannot say at the same time "certificate chain that contains revoked certificates". Denis > Even if not > rejected outright, such a signature should be treated as at best > suspicious. > > John Received: from iaik.tu-graz.ac.at (excalibur.iaik.tu-graz.ac.at [129.27.152.30]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA01112 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 08:55:06 -0700 (PDT) Received: from PLIPP2 [129.27.152.34] by iaik.tu-graz.ac.at (SMTPD32-6.00) id A165D00134; Thu, 20 Jul 2000 17:57:25 +0200 From: "Peter Lipp" <Peter.Lipp@iaik.at> To: <piers@bj.co.uk> Cc: <ietf-pkix@imc.org> Subject: AW: Signing what you don't understand Date: Thu, 20 Jul 2000 17:58:35 +0200 Message-ID: <NDBBLDEHJKOODMJCNBNCMEHCEDAA.Peter.Lipp@iaik.at> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 In-reply-to: <000301bff227$44419be0$1a01a8c0@piers2k.bj.co.uk> > Several leading PKI vendors have implemented systems where the private key > is held on a central Web server and then downloaded at run time to a web > browser. Are you saying that signatures created using these keys are > invalid? Are you sure? Could you provide a reference? I doubt that strongly... Peter Received: from smtp1.atl.equifax.com (smtp1.atl.equifax.com [216.46.96.117]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA00838 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 08:47:36 -0700 (PDT) From: Mcken.Mak@equifax.com Received: from postoffice-2.equifax.com (unknown [192.168.4.11]) by smtp1.atl.equifax.com (Postfix) with ESMTP id 039E374EAA; Thu, 20 Jul 2000 11:49:41 -0400 (EDT) Received: from noteswetc15.fin.equifax.com (noteswetc15.fin.equifax.com [172.18.113.65]) by postoffice-2.equifax.com (Postfix) with SMTP id 404B36A2AC; Thu, 20 Jul 2000 11:49:43 -0400 (EDT) Received: by noteswetc15.fin.equifax.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 85256922.0056EE12 ; Thu, 20 Jul 2000 11:49:30 -0400 X-Lotus-FromDomain: EQUIFAX To: "Anders Rundgren" <anders.rundgren@telia.com> Cc: ietf-pkix@imc.org Message-ID: <85256922.0056EBC2.00@noteswetc15.fin.equifax.com> Date: Thu, 20 Jul 2000 11:49:22 -0400 Subject: Re: Value of smart cards. Re: Signing what you don't understand Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline >The discrete credit-sized smart card is probably not going to take over the world >as you say. But the SIM/WIM card will. Actually 300 million *existing* customers >can't be wrong! I just want to add a comment for the SIM card - It is a smaller version of Smartcard in a different footprint. The program in the GSM card use non-standard encryption, it is not truely secure (both phyical/logical). >It provides a cheap tamper-resistant storage and crypto-processor that *will* also >be apart of PDAs when they are "connected". It is the ability to insert a >subscription into a mobile phone and PDA that is the driving factor now. >Later it will be PKI. IMHO: I do like to see the PDA or phone will accept personal (crypto) smartcard that could perform secure operations (ie. Sign Document, payment...) Mcken Mak Received: from e3.ny.us.ibm.com (e3.ny.us.ibm.com [32.97.182.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA24590 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 08:04:10 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e3.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id LAA24110; Thu, 20 Jul 2000 11:06:15 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id LAA37018; Thu, 20 Jul 2000 11:06:13 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 85256922.0052F626 ; Thu, 20 Jul 2000 11:06:09 -0400 X-Lotus-FromDomain: IBMUS To: "Simon McMahon" <simon@onthenet.com.au> cc: ietf-pkix@imc.org, "Tony Bartoletti" <azb@llnl.gov> Message-ID: <85256922.0052F4C9.00@D51MTA04.pok.ibm.com> Date: Thu, 20 Jul 2000 11:06:04 -0400 Subject: Re: A Real Rationale for Dedicated Keys Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline "Simon McMahon" <simon@onthenet.com.au> on 07/20/2000 05:05:01 AM To: <ietf-pkix@imc.org>, "Tony Bartoletti" <azb@llnl.gov> cc: Subject: Re: A Real Rationale for Dedicated Keys > My point being, the key-owner is the primary point of > control in enforcing a "one-key, one-cert" personal regime. > The "key generator" is really the primary point of control and need not be the same as the "key owner" (the one who makes signatures). Some CAs insist on having some control over key origin, key generation, or at least the equipment used to do it so that uncontrolled certifications and hackable private keys can be avoided. I would expect that all commercial CAs that generate certs intended for NR usage will have to control key generation. Does it really matter how many certificates there are for a public key as long as the one specifying NR relates to a private key that cannot be duplicated ? I dont see how multiple certs for a key is a threat to non-repudiation of signatures. Only private key exposure / duplication is. [Tom Gindin] The threat is that the subject could claim, as an attempt to repudiate, that he was using an ordinary authentication key, and he didn't know that it was for NR. For this reason and similar ones, having multiple certificates with conflicting key usages but the same key is surely bad practice - having multiple certificates with the same key usages and the same key from different issuers is much less so. There is a converse threat, in that an untrustworthy CA could (in theory) issue certificates for users it has no relationship with, based on existing valid certificates, but with stronger key usage and an RP could claim reliance on such certificates. Then the CA goes out of operation and the RP claims non-repudiation. Regards, Simon McMahon. ERACOM Pty. Ltd. Received: from arista.iris.com (arista.iris.com [198.112.211.42]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA24290 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 07:55:18 -0700 (PDT) From: John_Wray@iris.com Subject: Re: Signing what you don't understand To: Stephen Kent <kent@bbn.com> Cc: John_Wray@iris.com, <ietf-pkix@imc.org> X-Mailer: Lotus Notes Release 5.0.2c February 2, 2000 Message-ID: <OF71EFC20C.08145845-ON85256922.004BC9D3@iris.com> Date: Thu, 20 Jul 2000 10:58:08 -0400 X-MIMETrack: Serialize by Router on Arista/Iris(Build V505_07112000 |July 11, 2000) at 07/20/2000 10:57:58 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Steve, >>What other mechanisms would cover that case of my issuing CA going out of >>business? If a CA's assets (including its keys) are sold as part of a >>bankruptcy process, I would think that trust in those keys would be fairly >>quickly revoked by other CAs that might have cross-certified it. In this >>case, invalidityDate on those revocations would probably be set so that no >>certificate that had been issued by the former CA's key would be trusted >>(to prevent the keys' new owners from issuing new backdated certificates). >>However, as a subscriber to the former CA, I don't see why my signatures >>should suddenly become less trustworthy, if my key can be verified via >>another path. > >A RP can be responsible for acquiring all the requisite evidence for >later support of signed document validity, including time stamping >this evidence. I think this addresses the scenario you described >above. That addresses the case where the document is processed by the RP prior to my CA going out of business, but it doesn't help if trust in the CA has already been revoked at the time the RP tries to verify the signature. Note I'm not talking about NR here - In the scenario I'm concerned with, the RP will itself not trust my signature, even though it should be valid. In an e-mail environment, this may not matter too much, as the RP could simply ask the signer to re-send a freshly signed copy of the e-mail, but in a work-flow or EDI environment, where documents move through a system acquiring multiple counter-signatures over portions of the documents, it may be impractical to simply re-start the process. It is possible for the signer to timestamp his signature, along with a complete certification path from some root CA, along with CRL- or OCSP-based liveness evidence for every certificate on that path. This is, I think, what ESS terms a signer-generated ES-X. But that doesn't help unless the RP directly trusts the signer's root CA. If the RP doesn't trust the root that the signer chooses, then the timestamped chain is of little use to him, since it won't say anything about the certificates in the chain the RP constructs (although if a chain from one of the RP's trusted roots happens to "join up" with some fraction of the signer's timestamped chain, then the timestamp can be used as evidence of validity at signing time of the fraction of the chain below the intersection point). Even if the RP does trust the signer's root, though, it's not clear why the RP's software should believe a signature based on a certificate chain that contains revoked certificates (with invalidity dates that precede the signature date), even if it includes evidence that at the time of signature creation, those certificates had not yet been revoked. Even if not rejected outright, such a signature should be treated as at best suspicious. John Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA23964 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 07:45:44 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FY000G013SBLN@ext-mail.valicert.com> for ietf-pkix@imc.org; Thu, 20 Jul 2000 07:48:11 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FY000G443SAHR@ext-mail.valicert.com>; Thu, 20 Jul 2000 07:48:10 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36006Q06>; Thu, 20 Jul 2000 07:40:00 -0700 Content-return: allowed Date: Thu, 20 Jul 2000 07:39:59 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: Signing what you don't understand To: "'byron.k.stump@verizon.com'" <byron.k.stump@verizon.com>, "Golkin, Ken (CAP, CMC)" <Ken_Golkin@mortgage.ge.com> Cc: "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE20177AFD3@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Byron Stump wrote: > With transactions that are not direct equivalents of paper > contracts, the issues > get even murkier, but perhaps commonsense practices could be > proposed to include > an explicit acknowledgement of the intent to be bound within > the material being > signed. In an online ordering system, this could be a > prominent notice such as > "By proceeding, I understand that I am entering into a > contract to buy the > widget." along with a completed NAME field that can be > matched to the name > bound to the verification key. I agree. Please note Byron's use of "explicit" above. Every meaningful document that I have ever signed has explicitly included one or more verbs. There is no reason why explicit verbs cannot or should not be included in signed authentication responses. For example, "I received the following bytes ..." could be signed. Just because authentication protocols exist that include implicit verbs does not mean this is good practice. If explicit verbs are included, I really do not see a difference between signing an authentication response, a credit card slip [or whatever it is called] to purchase a pizza or a purchase order for a jet aircraft. Frank > -----Original Message----- > From: byron.k.stump@verizon.com [mailto:byron.k.stump@verizon.com] > Sent: Thursday, July 20, 2000 10:13 AM > To: Golkin, Ken (CAP, CMC) > Cc: 'Stephen Kent'; ietf-pkix@imc.org > Subject: RE: Signing what you don't understand > > > > > I've been monitoring this discussion for a couple of weeks. > > May I offer an example to try to crystallize a key point of > this discussion? > > Assume I am negotiating the language of a contract with a > third party and my > purchasing department. We may send numerous drafts back and > forth as e-mail > attachments, in an effort to arrive at agreeable language. > Obviously I can > digitally sign each draft of the contract document before > attaching it, just to > make sure no third party substitutes language in my name. It > should be clear > that in doing so, however, I have not "signed the contract" > in the normal sense. > > Now assuming that all parties accept digital signatures as > binding, the question > is how do I sign it differently when I mean to execute the contract? > > That is the crux of the matter. In protecting the drafts, I > am neither signing > something that I do not understand, nor am I not executing a contract. > > Seems to me absent some elaborate schemes involving multiple > keys, the answer is > that the content and context must be used to determine the > intent. It could be > argued that in this instance, if the contract document > contains "DRAFT", or does > not have my name in the document on a signature line, then it > could be expected > that a reasonable person (or court) would correctly infer > that it was merely a > digitally signed document, not a legally signed contract. > But what if the final > draft does not say DRAFT, and has the signature lines filled > in? That is the > problem, and I think its resolution is in the realms of > evolving practices, > legislation and case law, and cannot be addressed completely > by a technical > spec. > > With transactions that are not direct equivalents of paper > contracts, the issues > get even murkier, but perhaps commonsense practices could be > proposed to include > an explicit acknowledgement of the intent to be bound within > the material being > signed. In an online ordering system, this could be a > prominent notice such as > "By proceeding, I understand that I am entering into a > contract to buy the > widget." along with a completed NAME field that can be > matched to the name > bound to the verification key. > > Byron > > > > > Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA23563 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 07:35:21 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FY000G0139EJ8@ext-mail.valicert.com> for ietf-pkix@imc.org; Thu, 20 Jul 2000 07:36:50 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FY000G1H39EHR@ext-mail.valicert.com> for ietf-pkix@imc.org; Thu, 20 Jul 2000 07:36:50 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36006Q9L>; Thu, 20 Jul 2000 07:28:40 -0700 Content-return: allowed Date: Thu, 20 Jul 2000 07:28:31 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: Self-Signed Certificate To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Message-id: <27FF4FAEA8CDD211B97E00902745CBE20177AFD2@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 PKIX uses the term self-signed certificate without defining it (e.g., RFC 2459, draft-ietf-pkix-new-part1-01.txt and draft-ietf-pkix-scvp-03.txt). Clearly, a self-signed certificate's subject public key MUST verify its signature. MUST a self-signed certificate's issuer equal its subject? Frank Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA22694 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 07:12:54 -0700 (PDT) Received: from mega (t2o69p46.telia.com [62.20.144.166]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id QAA17727; Thu, 20 Jul 2000 16:15:26 +0200 (CEST) Message-ID: <001f01bff25d$35f06310$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Paul Koning" <pkoning@xedia.com> Cc: <ietf-pkix@imc.org> Subject: Re: Signing what you don't understand Date: Thu, 20 Jul 2000 17:14:31 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id HAA22695 Paul, > Anders> Piers, > >> I would welcome comments from this forum on their opinion of the > >> validity of signatures where the private key and end-user are not > >> co-located. > > Anders> This is now for real as VISA-EU has lost faith in the > Anders> original SET model with local key/cert and will aggresively > Anders> push a server-based model. Way to go IMO! > >What does that mean? It means that the SET card-holder certificate+private key is stored and excuted on the customer's bank instead of in his/her PC, Why do that? This I have talked about several times on this list so I will not go into details but this one is easy: Most potential customers already have an Internet- bank facility that uses some kind of proprietary security solution. In Sweden most banks use a hardware box like secureID or Activecard. With the Server Wallet you use the same security solution for credit-card payments. Assuming that the issuer is the very same bank which is true in 99 cases out of 100. A small step closer to SSO [Single Sign On] :-). I.e. you redirect the merchants's payment request to your bank and authenticate to the cert/key using a bank-specific security solution and then the bank does the rest. All communication is shielded by SSL of course. > Anders> But this was maybe more than you asked for, beacuse the > Anders> signatures are also created on the server (wallet) which is > Anders> not the same as downloading private keys when needed. > > Anders> In German unfortunately: > > Anders> http://www.visa.de/df/presse/pressetexte/000619_001.htm > >Unfortunately that document doesn't actually say anything. It's just >marketing vapor. > >Do you have a reference that contains information? Currently not. This is information gathered from Commerce.Net and it does not contain very much technical details. However, I have confirmed that it works as describe. Anders Received: from tpamail2.bdi.gte.com (tpamail2.bdi.gte.com [192.76.82.136]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA22630 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 07:11:53 -0700 (PDT) From: byron.k.stump@verizon.com Received: from tpamail2.bdi.gte.com (localhost [127.0.0.1]) by tpamail2.bdi.gte.com (8.9.3/8.9.3) with ESMTP id KAA29124 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 10:13:58 -0400 (EDT) Received: from smtptpa.interwan.gte.com ([138.83.66.45]) by tpamail2.bdi.gte.com (8.9.3/8.9.3) with ESMTP id KAA28976; Thu, 20 Jul 2000 10:13:48 -0400 (EDT) Received: from imr01.bellatlantic.com ([141.152.156.12]) by smtptpa.interwan.gte.com (8.9.3/8.9.3) with ESMTP id KAA15635; Thu, 20 Jul 2000 10:13:26 -0400 (EDT) Received: from fhsmtp03.bell-atl.com (is051952.bellatlantic.com [141.152.101.51]) by imr01.bellatlantic.com (8.8.8/8.8.5) with SMTP id KAA29094; Thu, 20 Jul 2000 10:13:08 -0400 (EDT) Received: by fhsmtp03.bell-atl.com(Lotus SMTP MTA v4.6.7 (934.1 12-30-1999)) id 85256922.004E153B ; Thu, 20 Jul 2000 10:12:52 -0400 X-Lotus-FromDomain: BELL-ATL To: "Golkin, Ken (CAP, CMC)" <Ken_Golkin@mortgage.ge.com> cc: "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Message-ID: <85256922.004E12C5.00@fhsmtp03.bell-atl.com> Date: Thu, 20 Jul 2000 10:12:54 -0400 Subject: RE: Signing what you don't understand Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline I've been monitoring this discussion for a couple of weeks. May I offer an example to try to crystallize a key point of this discussion? Assume I am negotiating the language of a contract with a third party and my purchasing department. We may send numerous drafts back and forth as e-mail attachments, in an effort to arrive at agreeable language. Obviously I can digitally sign each draft of the contract document before attaching it, just to make sure no third party substitutes language in my name. It should be clear that in doing so, however, I have not "signed the contract" in the normal sense. Now assuming that all parties accept digital signatures as binding, the question is how do I sign it differently when I mean to execute the contract? That is the crux of the matter. In protecting the drafts, I am neither signing something that I do not understand, nor am I not executing a contract. Seems to me absent some elaborate schemes involving multiple keys, the answer is that the content and context must be used to determine the intent. It could be argued that in this instance, if the contract document contains "DRAFT", or does not have my name in the document on a signature line, then it could be expected that a reasonable person (or court) would correctly infer that it was merely a digitally signed document, not a legally signed contract. But what if the final draft does not say DRAFT, and has the signature lines filled in? That is the problem, and I think its resolution is in the realms of evolving practices, legislation and case law, and cannot be addressed completely by a technical spec. With transactions that are not direct equivalents of paper contracts, the issues get even murkier, but perhaps commonsense practices could be proposed to include an explicit acknowledgement of the intent to be bound within the material being signed. In an online ordering system, this could be a prominent notice such as "By proceeding, I understand that I am entering into a contract to buy the widget." along with a completed NAME field that can be matched to the name bound to the verification key. Byron Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA22205 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 07:02:46 -0700 (PDT) Received: from eastmail2.East.Sun.COM ([129.148.1.241]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id HAA03745; Thu, 20 Jul 2000 07:05:06 -0700 (PDT) Received: from sunlabs.East.Sun.COM (sunlabs-74.East.Sun.COM [129.148.74.250]) by eastmail2.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id KAA00911; Thu, 20 Jul 2000 10:05:02 -0400 (EDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.1) with ESMTP id KAA12225; Thu, 20 Jul 2000 10:05:01 -0400 (EDT) Message-ID: <397706E7.9C032886@sun.com> Date: Thu, 20 Jul 2000 10:04:23 -0400 From: Steve Hanna <steve.hanna@sun.com> Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Stephen Kent <kent@bbn.com> CC: Sharon Boeyen <sharon.boeyen@entrust.com>, ietf-pkix@imc.org Subject: Re: Reverse paths References: <ED026032A3FCD211AEDA00105A9C4696016E584C@sothmxs05.entrust.com> <v04220807b59baae71151@[128.33.238.44]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Stephen Kent wrote: > I am uncomfortable with the proposal that we mandate both elements, > as this would seem to imply that every CA would have to engage in > reverse path certificate generation in all contexts. Did I > misunderstand the implication? I'm not sure what you mean by "reverse path certificate generation". This change would require that when a CA issues a cross certificate, they would have to place a copy of it in their own directory entry (in the reverse element of a value of the crossCertificate attribute). It would not require the generation of any additional certificates. > I know that Entrust has always encouraged (required?) this type of > cross certification among CAs, but it doesn't seem that other CA > vendors or most users have. I would not think it appropriate to > impose this sort of requirement, given the vendor-specific > implications of such a change. I don't see this as a vendor-specific issue, but rather as an aid to building certification paths. -Steve Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA21549 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 06:52:25 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <PHL2GYQX>; Thu, 20 Jul 2000 09:54:31 -0400 Message-ID: <ED026032A3FCD211AEDA00105A9C4696016E587B@sothmxs05.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Stephen Kent'" <kent@bbn.com> Cc: ietf-pkix@imc.org Subject: RE: Reverse paths Date: Thu, 20 Jul 2000 09:52:53 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Hi Steve, I guess I should have made my thoughts a little clearer. Rather than vendors, lets talk about trust models. Within a single hierarchy I agree that the current text is optimum, because of the point that every certificate has one and only one superior certificate. However, once you start connecting hierarchies together, e.g. through bridge CAs and once you moved out of hierarchies into distributed trust models, that condition no longer holds true. As bridges become more common and the certificates issued to and by bridges increases, the number of potential paths becomes quite large.In that trust model, the ONLY way that you prune branches, and eliminate potential paths that are not appropriate, is by building in the reverse direction. Building in the same direction as one would in a hierarchy means that you must build each complete path before processing any of the certificates. Building in the reverse direction for the distribution trust model allows early elimination of paths based on such issues as name constraints, policy constraints and many others. It is my opinion that recent events, such as the US Federal Bridge CA activity have shown that a single global hierarchy does not work, that distributed trust models are, in fact necessary as well. Because of these events and because the issue was raised, not by me but by another vendor (Sean Mullan from Sun), I thought it was a reasonable recommendation to support now. Having said that, let me clarify what I meant. To answer your first question, no I don't mean to impose reverse in all contexts. Nor do I mean to impose bilateral cross-certification. Rather, I am suggesting mandating that, in addition to what PKIX says currently, a CA that issues a certificate to another CA (where the subject CA is NOT a subordinate CA to the issuing CA within a hierarchy), must place that certificate in the reverse element of the cross certificate pairs attribute of the its own directory entry. No impact within a hierarchy at all, no requirement that cross certification be bilateral. Sorry for the confusion and I hope this is a bit clearer. So I guess to summarize: - Within a strict hierarchy, the forward element must be populated - At the root of a strict hierarchy that has cross-certified with CAs outside that hierarchy, both forward and reverse must be populated. In addition to any certificates that applied to the hierarchy itself, the forward element would contain any certificates issued to the root by an external CA and reverse would contain any certificates that the root had issued to external CAs - these need not be pairs) - Within a distributed trust model, both forward and reverse must be populated (actually I suspect that only reverse is really needed but for backward compatibility we'd need to mandate both). Finally, I don't normally talk about Entrust products on any public list, but since you raised it I feel it necessary to respond. Entrust products support both hierarchical and distributed trust models. In the hierarchical case, we build certification paths from the end-entity certificate to the root, in the same way as other vendors and the same way PKIX outlines. In the distributed trust model, we build certification paths in the opposite direction (for efficiency reasons) using the reverse element. I don't believe this is a vendor specific issue (note it was raised by Sun not by Entrust), but I am certainly interested in hearing from other vendors and especially from users and will support the consensus. In no way do I wish to pursue another long drawn out debate on this, along the lines of a few years ago. I merely thought that we had progressed to a point where bridge CAs and distributed trust models were more generally accepted and the requirements for populating reverse go hand in hand with that model. Hope this clarifies my intent. Cheers, Sharon > -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Wednesday, July 19, 2000 3:03 PM > To: Sharon Boeyen > Cc: ietf-pkix@imc.org > Subject: RE: Reverse paths > > > Sharon, > > <snip> > > > >I would like to support Sean's request that for the LDAPv3 schema we > >consider making the reverse element mandatory along with the forward > >element. > >This would be a great step forward in supporting > interoperability among PKI > >products and services and, since it does not impact existing > LDAPv2 systems, > > > >doesn't cause those previously deployed systems to be non-conformant. > > > >With both elements mandatory, regardless of the direction the path is > >being built, the certificate using system will be able to locate the > >information > >it seeks. > > > > I am uncomfortable with the proposal that we mandate both elements, > as this would seem to imply that every CA would have to engage in > reverse path certificate generation in all contexts. Did I > misunderstand the implication? > I know that Entrust has always encouraged (required?) this type of > cross certification among CAs, but it doesn't seem that other CA > vendors or most users have. I would not think it appropriate to > impose this sort of requirement, given the vendor-specific > implications of such a change. > > Steve > Received: from dfw7-1.relay.mail.uu.net (dfw7-1.relay.mail.uu.net [199.171.54.106]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA20416 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 06:22:32 -0700 (PDT) Received: from xedia.com by dfw7sosrv11.alter.net with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQiyqv09495; Thu, 20 Jul 2000 13:25:06 GMT Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA14254; Thu, 20 Jul 00 09:21:12 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id JAA00877; Thu, 20 Jul 2000 09:25:05 -0400 From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <14710.64945.400810.759825@xedia.com> Date: Thu, 20 Jul 2000 09:25:05 -0400 (EDT) To: anders.rundgren@telia.com Cc: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <001b01bff250$38e01be0$0201a8c0@mega.vincent.se> X-Mailer: VM 6.72 under 21.1 (patch 9) "Canyonlands" XEmacs Lucid >>>>> "Anders" == Anders Rundgren <anders.rundgren@telia.com> writes: Anders> Piers, >> I would welcome comments from this forum on their opinion of the >> validity of signatures where the private key and end-user are not >> co-located. Anders> This is now for real as VISA-EU has lost faith in the Anders> original SET model with local key/cert and will aggresively Anders> push a server-based model. Way to go IMO! What does that mean? Anders> But this was maybe more than you asked for, beacuse the Anders> signatures are also created on the server (wallet) which is Anders> not the same as downloading private keys when needed. Anders> In German unfortunately: Anders> http://www.visa.de/df/presse/pressetexte/000619_001.htm Unfortunately that document doesn't actually say anything. It's just marketing vapor. Do you have a reference that contains information? paul Received: from dfw7-1.relay.mail.uu.net (dfw7-1.relay.mail.uu.net [199.171.54.106]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA19942 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 06:14:32 -0700 (PDT) Received: from xedia.com by dfw7sosrv11.alter.net with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQiyqv29910; Thu, 20 Jul 2000 13:17:03 GMT Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA14108; Thu, 20 Jul 00 09:13:09 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id JAA00867; Thu, 20 Jul 2000 09:17:02 -0400 From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <14710.64462.383653.293837@xedia.com> Date: Thu, 20 Jul 2000 09:17:02 -0400 (EDT) To: ben@algroup.co.uk Cc: ericm@lne.com, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <14709.44186.650038.290537@xedia.com> <LPBBLAPIGLOAGIHKOOGDKEOLCBAA.jean.med@arabtrust.com> <14709.45766.150139.121650@xedia.com> <3975EAFC.9E03C4FC@algroup.co.uk> <20000719202512.G17726@slack.lne.com> <3976BA21.FC99EE80@algroup.co.uk> X-Mailer: VM 6.72 under 21.1 (patch 9) "Canyonlands" XEmacs Lucid >>>>> "Ben" == Ben Laurie <ben@algroup.co.uk> writes: Ben> Eric Murray wrote: >> On Wed, Jul 19, 2000 at 06:53:00PM +0100, Ben Laurie wrote: > >> Paul Koning wrote: > > > > First of all, the private key is >> "always with the owner" *only* if you > > have a smartcard with >> embedded PKI engine. Those exist but there > > certainly are >> plenty of PK signing scenarios where they are not used. > > Woah! >> Smartcard salesman detected... what about, say, a Palm, or a > >> Psion? These have an advantage over smartcards, too, in that they >> have > UIs. >> >> The UI on a Palm is really useful from a security standpoint. >> However, the OS with no memory protection negates any use that >> requires security. The slow crypto performance doesn't help >> either. Ben> I'm not arguing with that - but how about the newer PC-style Ben> PDAs (haven't got around to finding out what's in them, but an Ben> MMU seems likely)? If the applications are well-controlled the lack of MMU doesn't matter. I could point you to several examples of secure timesharing systems built on top of apparently-insecure hardware. Conversely, PC-style PDAs run PC-style applications and a PC-style OS, and therefore are likely to be just as virus-friendly as the PCs are. It's easy to build insecure products on any hardware, if your design rule is to aim for flashy "features" and use those as a justification for designing security chasms into the product. The interesting question is where the Palm OS fits in this scale. I don't know from personal analysis. I'd expect it to be somewhere in the middle, though how far to the insecure side is the critical question. paul Received: from unknown-147.101.pilot.net (unknown-147-101.pilot.net [198.232.147.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA19013 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 05:49:16 -0700 (PDT) Received: from unknown-24-5.pilot.net (unknown-24-5.pilot.net [206.189.24.5]) by unknown-147.101.pilot.net with ESMTP id FAA09670; Thu, 20 Jul 2000 05:51:48 -0700 (PDT) Received: from ralsimcout.gecmc.ge.com (localhost [127.0.0.1]) by unknown-24-5.pilot.net with ESMTP id FAA19218; Thu, 20 Jul 2000 05:51:48 -0700 (PDT) Received: by ralsimcout.gecmc.ge.COM with Internet Mail Service (5.5.2651.58) id <PFYKKF34>; Thu, 20 Jul 2000 08:51:45 -0400 Message-ID: <3D1CC63B9E24D211B48B000000004C0B038826AE@chlmail.gecmc.ge.COM> From: "Golkin, Ken (CAP, CMC)" <Ken_Golkin@mortgage.ge.com> To: "'Stephen Kent'" <kent@bbn.com> Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Thu, 20 Jul 2000 08:51:45 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2651.58) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF249.42DAC070" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF249.42DAC070 Content-Type: text/plain; charset="iso-8859-1" I didn't sign in and most importantly there is persistent record of me having entered. There are other places that I have "signed in" and there are indeed persistent records there. -----Original Message----- From: Stephen Kent [mailto:kent@bbn.com] Sent: Wednesday, July 19, 2000 02:32 PM To: Golkin, Ken (CAP, CMC) Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Ken, >This discussion seems to be confusing two different uses for certificates >1) Authentication (I am who I say I am) >2) Signature (I signed a legally binding document) > >In the first case I showed my company issue picture ID (certificate) >to the guard at the door and he let me in the building this morning. Or, maybe you "signed in" as part of entering your workplace, .... <snip> Steve ------_=_NextPart_001_01BFF249.42DAC070 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2651.75"> <TITLE>RE: Signing what you don't understand</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I didn't sign in and most importantly there is = persistent record of me having entered. There are other places = that I have "signed in" and there are indeed persistent = records there.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Stephen Kent [<A = HREF=3D"mailto:kent@bbn.com">mailto:kent@bbn.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Wednesday, July 19, 2000 02:32 PM</FONT> <BR><FONT SIZE=3D2>To: Golkin, Ken (CAP, CMC)</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Signing what you don't = understand</FONT> </P> <BR> <P><FONT SIZE=3D2>Ken,</FONT> </P> <P><FONT SIZE=3D2>>This discussion seems to be confusing two = different uses for certificates</FONT> <BR><FONT SIZE=3D2>>1) Authentication (I am who I say I am)</FONT> <BR><FONT SIZE=3D2>>2) Signature (I signed a legally binding = document)</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>In the first case I showed my company issue = picture ID (certificate) </FONT> <BR><FONT SIZE=3D2>>to the guard at the door and he let me in the = building this morning.</FONT> </P> <P><FONT SIZE=3D2>Or, maybe you "signed in" as part of = entering your workplace, ....</FONT> </P> <P><FONT SIZE=3D2><snip></FONT> </P> <P><FONT SIZE=3D2>Steve</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF249.42DAC070-- Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA18397 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 05:39:59 -0700 (PDT) Received: from mega (t3o69p114.telia.com [62.20.145.114]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id OAA17667; Thu, 20 Jul 2000 14:42:27 +0200 (CEST) Message-ID: <001b01bff250$38e01be0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: <piers@bj.co.uk>, "'Jean Abraham'" <jean.med@arabtrust.com>, "'Paul Koning'" <pkoning@xedia.com> Cc: <ietf-pkix@imc.org> Subject: Re: Signing what you don't understand Date: Thu, 20 Jul 2000 15:41:32 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id FAA18399 Piers, >I would welcome comments from this forum on their opinion of the validity of >signatures where the private key and end-user are not co-located. This is now for real as VISA-EU has lost faith in the original SET model with local key/cert and will aggresively push a server-based model. Way to go IMO! But this was maybe more than you asked for, beacuse the signatures are also created on the server (wallet) which is not the same as downloading private keys when needed. In German unfortunately: http://www.visa.de/df/presse/pressetexte/000619_001.htm Anders Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA08448 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 02:39:31 -0700 (PDT) Received: from jean [195.39.160.196] by mail.arabtrust.com (SMTPD32-6.00) id A9F826EE00CE; Thu, 20 Jul 2000 05:44:24 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: "Simon McMahon" <simon@onthenet.com.au>, <ietf-pkix@imc.org>, "Tony Bartoletti" <azb@llnl.gov> Subject: RE: A Real Rationale for Dedicated Keys Date: Thu, 20 Jul 2000 12:40:42 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDMEPFCBAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 In-reply-to: <01a601bff229$a8bcf540$8802a8c0@eracom.com.au> Simon, Could you tell me what has NR (Non-Repudation) to do with CA control key generation. Jean -----Original Message----- From: Simon McMahon [mailto:simon@onthenet.com.au] Sent: Thursday, July 20, 2000 12:05 PM To: ietf-pkix@imc.org; Tony Bartoletti Subject: Re: A Real Rationale for Dedicated Keys > My point being, the key-owner is the primary point of > control in enforcing a "one-key, one-cert" personal regime. > The "key generator" is really the primary point of control and need not be the same as the "key owner" (the one who makes signatures). Some CAs insist on having some control over key origin, key generation, or at least the equipment used to do it so that uncontrolled certifications and hackable private keys can be avoided. I would expect that all commercial CAs that generate certs intended for NR usage will have to control key generation. Does it really matter how many certificates there are for a public key as long as the one specifying NR relates to a private key that cannot be duplicated ? I dont see how multiple certs for a key is a threat to non-repudiation of signatures. Only private key exposure / duplication is. Regards, Simon McMahon. ERACOM Pty. Ltd. Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA08067 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 02:32:27 -0700 (PDT) Received: from jean [195.39.160.196] by mail.arabtrust.com (SMTPD32-6.00) id A84A26DA00CE; Thu, 20 Jul 2000 05:37:14 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: <piers@bj.co.uk>, "'Paul Koning'" <pkoning@xedia.com> Cc: <ietf-pkix@imc.org> Subject: RE: Signing what you don't understand Date: Thu, 20 Jul 2000 12:33:31 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDEEPFCBAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 In-reply-to: <000301bff227$44419be0$1a01a8c0@piers2k.bj.co.uk> Piers, If you would take in to consideration certs that sign emails only then the private key is in the browser or in the machine from which the cert was requested for. When you speak of web server certs then the private key is with the client's web server. If a private key is not with the owner then the owner cannot encrypt or sign or open any email that has been previously signed. At runtime you are speaking of is online shopping then you would have https:// which is SSL then no private key downloaded to someone's PC. You can test the above by applying for a cert that signs email, then before installation of the cert reformat the system and you will see that the cert will not install. For the web server cert you can test, before installation of the cert reconfigure the web server or format the system. The phyical location of the private key is relevant because with that anyone can decrypt any messages encrypted by the persons public key by getting hold of the private key. But the phyiscal location of the public key is irrelevant. Validity of the signatures have nothing to do with the private key and end-user. It should be validity of certs rather than signatures. A cert signs and encrypts a particular information. Jean -----Original Message----- From: Piers Chivers [mailto:piers@bj.co.uk] Sent: Thursday, July 20, 2000 11:48 AM To: 'Jean Abraham'; 'Paul Koning' Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Jean, I disagree with your comment that the "most important apsect...is that the private key is always with the owner and never in transist" (I think you meant transit). Several leading PKI vendors have implemented systems where the private key is held on a central Web server and then downloaded at run time to a web browser. Are you saying that signatures created using these keys are invalid? I would argue that the important point is that the key and user are "strongly-bound". The system should ensure that the key is only useable by the intended end-user. The physical location of the key is irrelevant. Indeed, it could be located thousand of miles away over the Internet. I would welcome comments from this forum on their opinion of the validity of signatures where the private key and end-user are not co-located. Thanks, Piers -----Original Message----- From: Jean Abraham [mailto:jean.med@arabtrust.com] Sent: 19 July 2000 14:32 To: Paul Koning Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Digital signatures generation or creation is not based on the O/S of a particular PC but on the software that is used to generate it. The most important apsect in a digital certificate(which is used to create a digital signature - end user) is that the private key is always with the owner and never in transist. And the private key of the CA that signs the end-user certs are NEVER in transist, therefore the authenticity of the certificate is good and compromise of the end-user certificate ia void only from the PC it would be installed on. Jean -----Original Message----- From: Paul Koning [mailto:pkoning@xedia.com] Sent: Wednesday, July 19, 2000 4:27 PM To: jean.med@arabtrust.com Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand >>>>> "Jean" == Jean Abraham <jean.med@arabtrust.com> writes: Jean> Hi, There is a difference actually, Jean> When you sign the fedex package the person taking your Jean> signature doesnot know if its who you say you are. But in the Jean> case of a digital certificate only you can sign a email and Jean> from YOUR OWN computer which YOU ONLY have access for. If the computer is a PC running the most popular PC operating systems, that statement is extremely optimistic at best. So long as security remains a non-goal of such operating systems, digital signatures produduced by such systems will not offer any meaningful guarantees of any kind. paul ---------------------------------------------------------------------------- -------------- This message is for the named persons use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. PROTEK Network Management Group and each of its subsidiaries reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA06586 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 01:54:06 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id SAA22665; Thu, 20 Jul 2000 18:56:38 +1000 (EST) Message-ID: <01a601bff229$a8bcf540$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: <ietf-pkix@imc.org>, "Tony Bartoletti" <azb@llnl.gov> References: <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> Subject: Re: A Real Rationale for Dedicated Keys Date: Thu, 20 Jul 2000 19:05:01 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 > My point being, the key-owner is the primary point of > control in enforcing a "one-key, one-cert" personal regime. > The "key generator" is really the primary point of control and need not be the same as the "key owner" (the one who makes signatures). Some CAs insist on having some control over key origin, key generation, or at least the equipment used to do it so that uncontrolled certifications and hackable private keys can be avoided. I would expect that all commercial CAs that generate certs intended for NR usage will have to control key generation. Does it really matter how many certificates there are for a public key as long as the one specifying NR relates to a private key that cannot be duplicated ? I dont see how multiple certs for a key is a threat to non-repudiation of signatures. Only private key exposure / duplication is. Regards, Simon McMahon. ERACOM Pty. Ltd. Received: from wssone.bj.co.uk (wssone.bj.co.uk [194.72.164.250]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id BAA06087 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 01:45:49 -0700 (PDT) Received: from 194.72.164.27 by wssone.bj.co.uk with ESMTP (WorldSecure Server SMTP Relay(WSS) v4.3); Thu, 20 Jul 00 09:50:55 +0100 X-Server-Uuid: 1407cc62-e1e1-11d2-808b-0060971f0dc2 Received: from piers2k (host62-6-112-70.host.btclick.com [62.6.112.70]) by bjex1.bj.co.uk with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) id MC4C48C1; Thu, 20 Jul 2000 09:49:04 +0100 Reply-to: piers@bj.co.uk From: "Piers Chivers" <piers@bj.co.uk> To: "'Jean Abraham'" <jean.med@arabtrust.com>, "'Paul Koning'" <pkoning@xedia.com> cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Thu, 20 Jul 2000 09:48:23 +0100 Message-ID: <000301bff227$44419be0$1a01a8c0@piers2k.bj.co.uk> MIME-Version: 1.0 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <LPBBLAPIGLOAGIHKOOGDKEOLCBAA.jean.med@arabtrust.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal X-WSS-ID: 156862E565363-01-01 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Jean, I disagree with your comment that the "most important apsect...is that the private key is always with the owner and never in transist" (I think you meant transit). Several leading PKI vendors have implemented systems where the private key is held on a central Web server and then downloaded at run time to a web browser. Are you saying that signatures created using these keys are invalid? I would argue that the important point is that the key and user are "strongly-bound". The system should ensure that the key is only useable by the intended end-user. The physical location of the key is irrelevant. Indeed, it could be located thousand of miles away over the Internet. I would welcome comments from this forum on their opinion of the validity of signatures where the private key and end-user are not co-located. Thanks, Piers -----Original Message----- From: Jean Abraham [mailto:jean.med@arabtrust.com] Sent: 19 July 2000 14:32 To: Paul Koning Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Digital signatures generation or creation is not based on the O/S of a particular PC but on the software that is used to generate it. The most important apsect in a digital certificate(which is used to create a digital signature - end user) is that the private key is always with the owner and never in transist. And the private key of the CA that signs the end-user certs are NEVER in transist, therefore the authenticity of the certificate is good and compromise of the end-user certificate ia void only from the PC it would be installed on. Jean -----Original Message----- From: Paul Koning [mailto:pkoning@xedia.com] Sent: Wednesday, July 19, 2000 4:27 PM To: jean.med@arabtrust.com Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand >>>>> "Jean" == Jean Abraham <jean.med@arabtrust.com> writes: Jean> Hi, There is a difference actually, Jean> When you sign the fedex package the person taking your Jean> signature doesnot know if its who you say you are. But in the Jean> case of a digital certificate only you can sign a email and Jean> from YOUR OWN computer which YOU ONLY have access for. If the computer is a PC running the most popular PC operating systems, that statement is extremely optimistic at best. So long as security remains a non-goal of such operating systems, digital signatures produduced by such systems will not offer any meaningful guarantees of any kind. paul ------------------------------------------------------------------------------------------ This message is for the named persons use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. PROTEK Network Management Group and each of its subsidiaries reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA05647 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 01:37:54 -0700 (PDT) Received: from mega (t5o69p12.telia.com [213.64.110.12]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id KAA12519; Thu, 20 Jul 2000 10:40:25 +0200 (CEST) Message-ID: <001401bff22e$699b5c30$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Peter Lipp" <Peter.Lipp@iaik.at> Cc: <ietf-pkix@imc.org> Subject: Re: Value of smart cards. Re: Signing what you don't understand Date: Thu, 20 Jul 2000 11:39:31 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id BAA05649 Peter, regarding WAP I think it was "invented" to cope with the extremely low bandwith and high latency available in GSM. Unfortuntely such bandwidth and latency is useless anyway. And prices on circuit-switched GSM are much too high to make WAP interesting except for a few proffesionals. And time has showed that only when technology reaches the masses it becomes really interesting. So we will have to wait a while to get GPRS/UMTS, Bluettooth, Palm-like displays and JVMs etc. And to get phones that update themselves whenever there is a new OS-version. The mobile phone makers are already facing considerable "PC-misery" with incompatibility between WAP-browsers, upgrading hassles and unreliable operation. Although it is nice with standards I still believe that it is too hard to implement many standards so the best is really that just 2-3 mobile OS survives. This is awkward for mobile phones makers who believe(d) that they should "differentiate" with software. I don't think that strategy scales very well as it will lock the market to certain operators and content providers. Essentially they can only differentiate on purely exernal stuff such as display quality, battery capacity, packaging, chicness, pricing and only to a minor extent on local software features. Anders -----Original Message----- From: Peter Lipp <Peter.Lipp@iaik.at> To: Anders Rundgren <anders.rundgren@telia.com> Cc: ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Thursday, July 20, 2000 09:47 Subject: AW: Value of smart cards. Re: Signing what you don't understand > as you say. But the SIM/WIM card will. Actually 300 million > *existing* customers can't be wrong! While the pure number of customers does not prove anything (they would have used that technology without any card on it) it definitely could provide a solid basis for deployment. Pity is that the vendors decide to reinvent the world with all the WAP-versions of whatever already had been defined... Our experience with one of the vendors in an EU-project showed lack of interest in implementing relevant standards upcoming in the EU, as long as they don't start with WA(P). Peter Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id BAA05328 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 01:34:30 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id JAA16339; Thu, 20 Jul 2000 09:51:44 +0100 Message-ID: <3976BA21.FC99EE80@algroup.co.uk> Date: Thu, 20 Jul 2000 09:36:49 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Eric Murray <ericm@lne.com> CC: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <14709.44186.650038.290537@xedia.com> <LPBBLAPIGLOAGIHKOOGDKEOLCBAA.jean.med@arabtrust.com> <14709.45766.150139.121650@xedia.com> <3975EAFC.9E03C4FC@algroup.co.uk> <20000719202512.G17726@slack.lne.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Eric Murray wrote: > > On Wed, Jul 19, 2000 at 06:53:00PM +0100, Ben Laurie wrote: > > Paul Koning wrote: > > > > > > First of all, the private key is "always with the owner" *only* if you > > > have a smartcard with embedded PKI engine. Those exist but there > > > certainly are plenty of PK signing scenarios where they are not used. > > > > Woah! Smartcard salesman detected... what about, say, a Palm, or a > > Psion? These have an advantage over smartcards, too, in that they have > > UIs. > > The UI on a Palm is really useful from a security standpoint. However, > the OS with no memory protection negates any use that requires security. > The slow crypto performance doesn't help either. I'm not arguing with that - but how about the newer PC-style PDAs (haven't got around to finding out what's in them, but an MMU seems likely)? > The ideal token for carrying private keys and digitally signing > documents would be something with a display (like a Palm) and an OS like > a smartcard's that protects the different applications and their keys > from each other. EROS!!! > Unfortunately that display costs a lot. The CPU power to render anything > interesting on it the display, and to do crypto in reasonable speed adds > to the price. With a readable display (but not pressure-sensitive > like a Palm), probably 5-10x a high-end smartcard. See below. > > Smartcards are a technology whose time never really arrived, and is > > rapidly passing. IMO. > > The problem isn't that they're not being used, it's that they've > never come close to matching the hype, and they probably won't ever. Quite. Whereas PDAs are everywhere. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id BAA04892 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 01:26:53 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id JAA16271; Thu, 20 Jul 2000 09:43:30 +0100 Message-ID: <3976B833.319CA12D@algroup.co.uk> Date: Thu, 20 Jul 2000 09:28:35 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Irene Gassko <gassko@lucent.com> CC: Simon McMahon <simon@onthenet.com.au>, ietf-pkix@imc.org, denis.bider@denisbider.com Subject: Re: Current signature formats insufficient References: <000901bfeb64$38642f50$0201010a@intergalactic> <4.1.20000718143314.03614008@anuxc.mv.lucent.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Irene Gassko wrote: > > Hello, > > Blind signatures provide another viewpoint. Here a signer does not > know what it is signing but the key used indicates the value of a > monetary unit. Very good point (BTW, see http://anoncvs.aldigital.co.uk/lucre/ for a free implementation of blinded signing) - but in this case the signer _does_ know that it is effectively signing a random number. But this is a good example of why the _key_ should say what it can be used for (I realise the signature could, too, but that's a waste of space, surely?). Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from iaik.tu-graz.ac.at (excalibur.iaik.tu-graz.ac.at [129.27.152.30]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA02982 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 00:45:02 -0700 (PDT) Received: from PLIPP2 [129.27.152.34] by iaik.tu-graz.ac.at (SMTPD32-6.00) id AE805650116; Thu, 20 Jul 2000 09:47:12 +0200 Received: from 127.0.0.1 [127.0.0.1] by PLIPP2 (IAIK S/MIME Mapper 2.0beta3 22/March/2000); Do, 20 Jul 2000 09:48:23 +0100 From: "Peter Lipp" <Peter.Lipp@iaik.at> To: "Anders Rundgren" <anders.rundgren@telia.com> Cc: <ietf-pkix@imc.org> Subject: AW: Value of smart cards. Re: Signing what you don't understand Date: Thu, 20 Jul 2000 09:48:22 +0200 Message-ID: <NDBBLDEHJKOODMJCNBNCEEGFEDAA.Peter.Lipp@iaik.at> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=sha1; boundary="--IAIK.SMIME.MAPPER.F12BC676--"; protocol="application/x-pkcs7-signature" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-reply-to: <003901bff1c7$9e2e3ec0$0201a8c0@mega.vincent.se> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal This is a multipart MIME message, it may require a MIME capable user agent. ----IAIK.SMIME.MAPPER.F12BC676-- Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable > as you say. But the SIM/WIM card will. Actually 300 million > *existing* customers can't be wrong! While the pure number of customers does not prove anything (they would have used that technology without any card on it) it definitely could provide a solid basis for deployment. Pity is that the vendors decide to reinvent the world with all the WAP-versions of whatever already had been defined... Our experience with one of the vendors in an EU-project showed lack of interest in implementing relevant standards upcoming in the EU, as long as they don't start with WA(P). Peter ----IAIK.SMIME.MAPPER.F12BC676-- Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAA oIIVIDCCBE0wggM5oAMCAQICAwGGrTAJBgUrDgMCHQUAMIIBEzELMAkGA1UEBhMC QVQxDzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxMER1JBWjEZMBcGA1UECRMQSW5m ZmVsZGdhc3NlIDE2YTEmMCQGA1UEChMdR1JBWiBVTklWRVJTSVRZIE9GIFRFQ0hO T0xPR1kxRzBFBgNVBAsTPkluc2l0dXRlIGZvciBBcHBsaWVkIEluZm9ybWF0aW9u IFByb2Nlc3NpbmcgYW5kIENvbW11bmljYXRpb25zMRkwFwYDVQQLExBJQUlLIElO VFJBTkVUIENBMRkwFwYDVQQDExBJQUlLIFRVLUdSQVogU0lHMSIwIAYDVQQMExlJ QUlLIGVsZWN0cm9uaWMgc2lnbmF0dXJlMB4XDTk5MTEyODIwMjIzOVoXDTAwMTEy ODIwMjIzOVowgZMxCzAJBgNVBAYTAkFUMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJ VFkgT0YgVEVDSE5PTE9HWTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQg SW5mb3JtYXRpb24gUHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxEzARBgNV BAMTClBldGVyIExpcHAwgZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGBAM5s1aJQ xXxczmMNSJtL4cv9nhMA+dtbUN4+DA5qfZBqcwR2zWw2VulPyrAeZDA1HFP8zlpk PlC5C4hNnX+p7QdG8u0LMk45FwaatOm2r2gEmTYGH/znwQSrKTsZXi0d0VHZV0TX yU/I3SlYxSXfjFafAVE09KKa2m8jcUOhF97dAgEDo4G0MIGxMDgGA1UdHwQxMC8w LaAroCmkJzAlMRAwDgYDVQQKEwdpYWlrLmF0MREwDwYDVQQDEwhJQUlLQ1JMMTAR BglghkgBhvhCAQEEBAMCAKAwKAYJYIZIAYb4QgENBBsWGVVzZXItQ2VydGlmaWNh dGUgSU5UUkFORVQwDAYDVR0TBAUwAwEBADAdBgNVHREEFjAUgRJQZXRlci5MaXBw QGlhaWsuYXQwCwYDVR0PBAQDAgbAMAkGBSsOAwIdBQADggEBAA4r/qDOLW8ChbuC 2pGzcf74Uv190Q45aHj99lMgNhPQRIVaLLNXJH+NYJxEvIwmVOWIXjdA03TqkOOq FJ/tK31wV+RbrvaPaVUwRjPhC2f8rr+K6pp9mzUC1SolUEbRWVHgOZGsbnEJkTEr oJOelFdKr0coT+Xeje/fI5d50P3CwsJLR2PFkiswnOoWBINi2nq6MGZ7fwmzW8F9 ZVstrNMQYCeEj4V2SR/YIUrDxsdqMQyorBe/su3eab3fOpPlonb86KKWH6jLdgpi KGRoHGWeGgAWlMB0HdxaupX7Lm8LhVYZOdh9SpvO8AdhMyOXNHOKF6sMXCZvSEHy 2XUvbmAwggRUMIIDQKADAgECAgJOIDAJBgUrDgMCHQUAMIGZMQswCQYDVQQGEwJB VDEmMCQGA1UEChMdR1JBWiBVTklWRVJTSVRZIE9GIFRFQ0hOT0xPR1kxRzBFBgNV BAsTPkluc2l0dXRlIGZvciBBcHBsaWVkIEluZm9ybWF0aW9uIFByb2Nlc3Npbmcg YW5kIENvbW11bmljYXRpb25zMRkwFwYDVQQDExBJQUlLIElOVFJBTkVUIENBMB4X DTk5MTExNDEyNTE0OVoXDTAyMTIzMTIyNTkzMFowggETMQswCQYDVQQGEwJBVDEP MA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHUkFaMRkwFwYDVQQJExBJbmZmZWxk Z2Fzc2UgMTZhMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJVFkgT0YgVEVDSE5PTE9H WTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQgSW5mb3JtYXRpb24gUHJv Y2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxGTAXBgNVBAsTEElBSUsgSU5UUkFO RVQgQ0ExGTAXBgNVBAMTEElBSUsgVFUtR1JBWiBTSUcxIjAgBgNVBAwTGUlBSUsg ZWxlY3Ryb25pYyBzaWduYXR1cmUwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEI AoIBAQDSyhKuZGsL1EPk5mOTG8RzhHS/Va+/WYjs7Zm91nwVHu1+XFLJeJ85AICk SQ7yq9lWa9ur34cywbNhl/9QxaOBOiHkMvAuXxs2Bq/uhe/hEb1T7XgO12ptG80q SOP8/nKxw1PXlbUkd1rD9727mO/5tpvagEQfz7CZQ5wI4HkrNw5uH/vsJ72wRcRT FzmHy/nOX3Y9sXLd/V7TG8j1x0oNWsR3b0tHEWM+Oc1Qq5FfCknoMMCitSD38cUL CCcLJtVxkOiapWaZrDXUAuhvshhsRPjkXh6IzpqsZEtRI64SurLoUUShPv108ELE 6rfQKtm9FNnlFRD954diwfFHko/lAgEFozMwMTARBglghkgBhvhCAQEEBAMCAAIw DwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwCQYFKw4DAh0FAAOCAQEAc26n vl5jQspoqD0fzjpZkqGARmFVj9uHNqVoWttqw/y6t46OhJUcePEmXkKsFP4NuCFx 2MyvmbWb6R6QNQ5WfoarGWyQ382cQN6mccPS5weDjXAzYeGZUkx99K70ncVxkwq7 rINAhJtari2XSLxmfBJyTYrZuWEgd5C9NBuf2u3iZyArarOKPbrBjZxjmXwBbZ7t sfAhSVMGSr2ODgQcQjf7ZndNIsQZL75HkN21Pj+/x3wnMCAQF50+Pt8ioAgZ/SAu dxmdYNr2itI0vmsV/xjD1NQuwb6+HwmR2LxclhMzrT1VbtTDkRLD/h8LKC1OpKV8 lQlS7Ir+Od/XNafKJjCCA8owggKyoAMCAQICAQEwDQYJKoZIhvcNAQEEBQAwgZkx CzAJBgNVBAYTAkFUMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJVFkgT0YgVEVDSE5P TE9HWTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQgSW5mb3JtYXRpb24g UHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxGTAXBgNVBAMTEElBSUsgSU5U UkFORVQgQ0EwHhcNOTkxMTE0MTIzMTU5WhcNMDIxMjMxMjI1OTMwWjCBmTELMAkG A1UEBhMCQVQxJjAkBgNVBAoTHUdSQVogVU5JVkVSU0lUWSBPRiBURUNITk9MT0dZ MUcwRQYDVQQLEz5JbnNpdHV0ZSBmb3IgQXBwbGllZCBJbmZvcm1hdGlvbiBQcm9j ZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9uczEZMBcGA1UEAxMQSUFJSyBJTlRSQU5F VCBDQTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAMLr+IHe6qeAtYLk fvxyRI6ogrvBP5iKPEBZ7j3T1yVJL7CDPGH8hgPsI4qt6Fnzh2MuAq84JS58zX5x LqEUC/E5xw1xyAzorC6yWwxGRhb+fvTg4OlM2JVsTlyJO6F/BWlXuZU33lgGky/R X84sItXKhmhbUPscnHYBsVKcQO5rFcRrJK/5c1Mha/bcQNVDQaQw+HRCvr7T4mAV Yi+DVJv6jb393CoDBnffGP/mcIkFGFO5D6lyfP8QiSs06+0unIYWwUn1YzQI2RNB AjXrCuAJtlf4qYrGXC09Neg8ymoI2uOglo6scWiZXt/prxWoi+btPX8oWDl5+7DE tCf0rx8CAQejHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3 DQEBBAUAA4IBAQAfdOMJ/ePlmrY0flkgiL6vyRDBuWGcIaB/oGofngJzbQLa7X2s hWzpIiVpvo64XcjIBuocpErhIQfc2UZTSqYYT7R2Uydh0wVeqScURuwuihFURPhI 7GWCSrNwym2lrwsva2Xh/MTyzhXs9vo29dP2djjelN8n347dXhKJOYJ0tsA583af EKmKvkfzAb+sQLxEmPyasQTCGJMec/iWjLTsEDRfCrROYVgDZ4NcCpiRSv9mWw6s PYB8Chf5fJq1waFzluFYSUkuF24NKVopr1E4dKt2Lc1zdMRGRztKQWeUiBLkqFCQ xsi6iZrl1nvMCdF+scuLj7G4lNshx6n1ZcabMIIETTCCAzmgAwIBAgIDAw1NMAkG BSsOAwIdBQAwggETMQswCQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYD VQQHEwRHcmF6MRkwFwYDVQQJExBJbmZmZWxkZ2Fzc2UgMTZhMSYwJAYDVQQKEx1H UkFaIFVOSVZFUlNJVFkgT0YgVEVDSE5PTE9HWTFHMEUGA1UECxM+SW5zaXR1dGUg Zm9yIEFwcGxpZWQgSW5mb3JtYXRpb24gUHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNh dGlvbnMxGTAXBgNVBAsTEElBSUsgSU5UUkFORVQgQ0ExGzAZBgNVBAMTEklBSUsg VFUtR1JBWiBDUllQVDEgMB4GA1UEDBMXSUFJSyBjb25maWRlbnRpYWxpdHkgQ0Ew HhcNOTkxMTI4MjAyMzM4WhcNMDAxMTI4MjAyMzM4WjCBkzELMAkGA1UEBhMCQVQx JjAkBgNVBAoTHUdSQVogVU5JVkVSU0lUWSBPRiBURUNITk9MT0dZMUcwRQYDVQQL Ez5JbnNpdHV0ZSBmb3IgQXBwbGllZCBJbmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFu ZCBDb21tdW5pY2F0aW9uczETMBEGA1UEAxMKUGV0ZXIgTGlwcDCBnTANBgkqhkiG 9w0BAQEFAAOBiwAwgYcCgYEAvQe3ZdxrE2Nv5z2ZLink1P2MFeQb5gYrS55w4jsX ZGD5v9Ajnv3w30Ajcn7jI+blIvYYpmNQV476+aUHNZFUML/KN5WGVXfdBOxb2n+6 Porez8KMnUlq3cCvAdhVdquFjwaRHO5k7gY80hNAfVker52A1aXbrT0TaWGlCl25 sq0CAQWjgbQwgbEwOAYDVR0fBDEwLzAtoCugKaQnMCUxEDAOBgNVBAoTB2lhaWsu YXQxETAPBgNVBAMTCElBSUtDUkwxMBEGCWCGSAGG+EIBAQQEAwIAoDAoBglghkgB hvhCAQ0EGxYZVXNlci1DZXJ0aWZpY2F0ZSBJTlRSQU5FVDAMBgNVHRMEBTADAQEA MB0GA1UdEQQWMBSBElBldGVyLkxpcHBAaWFpay5hdDALBgNVHQ8EBAMCA3gwCQYF Kw4DAh0FAAOCAQEAhvbZ0/1a47YqiCYjsnsqxWhFufL9oPQzzK9sBDjZZwbpPnhD ZN8PmBqWUXAo74a6oz7Q0W1QieAPCIGenFcVe5ui9m+9TDwtrQN1ECE5k3VuGlh9 l+1Sw5GjFEynARTDmaSRIc75EV/nx4a1LuHLkRYGC5Mg6LskWpIw7ShdPD54U/3Q 19iboaASh0ynfySjBsy1549hQcmi9UfMMX7u1QCCia2kd15u+YaVxtWoMHFB59q6 ELx+9XseEpEI/zBlvSwdyDTXWtnlxnzZjsyk0a/W+FpdeuZ7k2Dbf/Owx0nXS70M HrH/AErvvbhxJ1BaAPC6TAN6da4xPpwy5XSRfjCCBFQwggNAoAMCAQICAnUwMAkG BSsOAwIdBQAwgZkxCzAJBgNVBAYTAkFUMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJ VFkgT0YgVEVDSE5PTE9HWTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQg SW5mb3JtYXRpb24gUHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxGTAXBgNV BAMTEElBSUsgSU5UUkFORVQgQ0EwHhcNOTkxMTE0MTI1NTM2WhcNMDIxMjMxMjI1 OTMwWjCCARMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcT BEdyYXoxGTAXBgNVBAkTEEluZmZlbGRnYXNzZSAxNmExJjAkBgNVBAoTHUdSQVog VU5JVkVSU0lUWSBPRiBURUNITk9MT0dZMUcwRQYDVQQLEz5JbnNpdHV0ZSBmb3Ig QXBwbGllZCBJbmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9u czEZMBcGA1UECxMQSUFJSyBJTlRSQU5FVCBDQTEbMBkGA1UEAxMSSUFJSyBUVS1H UkFaIENSWVBUMSAwHgYDVQQMExdJQUlLIGNvbmZpZGVudGlhbGl0eSBDQTCCASAw DQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAMEnzjatic90xi5VRmr0i2O16Z1a SElQFZitoNvAzGw+KehOTuKeUr5ALHib9tGInNm+jPTWVGl/u5Hab1JRzXj0xAKy qvZ+KphGy6ag6VcCVySJmeY1AqTM0W78XdFQXnlZuciBv00Ktoulb/Ktgh6c0YNg o4UMVdxjGHJweibT1AGvlFe2BqulwtuwOLovMIuIyHHh+o6F2HXYKUB54GJpia1B 2IfmqcpBBFdYtDlHyrxugB5QhuhLo0BjD8jCe8B2gkQnI2wIeyfpLlH+u3/VQAl1 2cZKkqaqPpOgP/znsdh62QBSabrRluvCp9OQW9M8u+mJlrxIIVwtThfzIW0CAQWj MzAxMBEGCWCGSAGG+EIBAQQEAwIAAjAPBgNVHRMECDAGAQH/AgEBMAsGA1UdDwQE AwIBBjAJBgUrDgMCHQUAA4IBAQBa+v4JIzqbBydvFOaP/dA5D/GLWEWjPTF8tKcP hxlEYABH8dW5E2tk/nNE2CDyGjkJtR+o9kiCDCa4N/qlc2LepJpa0I28Hi4wCd0C uxSWpEuDHNDrW6Y/bU8gJ8DpskVl+lR0QFkqSCWAu3bY0e2VvUffk2ltrx1KvO64 vGX+ayZn2P7naGHPfYjCBWUKzW0zS8chVf0aehu/qXFuZDfy1MlDgEnPl1DQ1vSL CMmFEDc99iNzcCU7ILn+RgWPNYPVhCUqoDQ6buX00ohfNVS/OHgqkWpa1HLvLRXq E9NmYUJvfhE2zCY6w6bTME3IfDCXRat2Q3twP4/iP9xtsTbPMYICeDCCAnQCAQEw ggEcMIIBEzELMAkGA1UEBhMCQVQxDzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxME R1JBWjEZMBcGA1UECRMQSW5mZmVsZGdhc3NlIDE2YTEmMCQGA1UEChMdR1JBWiBV TklWRVJTSVRZIE9GIFRFQ0hOT0xPR1kxRzBFBgNVBAsTPkluc2l0dXRlIGZvciBB cHBsaWVkIEluZm9ybWF0aW9uIFByb2Nlc3NpbmcgYW5kIENvbW11bmljYXRpb25z MRkwFwYDVQQLExBJQUlLIElOVFJBTkVUIENBMRkwFwYDVQQDExBJQUlLIFRVLUdS QVogU0lHMSIwIAYDVQQMExlJQUlLIGVsZWN0cm9uaWMgc2lnbmF0dXJlAgMBhq0w CQYFKw4DAhoFAKCBsTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3 DQEJBTEPFw0wMDA3MjAwNzQ4MjNaMCMGCSqGSIb3DQEJBDEWBBRisRXrVulKQ/gr frpAKVDnYvSEiDBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3 DQMCAgIAgDANBggqhkiG9w0DAgIBQDANBggqhkiG9w0DAgIBKDAHBgUrDgMCBzAN BgkqhkiG9w0BAQEFAASBgE3lASw8jZhcQi4DLL4avnt3KrhabSxBqfEgNI6kJBZ4 Kmd8z29WvOgPZdJEMwtwSLxEmtZ9PexuzUymGU4enxS15gx5e+uluRvGPhyDAymx mLIGizlDAK8OawEKQT5m6u5uZdvwP4Hra3JI9zTmtpj2qse+oHVUmPde6muRPhuU AAAAAAAA ----IAIK.SMIME.MAPPER.F12BC676---- Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA00287 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 23:31:02 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id IAA12468; Thu, 20 Jul 2000 08:37:24 +0200 Received: from bull.net (frpq6118.frpq.bull.fr [129.184.8.64]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id RAA20310; Tue, 18 Jul 2000 17:05:12 +0200 Message-ID: <39747229.B159FB44@bull.net> Date: Tue, 18 Jul 2000 17:05:13 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: John_Wray@iris.com CC: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <OF75BDEB08.9FD76D19-ON85256920.004C132A@iris.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit John, May I suggest again that you take a closer look at http://www.ietf.org/internet-drafts/draft-ietf-smime-esformats-01.txt which answers most of your basic questions. Regards, Denis > Steve, > > >>Anything in the certificate that's used to imply something about the > intent > >>behind a signature is asking for trouble, unless the specific certificate > >>that a relying party should use is bound to the signature. What's to > >>prevent me from obtaining certificates from two different CAs, certifying > >>the same key, but with different settings of the NR bit in the two > >>certificates, and then using the certificate with the NR bit clear to > >>repudiate a signature I originally represented as being non-repudiable > >>using the other certificate? > > > >Not necessarily. You seem to assume that a signer could escape > >responsibility for signing in an NR context by producing a > >certificate with the same public key but without the NR bit asserted. > >I don't subscribe to that assumption. if I, as an RP, collect a cert > >associated with the user and it has the right public key and NR > >asserted, then why is my assertion of which cert was used in the > >transaction untenable? A legitimate user should never put the same > >public key into two certs that differ in terms of this key usage bit > >(and probably not if they differ in other, significant ways). If > >push came to shove and the user asserted that the NR-enabled cert was > >not really issued at his request, a check of CA records for POP could > >resolve the problem. [I assume that any CA issuing a cert with an NR > >bit enabled ought to insist on POP, but maybe that's my unwarranted > >assumption :-).] > > I think you're suggesting the use of a distinct key for each possible > "signature intent" here (although the example deals with R vs. NR, there > are more than just two flavors of signature intent). Quite apart from > requiring a signer to maintain a large number of distinct keys, I think > it's a bit much to expect every "legitimate user" to be well-enough versed > in the nuances of certificates to always request the same certificate > extensions in every certificate for a given key. > > >>The only way that using anything in the certificate could work is if the > >>specific certificate that I intend a relying party to use to verify the > >>signature is somehow bound into the signature. Binding a particular > >>certificate to a signature has all sorts of other problems (e.g. do all > my > >>signatures become unverifiable when my certificate is renewed?), and > would > >>require a signature format change anyway, so why not simply assert the > >>intent explicitly as part of the signature? > > > >Based on my comments above, I'm not sure we need to perform this > >binding, but I agree with Denis's comments here, i.e., it's not > >infeasible and the persistence of the signature is divorced from the > >certificate lifetime by other mechanisms. > > What other mechanisms would cover that case of my issuing CA going out of > business? If a CA's assets (including its keys) are sold as part of a > bankruptcy process, I would think that trust in those keys would be fairly > quickly revoked by other CAs that might have cross-certified it. In this > case, invalidityDate on those revocations would probably be set so that no > certificate that had been issued by the former CA's key would be trusted > (to prevent the keys' new owners from issuing new backdated certificates). > However, as a subscriber to the former CA, I don't see why my signatures > should suddenly become less trustworthy, if my key can be verified via > another path. > > >By the way, I'm not saying that a new format for signatures which are > >designed precisely for NR purposes with general purpose documents is > >a bad idea. I just commented on what appeared to be a lack of good > >arguments for such a construct. I agree that the ability to have a > >small token be able to understand such constructs could be valuable, > >even though we still face a lot of problems with regard to secure > >display of the contents of what is being signed. > > The most persuasive argument I can come up with is an architectural one, > and assumes that there are more flavors of "signature intent" than just > repudiable vs non-repudiable. There are three places I can see that one > might try to encode the intent behind a signature: The particular key used, > the particular certificate used, or explicitly as part of the signature > structure. The intent behind a signature is fairly dynamic, possibly > varying with each signature. On occasion I might want to sign a nonce > simply to prove I possess a key; at other times I might want to sign a > piece of e-mail to indicate that I have read it, i.e. to generate a > return-receipt; at other times my signature might assert my agreement to > the contents of a document; at other times it might be intended as an > approval of some business process (i.e. "If the expenses listed in the > document are as described, then they may be reimbursed"). However, both > the certification hierarchy and the availability of keys are fairly static > things - I either need to get my key re-certified for each possible > signature intent I might want to assert, or I need to generate and certify > a distinct key for each possible signature intent. Encoding the intent > explicitly as part of the signature allows me to choose at the time I > generate the signature what intent I wish to associate with the signature, > rather than having to have previously set up certification chains for all > intents I might wish to asserts. I would also claim that it's less > error-prone and probably of greated legal validity to explicitly encode the > intent along with the signature than to try to infer the certified intent > from the contents of certificates issued by third-party CAs. > > John Received: from krdl.org.sg (IDENT:root@rodin.krdl.org.sg [192.122.139.27]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA28832 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 23:02:15 -0700 (PDT) Received: from mailhost.krdl.org.sg (mailhost [192.122.134.30]) by krdl.org.sg (8.9.3/8.9.3) with ESMTP id OAA08316 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 14:13:38 +0800 Received: from vivekpc1 (9Y3811S.krdl.org.sg [192.168.133.104]) by mailhost.krdl.org.sg (8.9.3/8.9.3) with SMTP id OAA14258 for <ietf-pkix@imc.org>; Thu, 20 Jul 2000 14:03:49 +0800 (SGT) Message-ID: <000f01bff211$047b0480$6885a8c0@krdl.org.sg> From: "vivek singh" <svivek@krdl.org.sg> To: <ietf-pkix@imc.org> Subject: Date: Thu, 20 Jul 2000 14:09:09 +0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 subscribe Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA26897 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 22:40:45 -0700 (PDT) Received: from jean [195.39.160.57] by mail.arabtrust.com (SMTPD32-6.00) id A1FD308C0042; Thu, 20 Jul 2000 01:45:33 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: "Ben Laurie" <ben@algroup.co.uk> Cc: "Paul Koning" <pkoning@xedia.com>, <ietf-pkix@imc.org> Subject: RE: Signing what you don't understand Date: Thu, 20 Jul 2000 08:41:51 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDCEPBCBAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <3975EBD0.EFF2F12D@algroup.co.uk> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Yes, CA's dont create private keys except their own I meant to say that a CA signs a end-user certificate. When you apply for a certificate to sign and encrypt an email through a browser then the private key is embeded in the browser and a entry is made in the registry. Jean -----Original Message----- From: Ben Laurie [mailto:ben@algroup.co.uk] Sent: Wednesday, July 19, 2000 8:57 PM To: Jean Abraham Cc: Paul Koning; ietf-pkix@imc.org Subject: Re: Signing what you don't understand Jean Abraham wrote: > > Paul, > > Private keys are also embeded in the browser as well as on a Luna Token. > > MD5 or hash.... are algorithms that generate the public key and private key > and also used for encryption purposes. Errr ... no they aren't. > Now if a application has to be > subverted it can only be done with the operators knowledge or the creator of > the application. Regarding the virus, a virus cannot attack a private key. > The virus creator needs to know the algorithm of the private key or the > public key which will enable the virus to act. Which is public knowledge. > Which is why any CA that > generates end-user certificates are generated or created with utmost > security in mind. CAs do not generate private keys, except their own. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from slack.lne.com (gw.lne.com [209.157.136.81]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA20894 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 20:23:17 -0700 (PDT) Received: (from ericm@localhost) by slack.lne.com (8.9.3/8.9.3) id UAA20847; Wed, 19 Jul 2000 20:25:12 -0700 Date: Wed, 19 Jul 2000 20:25:12 -0700 From: Eric Murray <ericm@lne.com> To: Ben Laurie <ben@algroup.co.uk> Cc: ietf-pkix@imc.org Subject: Re: Signing what you don't understand Message-ID: <20000719202512.G17726@slack.lne.com> References: <14709.44186.650038.290537@xedia.com> <LPBBLAPIGLOAGIHKOOGDKEOLCBAA.jean.med@arabtrust.com> <14709.45766.150139.121650@xedia.com> <3975EAFC.9E03C4FC@algroup.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre3us In-Reply-To: <3975EAFC.9E03C4FC@algroup.co.uk> On Wed, Jul 19, 2000 at 06:53:00PM +0100, Ben Laurie wrote: > Paul Koning wrote: > > > > First of all, the private key is "always with the owner" *only* if you > > have a smartcard with embedded PKI engine. Those exist but there > > certainly are plenty of PK signing scenarios where they are not used. > > Woah! Smartcard salesman detected... what about, say, a Palm, or a > Psion? These have an advantage over smartcards, too, in that they have > UIs. The UI on a Palm is really useful from a security standpoint. However, the OS with no memory protection negates any use that requires security. The slow crypto performance doesn't help either. The ideal token for carrying private keys and digitally signing documents would be something with a display (like a Palm) and an OS like a smartcard's that protects the different applications and their keys from each other. Unfortunately that display costs a lot. The CPU power to render anything interesting on it the display, and to do crypto in reasonable speed adds to the price. With a readable display (but not pressure-sensitive like a Palm), probably 5-10x a high-end smartcard. > Smartcards are a technology whose time never really arrived, and is > rapidly passing. IMO. The problem isn't that they're not being used, it's that they've never come close to matching the hype, and they probably won't ever. -- Eric Murray www.lne.com/ericm ericm at the site lne.com PGP keyid:E03F65E5 Security consulting: secure protocols, security reviews, standards, smartcards. Received: from cam-mailer1.bbn.com (cam-mailer1.bbn.com [171.78.68.5]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA15870 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 19:06:52 -0700 (PDT) Received: from [171.78.60.33] (dc033.bbn.com [171.78.60.33]) by cam-mailer1.bbn.com (8.8.8+Sun/8.8.8) with ESMTP id WAA10175; Wed, 19 Jul 2000 22:05:23 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04220804b59ba131c71a@[128.33.238.44]> In-Reply-To: <C7006C79F23FD411AFCC00E018C353B4025916@exchange.gadens.com.au> References: <C7006C79F23FD411AFCC00E018C353B4025916@exchange.gadens.com.au> Date: Wed, 19 Jul 2000 14:29:55 -0400 To: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> From: Stephen Kent <kent@bbn.com> Subject: RE: Signing what you don't understand Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Adrian, >Your example is well put but is this really a digital signature or is it a >set of bits (a mark) that has been affixed using the same technology known >as digital signature technology. This mailing list is the discussion forum for the PKIX WG, a technical WG of the IETF. Thus we tend to employ (at least try to employ) technical terminology in our discussions. In that context, what I described is very definitely a digital signature. >You mention the difference between the 2 intents. I would be surprised, if >anyone (other than the technically minded) even knows that a challenge >response is even being "signed". There is no intent at all in this case. It >is the technology as designed that is effecting the response to the >challenge. I am surprised that "you" sign authentication challenges, just >for authentication purposes. Is it really a signature? Are you really >signing the authentication challenge or is it the software on your machine >effecting the response to the challenge? Again, from a technical perspective yes, I am signing the challenge, and I intended to sign it, but I also want to assert that this digital signature does not imply anything more than my participation in an authentication exchange. We have a means of doing that today, via the key usage extension. >To me this is not a signature. It may use digital signature technology but >it is not a signature. This is probably the problem. It is the use of the >word "signature" which is a technical term but has been used by the PKI >community to cover a myriad of uses. Some uses of the term by the PKI >community are confusing. Every profession has its own terminology with nuanced meanings. In this context, i.e., on this discussion list, the technical terminology takes precedence, declared the WG Co-Chair :-). >I also do not agree with your position that the NR bit can signal any intent >either way. With respect, intent is ascertained at the time of signing. A >certificate has nothing what so ever to do with signing. Its primary >purpose is to identify a public key that corresponds to a private key that >may be held by some previously identified person or entity. The public key >is used to verify a digital signature that has supposedly been created using >the corresponding private key. That is it as far as I understand it unless >there is some other primary purpose that I do not know. I do not see the >relationship between digitally signing a document and the contents of a >certificate. Verification of the signature at some later time is a different >issue which may involve the use of a certificate but this may not be so. There are lots of relationships between a signature and certificate contents. Specifically, policy information can be conveyed in the certificate that binds the public key for signature verification. One might argue that a certificate is not directly involved in the act of signing, but it is essential to the signature validation process, in our context. A public key divorced from a certificate can be used to verify a signature, but it does not tell me who created the signature. This WG addresses signature topics ONLY in the context of public keys bound into certificates. Steve Received: from cam-mailer1.bbn.com (cam-mailer1.bbn.com [171.78.68.5]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA15316 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 19:03:31 -0700 (PDT) Received: from [171.78.60.33] (dc033.bbn.com [171.78.60.33]) by cam-mailer1.bbn.com (8.8.8+Sun/8.8.8) with ESMTP id WAA10230; Wed, 19 Jul 2000 22:06:02 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04220807b59baae71151@[128.33.238.44]> In-Reply-To: <ED026032A3FCD211AEDA00105A9C4696016E584C@sothmxs05.entrust.com> References: <ED026032A3FCD211AEDA00105A9C4696016E584C@sothmxs05.entrust.com> Date: Wed, 19 Jul 2000 15:03:13 -0400 To: Sharon Boeyen <sharon.boeyen@entrust.com> From: Stephen Kent <kent@bbn.com> Subject: RE: Reverse paths Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sharon, <snip> >I would like to support Sean's request that for the LDAPv3 schema we >consider making the reverse element mandatory along with the forward >element. >This would be a great step forward in supporting interoperability among PKI >products and services and, since it does not impact existing LDAPv2 systems, > >doesn't cause those previously deployed systems to be non-conformant. > >With both elements mandatory, regardless of the direction the path is >being built, the certificate using system will be able to locate the >information >it seeks. > I am uncomfortable with the proposal that we mandate both elements, as this would seem to imply that every CA would have to engage in reverse path certificate generation in all contexts. Did I misunderstand the implication? I know that Entrust has always encouraged (required?) this type of cross certification among CAs, but it doesn't seem that other CA vendors or most users have. I would not think it appropriate to impose this sort of requirement, given the vendor-specific implications of such a change. Steve Received: from cam-mailer1.bbn.com (cam-mailer1.bbn.com [171.78.68.5]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA15292 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 19:03:29 -0700 (PDT) Received: from [171.78.60.33] (dc033.bbn.com [171.78.60.33]) by cam-mailer1.bbn.com (8.8.8+Sun/8.8.8) with ESMTP id WAA10221; Wed, 19 Jul 2000 22:05:59 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04220806b59ba5dfe2a7@[128.33.238.44]> In-Reply-To: <OF75BDEB08.9FD76D19-ON85256920.004C132A@iris.com> References: <OF75BDEB08.9FD76D19-ON85256920.004C132A@iris.com> Date: Wed, 19 Jul 2000 14:58:29 -0400 To: John_Wray@iris.com From: Stephen Kent <kent@bbn.com> Subject: Re: Signing what you don't understand Cc: John_Wray@iris.com, <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" John, <snip> >I think you're suggesting the use of a distinct key for each possible >"signature intent" here (although the example deals with R vs. NR, there >are more than just two flavors of signature intent). Quite apart from >requiring a signer to maintain a large number of distinct keys, I think >it's a bit much to expect every "legitimate user" to be well-enough versed >in the nuances of certificates to always request the same certificate >extensions in every certificate for a given key. I am a firm believer in users holding multiple certs and multiple keys. Appropriate interface/management software should make this tolerable. I also believe that it is rarely appropriate to put the same key into multiple certs, hence my general lack of concern over the other issue you cite. But, if one needs to push the granularity of signature intent very far, then I agree that what I proposed could become infeasible to manage. > >>The only way that using anything in the certificate could work is if the > >>specific certificate that I intend a relying party to use to verify the > >>signature is somehow bound into the signature. Binding a particular > >>certificate to a signature has all sorts of other problems (e.g. do all >my > >>signatures become unverifiable when my certificate is renewed?), and >would > >>require a signature format change anyway, so why not simply assert the > >>intent explicitly as part of the signature? > > > >Based on my comments above, I'm not sure we need to perform this > >binding, but I agree with Denis's comments here, i.e., it's not > >infeasible and the persistence of the signature is divorced from the > >certificate lifetime by other mechanisms. >What other mechanisms would cover that case of my issuing CA going out of >business? If a CA's assets (including its keys) are sold as part of a >bankruptcy process, I would think that trust in those keys would be fairly >quickly revoked by other CAs that might have cross-certified it. In this >case, invalidityDate on those revocations would probably be set so that no >certificate that had been issued by the former CA's key would be trusted >(to prevent the keys' new owners from issuing new backdated certificates). >However, as a subscriber to the former CA, I don't see why my signatures >should suddenly become less trustworthy, if my key can be verified via >another path. A RP can be responsible for acquiring all the requisite evidence for later support of signed document validity, including time stamping this evidence. I think this addresses the scenario you described above. > >By the way, I'm not saying that a new format for signatures which are > >designed precisely for NR purposes with general purpose documents is > >a bad idea. I just commented on what appeared to be a lack of good > >arguments for such a construct. I agree that the ability to have a > >small token be able to understand such constructs could be valuable, > >even though we still face a lot of problems with regard to secure > >display of the contents of what is being signed. > >The most persuasive argument I can come up with is an architectural one, >and assumes that there are more flavors of "signature intent" than just >repudiable vs non-repudiable. There are three places I can see that one >might try to encode the intent behind a signature: The particular key used, >the particular certificate used, or explicitly as part of the signature >structure. The intent behind a signature is fairly dynamic, possibly >varying with each signature. On occasion I might want to sign a nonce >simply to prove I possess a key; at other times I might want to sign a >piece of e-mail to indicate that I have read it, i.e. to generate a >return-receipt; at other times my signature might assert my agreement to >the contents of a document; at other times it might be intended as an >approval of some business process (i.e. "If the expenses listed in the >document are as described, then they may be reimbursed"). However, both >the certification hierarchy and the availability of keys are fairly static >things - I either need to get my key re-certified for each possible >signature intent I might want to assert, or I need to generate and certify >a distinct key for each possible signature intent. Encoding the intent >explicitly as part of the signature allows me to choose at the time I >generate the signature what intent I wish to associate with the signature, >rather than having to have previously set up certification chains for all >intents I might wish to asserts. I would also claim that it's less >error-prone and probably of greated legal validity to explicitly encode the >intent along with the signature than to try to infer the certified intent >from the contents of certificates issued by third-party CAs. Those are good arguments. One can choose to represent this info in the document being signed, analogous to what we do in the physical world, or can try to codify the various intents in a newly defined signature format. The latter approach will entail considerable haggling over what the requisite info types will be, how to encode them, etc. The same problems would arise if we try to do this fine granularity intent expression in a standard fashion in signed documents. We already have this sort of facility in the policy qualifier aspect of cert policies, and many of us question the ability of folks to manage this in the more static context in which it might be used. So, another aspect of this debate is whether the "average" user is capable of managing this sort of facility, on a per signature basis, as suggested, irrespective of how we support the capability. Steve Received: from cam-mailer1.bbn.com (cam-mailer1.bbn.com [171.78.68.5]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA15266 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 19:03:25 -0700 (PDT) Received: from [171.78.60.33] (dc033.bbn.com [171.78.60.33]) by cam-mailer1.bbn.com (8.8.8+Sun/8.8.8) with ESMTP id WAA10214; Wed, 19 Jul 2000 22:05:57 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04220805b59ba46288fc@[128.33.238.44]> In-Reply-To: <3D1CC63B9E24D211B48B000000004C0B0388268E@chlmail.gecmc.ge.COM> References: <3D1CC63B9E24D211B48B000000004C0B0388268E@chlmail.gecmc.ge.COM> Date: Wed, 19 Jul 2000 14:32:12 -0400 To: "Golkin, Ken (CAP, CMC)" <Ken_Golkin@mortgage.ge.com> From: Stephen Kent <kent@bbn.com> Subject: RE: Signing what you don't understand Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Ken, >This discussion seems to be confusing two different uses for certificates >1) Authentication (I am who I say I am) >2) Signature (I signed a legally binding document) > >In the first case I showed my company issue picture ID (certificate) >to the guard at the door and he let me in the building this morning. Or, maybe you "signed in" as part of entering your workplace, .... <snip> Steve Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA01976 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 16:52:48 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id QAA08901 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 16:54:51 -0700 (PDT) Message-Id: <4.2.2.20000719163358.00ab5100@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 19 Jul 2000 17:02:40 -0700 To: ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: A Real Rationale for Dedicated Keys Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed The common rationale given for maintaining distinct keys for distinct usages is to distinguish the "legal binding signature" from "no intent but saw it" authentication or message tamperproofing. As I've argued in the "Signing what you don't understand" thread, I see no way to prevent the key-owner from having a key "multiply certified" as a ploy to escape the "clutches" of NR in legal signature. (Hence, legal or NR usage should invoke a more involved protocol.) My point being, the key-owner is the primary point of control in enforcing a "one-key, one-cert" personal regime. However, there is a strong rationale where the key-owner is self-motivated in maintaining a strict separation of keys and usages (even as it applies to the legal vs authentication usage.) This is the Privacy Motivation. If I "multiply-certify" a "legal signature" key (with its implication of linkages to detailed personal identifying information) as either a lightweight "someone@address" key, or worse, as a blinded voting key, then I risk the very real possibility that my certificates can become aggregated according to the public key value, and used to violate the anonymity expected of the latter uses. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA01030 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 16:08:12 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id QAA16829; Wed, 19 Jul 2000 16:08:23 -0700 (PDT) Message-Id: <4.2.2.20000719152618.00a9d500@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 19 Jul 2000 16:16:13 -0700 To: "P.J. Ponder" <ponder@freenet.tlh.fl.us>, Ben Laurie <ben@algroup.co.uk> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: Signing what you don't understand Cc: Eric Murray <ericm@lne.com>, ietf-pkix@imc.org In-Reply-To: <Pine.OSF.4.21.0007191827450.5222-100000@fn3.freenet.tlh.fl .us> References: <3975731E.18D967A5@algroup.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 06:32 PM 7/19/00 -0400, P.J. Ponder wrote: >The Internet Security Glossary (RFC2828) > >ftp://ftp.isi.edu/in-notes/rfc2828.txt > >does a pretty good job distinguishing between 'digital signature' and >'electronic signature'. Maybe those definitions are adequate for this >discussion. (I was also under the impression that the Glossary itself was >a product of this workgroup...) > >On Wed, 19 Jul 2000, Ben Laurie wrote: > > > Eric Murray wrote: > > > > > > Since "digital signing" is used all the time in the crypto sense, I'd > > > like to propose that when talking about the second kind of digital > > > signatures, they be called "digital signature of documents". > > > > How about "legally binding digital signature". That certainly says what > > people want it to mean unambiguously. Since most "digital" signatures are "electronic" in implementation, I find the term "electronic signature" equally confusing, in that it does not (automatically) imply the burden of legal binding in the minds of most people. "Legal" or "Legally Binding" is far clearer. In any case, while it is facile to establish an agreed terminology, it serves only to sharpen the discussion of the issue at hand. Given that (electronic, legal) signatures will likely be founded upon the cryptographic "digital signature" operation, how best to distinguish the "DigSig" intent, to the protection of all parties concerned? So far, I have heard: 1. Dedicated Key (implies one-key <--> one cert, and use NR-bit disambiguation) 2. Common Key + "signature over intended certificate" (implies one-key <--> many certs, and use NR-bit disambiguation) 3. Common Key + "look at the content" (implies "who needs the NR-bit") Given that a public key must be assumed "public", I don't see any way to enforce the one-to-one condition in the "Dedicated Key" option (1). I think (2) is a minimum. If something is digitally signed, and the "signed content" does not include a certificate indicating the the "level of intensity" with which "someone" (the CA) attested to the strength of the DN/truePerson association, I would argue that a relying party will (should) be disadvantaged in court. Such a key should be safe for "non-binding" authentication usage, since additional "weaker certification" of the key does not in itself weaken the stronger DN/truePerson binding. (NOTE: such non-binding authentication usage can be argued to encourage deployment of the secret key in relatively unsecured environments, and this IS a problem. However, (to my knowledge) the CA generally is not certifying the manner in which the subscriber protects the key, so I cannot see how it becomes an issue for them.) ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from fn3.freenet.tlh.fl.us (fn3.tfn.net [150.176.31.250]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA23612 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 15:07:18 -0700 (PDT) Received: from localhost (ponder@localhost) by fn3.freenet.tlh.fl.us (8.8.8/8.6.9) with ESMTP id SAA03701; Wed, 19 Jul 2000 18:32:34 -0400 (EDT) Date: Wed, 19 Jul 2000 18:32:34 -0400 (EDT) From: "P.J. Ponder" <ponder@freenet.tlh.fl.us> To: Ben Laurie <ben@algroup.co.uk> cc: Eric Murray <ericm@lne.com>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand In-Reply-To: <3975731E.18D967A5@algroup.co.uk> Message-ID: <Pine.OSF.4.21.0007191827450.5222-100000@fn3.freenet.tlh.fl.us> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII The Internet Security Glossary (RFC2828) ftp://ftp.isi.edu/in-notes/rfc2828.txt does a pretty good job distinguishing between 'digital signature' and 'electronic signature'. Maybe those definitions are adequate for this discussion. (I was also under the impression that the Glossary itself was a product of this workgroup...) On Wed, 19 Jul 2000, Ben Laurie wrote: > Eric Murray wrote: > > Digital signing in the human/legal means signing something different. > > It always means "signing" something that makes sense to a human. It might > > mean using the crypto definition of "digital signing" to do it, or (under > > the new US "digital signing" bill) it might mean clicking on a OK button > > somewhere near the document. This kind of digital signature > > makes sense in a non-repudiation context- it's whole purpose is about NR. > > > > Since "digital signing" is used all the time in the crypto sense, I'd > > like to propose that when talking about the second kind of digital > > signatures, they be called "digital signature of documents". > > How about "legally binding digital signature". That certainly says what > people want it to mean unambiguously. > > Cheers, > > Ben. > > -- > http://www.apache-ssl.org/ben.html > > Coming to ApacheCon Europe 2000? http://apachecon.com/ > Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA21901 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 13:22:10 -0700 (PDT) Received: from mega (t1o69p42.telia.com [62.20.144.42]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id WAA01551; Wed, 19 Jul 2000 22:24:38 +0200 (CEST) Message-ID: <003901bff1c7$9e2e3ec0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Stefan Kelm" <kelm@secorvo.de>, "Ben Laurie" <ben@algroup.co.uk> Cc: <ietf-pkix@imc.org> Subject: Value of smart cards. Re: Signing what you don't understand Date: Wed, 19 Jul 2000 23:23:40 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id NAA21902 Ben+Stefan > Woah! Smartcard salesman detected... what about, say, a Palm, or a > Psion? These have an advantage over smartcards, too, in that they have > UIs. Smartcards are a technology whose time never really arrived, and is > rapidly passing. IMO. The discrete credit-sized smart card is probably not going to take over the world as you say. But the SIM/WIM card will. Actually 300 million *existing* customers can't be wrong! It provides a cheap tamper-resistant storage and crypto-processor that *will* also be a part of PDAs when they are "connected". It is the ability to insert a subscription into a mobile phone and PDA that is the driving factor now. Later it will be PKI. http://www.mobilephones-tng.com/papers/thenewswissarmyknife.html But Ericsson apparently believe in smart credit-cards as they have introduced this 100% loser-product: http://www.ericsson.se/wirelesswallet/How.htm >Regarding PDAs I recommend the following research paper and the >web site mentioned on the following URL: >"Hand-Held Computers Can Be Better Smart Cards" >Dirk Balfanz, Ed Felten. Proceedings of USENIX Security '99, August, 1999. >http://www.cs.princeton.edu/sip/pub/pilotkey.php3 Nice article. See comment regarding PDAs Anders Received: from rom.antech.de (dns.antech.de [194.45.12.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA20142 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 11:55:26 -0700 (PDT) Received: from scherbius.secorvo.de (scherbius.secorvo.de [194.45.12.219]) by rom.antech.de (8.9.3/8.9.3) with ESMTP id UAA21622; Wed, 19 Jul 2000 20:40:42 +0200 Message-Id: <200007191840.UAA21622@rom.antech.de> From: "Stefan Kelm" <kelm@secorvo.de> Organization: Secorvo Security Consulting GmbH To: Ben Laurie <ben@algroup.co.uk> Date: Wed, 19 Jul 2000 20:56:17 +0200 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Signing what you don't understand CC: ietf-pkix@imc.org Priority: normal In-reply-to: <3975EAFC.9E03C4FC@algroup.co.uk> X-mailer: Pegasus Mail for Win32 (v3.12b) > Woah! Smartcard salesman detected... what about, say, a Palm, or a > Psion? These have an advantage over smartcards, too, in that they have > UIs. Smartcards are a technology whose time never really arrived, and is > rapidly passing. IMO. Regarding PDAs I recommend the following research paper and the web site mentioned on the following URL: "Hand-Held Computers Can Be Better Smart Cards" Dirk Balfanz, Ed Felten. Proceedings of USENIX Security '99, August, 1999. http://www.cs.princeton.edu/sip/pub/pilotkey.php3 Cheers, Stefan. -------------------------------------------------------- PKI-Symposium, 10.-11.Oktober 2000, www.pki-symposium.de -------------------------------------------------------- Dipl.-Inform. Stefan Kelm Security Consultant Secorvo Security Consulting GmbH Albert-Nestler-Strasse 9, D-76131 Karlsruhe Tel. +49 721 6105-461, Fax +49 721 6105-455 E-Mail kelm@secorvo.de, http://www.secorvo.de ------------------------------------------------------- PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B Received: from nxs_vyr_dns.sie.cl ([206.48.156.90]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA19862 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 11:50:18 -0700 (PDT) Received: from acepta.com ([192.168.4.178]) by nxs_vyr_dns.sie.cl (8.9.3/8.9.3) with ESMTP id KAA06950; Wed, 19 Jul 2000 10:57:50 -0400 Message-ID: <3975F86A.B236CB64@acepta.com> Date: Wed, 19 Jul 2000 14:50:18 -0400 From: "Juan Carlos Perez A." <juancarlos.perez@acepta.com> Organization: Acepta.com X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I) X-Accept-Language: en MIME-Version: 1.0 To: Jean Abraham <jean.med@arabtrust.com> CC: ietf-pkix@imc.org Subject: Re: References: <LPBBLAPIGLOAGIHKOOGDEENNCBAA.jean.med@arabtrust.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit I think that is ASN.1 Juan Carlos Pérez A. Acepta.com CHILE Jean Abraham wrote: > Hello, > > Can anyone tell me what language is the below written in? > > CBCParameter ::= IV > > FBParameter ::= SEQUENCE { > iv IV, > numberOfBits NumberO > ........... > ......... > Thanks > > Best Regards > > Jean Abraham > Key Manager > Arabtrust > Tel: +965 - 5629645/721/827 Ext: 408 > Fax: +965 - 5662164 > jean.med@arabtrust.com Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id LAA18991 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 11:09:53 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id TAA11336; Wed, 19 Jul 2000 19:11:14 +0100 Message-ID: <3975EBD0.EFF2F12D@algroup.co.uk> Date: Wed, 19 Jul 2000 18:56:32 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Jean Abraham <jean.med@arabtrust.com> CC: Paul Koning <pkoning@xedia.com>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <LPBBLAPIGLOAGIHKOOGDCEONCBAA.jean.med@arabtrust.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Jean Abraham wrote: > > Paul, > > Private keys are also embeded in the browser as well as on a Luna Token. > > MD5 or hash.... are algorithms that generate the public key and private key > and also used for encryption purposes. Errr ... no they aren't. > Now if a application has to be > subverted it can only be done with the operators knowledge or the creator of > the application. Regarding the virus, a virus cannot attack a private key. > The virus creator needs to know the algorithm of the private key or the > public key which will enable the virus to act. Which is public knowledge. > Which is why any CA that > generates end-user certificates are generated or created with utmost > security in mind. CAs do not generate private keys, except their own. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id LAA18699 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 11:04:00 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id TAA11316; Wed, 19 Jul 2000 19:09:18 +0100 Message-ID: <3975EB5C.A2BA2506@algroup.co.uk> Date: Wed, 19 Jul 2000 18:54:36 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: "Heimberg, Jim" <Jim.Heimberg@GD-CS.COM> CC: "'Tony Bartoletti'" <azb@llnl.gov>, Mitchell Arnone <mitchell.arnone@b2bcommunications.com>, "Golkin Ken (CAP CMC)" <Ken_Golkin@mortgage.ge.com>, "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <2575327B6755D211A0E100805F9FF954050804F3@ndhmex02.ndhm.gsc.gte.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit "Heimberg, Jim" wrote: > > A convincing argument for hardware tokens and biometrics if ever I heard > one. A convincing argument against biometrics is that they can't be revoked and they encourage people to steal parts of my body, which I'd really rather they didn't. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id KAA18307 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 10:50:43 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id TAA11312; Wed, 19 Jul 2000 19:07:42 +0100 Message-ID: <3975EAFC.9E03C4FC@algroup.co.uk> Date: Wed, 19 Jul 2000 18:53:00 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Paul Koning <pkoning@xedia.com> CC: jean.med@arabtrust.com, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <14709.44186.650038.290537@xedia.com> <LPBBLAPIGLOAGIHKOOGDKEOLCBAA.jean.med@arabtrust.com> <14709.45766.150139.121650@xedia.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Paul Koning wrote: > > >>>>> "Jean" == Jean Abraham <jean.med@arabtrust.com> writes: > > Jean> Digital signatures generation or creation is not based on the > Jean> O/S of a particular PC but on the software that is used to > Jean> generate it. The most important apsect in a digital > Jean> certificate(which is used to create a digital signature - end > Jean> user) is that the private key is always with the owner and > Jean> never in transist. > > You're entirely missing the issue that started this long string of > notes. > > First of all, the private key is "always with the owner" *only* if you > have a smartcard with embedded PKI engine. Those exist but there > certainly are plenty of PK signing scenarios where they are not used. Woah! Smartcard salesman detected... what about, say, a Palm, or a Psion? These have an advantage over smartcards, too, in that they have UIs. Smartcards are a technology whose time never really arrived, and is rapidly passing. IMO. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from btw.plaintalk.bellevue.wa.us (btw-xl1.plaintalk.bellevue.wa.us [206.129.5.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA14889 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 09:24:08 -0700 (PDT) Received: from software-munitions.com (fwiw.plaintalk.bellevue.wa.us [206.129.5.157]) by btw.plaintalk.bellevue.wa.us (8.10.2/8.10.2) with ESMTP id e6JGQ0C39092; Wed, 19 Jul 2000 09:26:00 -0700 (PDT) Message-ID: <3975D698.3E907152@software-munitions.com> Date: Wed, 19 Jul 2000 09:26:00 -0700 From: Dennis Glatting <dennis.glatting@software-munitions.com> X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Jean Abraham <jean.med@arabtrust.com> CC: Paul Koning <pkoning@xedia.com>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <LPBBLAPIGLOAGIHKOOGDCEONCBAA.jean.med@arabtrust.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Jean Abraham wrote: > > Paul, > > Private keys are also embeded in the browser as well as on a Luna Token. > > MD5 or hash.... are algorithms that generate the public key and private key > and also used for encryption purposes. Now if a application has to be > subverted it can only be done with the operators knowledge or the creator of > the application. Regarding the virus, a virus cannot attack a private key. > The virus creator needs to know the algorithm of the private key or the > public key which will enable the virus to act. Which is why any CA that > generates end-user certificates are generated or created with utmost > security in mind. > This is not true. Public and private keys are often stored in well known places. All a virus needs to do is copy those files and send them to a remote source. There are plenty of examples of viruses doing this. On Microsoft OS platforms unauthenticated ActiveX controls can be executed and a virus can execute simply by being received (http://www.sans.org/newlook/resources/win_flaw.htm). If one is stupid enough to publicly share on the Internet part of drive where the keys are located then the keys can be remotly copied (e.g., http://www.latimes.com/business/updates/lat_scour000714.htm), attacked, and exploited. Regarding my previous message about PKI risks, the paper by Schneier and Ellison is reasonably current and forceful; however, there are others. I remember seeing a paper by Don Davis dated 1996 (I believe) saying similar things (sorry, my memory is foggy and I lost the URL). > I hope that clears everything > > Jean > > -----Original Message----- > From: Paul Koning [mailto:pkoning@xedia.com] > Sent: Wednesday, July 19, 2000 4:53 PM > To: jean.med@arabtrust.com > Cc: ietf-pkix@imc.org > Subject: RE: Signing what you don't understand > > >>>>> "Jean" == Jean Abraham <jean.med@arabtrust.com> writes: > > Jean> Digital signatures generation or creation is not based on the > Jean> O/S of a particular PC but on the software that is used to > Jean> generate it. The most important apsect in a digital > Jean> certificate(which is used to create a digital signature - end > Jean> user) is that the private key is always with the owner and > Jean> never in transist. > > You're entirely missing the issue that started this long string of > notes. > > First of all, the private key is "always with the owner" *only* if you > have a smartcard with embedded PKI engine. Those exist but there > certainly are plenty of PK signing scenarios where they are not used. > > Second, and this is what started things, the data being signed (hash > or whatever) are supplied to the signing engine by application > software. If the application is subverted (easy to do with a number > of very popular applications) OR the underlying OS is subverted, an > attacker can supply different data to be signed from what you thought > you were signing. > > So the OS is absolutely part of the puzzle; it is not sufficient to > consider only "the software that is used to generate [the > signature]". The application may well be the weakest link, of course; > certainly in a number of well-known cases the application is indeed > the open barn door through which the viruses enter. But it is by no > means the only possible barn door. > > paul -- Dennis Glatting Copyright (c) 2000 Software Munitions Received: from btw.plaintalk.bellevue.wa.us (btw-xl1.plaintalk.bellevue.wa.us [206.129.5.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA14068 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 08:56:06 -0700 (PDT) Received: from software-munitions.com (fwiw.plaintalk.bellevue.wa.us [206.129.5.157]) by btw.plaintalk.bellevue.wa.us (8.10.2/8.10.2) with ESMTP id e6JFvtC38795; Wed, 19 Jul 2000 08:57:55 -0700 (PDT) Message-ID: <3975D003.A407FFEA@software-munitions.com> Date: Wed, 19 Jul 2000 08:57:55 -0700 From: Dennis Glatting <dennis.glatting@software-munitions.com> X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Paul Koning <pkoning@xedia.com> CC: jean.med@arabtrust.com, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <14709.44186.650038.290537@xedia.com> <LPBBLAPIGLOAGIHKOOGDKEOLCBAA.jean.med@arabtrust.com> <14709.45766.150139.121650@xedia.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Paul Koning wrote: > > >>>>> "Jean" == Jean Abraham <jean.med@arabtrust.com> writes: > > Jean> Digital signatures generation or creation is not based on the > Jean> O/S of a particular PC but on the software that is used to > Jean> generate it. The most important apsect in a digital > Jean> certificate(which is used to create a digital signature - end > Jean> user) is that the private key is always with the owner and > Jean> never in transist. > I came into this conversation late so I apologize if this has been mentioned before. The following URL is an interesting read on this topic, in particular Risk #2. http://www.counterpane.com/pki-risks.html Received: from btw.plaintalk.bellevue.wa.us (btw-xl1.plaintalk.bellevue.wa.us [206.129.5.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA13679 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 08:47:23 -0700 (PDT) Received: from software-munitions.com (fwiw.plaintalk.bellevue.wa.us [206.129.5.157]) by btw.plaintalk.bellevue.wa.us (8.10.2/8.10.2) with ESMTP id e6JFnCC38699; Wed, 19 Jul 2000 08:49:13 -0700 (PDT) Message-ID: <3975CDF8.B743D354@software-munitions.com> Date: Wed, 19 Jul 2000 08:49:12 -0700 From: Dennis Glatting <dennis.glatting@software-munitions.com> X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Paul Koning <pkoning@xedia.com> CC: jean.med@arabtrust.com, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <2575327B6755D211A0E100805F9FF954050804EF@ndhmex02.ndhm.gsc.gte.com> <LPBBLAPIGLOAGIHKOOGDAEOGCBAA.jean.med@arabtrust.com> <14709.44186.650038.290537@xedia.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Paul Koning wrote: > [snip] > So long as security remains a non-goal of such operating systems, > digital signatures produduced by such systems will not offer any > meaningful guarantees of any kind. > And anything derived from biometrics on said operating system. Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA07330 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 07:45:32 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <PHL2GNKA>; Wed, 19 Jul 2000 10:47:32 -0400 Message-ID: <ED026032A3FCD211AEDA00105A9C469601E043D9@sothmxs05.entrust.com> From: Carlisle Adams <carlisle.adams@entrust.com> To: "'FRousseau@chrysalis-its.com'" <FRousseau@chrysalis-its.com> Cc: ietf-pkix@imc.org, stephen.farrell@baltimore.ie Subject: RE: Re: CRMF encValue Field Date: Wed, 19 Jul 2000 10:45:56 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain Hi Francois, > ---------- > From: > FRousseau@chrysalis-its.com[SMTP:FRousseau@chrysalis-its.com] > Sent: Tuesday, July 18, 2000 9:37 AM > To: carlisle.adams@entrust.com > Cc: ietf-pkix@imc.org; stephen.farrell@baltimore.ie > Subject: RE: Re: CRMF encValue Field > > Hi Carlisle, > > I accept your responses, but I have an extra comment. According to ANSI > X9.42, the Diffie-Hellman algorithm OID listed in an Appendix B2 of > RFC2510bis represents the algorithm OID for a Diffie-Hellman public key, > however the algorithm OID in the PrivateKeyInfo as mentioned in PKCS#11 > identifies the "private key" algorithm OID. Note that Appendix A3 of ANSI > X9.42 indicates that: > > "the syntax and encoding of private keys is considered to be > implementation dependent and beyond the scope of this standard. It may, > however, be useful for specific implementations or derivative standards to > define a number type identified by dh-private-key to encode private keys". > > Shouldn't the algorithm OID for an ANSI X9.42 Diffie-Hellman private key > be added to Appendix B2 for this case? Technically, you are correct and this is a valid observation. However, my feeling is that we do not need to go to the trouble of getting another OID for this. If the protocol message included a generic blob then, by all means, we would need some sort of indicator (i.e., an OID) to say whether the blob contained a wrapped D-H public key or a wrapped D-H private key. This is not the situation here. We've got a container whose explicit purpose is to carry a wrapped private key; all we need to do is indicate whether it is a private key for the RSA algorithm, the D-H algorithm, the DSA algorithm, etc.. Therefore, in this context, the AlgId specifies a particular public-key *algorithm* (as opposed to a particular public key), and it is clear from the syntax that what is wrapped is a private key that pertains to this algorithm. Perhaps this stretches the exact wording of PKCS #11 and X9.42 slightly, but I really think there's no possibility of any confusion here, so a new OID is unnecessary. Let me know if you disagree. By the way, thank you, as always, for your careful reading. You continue to be very helpful in making sure that various specifications are as clear and precise as possible. Carlisle. Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA06009 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 07:02:09 -0700 (PDT) Received: from jean [195.39.153.104] by mail.arabtrust.com (SMTPD32-6.00) id A5F7274500A6; Wed, 19 Jul 2000 10:06:47 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: "Paul Koning" <pkoning@xedia.com> Cc: <ietf-pkix@imc.org> Subject: RE: Signing what you don't understand Date: Wed, 19 Jul 2000 17:03:06 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDCEONCBAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <14709.45766.150139.121650@xedia.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Paul, Private keys are also embeded in the browser as well as on a Luna Token. MD5 or hash.... are algorithms that generate the public key and private key and also used for encryption purposes. Now if a application has to be subverted it can only be done with the operators knowledge or the creator of the application. Regarding the virus, a virus cannot attack a private key. The virus creator needs to know the algorithm of the private key or the public key which will enable the virus to act. Which is why any CA that generates end-user certificates are generated or created with utmost security in mind. I hope that clears everything Jean -----Original Message----- From: Paul Koning [mailto:pkoning@xedia.com] Sent: Wednesday, July 19, 2000 4:53 PM To: jean.med@arabtrust.com Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand >>>>> "Jean" == Jean Abraham <jean.med@arabtrust.com> writes: Jean> Digital signatures generation or creation is not based on the Jean> O/S of a particular PC but on the software that is used to Jean> generate it. The most important apsect in a digital Jean> certificate(which is used to create a digital signature - end Jean> user) is that the private key is always with the owner and Jean> never in transist. You're entirely missing the issue that started this long string of notes. First of all, the private key is "always with the owner" *only* if you have a smartcard with embedded PKI engine. Those exist but there certainly are plenty of PK signing scenarios where they are not used. Second, and this is what started things, the data being signed (hash or whatever) are supplied to the signing engine by application software. If the application is subverted (easy to do with a number of very popular applications) OR the underlying OS is subverted, an attacker can supply different data to be signed from what you thought you were signing. So the OS is absolutely part of the puzzle; it is not sufficient to consider only "the software that is used to generate [the signature]". The application may well be the weakest link, of course; certainly in a number of well-known cases the application is indeed the open barn door through which the viruses enter. But it is by no means the only possible barn door. paul Received: from dfw7-1.relay.mail.uu.net (dfw7-1.relay.mail.uu.net [199.171.54.106]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA05090 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 06:50:41 -0700 (PDT) Received: from xedia.com by dfw7sosrv11.alter.net with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQiynf00686; Wed, 19 Jul 2000 13:53:11 GMT Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA02752; Wed, 19 Jul 00 09:49:17 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id JAA14678; Wed, 19 Jul 2000 09:53:10 -0400 From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <14709.45766.150139.121650@xedia.com> Date: Wed, 19 Jul 2000 09:53:10 -0400 (EDT) To: jean.med@arabtrust.com Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand References: <14709.44186.650038.290537@xedia.com> <LPBBLAPIGLOAGIHKOOGDKEOLCBAA.jean.med@arabtrust.com> X-Mailer: VM 6.72 under 21.1 (patch 9) "Canyonlands" XEmacs Lucid >>>>> "Jean" == Jean Abraham <jean.med@arabtrust.com> writes: Jean> Digital signatures generation or creation is not based on the Jean> O/S of a particular PC but on the software that is used to Jean> generate it. The most important apsect in a digital Jean> certificate(which is used to create a digital signature - end Jean> user) is that the private key is always with the owner and Jean> never in transist. You're entirely missing the issue that started this long string of notes. First of all, the private key is "always with the owner" *only* if you have a smartcard with embedded PKI engine. Those exist but there certainly are plenty of PK signing scenarios where they are not used. Second, and this is what started things, the data being signed (hash or whatever) are supplied to the signing engine by application software. If the application is subverted (easy to do with a number of very popular applications) OR the underlying OS is subverted, an attacker can supply different data to be signed from what you thought you were signing. So the OS is absolutely part of the puzzle; it is not sufficient to consider only "the software that is used to generate [the signature]". The application may well be the weakest link, of course; certainly in a number of well-known cases the application is indeed the open barn door through which the viruses enter. But it is by no means the only possible barn door. paul Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA04433 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 06:31:31 -0700 (PDT) Received: from jean [195.39.153.104] by mail.arabtrust.com (SMTPD32-6.00) id AEC12C18003E; Wed, 19 Jul 2000 09:36:01 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: "Paul Koning" <pkoning@xedia.com> Cc: <ietf-pkix@imc.org> Subject: RE: Signing what you don't understand Date: Wed, 19 Jul 2000 16:32:20 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDKEOLCBAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <14709.44186.650038.290537@xedia.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Digital signatures generation or creation is not based on the O/S of a particular PC but on the software that is used to generate it. The most important apsect in a digital certificate(which is used to create a digital signature - end user) is that the private key is always with the owner and never in transist. And the private key of the CA that signs the end-user certs are NEVER in transist, therefore the authenticity of the certificate is good and compromise of the end-user certificate ia void only from the PC it would be installed on. Jean -----Original Message----- From: Paul Koning [mailto:pkoning@xedia.com] Sent: Wednesday, July 19, 2000 4:27 PM To: jean.med@arabtrust.com Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand >>>>> "Jean" == Jean Abraham <jean.med@arabtrust.com> writes: Jean> Hi, There is a difference actually, Jean> When you sign the fedex package the person taking your Jean> signature doesnot know if its who you say you are. But in the Jean> case of a digital certificate only you can sign a email and Jean> from YOUR OWN computer which YOU ONLY have access for. If the computer is a PC running the most popular PC operating systems, that statement is extremely optimistic at best. So long as security remains a non-goal of such operating systems, digital signatures produduced by such systems will not offer any meaningful guarantees of any kind. paul Received: from dfw7-1.relay.mail.uu.net (dfw7-1.relay.mail.uu.net [199.171.54.106]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA03860 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 06:24:22 -0700 (PDT) Received: from xedia.com by dfw7sosrv11.alter.net with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQiynd29706; Wed, 19 Jul 2000 13:26:52 GMT Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA02385; Wed, 19 Jul 00 09:22:57 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id JAA14657; Wed, 19 Jul 2000 09:26:50 -0400 From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <14709.44186.650038.290537@xedia.com> Date: Wed, 19 Jul 2000 09:26:50 -0400 (EDT) To: jean.med@arabtrust.com Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand References: <2575327B6755D211A0E100805F9FF954050804EF@ndhmex02.ndhm.gsc.gte.com> <LPBBLAPIGLOAGIHKOOGDAEOGCBAA.jean.med@arabtrust.com> X-Mailer: VM 6.72 under 21.1 (patch 9) "Canyonlands" XEmacs Lucid >>>>> "Jean" == Jean Abraham <jean.med@arabtrust.com> writes: Jean> Hi, There is a difference actually, Jean> When you sign the fedex package the person taking your Jean> signature doesnot know if its who you say you are. But in the Jean> case of a digital certificate only you can sign a email and Jean> from YOUR OWN computer which YOU ONLY have access for. If the computer is a PC running the most popular PC operating systems, that statement is extremely optimistic at best. So long as security remains a non-goal of such operating systems, digital signatures produduced by such systems will not offer any meaningful guarantees of any kind. paul Received: from isis.wu-wien.ac.at (isis.wu-wien.ac.at [137.208.3.42]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA00274 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 05:07:52 -0700 (PDT) Received: from gourmet.wu-wien.ac.at (mfritsch@gourmet.wu-wien.ac.at [137.208.224.124]) by isis.wu-wien.ac.at (8.8.7/8.8.7) with SMTP id OAA24978emf Michael.Fritscher@wu-wien.ac.at; Wed, 19 Jul 2000 14:09:57 +0200 From: Michael Fritscher <Michael.Fritscher@wu-wien.ac.at> Reply-To: Michael.Fritscher@wu-wien.ac.at Organization: WU Wien To: Ben Laurie <ben@algroup.co.uk>, Eric Murray <ericm@lne.com> Subject: Re: Signing what you don't understand Date: Wed, 19 Jul 2000 13:42:04 +0200 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain Cc: ietf-pkix@imc.org References: <3D1CC63B9E24D211B48B000000004C0B0388268E@chlmail.gecmc.ge.COM> <20000718184719.B17726@slack.lne.com> <3975731E.18D967A5@algroup.co.uk> In-Reply-To: <3975731E.18D967A5@algroup.co.uk> MIME-Version: 1.0 Message-Id: <00071914094600.18243@gourmet.wu-wien.ac.at> Content-Transfer-Encoding: 8bit On Wed, 19 Jul 2000, Ben Laurie wrote: > Eric Murray wrote: > > Digital signing in the human/legal means signing something different. > > It always means "signing" something that makes sense to a human. It might > > mean using the crypto definition of "digital signing" to do it, or (under > > the new US "digital signing" bill) it might mean clicking on a OK button > > somewhere near the document. This kind of digital signature > > makes sense in a non-repudiation context- it's whole purpose is about NR. > > > > Since "digital signing" is used all the time in the crypto sense, I'd > > like to propose that when talking about the second kind of digital > > signatures, they be called "digital signature of documents". > > How about "legally binding digital signature". That certainly says what > people want it to mean unambiguously. > An other way of distinguishing between those two meanings of "digital signature" seems to me the use of the terms "electronic signature" and "digital signature" ETSI uses in its standard on Electronic Signature Formats (ETSI ES 201 733) and some others, too. As far as I understood, * "digital signature" is used for the "data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (taken from ISO 7498-2)" -> i.e. the technical part * whereas "electronic signature" is used for the electronic analogy to "real-life" signatures with the adequate legal consequences including the signature policy, the signed user data, the digital signature and "other signed attributes provided by the signer" (see ch. 4.2 of ETSI ES 201 733 V1.1.3) -> the legal/human mean Cheers, Michael Fritscher -- ------------------------------------------------------------ | Michael Fritscher Michael.Fritscher@wu-wien.ac.at | Department of Information Systems, New Media | Vienna University of Economics and Business Administration | http://wwwi.wu-wien.ac.at/people/Fritscher.html | "A computer without windows NT is like a fish without a | bicycle." ------------------------------------------------------------ Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id CAA13432 for <ietf-pkix@imc.org>; Wed, 19 Jul 2000 02:19:27 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id KAA07180; Wed, 19 Jul 2000 10:36:09 +0100 Message-ID: <3975731E.18D967A5@algroup.co.uk> Date: Wed, 19 Jul 2000 10:21:34 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Eric Murray <ericm@lne.com> CC: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <3D1CC63B9E24D211B48B000000004C0B0388268E@chlmail.gecmc.ge.COM> <39747F0E.773BF26E@b2bcommunications.com> <kj4s5nwg1g.fsf@romeo.rtfm.com> <20000718184719.B17726@slack.lne.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Eric Murray wrote: > Digital signing in the human/legal means signing something different. > It always means "signing" something that makes sense to a human. It might > mean using the crypto definition of "digital signing" to do it, or (under > the new US "digital signing" bill) it might mean clicking on a OK button > somewhere near the document. This kind of digital signature > makes sense in a non-repudiation context- it's whole purpose is about NR. > > Since "digital signing" is used all the time in the crypto sense, I'd > like to propose that when talking about the second kind of digital > signatures, they be called "digital signature of documents". How about "legally binding digital signature". That certainly says what people want it to mean unambiguously. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id XAA07679 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 23:38:20 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id XAA02725; Tue, 18 Jul 2000 23:47:33 +0100 Message-ID: <3974DB23.B4977658@algroup.co.uk> Date: Tue, 18 Jul 2000 23:33:07 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Terry Hayes <thayes@netscape.com> CC: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <C7006C79F23FD411AFCC00E018C353B4025916@exchange.gadens.com.au> <3974844A.DB80A88D@algroup.co.uk> <39748C7D.5BC00F14@netscape.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Terry Hayes wrote: > > Ben Laurie wrote: > > > > I also do not agree with your position that the NR bit can signal any intent > > > either way. With respect, intent is ascertained at the time of signing. A > > > certificate has nothing what so ever to do with signing. Its primary > > > purpose is to identify a public key that corresponds to a private key that > > > may be held by some previously identified person or entity. The public key > > > is used to verify a digital signature that has supposedly been created using > > > the corresponding private key. That is it as far as I understand it unless > > > there is some other primary purpose that I do not know. I do not see the > > > relationship between digitally signing a document and the contents of a > > > certificate. Verification of the signature at some later time is a different > > > issue which may involve the use of a certificate but this may not be so. > > > > The relationship is that the creator of the certificate has stated what > > he intends the use of the signature to be. So, if the NR bit is not set, > > the owner of the private key has effectively stated that they do not > > expect the key to be used for NR! > > This is the root of the problem (in my opinion). While you say that the owner of > the private key has stated what they want the key to be used for, in fact the > "creator" of the certificate is the CA, not the end entity. This level of > indirection is very troubling for some. It allows additional certificates to be > created (possibly by untrustworthy CA) that cloud the meaning of the signature. Since a certificate is comprised of public information signed by a CA, clearly a CA can create a certificate saying more-or-less what they want. I suppose this is an argument for having certificates that are dual-signed (by the CA and the public key the contain). > In my opinion, it is best to put a clear statement of the intended purpose of the > signature in the signature itself. A simple policy (or application) OID included > in the authenticated attributes would do the trick. Failing that, the fingerprint > of the certificate itself should be included (as is proposed elsewhere), and the > application should check that the proper extensions are included in that > certificate prior to signing. Or the relying application could check. Keep heading in this direction and you'll get SPKI (which would be no bad thing, IMO). Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA04593 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 22:42:39 -0700 (PDT) Received: from jean [195.39.160.111] by mail.arabtrust.com (SMTPD32-6.00) id A0E159A9011A; Wed, 19 Jul 2000 01:47:13 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: "Heimberg, Jim" <Jim.Heimberg@GD-CS.COM> Cc: <ietf-pkix@imc.org> Subject: RE: Signing what you don't understand Date: Wed, 19 Jul 2000 08:43:29 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDAEOGCBAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <2575327B6755D211A0E100805F9FF954050804EF@ndhmex02.ndhm.gsc.gte.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal Hi, There is a difference actually, When you sign the fedex package the person taking your signature doesnot know if its who you say you are. But in the case of a digital certificate only you can sign a email and from YOUR OWN computer which YOU ONLY have access for. Regarding the fooling of the CA, when a CA is created it is a trusted third party that creates it (trusted by the world). And if it is not a trusted third party then you have the option to accept or decline opening the email or trusting the email. Jean Key Manager Arabtrust Kuwait jean.med@arabtrust.com -----Original Message----- From: Heimberg, Jim [mailto:Jim.Heimberg@GD-CS.COM] Sent: Tuesday, July 18, 2000 9:44 PM To: 'Tony Bartoletti'; Mitchell Arnone; Golkin Ken (CAP CMC) Cc: 'Adrian McCullagh'; 'Stephen Kent'; ietf-pkix@imc.org Subject: RE: Signing what you don't understand Are we moving in the direction of the Twilight Zone. If you could fool the CA with a false driver's licence, why don't you just get the false ID, forge his checks, and raid his bank account? The signature is a mark that is either accepted as being valid or is forged. There is no difference with the digital signature. Your digital signature is not any better or any worse than your pen-and-ink signature. You decide when to use it. If you receive a FEDEX, you sign for receipt, right? If you receive an e-mail, what is different than signing to signify receipt? That signature does not do the same thing as if you were signing the $10M contract contained in the FEDEX package or the one contained in the e-mail. Where is the issue? Jim -----Original Message----- From: Tony Bartoletti [mailto:azb@llnl.gov] Sent: Tuesday, July 18, 2000 2:00 PM To: Mitchell Arnone; Golkin Ken (CAP CMC) Cc: 'Adrian McCullagh'; 'Stephen Kent'; ietf-pkix@imc.org Subject: Re: Signing what you don't understand Ah, that life were really so simple ... :) At 12:00 PM 7/18/00 -0400, Mitchell Arnone wrote: >I have a hard time imagining use of digital signatures for anything >that does not require Non-repudiation. On one level, I can agree with this statement. One wants to say "What other purpose for applying an (assumably unforgeable) mark other than to have it be unforgeable?" And as I have argued long previously, the "math of it" gets you this much, regardless of the setting of key-usage bits or other implied intent. But that is really not saying very much. What (other than certification, to start with) attaches this disembodied signing-key to an "actor"? >As for authentication, digital signatures (which requires access to the >private key, Not a Digital Certificate) demonstrates proof positive that >"a person is who they say they are" and provides a means by which >unquestionable proof can be established that the owner of a given >certificate responded to a challenge and subsequently gained access to >some secure resource. This assertion WAY overstates the strength of the situation: If I can fool a CA (with fake driver's license, etc) into certifying my key-pair as "belongs to Mitchell Arnone of b2bcommunications.com", does my use of this key provide "proof positive" that I am who I say I am? Or equivalently, proof that the real Mitchell took action? And would it matter that, when invoking a signature, that I must use my personal passcode to unlock MY (presumably, your) signature key? To clear one's head, begin with the understanding that the application of (and verification of) a (mechanical) digital signature serves (effectively) as proof positive of three central facts: a. The "wielder of the signature" (person or process) indeed possessed the secret-key corresponding to the public key used in verification. b. Some "process" had access to both the secret-key, and the document (or the hash of the document.) c. The document (or hash) verified is exactly the document (or hash) that was mechanically signed. (No tampering took place.) Now, we would like "wielder of the signature" to have a more substantial form of identity. We attempt to create this "sense of substance" by the use of certificates. But there are clearly wide variances by which this certification may proceed, and from which assertions can flow. >In my mind, authentication and digital signatures are inseparable and we >would be better served to refrain from focusing on the granular differences. "Agree in Principle" ... however ... Contrast "signing important legal contract" with "signing receipt of email". The former should (likely) require an active and duly witnessed "live person", and a trusted display device that guarantees that what is signed is precisely no more and no less than what is being displayed, and further displays the particulars of the key-ownership certificate, to help ensure that the "witnesses" are not being fooled into attesting to my signing with your key. Expensive technology. The latter is a useful application of "digital signature mechanics" that I might employ to let people know that "their mail was delivered to the right address". I might configure my mailer to create such return receipts automatically, even while I am away. In such a case, is it True or False that the application is "signing without the knowledge of the owner of the certificate?" Depends upon perspective. Was there a sufficient "challenge"? Was it enough to effect that challenge (only) during my act of configuring my email-robot to employ the key? Should the act of configuring my email-robot require witnesses and the expensive secured display device described above? If such strong measures are unneeded for this application, how can one ensure the code or process is not subverted to effect signatures for contracts (or arguably so, to repudiate a former signature made with a stronger technology.) Alternatively, do you argue that "email return receipts" should remain "unsigned" by a technology so "strong"? ___tony___ >Mitchell Arnone >PKI Engineer > >"Golkin, Ken (CAP, CMC)" wrote: >> >> >>This discussion seems to be confusing two different uses for certificates >>1) Authentication (I am who I say I am) >>2) Signature (I signed a legally binding document) >> >>In the first case I showed my company issue picture ID (certificate) to >>the guard at the door and he let me in the building this morning. >> >>In the second case I stopped at the hardware store on the way home last >>night to buy a box of nails and some other things. At the check out I >>showed them my charge card (certificate) then signed the sales >>slip. Which legally obligated me to pay $24.86. >> >>The certificate policy (defined as: A named set of rules that indicates the >> applicability of a public key certificate to a particular >> community or class of application with common security >> requirements. For example, a particular certificate policy might >> indicate applicability of a type of public key certificate to the >> authentication of electronic data interchange transactions for >> the trading of goods within a given price range.) in X.509 PKiX >> roadmap makes it clear that all certificates are not created equal. >> >>The Canadian Government and United States Government PKI initiatives have >>defined multiple levels of assurance, and as far as I can tell, most >>business applications of PKI are following the government lead. >> >>If I'm loaning someone $250,000 to buy a house I obviously need a greater >>level of assurance that they are who they are (and their bank is who they >>say they are) then was required by the checkout at the hardware store or >>the guard at the entrance. >> >>-----Original Message----- >>From: Adrian McCullagh >>[<mailto:AMcCullagh@exchange.gadens.com.au>mailto:AMcCullagh@exchange.gade >>ns.com.au] >>Sent: Monday, July 17, 2000 11:08 PM >>To: 'Stephen Kent' >>Cc: ietf-pkix@imc.org >>Subject: RE: Signing what you don't understand >> >>Stephen, >> >>I do not want to get into an argument with you. Yes I am a lawyer but I >>also have a technical background so your suggestion otherwise, I thought was >>not moving the discussion forward. Admittedly, I do not possess the >>technical knowledge that you have. >> >>Your example is well put but is this really a digital signature or is it a >>set of bits (a mark) that has been affixed using the same technology known >>as digital signature technology. >> >>You mention the difference between the 2 intents. I would be surprised, if >>anyone (other than the technically minded) even knows that a challenge >>response is even being "signed". There is no intent at all in this case. It >>is the technology as designed that is effecting the response to the >>challenge. I am surprised that "you" sign authentication challenges, just >>for authentication purposes. Is it really a signature? Are you really >>signing the authentication challenge or is it the software on your machine >>effecting the response to the challenge? >> >>To me this is not a signature. It may use digital signature technology but >>it is not a signature. This is probably the problem. It is the use of the >>word "signature" which is a technical term but has been used by the PKI >>community to cover a myriad of uses. Some uses of the term by the PKI >>community are confusing. >> >>I also do not agree with your position that the NR bit can signal any intent >>either way. With respect, intent is ascertained at the time of signing. A >>certificate has nothing what so ever to do with signing. Its primary >>purpose is to identify a public key that corresponds to a private key that >>may be held by some previously identified person or entity. The public key >>is used to verify a digital signature that has supposedly been created using >>the corresponding private key. That is it as far as I understand it unless >>there is some other primary purpose that I do not know. I do not see the >>relationship between digitally signing a document and the contents of a >>certificate. Verification of the signature at some later time is a different >>issue which may involve the use of a certificate but this may not be so. >> >>Adrian McCullagh >>Director of Electronic Commerce Tel: 617 3231 1522 >>Gadens Lawyers Fax: 617 3229 5850 >>level 39 >>Central Plaza 1 >>345 Queen Street >>Brisbane Australia 4000 >> >>Ph. D. Candidate >>Thesis "The Incorporation of Trust Strategies in Digital Signature >>Regimes for Elec. Comm." >>Information Security Research Centre >>Queensland University of Technology >> >> >>-----Original Message----- >>From: Stephen Kent [<mailto:kent@bbn.com>mailto:kent@bbn.com] >>Sent: Tuesday, July 18, 2000 10:00 AM >>To: Adrian McCullagh >>Cc: ietf-pkix@imc.org >>Subject: RE: Signing what you don't understand >> >>At 12:50 PM +1000 7/15/00, Adrian McCullagh wrote: >> >Stephen >> > >> >I really do not understand your response. Why would anyone sign a >> document >> >that they do not understand. It does not make sense. If I sent you a >> >document written in Chinese and assume you can not read Chinese and at the >> >same time I said just sign this - Why would you sign it. Now if you >>trusted >> >me then you may sign it based upon the information about the document that >>I >> >tell you. A classic case for Non-est-factum. But all the cases that I >>have >> >read clearly rely upon some information provided by an Alleged trusted >>third >> >party. Usually some relative. So without some external information being >> >provided by a third party it is not as far as I can determine possible to >> >rely upon non est factum. >> >>Because we sign authentication challenges, just for authentication >>purposes, but not for NR purposes, it is prudent to distinguish >>between the two intents. Your comments seem to ignore this use of >>digital signature technology. One way of signalling intent is via the >>NR bit. Although it has been argued that having this bit set to True >>does not necessarily signal intent to sign for NR purposes, having it >>set to False certainly signals an intent to not be bound re NR. >> >>(Your use of Latin and your e-mail "signature" suggests a legal, but >>perhaps not a technical background. We've also decided, after much >>debate, that PKIX deals with technical aspects of NR, not legal >>details that may vary based upon jurisdiction.) >> >> >Also what does a "bit" in a certificate got to do with non-repudiation. >>The >> >commercial world and the law does not in my opinion support this position >>of >> >yours. You appear to be on a path to re-engineering the entire commercial >> >legal fabric and as such I with the greatest respect I do not believe >> that >> >society and the law will buy into it. With out the commercial involvement >> >PKI will not survive. >> >>The position is not just mine. Sorry of you don't understand, or >>merely don't agree with the use of the NR bit, or its name, but we >>had this debate a while ago and we're not having it again. >> >> > >> >I do not understand how - "what you are proposing" - will work in >> practical >> >terms. >> >>I'm not "proposing," but I am citing existing Internet and ITU >>standards and the applicability to the question at hand. >> >>Steve Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from slack.lne.com ([209.157.136.81]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA18596 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 18:45:22 -0700 (PDT) Received: (from ericm@localhost) by slack.lne.com (8.9.3/8.9.3) id SAA17850 for ietf-pkix@imc.org; Tue, 18 Jul 2000 18:47:20 -0700 Date: Tue, 18 Jul 2000 18:47:19 -0700 From: Eric Murray <ericm@lne.com> To: ietf-pkix@imc.org Subject: Re: Signing what you don't understand Message-ID: <20000718184719.B17726@slack.lne.com> References: <3D1CC63B9E24D211B48B000000004C0B0388268E@chlmail.gecmc.ge.COM> <39747F0E.773BF26E@b2bcommunications.com> <kj4s5nwg1g.fsf@romeo.rtfm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre3us In-Reply-To: <kj4s5nwg1g.fsf@romeo.rtfm.com> On Tue, Jul 18, 2000 at 09:37:31AM -0700, Eric Rescorla wrote: > "Mitchell Arnone" <mitchell.arnone@b2bcommunications.com> writes: > > > [1 <text/plain; us-ascii (7bit)>] > > I am sure I don't have the background in PKI as most of those > > contributing to this list but I would like to share some ideas: > > > > I have a hard time imagining use of digital signatures for anything that > > does not require Non-repudiation. > Then you're not imagining very hard. As previously noted, > digital signatures are used all the time in non non-repudiation > contexts. For instance, for verifying the authenticity of > keying material in IKE handshakes. Just to make it really clear (because it's obviously not clear to some people), there's "digital signing" in the human/legal sense, and "digital signing" in the crypto sense. Digital signing in crypto sense means applying an encryption function to a number and a private key, such that any holder of the public key that corresponds to the private key can decrypt the number. If that number is a hash of a document, then the party doing the verification can do their own hash and compare the values. (yea, I know there's other ways to do a signature, but this is the most common). You can also sign a nonce or keying material as part of a protocol to prove identity or to set up a secure channel. Repudiation of those things, especially the exchange of keying material, doesn't make sense. Digital signing in the human/legal means signing something different. It always means "signing" something that makes sense to a human. It might mean using the crypto definition of "digital signing" to do it, or (under the new US "digital signing" bill) it might mean clicking on a OK button somewhere near the document. This kind of digital signature makes sense in a non-repudiation context- it's whole purpose is about NR. Since "digital signing" is used all the time in the crypto sense, I'd like to propose that when talking about the second kind of digital signatures, they be called "digital signature of documents". I know this is obvious to a lot of people, but now having stated the obvious, there's no excuse for anyone here to mistake one kind of digital signature for the other.... you'll have to find something else to split hairs about now. :-) -- Eric Murray www.lne.com/ericm ericm at the site lne.com PGP keyid:E03F65E5 Security consulting: secure protocols, security reviews, standards, smartcards. Received: from aspams52.cai.com (aspams52.cai.com [155.35.248.76]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA15869 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 18:21:30 -0700 (PDT) Received: by aspams52.cai.com with Internet Mail Service (5.5.2650.21) id <3X7A07BB>; Wed, 19 Jul 2000 11:23:32 +1000 Message-ID: <11981F9F5649D411BC92009027D0D18C698211@aspams01.cai.com> From: "Ramsay, Ron" <Ron.Ramsay@ca.com> To: Mitchell Arnone <mitchell.arnone@b2bcommunications.com> Cc: "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Wed, 19 Jul 2000 11:23:35 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Hi, I disagree. In fact, I believe that Adrian made a very clear point. He referred to the act of 'signing', which he took to be an act that took place in the world of people, not computers. It seems that, in the world of computers, this relates to the explicit placing of a digital signature on a document. It also invokes non-repudiation procedures which, while being strongly debated, still are reasonably well understood. Against this is the digital process that has been characterised as authentication. In this process, I simply prove that I am 'me' or, digitally, that I hold a particular private key. Perhaps the true difference here is that the signature is applied to a challenge where, regarding 'signing', the signature is applied to a document. I am happy with this distinction. Some argue that it should be possible to apply a 'repudiable' signature to a document. I think that this becomes a legal issue. Is it rather like, what liability attaches to me when I sign for delivery. The usual answer is none, really, it is simply a proof of delivery. In fact, someone else at that address may have signed for it on your behalf. It is probably true that there is no such thing as a repudiable signature (in the sense of 'signing'), but one can reasonably expect that the legal situation will be similar to the case now for bio-signatures. Technical uses of public key algorithms for other purposes (authentication) should not be considered 'signing', as understood by non-technical people. Ron. -----Original Message----- From: Mitchell Arnone [mailto:mitchell.arnone@b2bcommunications.com] Sent: Wednesday, 19 July 2000 2:00 To: Golkin Ken (CAP CMC) Cc: 'Adrian McCullagh'; 'Stephen Kent'; ietf-pkix@imc.org Subject: Re: Signing what you don't understand I am sure I don't have the background in PKI as most of those contributing to this list but I would like to share some ideas: I have a hard time imagining use of digital signatures for anything that does not require Non-repudiation. There are a number of NR issues addressed with digital signatures including NR related to the creation of an object as well as Non-repudiation of activities such as delivery/receipt of messages, knowledge (proof that a message was read), and much more. Sometimes I feel that the term "signature" creates a paradigm that can become difficult to transcend but I cannot come up with a better descriptor of the intent behind the process. As for authentication, digital signatures (which requires access to the private key, Not a Digital Certificate) demonstrates proof positive that "a person is who they say they are" and provides a means by which unquestionable proof can be established that the owner of a given certificate responded to a challenge and subsequently gained access to some secure resource. It it important to remember that a digital certificate is public in nature and without the corresponding private key, it is meaningless. When a challenge is issued in the authentication process, the act of signing that challenge must manifest itself by requiring the user to submit his or her passcode to unlock the private key. If there is no challenge (i.e. the process of signing without the knowledge of the owner of the certificate) then the authentication process is completely invalidated. The following is a quote from FIPS 196: "To acceptably implement this standard, an implementation must meet the following criteria: 1) Each entity in an authentication exchange must use a FIPS approved digital signature algorithm to generate and/or verify digital signatures; 2) Each entity must generate (pseudo)random numbers using a FIPS approved (pseudo)random number generator; 3) Each entity acting as a claimant must be bound to a public/private key pair; the private key should remain in the sole control of the claimant who uses that key to sign a random challenge. The key binding requires a unique authentication identifier for each claimant, so that a verifier can distinguish between multiple claimants; and 4) One or both of the authentication protocols in this standard must be implemented. For each protocol, steps and token fields marked as [OPTIONAL] do not need to be implemented, except where indicated otherwise. However, all other steps and token fields must be implemented." In my mind, authentication and digital signatures are inseparable and we would be better served to refrain from focusing on the granular differences. Mitchell Arnone PKI Engineer "Golkin, Ken (CAP, CMC)" wrote: This discussion seems to be confusing two different uses for certificates 1) Authentication (I am who I say I am) 2) Signature (I signed a legally binding document) In the first case I showed my company issue picture ID (certificate) to the guard at the door and he let me in the building this morning. In the second case I stopped at the hardware store on the way home last night to buy a box of nails and some other things. At the check out I showed them my charge card (certificate) then signed the sales slip. Which legally obligated me to pay $24.86. The certificate policy (defined as: A named set of rules that indicates the applicability of a public key certificate to a particular community or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of public key certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.) in X.509 PKiX roadmap makes it clear that all certificates are not created equal. The Canadian Government and United States Government PKI initiatives have defined multiple levels of assurance, and as far as I can tell, most business applications of PKI are following the government lead. If I'm loaning someone $250,000 to buy a house I obviously need a greater level of assurance that they are who they are (and their bank is who they say they are) then was required by the checkout at the hardware store or the guard at the entrance. -----Original Message----- From: Adrian McCullagh [ mailto:AMcCullagh@exchange.gadens.com.au <mailto:AMcCullagh@exchange.gadens.com.au> ] Sent: Monday, July 17, 2000 11:08 PM To: 'Stephen Kent' Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Stephen, I do not want to get into an argument with you. Yes I am a lawyer but I also have a technical background so your suggestion otherwise, I thought was not moving the discussion forward. Admittedly, I do not possess the technical knowledge that you have. Your example is well put but is this really a digital signature or is it a set of bits (a mark) that has been affixed using the same technology known as digital signature technology. You mention the difference between the 2 intents. I would be surprised, if anyone (other than the technically minded) even knows that a challenge response is even being "signed". There is no intent at all in this case. It is the technology as designed that is effecting the response to the challenge. I am surprised that "you" sign authentication challenges, just for authentication purposes. Is it really a signature? Are you really signing the authentication challenge or is it the software on your machine effecting the response to the challenge? To me this is not a signature. It may use digital signature technology but it is not a signature. This is probably the problem. It is the use of the word "signature" which is a technical term but has been used by the PKI community to cover a myriad of uses. Some uses of the term by the PKI community are confusing. I also do not agree with your position that the NR bit can signal any intent either way. With respect, intent is ascertained at the time of signing. A certificate has nothing what so ever to do with signing. Its primary purpose is to identify a public key that corresponds to a private key that may be held by some previously identified person or entity. The public key is used to verify a digital signature that has supposedly been created using the corresponding private key. That is it as far as I understand it unless there is some other primary purpose that I do not know. I do not see the relationship between digitally signing a document and the contents of a certificate. Verification of the signature at some later time is a different issue which may involve the use of a certificate but this may not be so. Adrian McCullagh Director of Electronic Commerce Tel: 617 3231 1522 Gadens Lawyers Fax: 617 3229 5850 level 39 Central Plaza 1 345 Queen Street Brisbane Australia 4000 Ph. D. Candidate Thesis "The Incorporation of Trust Strategies in Digital Signature Regimes for Elec. Comm." Information Security Research Centre Queensland University of Technology -----Original Message----- From: Stephen Kent [ mailto:kent@bbn.com <mailto:kent@bbn.com> ] Sent: Tuesday, July 18, 2000 10:00 AM To: Adrian McCullagh Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand At 12:50 PM +1000 7/15/00, Adrian McCullagh wrote: >Stephen > >I really do not understand your response. Why would anyone sign a document >that they do not understand. It does not make sense. If I sent you a >document written in Chinese and assume you can not read Chinese and at the >same time I said just sign this - Why would you sign it. Now if you trusted >me then you may sign it based upon the information about the document that I >tell you. A classic case for Non-est-factum. But all the cases that I have >read clearly rely upon some information provided by an Alleged trusted third >party. Usually some relative. So without some external information being >provided by a third party it is not as far as I can determine possible to >rely upon non est factum. Because we sign authentication challenges, just for authentication purposes, but not for NR purposes, it is prudent to distinguish between the two intents. Your comments seem to ignore this use of digital signature technology. One way of signalling intent is via the NR bit. Although it has been argued that having this bit set to True does not necessarily signal intent to sign for NR purposes, having it set to False certainly signals an intent to not be bound re NR. (Your use of Latin and your e-mail "signature" suggests a legal, but perhaps not a technical background. We've also decided, after much debate, that PKIX deals with technical aspects of NR, not legal details that may vary based upon jurisdiction.) >Also what does a "bit" in a certificate got to do with non-repudiation. The >commercial world and the law does not in my opinion support this position of >yours. You appear to be on a path to re-engineering the entire commercial >legal fabric and as such I with the greatest respect I do not believe that >society and the law will buy into it. With out the commercial involvement >PKI will not survive. The position is not just mine. Sorry of you don't understand, or merely don't agree with the use of the NR bit, or its name, but we had this debate a while ago and we're not having it again. > >I do not understand how - "what you are proposing" - will work in practical >terms. I'm not "proposing," but I am citing existing Internet and ITU standards and the applicability to the question at hand. Steve Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA10969 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 16:23:01 -0700 (PDT) Received: from romeo.rtfm.com (user-33qti51.dialup.mindspring.com [199.174.200.161]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id TAA30144; Tue, 18 Jul 2000 19:24:05 -0400 (EDT) Received: (ekr@localhost) by romeo.rtfm.com (8.9.3/8.6.4) id JAA10881; Tue, 18 Jul 2000 09:37:32 -0700 (PDT) Sender: ekr@rtfm.com To: "Mitchell Arnone" <mitchell.arnone@b2bcommunications.com> Cc: "Golkin Ken (CAP CMC)" <Ken_Golkin@mortgage.ge.com>, "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <3D1CC63B9E24D211B48B000000004C0B0388268E@chlmail.gecmc.ge.COM> <39747F0E.773BF26E@b2bcommunications.com> Reply-to: EKR <rescorla@mindspring.com> Mime-Version: 1.0 (generated by tm-edit 7.108) Content-Type: text/plain; charset=US-ASCII From: Eric Rescorla <ekr@speedy.rtfm.com> Date: 18 Jul 2000 09:37:31 -0700 In-Reply-To: "Mitchell Arnone"'s message of "Tue, 18 Jul 2000 12:00:14 -0400" Message-ID: <kj4s5nwg1g.fsf@romeo.rtfm.com> Lines: 17 X-Mailer: Gnus v5.6.45/XEmacs 20.4 - "Emerald" "Mitchell Arnone" <mitchell.arnone@b2bcommunications.com> writes: > [1 <text/plain; us-ascii (7bit)>] > I am sure I don't have the background in PKI as most of those > contributing to this list but I would like to share some ideas: > > I have a hard time imagining use of digital signatures for anything that > does not require Non-repudiation. Then you're not imagining very hard. As previously noted, digital signatures are used all the time in non non-repudiation contexts. For instance, for verifying the authenticity of keying material in IKE handshakes. -Ekr [Eric Rescorla ekr@rtfm.com] Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA05788 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 12:22:09 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id MAA12604; Tue, 18 Jul 2000 12:19:19 -0700 (PDT) Message-Id: <4.2.2.20000718121827.00a80460@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Tue, 18 Jul 2000 12:26:38 -0700 To: "Heimberg, Jim" <Jim.Heimberg@GD-CS.COM>, Mitchell Arnone <mitchell.arnone@b2bcommunications.com>, "Golkin Ken (CAP CMC)" <Ken_Golkin@mortgage.ge.com> From: Tony Bartoletti <azb@llnl.gov> Subject: RE: Signing what you don't understand Cc: "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org In-Reply-To: <2575327B6755D211A0E100805F9FF954050804EF@ndhmex02.ndhm.gsc .gte.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 02:43 PM 7/18/00 -0400, Heimberg, Jim wrote: >If you receive an e-mail, what is different than signing to signify receipt? >That signature does not do the same thing as if you were signing the $10M >contract contained in the FEDEX package or the one contained in the e-mail. >Where is the issue? >Jim (I neglected this point) Granted, no court of law will likely hold me to some forged $10M contract based upon a simple digital signature. But there is always an exploitable grey area, even if only between $5, $50, $500, where it will be commonplace to rely upon lightweight (digital) signature activity. In such a case, how can you be sure that your browser, configured to automatically sign (harmless) email receipts, does not become subverted by a trojan plug-in to sign other things you may be unaware of? Especially so, if the "evidence" only demonstrates "it was the same key, owned by you." ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from Newman.GSC.GTE.Com (SYSTEM@NS0.GDGSC.Com [192.160.62.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA05591 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 12:19:14 -0700 (PDT) Received: from gscex01.gsc.gte.com ("port 1343"@gscex01.ndhm.gsc.gte.com [155.95.162.170]) by Newman.GSC.GTE.Com (PMDF V5.2-30 #38015) with ESMTP id <01JRX12HGCAQ001Z1Z@Newman.GSC.GTE.Com> for ietf-pkix@imc.org; Tue, 18 Jul 2000 15:21:40 -0400 (EDT) Received: by GSCEX01.gsc.gte.com with Internet Mail Service (5.5.2448.0) id <3L3TJJK5>; Tue, 18 Jul 2000 15:21:39 -0400 Content-return: allowed Date: Tue, 18 Jul 2000 15:21:39 -0400 From: "Heimberg, Jim" <Jim.Heimberg@GD-CS.COM> Subject: RE: Signing what you don't understand To: "'Tony Bartoletti'" <azb@llnl.gov>, Mitchell Arnone <mitchell.arnone@b2bcommunications.com>, "Golkin Ken (CAP CMC)" <Ken_Golkin@mortgage.ge.com> Cc: "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Message-id: <2575327B6755D211A0E100805F9FF954050804F3@ndhmex02.ndhm.gsc.gte.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-type: text/plain; charset="iso-8859-1" A convincing argument for hardware tokens and biometrics if ever I heard one. -----Original Message----- From: Tony Bartoletti [mailto:azb@llnl.gov] Sent: Tuesday, July 18, 2000 3:27 PM To: Heimberg, Jim; Mitchell Arnone; Golkin Ken (CAP CMC) Cc: 'Adrian McCullagh'; 'Stephen Kent'; ietf-pkix@imc.org Subject: RE: Signing what you don't understand At 02:43 PM 7/18/00 -0400, Heimberg, Jim wrote: >If you receive an e-mail, what is different than signing to signify receipt? >That signature does not do the same thing as if you were signing the $10M >contract contained in the FEDEX package or the one contained in the e-mail. >Where is the issue? >Jim (I neglected this point) Granted, no court of law will likely hold me to some forged $10M contract based upon a simple digital signature. But there is always an exploitable grey area, even if only between $5, $50, $500, where it will be commonplace to rely upon lightweight (digital) signature activity. In such a case, how can you be sure that your browser, configured to automatically sign (harmless) email receipts, does not become subverted by a trojan plug-in to sign other things you may be unaware of? Especially so, if the "evidence" only demonstrates "it was the same key, owned by you." ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA05539 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 12:18:08 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id MAA07386; Tue, 18 Jul 2000 12:08:37 -0700 (PDT) Message-Id: <4.2.2.20000718120125.00ab4c70@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Tue, 18 Jul 2000 12:15:56 -0700 To: "Heimberg, Jim" <Jim.Heimberg@GD-CS.COM>, Mitchell Arnone <mitchell.arnone@b2bcommunications.com>, "Golkin Ken (CAP CMC)" <Ken_Golkin@mortgage.ge.com> From: Tony Bartoletti <azb@llnl.gov> Subject: RE: Signing what you don't understand Cc: "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org In-Reply-To: <2575327B6755D211A0E100805F9FF954050804EF@ndhmex02.ndhm.gsc .gte.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 02:43 PM 7/18/00 -0400, Heimberg, Jim wrote: >Are we moving in the direction of the Twilight Zone. If you could fool the >CA with a false driver's licence, why don't you just get the false ID, forge >his checks, and raid his bank account? The signature is a mark that is >either accepted as being valid or is forged. There is no difference with >the digital signature. Your digital signature is not any better or any >worse than your pen-and-ink signature. You decide when to use it. If you >receive a FEDEX, you sign for receipt, right? If you receive an e-mail, >what is different than signing to signify receipt? That signature does not >do the same thing as if you were signing the $10M contract contained in the >FEDEX package or the one contained in the e-mail. Where is the issue? >Jim The issues are really: 1. How hard is it to obtain a false digital certification of a key, compared to other false credentials? If it is easy, we are indeed in the "Twilight Zone", and building rock-solid castles on a quick-sand foundation. 2. If it is "variably hard" to obtain false digital credentials, depending upon chosen CA and "level" of certificate purchased, then one cannot "ignore the certificate" when assessing the "binding-ness" of a signature to a (presumably) intended act. 3. If it is "variably hard" to assert the key is safely stored, or was expected to be safely applied by the "signing-device" then this simple result of "verification mathematics" buys you little with respect to assertions about the intent of a given signature, or the strength with which it was "intentionally bound" to a signed object. More so, if one wants to hold all certificates as "equally strong" with respect to usage. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from Newman.GSC.GTE.Com (SYSTEM@NS0.GDGSC.Com [192.160.62.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA04426 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 11:45:53 -0700 (PDT) Received: from gscex01.gsc.gte.com ("port 2992"@gscex01.ndhm.gsc.gte.com [155.95.162.170]) by Newman.GSC.GTE.Com (PMDF V5.2-30 #38015) with ESMTP id <01JRWZVE1Z8I001WRO@Newman.GSC.GTE.Com> for ietf-pkix@imc.org; Tue, 18 Jul 2000 14:48:02 -0400 (EDT) Received: by GSCEX01.gsc.gte.com with Internet Mail Service (5.5.2448.0) id <3L3TJ2SH>; Tue, 18 Jul 2000 14:43:52 -0400 Content-return: allowed Date: Tue, 18 Jul 2000 14:43:51 -0400 From: "Heimberg, Jim" <Jim.Heimberg@GD-CS.COM> Subject: RE: Signing what you don't understand To: "'Tony Bartoletti'" <azb@llnl.gov>, Mitchell Arnone <mitchell.arnone@b2bcommunications.com>, "Golkin Ken (CAP CMC)" <Ken_Golkin@mortgage.ge.com> Cc: "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Message-id: <2575327B6755D211A0E100805F9FF954050804EF@ndhmex02.ndhm.gsc.gte.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-type: text/plain; charset="iso-8859-1" Are we moving in the direction of the Twilight Zone. If you could fool the CA with a false driver's licence, why don't you just get the false ID, forge his checks, and raid his bank account? The signature is a mark that is either accepted as being valid or is forged. There is no difference with the digital signature. Your digital signature is not any better or any worse than your pen-and-ink signature. You decide when to use it. If you receive a FEDEX, you sign for receipt, right? If you receive an e-mail, what is different than signing to signify receipt? That signature does not do the same thing as if you were signing the $10M contract contained in the FEDEX package or the one contained in the e-mail. Where is the issue? Jim -----Original Message----- From: Tony Bartoletti [mailto:azb@llnl.gov] Sent: Tuesday, July 18, 2000 2:00 PM To: Mitchell Arnone; Golkin Ken (CAP CMC) Cc: 'Adrian McCullagh'; 'Stephen Kent'; ietf-pkix@imc.org Subject: Re: Signing what you don't understand Ah, that life were really so simple ... :) At 12:00 PM 7/18/00 -0400, Mitchell Arnone wrote: >I have a hard time imagining use of digital signatures for anything >that does not require Non-repudiation. On one level, I can agree with this statement. One wants to say "What other purpose for applying an (assumably unforgeable) mark other than to have it be unforgeable?" And as I have argued long previously, the "math of it" gets you this much, regardless of the setting of key-usage bits or other implied intent. But that is really not saying very much. What (other than certification, to start with) attaches this disembodied signing-key to an "actor"? >As for authentication, digital signatures (which requires access to the >private key, Not a Digital Certificate) demonstrates proof positive that >"a person is who they say they are" and provides a means by which >unquestionable proof can be established that the owner of a given >certificate responded to a challenge and subsequently gained access to >some secure resource. This assertion WAY overstates the strength of the situation: If I can fool a CA (with fake driver's license, etc) into certifying my key-pair as "belongs to Mitchell Arnone of b2bcommunications.com", does my use of this key provide "proof positive" that I am who I say I am? Or equivalently, proof that the real Mitchell took action? And would it matter that, when invoking a signature, that I must use my personal passcode to unlock MY (presumably, your) signature key? To clear one's head, begin with the understanding that the application of (and verification of) a (mechanical) digital signature serves (effectively) as proof positive of three central facts: a. The "wielder of the signature" (person or process) indeed possessed the secret-key corresponding to the public key used in verification. b. Some "process" had access to both the secret-key, and the document (or the hash of the document.) c. The document (or hash) verified is exactly the document (or hash) that was mechanically signed. (No tampering took place.) Now, we would like "wielder of the signature" to have a more substantial form of identity. We attempt to create this "sense of substance" by the use of certificates. But there are clearly wide variances by which this certification may proceed, and from which assertions can flow. >In my mind, authentication and digital signatures are inseparable and we >would be better served to refrain from focusing on the granular differences. "Agree in Principle" ... however ... Contrast "signing important legal contract" with "signing receipt of email". The former should (likely) require an active and duly witnessed "live person", and a trusted display device that guarantees that what is signed is precisely no more and no less than what is being displayed, and further displays the particulars of the key-ownership certificate, to help ensure that the "witnesses" are not being fooled into attesting to my signing with your key. Expensive technology. The latter is a useful application of "digital signature mechanics" that I might employ to let people know that "their mail was delivered to the right address". I might configure my mailer to create such return receipts automatically, even while I am away. In such a case, is it True or False that the application is "signing without the knowledge of the owner of the certificate?" Depends upon perspective. Was there a sufficient "challenge"? Was it enough to effect that challenge (only) during my act of configuring my email-robot to employ the key? Should the act of configuring my email-robot require witnesses and the expensive secured display device described above? If such strong measures are unneeded for this application, how can one ensure the code or process is not subverted to effect signatures for contracts (or arguably so, to repudiate a former signature made with a stronger technology.) Alternatively, do you argue that "email return receipts" should remain "unsigned" by a technology so "strong"? ___tony___ >Mitchell Arnone >PKI Engineer > >"Golkin, Ken (CAP, CMC)" wrote: >> >> >>This discussion seems to be confusing two different uses for certificates >>1) Authentication (I am who I say I am) >>2) Signature (I signed a legally binding document) >> >>In the first case I showed my company issue picture ID (certificate) to >>the guard at the door and he let me in the building this morning. >> >>In the second case I stopped at the hardware store on the way home last >>night to buy a box of nails and some other things. At the check out I >>showed them my charge card (certificate) then signed the sales >>slip. Which legally obligated me to pay $24.86. >> >>The certificate policy (defined as: A named set of rules that indicates the >> applicability of a public key certificate to a particular >> community or class of application with common security >> requirements. For example, a particular certificate policy might >> indicate applicability of a type of public key certificate to the >> authentication of electronic data interchange transactions for >> the trading of goods within a given price range.) in X.509 PKiX >> roadmap makes it clear that all certificates are not created equal. >> >>The Canadian Government and United States Government PKI initiatives have >>defined multiple levels of assurance, and as far as I can tell, most >>business applications of PKI are following the government lead. >> >>If I'm loaning someone $250,000 to buy a house I obviously need a greater >>level of assurance that they are who they are (and their bank is who they >>say they are) then was required by the checkout at the hardware store or >>the guard at the entrance. >> >>-----Original Message----- >>From: Adrian McCullagh >>[<mailto:AMcCullagh@exchange.gadens.com.au>mailto:AMcCullagh@exchange.gade >>ns.com.au] >>Sent: Monday, July 17, 2000 11:08 PM >>To: 'Stephen Kent' >>Cc: ietf-pkix@imc.org >>Subject: RE: Signing what you don't understand >> >>Stephen, >> >>I do not want to get into an argument with you. Yes I am a lawyer but I >>also have a technical background so your suggestion otherwise, I thought was >>not moving the discussion forward. Admittedly, I do not possess the >>technical knowledge that you have. >> >>Your example is well put but is this really a digital signature or is it a >>set of bits (a mark) that has been affixed using the same technology known >>as digital signature technology. >> >>You mention the difference between the 2 intents. I would be surprised, if >>anyone (other than the technically minded) even knows that a challenge >>response is even being "signed". There is no intent at all in this case. It >>is the technology as designed that is effecting the response to the >>challenge. I am surprised that "you" sign authentication challenges, just >>for authentication purposes. Is it really a signature? Are you really >>signing the authentication challenge or is it the software on your machine >>effecting the response to the challenge? >> >>To me this is not a signature. It may use digital signature technology but >>it is not a signature. This is probably the problem. It is the use of the >>word "signature" which is a technical term but has been used by the PKI >>community to cover a myriad of uses. Some uses of the term by the PKI >>community are confusing. >> >>I also do not agree with your position that the NR bit can signal any intent >>either way. With respect, intent is ascertained at the time of signing. A >>certificate has nothing what so ever to do with signing. Its primary >>purpose is to identify a public key that corresponds to a private key that >>may be held by some previously identified person or entity. The public key >>is used to verify a digital signature that has supposedly been created using >>the corresponding private key. That is it as far as I understand it unless >>there is some other primary purpose that I do not know. I do not see the >>relationship between digitally signing a document and the contents of a >>certificate. Verification of the signature at some later time is a different >>issue which may involve the use of a certificate but this may not be so. >> >>Adrian McCullagh >>Director of Electronic Commerce Tel: 617 3231 1522 >>Gadens Lawyers Fax: 617 3229 5850 >>level 39 >>Central Plaza 1 >>345 Queen Street >>Brisbane Australia 4000 >> >>Ph. D. Candidate >>Thesis "The Incorporation of Trust Strategies in Digital Signature >>Regimes for Elec. Comm." >>Information Security Research Centre >>Queensland University of Technology >> >> >>-----Original Message----- >>From: Stephen Kent [<mailto:kent@bbn.com>mailto:kent@bbn.com] >>Sent: Tuesday, July 18, 2000 10:00 AM >>To: Adrian McCullagh >>Cc: ietf-pkix@imc.org >>Subject: RE: Signing what you don't understand >> >>At 12:50 PM +1000 7/15/00, Adrian McCullagh wrote: >> >Stephen >> > >> >I really do not understand your response. Why would anyone sign a >> document >> >that they do not understand. It does not make sense. If I sent you a >> >document written in Chinese and assume you can not read Chinese and at the >> >same time I said just sign this - Why would you sign it. Now if you >>trusted >> >me then you may sign it based upon the information about the document that >>I >> >tell you. A classic case for Non-est-factum. But all the cases that I >>have >> >read clearly rely upon some information provided by an Alleged trusted >>third >> >party. Usually some relative. So without some external information being >> >provided by a third party it is not as far as I can determine possible to >> >rely upon non est factum. >> >>Because we sign authentication challenges, just for authentication >>purposes, but not for NR purposes, it is prudent to distinguish >>between the two intents. Your comments seem to ignore this use of >>digital signature technology. One way of signalling intent is via the >>NR bit. Although it has been argued that having this bit set to True >>does not necessarily signal intent to sign for NR purposes, having it >>set to False certainly signals an intent to not be bound re NR. >> >>(Your use of Latin and your e-mail "signature" suggests a legal, but >>perhaps not a technical background. We've also decided, after much >>debate, that PKIX deals with technical aspects of NR, not legal >>details that may vary based upon jurisdiction.) >> >> >Also what does a "bit" in a certificate got to do with non-repudiation. >>The >> >commercial world and the law does not in my opinion support this position >>of >> >yours. You appear to be on a path to re-engineering the entire commercial >> >legal fabric and as such I with the greatest respect I do not believe >> that >> >society and the law will buy into it. With out the commercial involvement >> >PKI will not survive. >> >>The position is not just mine. Sorry of you don't understand, or >>merely don't agree with the use of the NR bit, or its name, but we >>had this debate a while ago and we're not having it again. >> >> > >> >I do not understand how - "what you are proposing" - will work in >> practical >> >terms. >> >>I'm not "proposing," but I am citing existing Internet and ITU >>standards and the applicability to the question at hand. >> >>Steve Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from alemail1.firewall.lucent.com (alemail1.lucent.com [192.11.221.161]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA04352 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 11:44:13 -0700 (PDT) Received: from alemail1.firewall.lucent.com (localhost [127.0.0.1]) by alemail1.firewall.lucent.com (Pro-8.9.3/8.9.3) with ESMTP id OAA07239 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 14:46:40 -0400 (EDT) Received: from anuxc.mv.lucent.com (h135-13-160-12.lucent.com [135.13.160.12]) by alemail1.firewall.lucent.com (Pro-8.9.3/8.9.3) with ESMTP id OAA07185; Tue, 18 Jul 2000 14:46:38 -0400 (EDT) Received: from irene by anuxc.mv.lucent.com (8.8.8+Sun/EMS-1.5 sol2) id OAA02787; Tue, 18 Jul 2000 14:44:02 -0400 (EDT) Message-Id: <4.1.20000718143314.03614008@anuxc.mv.lucent.com> X-Sender: irg@anuxc.mv.lucent.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 18 Jul 2000 14:46:54 -0400 To: "Simon McMahon" <simon@onthenet.com.au> From: Irene Gassko <gassko@lucent.com> Subject: Re: Current signature formats insufficient Cc: <ietf-pkix@imc.org>, <denis.bider@denisbider.com> In-Reply-To: <013901bfeba8$419218f0$8802a8c0@eracom.com.au> References: <000901bfeb64$38642f50$0201010a@intergalactic> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Hello, Blind signatures provide another viewpoint. Here a signer does not know what it is signing but the key used indicates the value of a monetary unit. If keys have very limited usages it will be more difficult to misuse them. Even the most technically unsophisticated consumer will be suspicious if a librarian will ask for his credit card instead of his library card. On the other hand, a contract to sell one's home signed with an e-mail signature key instead of "high value transaction" signature key will be much easier to repudiate if those keys are explicitly defined. I think all of this is achievable with currently available PKIX tools. Cheers, Irene At 12:23 PM 07/12/2000 +1000, Simon McMahon wrote: >Hi all, > >My 2c worth. > >You should look to the analog-signature as an analogy. It's the content of >what you sign that includes the terms and therefore the extent to which the >signer is bound. Carelessly given signatures should be legally binding, >otherwise ignorance will be used as a defense for repudiation, and only >fraudulently or forcefully obtained signatues should be able to be >sucessfully repudiated by recourse to the law and courts. > >You never modify the nature of a handwritten signature to indicate your >intention, e.g different coloured pens or pressing harder, writing bigger / >smaller than normal makes no difference if the handwritten signature can be >shown to be yours or you say it is yours. Its what you sign that binds you. >Having a signature witnessed by a competent authority (a JP) is the only way >I know of to boost non-repudiation of a standard signature. A non-witnessed >signature is presumably easier, but by no means trival to repudiate. > >Just because its easier (relatively) to mess with digital signature formats >than handwritten ones dosen't mean that you should since laws for >handwritten signatures will migrate easier to digital ones if the analogy is >kept closer. > >I dont agree with either digital alternative for indicating the signers >intention in a legally binding way, i.e. boosting or removing >non-repudiation. Firstly that the certificate's usage attributes should >dictate anything about the private key since they may not both be stored on >the same device and the association is not trivial to check, or, secondly, >that the signature format should indicate my intention when I signed. All of >my intentions should be indicated in the content of what I signed. > >Any "intention" indicator added to the signature encoding could just as >easily be encoded into the content before signing. It is effectively >modifying the contract before signing it. For "ephemeral" signatures you >effectively stamp the content "void", then sign it. > >Frank's suggestions : >> In the case of an authentication protocol, you could include an OBJECT >> IDENTIFIER or string in the data to be signed to constrain the use of the >> signature. For example: >> >> AuthenticationInfo ::= SEQUENCE { >> disclaimer UTF8String, >> nonce OCTET STRING >> } >> >> Another technique would be to use PKCS #7 authenticated attributes. > >These look like good mechanisms for this purpose and use current practise >and encodings. No need for yet-another-encoding :-). > >I dont believe that private keys for non-repudiation signatures should ever >be used for ephemeral signatures. It just seems like a dangerous and >unecessary overloading of an important object - the private key. The private >key should be stored with its own usage attributes to avoid looking up the >certificate to see if it is such a key. The device doing the signing should >do whatever the law requires it to do with these keys, regarding >authentication and secure containment, to make non-repudiation enforcable. > >Simon McMahon >ERACOM Pty. Ltd. > ---------------------------------------------------------------------------- ------------------------------------------------------- Irene Gassko Bell Laboratories http://www.lucent.com Lucent Technologies Secure Technologies Dept. 1600 Osgood Street phone: (978) 960-5767 Room 30-2-A31 e-mail: gassko@lucent.com N. Andover, MA 01845 fax: (978) 960-3240 Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA03114 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 10:55:40 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id KAA19252; Tue, 18 Jul 2000 10:52:29 -0700 (PDT) Message-Id: <4.2.2.20000718094316.00ade750@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Tue, 18 Jul 2000 10:59:48 -0700 To: "Mitchell Arnone" <mitchell.arnone@b2bcommunications.com>, "Golkin Ken (CAP CMC)" <Ken_Golkin@mortgage.ge.com> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: Signing what you don't understand Cc: "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org In-Reply-To: <39747F0E.773BF26E@b2bcommunications.com> References: <3D1CC63B9E24D211B48B000000004C0B0388268E@chlmail.gecmc.ge.COM> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Ah, that life were really so simple ... :) At 12:00 PM 7/18/00 -0400, Mitchell Arnone wrote: >I have a hard time imagining use of digital signatures for anything >that does not require Non-repudiation. On one level, I can agree with this statement. One wants to say "What other purpose for applying an (assumably unforgeable) mark other than to have it be unforgeable?" And as I have argued long previously, the "math of it" gets you this much, regardless of the setting of key-usage bits or other implied intent. But that is really not saying very much. What (other than certification, to start with) attaches this disembodied signing-key to an "actor"? >As for authentication, digital signatures (which requires access to the >private key, Not a Digital Certificate) demonstrates proof positive that >"a person is who they say they are" and provides a means by which >unquestionable proof can be established that the owner of a given >certificate responded to a challenge and subsequently gained access to >some secure resource. This assertion WAY overstates the strength of the situation: If I can fool a CA (with fake driver's license, etc) into certifying my key-pair as "belongs to Mitchell Arnone of b2bcommunications.com", does my use of this key provide "proof positive" that I am who I say I am? Or equivalently, proof that the real Mitchell took action? And would it matter that, when invoking a signature, that I must use my personal passcode to unlock MY (presumably, your) signature key? To clear one's head, begin with the understanding that the application of (and verification of) a (mechanical) digital signature serves (effectively) as proof positive of three central facts: a. The "wielder of the signature" (person or process) indeed possessed the secret-key corresponding to the public key used in verification. b. Some "process" had access to both the secret-key, and the document (or the hash of the document.) c. The document (or hash) verified is exactly the document (or hash) that was mechanically signed. (No tampering took place.) Now, we would like "wielder of the signature" to have a more substantial form of identity. We attempt to create this "sense of substance" by the use of certificates. But there are clearly wide variances by which this certification may proceed, and from which assertions can flow. >In my mind, authentication and digital signatures are inseparable and we >would be better served to refrain from focusing on the granular differences. "Agree in Principle" ... however ... Contrast "signing important legal contract" with "signing receipt of email". The former should (likely) require an active and duly witnessed "live person", and a trusted display device that guarantees that what is signed is precisely no more and no less than what is being displayed, and further displays the particulars of the key-ownership certificate, to help ensure that the "witnesses" are not being fooled into attesting to my signing with your key. Expensive technology. The latter is a useful application of "digital signature mechanics" that I might employ to let people know that "their mail was delivered to the right address". I might configure my mailer to create such return receipts automatically, even while I am away. In such a case, is it True or False that the application is "signing without the knowledge of the owner of the certificate?" Depends upon perspective. Was there a sufficient "challenge"? Was it enough to effect that challenge (only) during my act of configuring my email-robot to employ the key? Should the act of configuring my email-robot require witnesses and the expensive secured display device described above? If such strong measures are unneeded for this application, how can one ensure the code or process is not subverted to effect signatures for contracts (or arguably so, to repudiate a former signature made with a stronger technology.) Alternatively, do you argue that "email return receipts" should remain "unsigned" by a technology so "strong"? ___tony___ >Mitchell Arnone >PKI Engineer > >"Golkin, Ken (CAP, CMC)" wrote: >> >> >>This discussion seems to be confusing two different uses for certificates >>1) Authentication (I am who I say I am) >>2) Signature (I signed a legally binding document) >> >>In the first case I showed my company issue picture ID (certificate) to >>the guard at the door and he let me in the building this morning. >> >>In the second case I stopped at the hardware store on the way home last >>night to buy a box of nails and some other things. At the check out I >>showed them my charge card (certificate) then signed the sales >>slip. Which legally obligated me to pay $24.86. >> >>The certificate policy (defined as: A named set of rules that indicates the >> applicability of a public key certificate to a particular >> community or class of application with common security >> requirements. For example, a particular certificate policy might >> indicate applicability of a type of public key certificate to the >> authentication of electronic data interchange transactions for >> the trading of goods within a given price range.) in X.509 PKiX >> roadmap makes it clear that all certificates are not created equal. >> >>The Canadian Government and United States Government PKI initiatives have >>defined multiple levels of assurance, and as far as I can tell, most >>business applications of PKI are following the government lead. >> >>If I'm loaning someone $250,000 to buy a house I obviously need a greater >>level of assurance that they are who they are (and their bank is who they >>say they are) then was required by the checkout at the hardware store or >>the guard at the entrance. >> >>-----Original Message----- >>From: Adrian McCullagh >>[<mailto:AMcCullagh@exchange.gadens.com.au>mailto:AMcCullagh@exchange.gade >>ns.com.au] >>Sent: Monday, July 17, 2000 11:08 PM >>To: 'Stephen Kent' >>Cc: ietf-pkix@imc.org >>Subject: RE: Signing what you don't understand >> >>Stephen, >> >>I do not want to get into an argument with you. Yes I am a lawyer but I >>also have a technical background so your suggestion otherwise, I thought was >>not moving the discussion forward. Admittedly, I do not possess the >>technical knowledge that you have. >> >>Your example is well put but is this really a digital signature or is it a >>set of bits (a mark) that has been affixed using the same technology known >>as digital signature technology. >> >>You mention the difference between the 2 intents. I would be surprised, if >>anyone (other than the technically minded) even knows that a challenge >>response is even being "signed". There is no intent at all in this case. It >>is the technology as designed that is effecting the response to the >>challenge. I am surprised that "you" sign authentication challenges, just >>for authentication purposes. Is it really a signature? Are you really >>signing the authentication challenge or is it the software on your machine >>effecting the response to the challenge? >> >>To me this is not a signature. It may use digital signature technology but >>it is not a signature. This is probably the problem. It is the use of the >>word "signature" which is a technical term but has been used by the PKI >>community to cover a myriad of uses. Some uses of the term by the PKI >>community are confusing. >> >>I also do not agree with your position that the NR bit can signal any intent >>either way. With respect, intent is ascertained at the time of signing. A >>certificate has nothing what so ever to do with signing. Its primary >>purpose is to identify a public key that corresponds to a private key that >>may be held by some previously identified person or entity. The public key >>is used to verify a digital signature that has supposedly been created using >>the corresponding private key. That is it as far as I understand it unless >>there is some other primary purpose that I do not know. I do not see the >>relationship between digitally signing a document and the contents of a >>certificate. Verification of the signature at some later time is a different >>issue which may involve the use of a certificate but this may not be so. >> >>Adrian McCullagh >>Director of Electronic Commerce Tel: 617 3231 1522 >>Gadens Lawyers Fax: 617 3229 5850 >>level 39 >>Central Plaza 1 >>345 Queen Street >>Brisbane Australia 4000 >> >>Ph. D. Candidate >>Thesis "The Incorporation of Trust Strategies in Digital Signature >>Regimes for Elec. Comm." >>Information Security Research Centre >>Queensland University of Technology >> >> >>-----Original Message----- >>From: Stephen Kent [<mailto:kent@bbn.com>mailto:kent@bbn.com] >>Sent: Tuesday, July 18, 2000 10:00 AM >>To: Adrian McCullagh >>Cc: ietf-pkix@imc.org >>Subject: RE: Signing what you don't understand >> >>At 12:50 PM +1000 7/15/00, Adrian McCullagh wrote: >> >Stephen >> > >> >I really do not understand your response. Why would anyone sign a >> document >> >that they do not understand. It does not make sense. If I sent you a >> >document written in Chinese and assume you can not read Chinese and at the >> >same time I said just sign this - Why would you sign it. Now if you >>trusted >> >me then you may sign it based upon the information about the document that >>I >> >tell you. A classic case for Non-est-factum. But all the cases that I >>have >> >read clearly rely upon some information provided by an Alleged trusted >>third >> >party. Usually some relative. So without some external information being >> >provided by a third party it is not as far as I can determine possible to >> >rely upon non est factum. >> >>Because we sign authentication challenges, just for authentication >>purposes, but not for NR purposes, it is prudent to distinguish >>between the two intents. Your comments seem to ignore this use of >>digital signature technology. One way of signalling intent is via the >>NR bit. Although it has been argued that having this bit set to True >>does not necessarily signal intent to sign for NR purposes, having it >>set to False certainly signals an intent to not be bound re NR. >> >>(Your use of Latin and your e-mail "signature" suggests a legal, but >>perhaps not a technical background. We've also decided, after much >>debate, that PKIX deals with technical aspects of NR, not legal >>details that may vary based upon jurisdiction.) >> >> >Also what does a "bit" in a certificate got to do with non-repudiation. >>The >> >commercial world and the law does not in my opinion support this position >>of >> >yours. You appear to be on a path to re-engineering the entire commercial >> >legal fabric and as such I with the greatest respect I do not believe >> that >> >society and the law will buy into it. With out the commercial involvement >> >PKI will not survive. >> >>The position is not just mine. Sorry of you don't understand, or >>merely don't agree with the use of the NR bit, or its name, but we >>had this debate a while ago and we're not having it again. >> >> > >> >I do not understand how - "what you are proposing" - will work in >> practical >> >terms. >> >>I'm not "proposing," but I am citing existing Internet and ITU >>standards and the applicability to the question at hand. >> >>Steve Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from netscape.com (h-205-217-237-46.netscape.com [205.217.237.46]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA01979 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 09:55:41 -0700 (PDT) Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.10.0/8.10.0) with ESMTP id e6IGn2R08680 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 09:49:02 -0700 (PDT) Received: from netscape.com ([205.217.229.47]) by judge.mcom.com (Netscape Messaging Server 4.15) with ESMTP id FXWKG001.R7Q; Tue, 18 Jul 2000 09:57:36 -0700 Message-ID: <39748C7D.5BC00F14@netscape.com> Date: Tue, 18 Jul 2000 09:57:33 -0700 From: thayes@netscape.com (Terry Hayes) X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Ben Laurie <ben@algroup.co.uk> CC: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <C7006C79F23FD411AFCC00E018C353B4025916@exchange.gadens.com.au> <3974844A.DB80A88D@algroup.co.uk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Ben Laurie wrote: > > I also do not agree with your position that the NR bit can signal any intent > > either way. With respect, intent is ascertained at the time of signing. A > > certificate has nothing what so ever to do with signing. Its primary > > purpose is to identify a public key that corresponds to a private key that > > may be held by some previously identified person or entity. The public key > > is used to verify a digital signature that has supposedly been created using > > the corresponding private key. That is it as far as I understand it unless > > there is some other primary purpose that I do not know. I do not see the > > relationship between digitally signing a document and the contents of a > > certificate. Verification of the signature at some later time is a different > > issue which may involve the use of a certificate but this may not be so. > > The relationship is that the creator of the certificate has stated what > he intends the use of the signature to be. So, if the NR bit is not set, > the owner of the private key has effectively stated that they do not > expect the key to be used for NR! This is the root of the problem (in my opinion). While you say that the owner of the private key has stated what they want the key to be used for, in fact the "creator" of the certificate is the CA, not the end entity. This level of indirection is very troubling for some. It allows additional certificates to be created (possibly by untrustworthy CA) that cloud the meaning of the signature. In my opinion, it is best to put a clear statement of the intended purpose of the signature in the signature itself. A simple policy (or application) OID included in the authenticated attributes would do the trick. Failing that, the fingerprint of the certificate itself should be included (as is proposed elsewhere), and the application should check that the proper extensions are included in that certificate prior to signing. Terry Hayes thayes@netscape.com Received: from thalia.fm.intel.com (thalia.fm.intel.com [132.233.247.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA01443 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 09:36:08 -0700 (PDT) Received: from SMTP (fmsmsxvs01-1.fm.intel.com [132.233.42.201]) by thalia.fm.intel.com (8.9.1a+p1/8.9.1/d: relay.m4,v 1.30 2000/06/08 18:25:35 dmccart Exp $) with SMTP id QAA14983 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 16:39:30 GMT Received: from fmsmsx27.FM.INTEL.COM ([132.233.48.27]) by 132.233.48.201 (Norton AntiVirus for Internet Email Gateways 1.0) ; Tue, 18 Jul 2000 16:38:34 0000 (GMT) Received: by fmsmsx27.fm.intel.com with Internet Mail Service (5.5.2650.21) id <PAZXMMB0>; Tue, 18 Jul 2000 09:38:33 -0700 Message-ID: <8DCFE693DDFFD111AC4100A0C9B8DB94015661E8@hdsmsx33.hd.intel.com> From: "Eissa, Mohamed" <mohamed.eissa@intel.com> To: ietf-pkix@imc.org Subject: Certificate Request Message Format (RFC 2511) Date: Tue, 18 Jul 2000 09:38:18 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="windows-1252" Hi, What is the relation/difference between Certificate Request Message Format (RFC 2511) and the RSA PKCS standards? Mohamed Received: from mail-fwd.verio-web.com ([161.58.16.59]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id JAA01130 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 09:31:29 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11b.verio-web.com (RS ver 1.0.57s) with SMTP id 0612873; Tue, 18 Jul 2000 12:33:42 -0400 (EDT) Sender: rsalz Message-ID: <397486B5.60D3B134@caveosystems.com> Date: Tue, 18 Jul 2000 12:32:53 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Ambarish Malpani <ambarish@valicert.com> CC: Khaja.Ahmed@identrus.com, ietf-pkix@imc.org Subject: Re: Need for an XML based cert check protocol with RPP capability . References: <27FF4FAEA8CDD211B97E00902745CBE2B4169F@seine.valicert.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 If the protocol says "you can ask this server" then code must be written to put "this server" into the request packet. If the rules say "ask the bank" then you must open your connect to "the bank." Either way, there is no savings. Please post a worked example. > By having a merchant application > just ask the bank whether a certificate can be used for a particular > purpose, you significantly reduce the deployment problems > somebody like Identrus will have with new certificate types and > different policy rules. Exactly. Just ask the bank. It's a business/programming rule, not a protocol issue. /r$ Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id JAA00620 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 09:24:42 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id RAA01172; Tue, 18 Jul 2000 17:36:54 +0100 Message-ID: <3974844A.DB80A88D@algroup.co.uk> Date: Tue, 18 Jul 2000 17:22:34 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> CC: "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <C7006C79F23FD411AFCC00E018C353B4025916@exchange.gadens.com.au> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Adrian McCullagh wrote: > > Stephen, > > I do not want to get into an argument with you. Yes I am a lawyer but I > also have a technical background so your suggestion otherwise, I thought was > not moving the discussion forward. Admittedly, I do not possess the > technical knowledge that you have. > > Your example is well put but is this really a digital signature or is it a > set of bits (a mark) that has been affixed using the same technology known > as digital signature technology. > > You mention the difference between the 2 intents. I would be surprised, if > anyone (other than the technically minded) even knows that a challenge > response is even being "signed". There is no intent at all in this case. It > is the technology as designed that is effecting the response to the > challenge. I am surprised that "you" sign authentication challenges, just > for authentication purposes. Is it really a signature? Are you really > signing the authentication challenge or is it the software on your machine > effecting the response to the challenge? > > To me this is not a signature. It may use digital signature technology but > it is not a signature. This is probably the problem. It is the use of the > word "signature" which is a technical term but has been used by the PKI > community to cover a myriad of uses. Some uses of the term by the PKI > community are confusing. If it is not a signature to you, then surely no digital signature is a signature to you, since they are _always_ done by the machine. As far as I'm concerned (and, I suspect, most other people on this list), a digital signature is a technical term that describes a way to bind some data to a (private) key. You can then assign some significance to the intent of that "signature", or, at least, people want to. A real issue with that assignment is that the signature has always been done by software on behalf of the user. Demonstrating that the user had intent is troublesome. > I also do not agree with your position that the NR bit can signal any intent > either way. With respect, intent is ascertained at the time of signing. A > certificate has nothing what so ever to do with signing. Its primary > purpose is to identify a public key that corresponds to a private key that > may be held by some previously identified person or entity. The public key > is used to verify a digital signature that has supposedly been created using > the corresponding private key. That is it as far as I understand it unless > there is some other primary purpose that I do not know. I do not see the > relationship between digitally signing a document and the contents of a > certificate. Verification of the signature at some later time is a different > issue which may involve the use of a certificate but this may not be so. The relationship is that the creator of the certificate has stated what he intends the use of the signature to be. So, if the NR bit is not set, the owner of the private key has effectively stated that they do not expect the key to be used for NR! Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA00577 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 09:24:33 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FXW00401J0ZTL@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 18 Jul 2000 09:26:59 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FXW004LHJ0ZDY@ext-mail.valicert.com>; Tue, 18 Jul 2000 09:26:59 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <360062YV>; Tue, 18 Jul 2000 09:18:56 -0700 Content-return: allowed Date: Tue, 18 Jul 2000 09:18:54 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: Need for an XML based cert check protocol with RPP capability . To: "'rsalz@CaveoSystems.com'" <rsalz@CaveoSystems.com>, Khaja.Ahmed@identrus.com Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2B4169F@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Hi Rich, Let me try and provide part of the justification: > If your rules say "ask the bank" then there is no need to encode > this in a protocol. Encode it in your code. :) > Identrus is trying to provide an infrastructure that will be used across a whole slew of products - e-mail, web, databases, etc. Sure, they could come up with their own "standards" for how validation would be done. Then, they would have to convince all relevant vendors to implement that standard. Tomorrow, if there is another similar body that comes up with their own "standard", they will need to do the same thing and software vendors will end up choosing which of the n different standards they should follow. The whole point of trying to use work that comes out of the IETF is that you avoid this segmentation of how different groups choose to do the same thing. > Second, Identrus is a closed PKI without cross-certification. > Identrus certs are only to be used among Identrus participants who > agree to follow Identrus rules. That's a linch-pin for making the > whole risk-management aspect fly. > [My personal opinions here]: Identrus members are banks. These banks will want to issue certs to their members that are useful in both Identrus and non-Identrus environments. I would fully expect, over time, that banks will use the same CA for both purposes and have the CA certified by both Identrus and non-Identrus roots. As long as they follow the Identrus rules, it is unclear to me that Identrus would object to their doing so. Some certs might also be issued with policies that map adequately to Identrus policies. So, over time, I would fully expect Identrus path processing to become pretty complicated. Thirdly: Identrus has a set of rules and types of certificates it issues today. Again, I would expect these rules to evolve over time with new and different types of certificates, issued for different applications, under different policies. It would be pretty hard to imagine client applications that were smart enough to understand these new certificates types, when they haven't even been defined today. By having a merchant application just ask the bank whether a certificate can be used for a particular purpose, you significantly reduce the deployment problems somebody like Identrus will have with new certificate types and different policy rules. Hope this helps clarify the need for remote path processing and SCVP. Regards, Ambarish --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: rsalz@CaveoSystems.com [mailto:rsalz@CaveoSystems.com] > Sent: Monday, July 17, 2000 7:16 PM > To: Khaja.Ahmed@identrus.com; rsalz@CaveoSystems.com > Cc: ietf-pkix@imc.org > Subject: RE: Need for an XML based cert check protocol with RPP > capability . > > > >Regardless of the structure of the PKI, path validation has > to be done > >somewhere by someone the relying party trusts. This is > normally done by the > >relying party itself. It can however be done by a party the > Relying part > >trusts - Their bank for example. > > In the general case, yes. > > As I last understood it, the Identrus business rules said that the > relying party always asks its bank. And all the background > processing the > bank did was completely hidden by the bank. Bank A never exposed > the *presence* of any other bank to its customers. > > If your rules say "ask the bank" then there is no need to encode > this in a protocol. Encode it in your code. :) > > Second, Identrus is a closed PKI without cross-certification. > Identrus certs are only to be used among Identrus participants who > agree to follow Identrus rules. That's a linch-pin for making the > whole risk-management aspect fly. > > Have those rules changed? > > If not, then I'm still stumped. Could you provide a worked example? > (This might be falling outside the general interest of the list...) > /r$ > Received: from mailhost.b2bcommunications.com ([63.146.0.238]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA29730 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 08:57:53 -0700 (PDT) Received: from b2bcommunications.com ([192.168.10.52]) by mailhost.b2bcommunications.com (Netscape Messaging Server 4.15) with ESMTP id FXWHRV00.K2H; Tue, 18 Jul 2000 11:59:55 -0400 Message-ID: <39747F0E.773BF26E@b2bcommunications.com> Date: Tue, 18 Jul 2000 12:00:14 -0400 From: "Mitchell Arnone" <mitchell.arnone@b2bcommunications.com> X-Mailer: Mozilla 4.73 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: "Golkin Ken (CAP CMC)" <Ken_Golkin@mortgage.ge.com> CC: "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <3D1CC63B9E24D211B48B000000004C0B0388268E@chlmail.gecmc.ge.COM> Content-Type: multipart/alternative; boundary="------------E6FC777E9720998E5E8F0539" --------------E6FC777E9720998E5E8F0539 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit I am sure I don't have the background in PKI as most of those contributing to this list but I would like to share some ideas: I have a hard time imagining use of digital signatures for anything that does not require Non-repudiation. There are a number of NR issues addressed with digital signatures including NR related to the creation of an object as well as Non-repudiation of activities such as delivery/receipt of messages, knowledge (proof that a message was read), and much more. Sometimes I feel that the term "signature" creates a paradigm that can become difficult to transcend but I cannot come up with a better descriptor of the intent behind the process. As for authentication, digital signatures (which requires access to the private key, Not a Digital Certificate) demonstrates proof positive that "a person is who they say they are" and provides a means by which unquestionable proof can be established that the owner of a given certificate responded to a challenge and subsequently gained access to some secure resource. It it important to remember that a digital certificate is public in nature and without the corresponding private key, it is meaningless. When a challenge is issued in the authentication process, the act of signing that challenge must manifest itself by requiring the user to submit his or her passcode to unlock the private key. If there is no challenge (i.e. the process of signing without the knowledge of the owner of the certificate) then the authentication process is completely invalidated. The following is a quote from FIPS 196: "To acceptably implement this standard, an implementation must meet the following criteria: 1) Each entity in an authentication exchange must use a FIPS approved digital signature algorithm to generate and/or verify digital signatures; 2) Each entity must generate (pseudo)random numbers using a FIPS approved (pseudo)random number generator; 3) Each entity acting as a claimant must be bound to a public/private key pair; the private key should remain in the sole control of the claimant who uses that key to sign a random challenge. The key binding requires a unique authentication identifier for each claimant, so that a verifier can distinguish between multiple claimants; and 4) One or both of the authentication protocols in this standard must be implemented. For each protocol, steps and token fields marked as [OPTIONAL] do not need to be implemented, except where indicated otherwise. However, all other steps and token fields must be implemented." In my mind, authentication and digital signatures are inseparable and we would be better served to refrain from focusing on the granular differences. Mitchell Arnone PKI Engineer "Golkin, Ken (CAP, CMC)" wrote: > > > This discussion seems to be confusing two different uses for > certificates > 1) Authentication (I am who I say I am) > 2) Signature (I signed a legally binding document) > > In the first case I showed my company issue picture ID (certificate) > to the guard at the door and he let me in the building this morning. > > In the second case I stopped at the hardware store on the way home > last night to buy a box of nails and some other things. At the check > out I showed them my charge card (certificate) then signed the sales > slip. Which legally obligated me to pay $24.86. > > The certificate policy (defined as: A named set of rules that > indicates the > applicability of a public key certificate to a particular > community or class of application with common security > requirements. For example, a particular certificate policy > might > indicate applicability of a type of public key certificate to > the > authentication of electronic data interchange transactions for > the trading of goods within a given price range.) in X.509 PKiX > roadmap makes it clear that all certificates are not created equal. > > The Canadian Government and United States Government PKI initiatives > have defined multiple levels of assurance, and as far as I can tell, > most business applications of PKI are following the government lead. > > If I'm loaning someone $250,000 to buy a house I obviously need a > greater level of assurance that they are who they are (and their bank > is who they say they are) then was required by the checkout at the > hardware store or the guard at the entrance. > > -----Original Message----- > From: Adrian McCullagh [mailto:AMcCullagh@exchange.gadens.com.au] > Sent: Monday, July 17, 2000 11:08 PM > To: 'Stephen Kent' > Cc: ietf-pkix@imc.org > Subject: RE: Signing what you don't understand > > Stephen, > > I do not want to get into an argument with you. Yes I am a lawyer but > I > also have a technical background so your suggestion otherwise, I > thought was > not moving the discussion forward. Admittedly, I do not possess the > technical knowledge that you have. > > Your example is well put but is this really a digital signature or is > it a > set of bits (a mark) that has been affixed using the same technology > known > as digital signature technology. > > You mention the difference between the 2 intents. I would be > surprised, if > anyone (other than the technically minded) even knows that a challenge > > response is even being "signed". There is no intent at all in this > case. It > is the technology as designed that is effecting the response to the > challenge. I am surprised that "you" sign authentication challenges, > just > for authentication purposes. Is it really a signature? Are you > really > signing the authentication challenge or is it the software on your > machine > effecting the response to the challenge? > > To me this is not a signature. It may use digital signature > technology but > it is not a signature. This is probably the problem. It is the use > of the > word "signature" which is a technical term but has been used by the > PKI > community to cover a myriad of uses. Some uses of the term by the PKI > > community are confusing. > > I also do not agree with your position that the NR bit can signal any > intent > either way. With respect, intent is ascertained at the time of > signing. A > certificate has nothing what so ever to do with signing. Its primary > purpose is to identify a public key that corresponds to a private key > that > may be held by some previously identified person or entity. The > public key > is used to verify a digital signature that has supposedly been created > using > the corresponding private key. That is it as far as I understand it > unless > there is some other primary purpose that I do not know. I do not see > the > relationship between digitally signing a document and the contents of > a > certificate. Verification of the signature at some later time is a > different > issue which may involve the use of a certificate but this may not be > so. > > Adrian McCullagh > Director of Electronic Commerce Tel: 617 3231 1522 > Gadens Lawyers Fax: 617 3229 5850 > level 39 > Central Plaza 1 > 345 Queen Street > Brisbane Australia 4000 > > Ph. D. Candidate > Thesis "The Incorporation of Trust Strategies in Digital Signature > Regimes for Elec. Comm." > Information Security Research Centre > Queensland University of Technology > > > -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Tuesday, July 18, 2000 10:00 AM > To: Adrian McCullagh > Cc: ietf-pkix@imc.org > Subject: RE: Signing what you don't understand > > At 12:50 PM +1000 7/15/00, Adrian McCullagh wrote: > >Stephen > > > >I really do not understand your response. Why would anyone sign a > document > >that they do not understand. It does not make sense. If I sent you > a > >document written in Chinese and assume you can not read Chinese and > at the > >same time I said just sign this - Why would you sign it. Now if you > trusted > >me then you may sign it based upon the information about the document > that > I > >tell you. A classic case for Non-est-factum. But all the cases that > I > have > >read clearly rely upon some information provided by an Alleged > trusted > third > >party. Usually some relative. So without some external information > being > >provided by a third party it is not as far as I can determine > possible to > >rely upon non est factum. > > Because we sign authentication challenges, just for authentication > purposes, but not for NR purposes, it is prudent to distinguish > between the two intents. Your comments seem to ignore this use of > digital signature technology. One way of signalling intent is via the > NR bit. Although it has been argued that having this bit set to True > does not necessarily signal intent to sign for NR purposes, having it > set to False certainly signals an intent to not be bound re NR. > > (Your use of Latin and your e-mail "signature" suggests a legal, but > perhaps not a technical background. We've also decided, after much > debate, that PKIX deals with technical aspects of NR, not legal > details that may vary based upon jurisdiction.) > > >Also what does a "bit" in a certificate got to do with > non-repudiation. > The > >commercial world and the law does not in my opinion support this > position > of > >yours. You appear to be on a path to re-engineering the entire > commercial > >legal fabric and as such I with the greatest respect I do not > believe that > >society and the law will buy into it. With out the commercial > involvement > >PKI will not survive. > > The position is not just mine. Sorry of you don't understand, or > merely don't agree with the use of the NR bit, or its name, but we > had this debate a while ago and we're not having it again. > > > > >I do not understand how - "what you are proposing" - will work in > practical > >terms. > > I'm not "proposing," but I am citing existing Internet and ITU > standards and the applicability to the question at hand. > > Steve --------------E6FC777E9720998E5E8F0539 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit <!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html> I am sure I don't have the background in PKI as most of those contributing to this list but I would like to share some ideas: <p>I have a hard time imagining use of digital signatures for anything that does not require Non-repudiation. There are a number of NR issues addressed with digital signatures including NR related to the creation of an object as well as Non-repudiation of activities such as delivery/receipt of messages, knowledge (proof that a message was read), and much more. Sometimes I feel that the term "signature" creates a paradigm that can become difficult to transcend but I cannot come up with a better descriptor of the intent behind the process. <p>As for authentication, digital signatures (which requires access to the private key, Not a Digital Certificate) demonstrates proof positive that "a person is who they say they are" and provides a means by which unquestionable proof can be established that the owner of a given certificate responded to a challenge and subsequently gained access to some secure resource. It it important to remember that a digital certificate is public in nature and without the corresponding private key, it is meaningless. When a challenge is issued in the authentication process, the act of signing that challenge must manifest itself by requiring the user to submit his or her passcode to unlock the private key. If there is no challenge (i.e. the process of signing without the knowledge of the owner of the certificate) then the authentication process is completely invalidated. <p>The following is a quote from FIPS 196: <p>"To acceptably implement this standard, an implementation must meet the following criteria: <p>1) Each entity in an authentication exchange must use a FIPS approved digital signature algorithm to generate and/or verify digital signatures; <p>2) Each entity must generate (pseudo)random numbers using a FIPS approved (pseudo)random number generator; <p>3) Each entity acting as a claimant must be bound to a public/private key pair; the private key should remain in the sole control of the claimant who uses that key to sign a random challenge. The key binding requires a unique authentication identifier for each claimant, so that a verifier can distinguish between multiple claimants; and <p>4) One or both of the authentication protocols in this standard must be implemented. For each protocol, steps and token fields marked as [OPTIONAL] do not need to be implemented, except where indicated otherwise. However, all other steps and token fields must be implemented." <p>In my mind, authentication and digital signatures are inseparable and we would be better served to refrain from focusing on the granular differences. <p>Mitchell Arnone <br>PKI Engineer <p>"Golkin, Ken (CAP, CMC)" wrote: <blockquote TYPE=CITE> <p><font size=-1>This discussion seems to be confusing two different uses for certificates</font> <br><font size=-1>1) Authentication (I am who I say I am)</font> <br><font size=-1>2) Signature (I signed a legally binding document)</font> <p><font size=-1>In the first case I showed my company issue picture ID (certificate) to the guard at the door and he let me in the building this morning.</font> <p><font size=-1>In the second case I stopped at the hardware store on the way home last night to buy a box of nails and some other things. At the check out I showed them my charge card (certificate) then signed the sales slip. Which legally obligated me to pay $24.86.</font> <p><font size=-1>The certificate policy (defined as: A named set of rules that indicates the</font> <br><font size=-1> applicability of a public key certificate to a particular</font> <br><font size=-1> community or class of application with common security</font> <br><font size=-1> requirements. For example, a particular certificate policy might</font> <br><font size=-1> indicate applicability of a type of public key certificate to the</font> <br><font size=-1> authentication of electronic data interchange transactions for</font> <br><font size=-1> the trading of goods within a given price range.) in X.509 PKiX roadmap makes it clear that all certificates are not created equal.</font> <p><font size=-1>The Canadian Government and United States Government PKI initiatives have defined multiple levels of assurance, and as far as I can tell, most business applications of PKI are following the government lead.</font> <p><font size=-1>If I'm loaning someone $250,000 to buy a house I obviously need a greater level of assurance that they are who they are (and their bank is who they say they are) then was required by the checkout at the hardware store or the guard at the entrance.</font> <p><font size=-1>-----Original Message-----</font> <br><font size=-1>From: Adrian McCullagh [<a href="mailto:AMcCullagh@exchange.gadens.com.au">mailto:AMcCullagh@exchange.gadens.com.au</a>]</font> <br><font size=-1>Sent: Monday, July 17, 2000 11:08 PM</font> <br><font size=-1>To: 'Stephen Kent'</font> <br><font size=-1>Cc: ietf-pkix@imc.org</font> <br><font size=-1>Subject: RE: Signing what you don't understand</font> <p><font size=-1>Stephen,</font> <p><font size=-1>I do not want to get into an argument with you. Yes I am a lawyer but I</font> <br><font size=-1>also have a technical background so your suggestion otherwise, I thought was</font> <br><font size=-1>not moving the discussion forward. Admittedly, I do not possess the</font> <br><font size=-1>technical knowledge that you have.</font> <p><font size=-1>Your example is well put but is this really a digital signature or is it a</font> <br><font size=-1>set of bits (a mark) that has been affixed using the same technology known</font> <br><font size=-1>as digital signature technology.</font> <p><font size=-1>You mention the difference between the 2 intents. I would be surprised, if</font> <br><font size=-1>anyone (other than the technically minded) even knows that a challenge</font> <br><font size=-1>response is even being "signed". There is no intent at all in this case. It</font> <br><font size=-1>is the technology as designed that is effecting the response to the</font> <br><font size=-1>challenge. I am surprised that "you" sign authentication challenges, just</font> <br><font size=-1>for authentication purposes. Is it really a signature? Are you really</font> <br><font size=-1>signing the authentication challenge or is it the software on your machine</font> <br><font size=-1>effecting the response to the challenge?</font> <p><font size=-1>To me this is not a signature. It may use digital signature technology but</font> <br><font size=-1>it is not a signature. This is probably the problem. It is the use of the</font> <br><font size=-1>word "signature" which is a technical term but has been used by the PKI</font> <br><font size=-1>community to cover a myriad of uses. Some uses of the term by the PKI</font> <br><font size=-1>community are confusing.</font> <p><font size=-1>I also do not agree with your position that the NR bit can signal any intent</font> <br><font size=-1>either way. With respect, intent is ascertained at the time of signing. A</font> <br><font size=-1>certificate has nothing what so ever to do with signing. Its primary</font> <br><font size=-1>purpose is to identify a public key that corresponds to a private key that</font> <br><font size=-1>may be held by some previously identified person or entity. The public key</font> <br><font size=-1>is used to verify a digital signature that has supposedly been created using</font> <br><font size=-1>the corresponding private key. That is it as far as I understand it unless</font> <br><font size=-1>there is some other primary purpose that I do not know. I do not see the</font> <br><font size=-1>relationship between digitally signing a document and the contents of a</font> <br><font size=-1>certificate. Verification of the signature at some later time is a different</font> <br><font size=-1>issue which may involve the use of a certificate but this may not be so.</font> <p><font size=-1>Adrian McCullagh</font> <br><font size=-1>Director of Electronic Commerce Tel: 617 3231 1522</font> <br><font size=-1>Gadens Lawyers Fax: 617 3229 5850</font> <br><font size=-1>level 39</font> <br><font size=-1>Central Plaza 1</font> <br><font size=-1>345 Queen Street</font> <br><font size=-1>Brisbane Australia 4000</font> <p><font size=-1>Ph. D. Candidate</font> <br><font size=-1>Thesis "The Incorporation of Trust Strategies in Digital Signature</font> <br><font size=-1>Regimes for Elec. Comm."</font> <br><font size=-1>Information Security Research Centre</font> <br><font size=-1>Queensland University of Technology</font> <br> <p><font size=-1>-----Original Message-----</font> <br><font size=-1>From: Stephen Kent [<a href="mailto:kent@bbn.com">mailto:kent@bbn.com</a>]</font> <br><font size=-1>Sent: Tuesday, July 18, 2000 10:00 AM</font> <br><font size=-1>To: Adrian McCullagh</font> <br><font size=-1>Cc: ietf-pkix@imc.org</font> <br><font size=-1>Subject: RE: Signing what you don't understand</font> <p><font size=-1>At 12:50 PM +1000 7/15/00, Adrian McCullagh wrote:</font> <br><font size=-1>>Stephen</font> <br><font size=-1>></font> <br><font size=-1>>I really do not understand your response. Why would anyone sign a document</font> <br><font size=-1>>that they do not understand. It does not make sense. If I sent you a</font> <br><font size=-1>>document written in Chinese and assume you can not read Chinese and at the</font> <br><font size=-1>>same time I said just sign this - Why would you sign it. Now if you</font> <br><font size=-1>trusted</font> <br><font size=-1>>me then you may sign it based upon the information about the document that</font> <br><font size=-1>I</font> <br><font size=-1>>tell you. A classic case for Non-est-factum. But all the cases that I</font> <br><font size=-1>have</font> <br><font size=-1>>read clearly rely upon some information provided by an Alleged trusted</font> <br><font size=-1>third</font> <br><font size=-1>>party. Usually some relative. So without some external information being</font> <br><font size=-1>>provided by a third party it is not as far as I can determine possible to</font> <br><font size=-1>>rely upon non est factum.</font> <p><font size=-1>Because we sign authentication challenges, just for authentication</font> <br><font size=-1>purposes, but not for NR purposes, it is prudent to distinguish</font> <br><font size=-1>between the two intents. Your comments seem to ignore this use of</font> <br><font size=-1>digital signature technology. One way of signalling intent is via the</font> <br><font size=-1>NR bit. Although it has been argued that having this bit set to True</font> <br><font size=-1>does not necessarily signal intent to sign for NR purposes, having it</font> <br><font size=-1>set to False certainly signals an intent to not be bound re NR.</font> <p><font size=-1>(Your use of Latin and your e-mail "signature" suggests a legal, but</font> <br><font size=-1>perhaps not a technical background. We've also decided, after much</font> <br><font size=-1>debate, that PKIX deals with technical aspects of NR, not legal</font> <br><font size=-1>details that may vary based upon jurisdiction.)</font> <p><font size=-1>>Also what does a "bit" in a certificate got to do with non-repudiation.</font> <br><font size=-1>The</font> <br><font size=-1>>commercial world and the law does not in my opinion support this position</font> <br><font size=-1>of</font> <br><font size=-1>>yours. You appear to be on a path to re-engineering the entire commercial</font> <br><font size=-1>>legal fabric and as such I with the greatest respect I do not believe that</font> <br><font size=-1>>society and the law will buy into it. With out the commercial involvement</font> <br><font size=-1>>PKI will not survive.</font> <p><font size=-1>The position is not just mine. Sorry of you don't understand, or</font> <br><font size=-1>merely don't agree with the use of the NR bit, or its name, but we</font> <br><font size=-1>had this debate a while ago and we're not having it again.</font> <p><font size=-1>></font> <br><font size=-1>>I do not understand how - "what you are proposing" - will work in practical</font> <br><font size=-1>>terms.</font> <p><font size=-1>I'm not "proposing," but I am citing existing Internet and ITU</font> <br><font size=-1>standards and the applicability to the question at hand.</font> <p><font size=-1>Steve</font></blockquote> </html> --------------E6FC777E9720998E5E8F0539-- Received: from certplus.com ([195.101.88.81]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA23557 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 08:03:52 -0700 (PDT) Received: from certplus.com (nt4_jmd.certplus.com [192.168.1.17]) by certplus.com (8.8.7/8.8.7) with ESMTP id PAA14178 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 15:34:49 +0200 Message-ID: <3974722C.A502ED86@certplus.com> Date: Tue, 18 Jul 2000 17:05:16 +0200 From: Jean-Marc Desperrier <jean-marc.desperrier@certplus.com> Organization: Certplus X-Mailer: Mozilla 4.72 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <OF75BDEB08.9FD76D19-ON85256920.004C132A@iris.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit John_Wray@iris.com wrote: > Quite apart from > requiring a signer to maintain a large number of distinct keys, I think > it's a bit much to expect every "legitimate user" to be well-enough versed > in the nuances of certificates to always request the same certificate > extensions in every certificate for a given key. Right. This kind of details has to be hidden to the average user. > Encoding the intent > explicitly as part of the signature allows me to choose at the time I > generate the signature what intent I wish to associate with the signature, > rather than having to have previously set up certification chains for all > intents I might wish to asserts. Maybe this can simply be done through the signed extensions that are available with PKCS#7 ? It sounds quite feasible and would not require any format change, just defining some new extensions and their role. Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA23170 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 07:57:59 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Tue, 18 Jul 2000 08:59:49 -0600 Message-Id: <s9741c85.002@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Tue, 18 Jul 2000 08:59:49 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ietf-pkix@imc.org> Subject: RE: Current signature formats insufficient Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=_A0F8E0F5.22432D3E" This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=_A0F8E0F5.22432D3E Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable I've been perhaps uncharacteristically quiet on this issue so far, having = gone though these discussions many, many times in the past. But let me = offer some observations.. First, I believe that it is important to differentiate between "authenticat= ion" and a "signature". =20 Although people could certainly quibble about wording (neither the = technical nor the legal community have been exemplary with respect to = clarity on these points), to my mind "authentication" has to do primarily = with the origin of a _session_, i.e., a sequence of data interchanges. = The authentication might very well involve a digital signature technical = mechanism during the session startup, e.g., during SSL, but it might also = involve the typical user name and password. The authentication may substantiate my right to do certain things, receive = certain information, update my bank account, sell shares of stock, etc. = So the legal and/or financial consequences of my actions may be quite = significant -- certainly hundreds of thousands and potentially millions of = dollars. (If only my E-trade account were really worth that much!:-) Whether or not an order transmitted over such an authenticated connection = is legally binding or not is normally established by virtual of a = pre-existing relationship, normally a contract, between the two participant= s. Whether I deposit money in the bank, or stock in my brokerage account, = or bales of cotton in a warehouse in Memphis; if the responsible institutio= n and I agree to certain security procedures by which an order may be = placed, then such an order would generally be viewed as legally binding, = even though there might be nothing that would even approximate a "signature= " per se on the transaction. I can for example place a telephone call to my broker, identify myself by = name, account number, PIN number, my current address, etc., and cause = whatever assets I have in that account to be sold, and the money wired to = a specific account, all with no written record at all -- certainly not at = my end. Could such a transaction be repudiated? Maybe, at least to the = extent of filing a claim against the person who received the money if it = was sent to a bogus account somewhere. But could I undo the transaction, = perhaps because I could get a better price today, vs. yesterday? Highly = unlikely. (Am I rather uncomfortable with the notion of having my assets so exposed = to possible manipulation? You bet! But that's beside the point.) Now let's talk about a signature, which is of course another form of = authentication. The essential difference is that a signature is (more or less) bound to = the transaction itself -- not to the pipe over which the transaction = flows. We sign the document, not the envelope, in other words. An authenticated session is essentially ephemeral -- the authentication = only persists for the duration of the session. Granted, the parties at = either end might capture the contents of that session, and might try to = match up the session authentication mechanism with the contents of the = session itself, but such a match-up would fall into the category of = business records. They may be exempt from the hearsay rule, and thereby = be admitted into evidence, but in and of themselves they do not provide = the type of (more or less) incontrovertible evidence to a neutral third = party that a signature does. This, of course, is why the Statute of Frauds over the last several = hundred years, at least in English-speaking countries, has required a = signed contract for the transference of real property and certain other = goods -- it doesn't depend on an ephemeral connection between an authentica= ted origin and the transaction itself, and the signed document is capable = of being validated by an independent third party, without recourse to = records maintained exclusively by the (alleged) parties to the transaction.= (Typically, such transactions are also required to be witnessed by an = independent observer, and perhaps even notarized. The function of that = observer is to provide corroborative evidence that the signature is not a = forgery, and presumably that the contract was a conscious, willing, and = volitional act by the parties -- there was no coercion, the parties = appeared to be "compos mentis," etc.) Unfortunately, there are some gray areas that don't fit neatly into these = two categories. One example which comes up frequently is that of a = receipt. S/MIME V3, as part of the Enhanced Security Services, provides = for the issuance of a receipt for certain types of e-mail by the e-mail = agent itself, i.e., an automaton. So here is a case where the user has delegated certain powers and = responsibilities to an agent -- in this case a computer program. This is = not particularly unusual -- a spouse, roommate, or other person living at = a particular address can also sign for the receipt of a package or = document. By itself, this signature does not prove that the person = actually received or read the document that was received, much less agreed = with it. It does, however, provide the basis for a reasonable (rebuttable)= presumption of delivery. It may, therefore, be deemed to constitute = effective legal notice to such an individual. =20 (Exactly what constitutes legal notice will probably be hotly debated by = consumer advocates, especially as a result of the new electronic signature = law recently signed by President Clinton. Since an electronic signature = under that all too sweeping and badly drafted bill can apparently be the = result of a simple mouse click or other procedural action, even one that = is not under the informed control of the user, all sorts of things may end = up being treated as legally binding signatures - it's probably too early = to tell.) But I would submit that an automatically generated digitally signed = receipt, even if it makes use of the subscriber's private key and = corresponding certificate, and even if the process by which the signature = was generated took place with at least the user's approval, if not = specific, conscious knowledge, is much closer to being a form of authentica= tion than it is a transactional signature. Although despite many, many rounds of argument we have so far failed to = adequately define the semantics of what a (technically) nonrepudiable = signature is, most of us would probably be capable of providing examples = of what it is not -- e.g., an automatically generated receipt for = something. For that reason, I might not be unwilling to use for this purpose a = private key that was held only in software, and which was unlocked when I = started up my workstation, even if I was not physically in attendance at = all times. Such a e-mail receipt capability could be signed by my user = agent without my having to enter a password or other unlocking mechanism = every time the private key was needed. But such a key and certificate should certainly NOT have the NR bit = asserted in it, regardless of what the CA's policy says or doesn't say, = unless I am a complete idiot. Obviously, a key that is maintained in = software and capable of being used without human intervention is also = capable of being misused or compromised by rogue software such as a Trojan = horse. So far, I've tried to illustrate what does NOT constitute a technically = norepudiable digital signature. I would claim that this includes the = following cases: 1. Where the thing that is signed is an authentication challenge prior to = the establishment of a session. Although the information that flows over = the pipe or session may very well have legal consequences and be binding = in the sense that the transaction cannot be undone, the legally binding = nature of the series of the transaction had little or nothing to do with = the digitally signed authentication challenge. The fact that a digital = signature was used for authentication was neither necessary nor sufficient = for the transactions (which were authenticate as having come from the = originator, but were individually NOT signed per se) to be legally = binding. 2. Automatically generated signatures for such actions as acknowledgments = or receipts may be binding in the sense of having constituted legal notice = of delivery, but again the use of a digital signature mechanism may = provide a heightened presumption of validity, but is not in itself either = strictly necessary, nor always completely sufficient, even to prove = delivery, any more than a human signature in such a case would necessarily = be iron-clad evidence. The criteria for what SHOULD constitute a technically nonrepudiable = signature, and the semantic and technical constraints that should probably = be imposed are much more difficult to state, and this note is already far = too long, so I'll save that discussion for another time. Bob --=_A0F8E0F5.22432D3E Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" http-equiv=3DContent-Type= > <META content=3D"MSHTML 5.00.2614.3401" name=3DGENERATOR></HEAD> <BODY style=3D"FONT: 8pt MS Sans Serif; MARGIN-LEFT: 2px; MARGIN-TOP: = 2px"> <DIV><FONT size=3D1>I've been perhaps uncharacteristically quiet on this = issue so=20 far, having gone though these discussions many, many times in the = past. =20 But let me offer some observations..</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>First, I believe that it is important to differentiate = between=20 "authentication" and a "signature". </FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Although people could certainly quibble about wording = (neither=20 the technical nor the legal community have been exemplary with respect = to=20 clarity on these points), to my mind "authentication" has to do primarily = with=20 the origin of a _session_, i.e., a sequence of data interchanges. = The=20 authentication might very well involve a digital signature technical = mechanism=20 during the session startup, e.g., during SSL, but it might also involve = the=20 typical user name and password.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>The authentication may substantiate my right to = do=20 certain things, receive certain information, update my bank account, sell = shares=20 of stock, etc. So the legal and/or financial consequences of my = actions=20 may be quite significant -- certainly hundreds of thousands and potentially= =20 millions of dollars. (If only my E-trade account were really worth that=20 much!:-)</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Whether or not an order transmitted over such an = authenticated=20 connection is legally binding or not is normally established by virtual of = a=20 pre-existing relationship, normally a contract, between the two=20 participants. Whether I deposit money in the bank, or stock in my=20 brokerage account, or bales of cotton in a warehouse in Memphis; if the=20 responsible institution and I agree to certain security procedures by = which an=20 order may be placed, then such an order would generally be viewed as = legally=20 binding, even though there might be nothing that would even approximate = a=20 "signature" per se on the transaction.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>I can for example place a telephone call to my = broker,=20 identify myself by name, account number, PIN number, my current address, = etc.,=20 and cause whatever assets I have in that account to be sold, and the money = wired=20 to a specific account, all with no written record at all -- certainly not = at my=20 end. Could such a transaction be repudiated? Maybe, at least to the = extent=20 of filing a claim against the person who received the money if it was sent = to a=20 bogus account somewhere. But could I undo the transaction, perhaps = because=20 I could get a better price today, vs. yesterday? Highly=20 unlikely.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>(Am I rather uncomfortable with the notion of having = my assets=20 so exposed to possible manipulation? You bet! But that's = beside the=20 point.)</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Now let's talk about a signature, which is of course = another=20 form of authentication.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>The essential difference is that a signature is (more = or less)=20 bound to the transaction itself -- not to the pipe over which the=20 transaction flows. We sign the document, not the envelope, in = other=20 words.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>An authenticated session is essentially ephemeral -- = the=20 authentication only persists for the duration of the session. = Granted, the=20 parties at either end might capture the contents of that session, and = might try=20 to match up the session authentication mechanism with the contents of = the=20 session itself, but such a match-up would fall into the category of = business=20 records. They may be exempt from the hearsay rule, and thereby be = admitted=20 into evidence, but in and of themselves they do not provide the type of = (more or=20 less) incontrovertible evidence to a neutral third party that a = signature=20 does.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>This, of course, is why the Statute of Frauds over the = last=20 several hundred years, at least in English-speaking countries, has = required a=20 signed contract for the transference of real property and certain other = goods --=20 it doesn't depend on an ephemeral connection between an authenticated = origin and=20 the transaction itself, and the signed document is capable of being = validated by=20 an independent third party, without recourse to records maintained = exclusively=20 by the (alleged) parties to the transaction.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>(Typically, such transactions are also required to = be=20 witnessed by an independent observer, and perhaps even notarized. = The=20 function of that observer is to provide corroborative evidence that the=20 signature is not a forgery, and presumably that the contract was a=20 conscious, willing, and volitional act by the parties -- there was no = coercion,=20 the parties appeared to be "compos mentis," etc.)</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Unfortunately, there are some gray areas that don't = fit neatly=20 into these two categories. One example which comes up frequently is = that=20 of a receipt. S/MIME V3, as part of the Enhanced Security = Services,=20 provides for the issuance of a receipt for certain types of e-mail by the = e-mail=20 agent itself, i.e., an automaton.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>So here is a case where the user has delegated certain = powers=20 and responsibilities to an agent -- in this case a computer program. = This=20 is not particularly unusual -- a spouse, roommate, or other person living = at a=20 particular address can also sign for the receipt of a package or document.&= nbsp;=20 By itself, this signature does not prove that the person actually received = or=20 read the document that was received, much less agreed with it. It = does,=20 however, provide the basis for a reasonable (rebuttable) presumption of=20 delivery. It may, therefore, be deemed to constitute effective = legal=20 notice to such an individual. </FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>(Exactly what constitutes legal notice will probably = be hotly=20 debated by consumer advocates, especially as a result of the new electronic= =20 signature law recently signed by President Clinton. Since an = electronic=20 signature under that all too sweeping and badly drafted bill can apparently= be=20 the result of a simple mouse click or other procedural action, even one = that is=20 not under the informed control of the user, all sorts of things may end up = being=20 treated as legally binding signatures - it's probably too early to=20 tell.)</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>But I would submit that an automatically generated = digitally=20 signed receipt, even if it makes use of the subscriber's private key = and=20 corresponding certificate, and even if the process by which the signature = was=20 generated took place with at least the user's approval, if not specific,=20= conscious knowledge, is much closer to being a form of authentication than = it is=20 a transactional signature.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>Although despite many, many rounds of argument we have = so far=20 failed to adequately define the semantics of what a (technically) = nonrepudiable=20 signature is, most of us would probably be capable of providing examples = of what=20 it is not -- e.g., an automatically generated receipt for=20 something.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>For that reason, I might not be unwilling to use for = this=20 purpose a private key that was held only in software, and which was = unlocked=20 when I started up my workstation, even if I was not physically in = attendance at=20 all times. Such a e-mail receipt capability could be signed by my = user=20 agent without my having to enter a password or other unlocking mechanism = every=20 time the private key was needed.</FONT></DIV> <DIV> </DIV> <DIV><FONT size=3D1>But such a key and certificate should certainly NOT = have the=20 NR bit asserted in it, regardless of what the CA's policy says or doesn't = say,=20 unless I am a complete idiot. Obviously, a key that is maintained = in=20 software and capable of being used without human intervention is also = capable of=20 being misused or compromised by rogue software such as a Trojan=20 horse.</FONT></DIV> <DIV> </DIV> <DIV>So far, I've tried to illustrate what does NOT constitute a technicall= y=20 norepudiable digital signature. I would claim that this includes = the=20 following cases:</DIV> <DIV> </DIV> <DIV>1. Where the thing that is signed is an authentication = challenge=20 prior to the establishment of a session. Although the information = that=20 flows over the pipe or session may very well have legal consequences and = be=20 binding in the sense that the transaction cannot be undone, the legally = binding=20 nature of the series of the transaction had little or nothing to do with = the=20 digitally signed authentication challenge. The fact that a digital=20= signature was used for authentication was neither necessary nor sufficient = for=20 the transactions (which were authenticate as having come from the = originator,=20 but were individually NOT signed per se) to be legally binding.</DIV> <DIV> </DIV> <DIV>2. Automatically generated signatures for such actions as=20 acknowledgments or receipts may be binding in the sense of having = constituted=20 legal notice of delivery, but again the use of a digital signature = mechanism may=20 provide a heightened presumption of validity, but is not in itself = either=20 strictly necessary, nor always completely sufficient, even to prove = delivery,=20 any more than a human signature in such a case would necessarily be = iron-clad=20 evidence.</DIV> <DIV> </DIV> <DIV>The criteria for what SHOULD constitute a technically nonrepudiable=20= signature, and the semantic and technical constraints that should probably = be=20 imposed are much more difficult to state, and this note is already far too = long,=20 so I'll save that discussion for another time.</DIV> <DIV> </DIV> <DIV>Bob</DIV> <DIV> </DIV> <DIV> </DIV></BODY></HTML> --=_A0F8E0F5.22432D3E-- Received: from arista.iris.com (arista.iris.com [198.112.211.42]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA22519 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 07:44:30 -0700 (PDT) From: John_Wray@iris.com Subject: Re: Signing what you don't understand To: Stephen Kent <kent@bbn.com> Cc: John_Wray@iris.com, <ietf-pkix@imc.org> X-Mailer: Lotus Notes Release 5.0.2c February 2, 2000 Message-ID: <OF75BDEB08.9FD76D19-ON85256920.004C132A@iris.com> Date: Tue, 18 Jul 2000 10:47:05 -0400 X-MIMETrack: Serialize by Router on Arista/Iris(Build V505_07112000 |July 11, 2000) at 07/18/2000 10:47:02 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Steve, >>Anything in the certificate that's used to imply something about the intent >>behind a signature is asking for trouble, unless the specific certificate >>that a relying party should use is bound to the signature. What's to >>prevent me from obtaining certificates from two different CAs, certifying >>the same key, but with different settings of the NR bit in the two >>certificates, and then using the certificate with the NR bit clear to >>repudiate a signature I originally represented as being non-repudiable >>using the other certificate? > >Not necessarily. You seem to assume that a signer could escape >responsibility for signing in an NR context by producing a >certificate with the same public key but without the NR bit asserted. >I don't subscribe to that assumption. if I, as an RP, collect a cert >associated with the user and it has the right public key and NR >asserted, then why is my assertion of which cert was used in the >transaction untenable? A legitimate user should never put the same >public key into two certs that differ in terms of this key usage bit >(and probably not if they differ in other, significant ways). If >push came to shove and the user asserted that the NR-enabled cert was >not really issued at his request, a check of CA records for POP could >resolve the problem. [I assume that any CA issuing a cert with an NR >bit enabled ought to insist on POP, but maybe that's my unwarranted >assumption :-).] I think you're suggesting the use of a distinct key for each possible "signature intent" here (although the example deals with R vs. NR, there are more than just two flavors of signature intent). Quite apart from requiring a signer to maintain a large number of distinct keys, I think it's a bit much to expect every "legitimate user" to be well-enough versed in the nuances of certificates to always request the same certificate extensions in every certificate for a given key. >>The only way that using anything in the certificate could work is if the >>specific certificate that I intend a relying party to use to verify the >>signature is somehow bound into the signature. Binding a particular >>certificate to a signature has all sorts of other problems (e.g. do all my >>signatures become unverifiable when my certificate is renewed?), and would >>require a signature format change anyway, so why not simply assert the >>intent explicitly as part of the signature? > >Based on my comments above, I'm not sure we need to perform this >binding, but I agree with Denis's comments here, i.e., it's not >infeasible and the persistence of the signature is divorced from the >certificate lifetime by other mechanisms. What other mechanisms would cover that case of my issuing CA going out of business? If a CA's assets (including its keys) are sold as part of a bankruptcy process, I would think that trust in those keys would be fairly quickly revoked by other CAs that might have cross-certified it. In this case, invalidityDate on those revocations would probably be set so that no certificate that had been issued by the former CA's key would be trusted (to prevent the keys' new owners from issuing new backdated certificates). However, as a subscriber to the former CA, I don't see why my signatures should suddenly become less trustworthy, if my key can be verified via another path. >By the way, I'm not saying that a new format for signatures which are >designed precisely for NR purposes with general purpose documents is >a bad idea. I just commented on what appeared to be a lack of good >arguments for such a construct. I agree that the ability to have a >small token be able to understand such constructs could be valuable, >even though we still face a lot of problems with regard to secure >display of the contents of what is being signed. The most persuasive argument I can come up with is an architectural one, and assumes that there are more flavors of "signature intent" than just repudiable vs non-repudiable. There are three places I can see that one might try to encode the intent behind a signature: The particular key used, the particular certificate used, or explicitly as part of the signature structure. The intent behind a signature is fairly dynamic, possibly varying with each signature. On occasion I might want to sign a nonce simply to prove I possess a key; at other times I might want to sign a piece of e-mail to indicate that I have read it, i.e. to generate a return-receipt; at other times my signature might assert my agreement to the contents of a document; at other times it might be intended as an approval of some business process (i.e. "If the expenses listed in the document are as described, then they may be reimbursed"). However, both the certification hierarchy and the availability of keys are fairly static things - I either need to get my key re-certified for each possible signature intent I might want to assert, or I need to generate and certify a distinct key for each possible signature intent. Encoding the intent explicitly as part of the signature allows me to choose at the time I generate the signature what intent I wish to associate with the signature, rather than having to have previously set up certification chains for all intents I might wish to asserts. I would also claim that it's less error-prone and probably of greated legal validity to explicitly encode the intent along with the signature than to try to infer the certified intent from the contents of certificates issued by third-party CAs. John Received: from ntserver2.chrysalis-its.com ([209.47.245.163]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA19868 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 06:34:09 -0700 (PDT) From: FRousseau@chrysalis-its.com Received: by NTSERVER2 with Internet Mail Service (5.5.2650.21) id <P1AM8X7D>; Tue, 18 Jul 2000 09:37:11 -0400 Message-ID: <918C70B01822D411A87400B0D0204DFF04C09D@panda.chrysalis-its.com> To: carlisle.adams@entrust.com Cc: ietf-pkix@imc.org, stephen.farrell@baltimore.ie Subject: RE: Re: CRMF encValue Field Date: Tue, 18 Jul 2000 09:37:03 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF0BD.463510D2" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF0BD.463510D2 Content-Type: text/plain; charset="iso-8859-1" Hi Carlisle, I accept your responses, but I have an extra comment. According to ANSI X9.42, the Diffie-Hellman algorithm OID listed in an Appendix B2 of RFC2510bis represents the algorithm OID for a Diffie-Hellman public key, however the algorithm OID in the PrivateKeyInfo as mentioned in PKCS#11 identifies the "private key" algorithm OID. Note that Appendix A3 of ANSI X9.42 indicates that: "the syntax and encoding of private keys is considered to be implementation dependent and beyond the scope of this standard. It may, however, be useful for specific implementations or derivative standards to define a number type identified by dh-private-key to encode private keys". Shouldn't the algorithm OID for an ANSI X9.42 Diffie-Hellman private key be added to Appendix B2 for this case? Regards, Francois -----Original Message----- From: Carlisle Adams [mailto:carlisle.adams@entrust.com] Sent: Monday, July 17, 2000 2:54 PM To: 'FRousseau@chrysalis-its.com' Cc: ietf-pkix@imc.org; stephen.farrell@baltimore.ie Subject: RE: Re: CRMF encValue Field Hi Francois, > ---------- > From: > FRousseau@chrysalis-its.com[SMTP:FRousseau@chrysalis-its.com] > Sent: Monday, July 17, 2000 11:55 AM > To: stephen.farrell@baltimore.ie > Cc: ietf-pkix@imc.org > Subject: RE: Re: CRMF encValue Field > > Hi Stephen, > > I have noted that the recently published July version of RFC2510bis now > contains a note in Appendix D on "RFC 2511 Clarifications" about this > particular issue, however an exception was added for the Diffie-Hellman > algorithm OID and parameters whereas those defined in Appendix B2 of this > specification (i.e. RFC2510bis) MUST be used instead of the OID and > parameters defined in PKCS#11. Although I understand that this exception > was necessary since PKCS#11 currently only supports the PKCS#3 flavour of > Diffie-Hellman whereas Appendix B2 of RFC2510bis is about the ANSI X9.42 > flavour of Diffie-Hellman, this should have been mentioned in this > clarification. I suppose this could have been mentioned, but it seemed pretty unnecessary. Wouldn't people naturally expect the OIDs in this field to be consistent with the OIDs defined in Appendix B2? I doubt that there's much potential for confusion here, so extra wording for clarification seems redundant. > In addition, this same clarification indicates that in this case, the > intendedAlg field is unnecessary (since this information is included in > PrivateKeyInfo) and MUST be omitted. However, the algorithm identifier > field within the PrivateKeyInfo is encrypted, which means that the > "EncryptedValue" type would not contain any information in the clear about > the OID of the private key that it is carrying. Was this your intend, > please clarify? I also understand that including the intendedAlg field > would duplicate the occurrence of the parameters field, since the syntax > of the "AlgorithmIdentifier" type also contains a "parameters" field, > however by still indicating the algorithm OID, but forcing the > "parameters" field within the intendedAlg field to be NULL would allow the > "EncryptedValue" type to indicate what is the OID of the private key that > it is carrying, but not duplicate the parameters field. Wouldn't this > approach be better? No, this approach doesn't strike me as particularly better. It seems like a real kludge to include an AlgId for the same thing twice, but to specify (in commentary) that the parameters should be NULL for one of these and non-NULL (i.e., present) for the other. This reduces clarity for the reader/implementer and may run in to trouble with some compilers that are expecting actual parameter values. As for fact that the AlgId in PrivateKeyInfo is encrypted, why is this a concern? Does the receiver need to know this prior to decryption? Carlisle. ------_=_NextPart_001_01BFF0BD.463510D2 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: Re: CRMF encValue Field</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Hi Carlisle,</FONT> </P> <P><FONT SIZE=3D2>I accept your responses, but I have an extra comment. = According to ANSI X9.42, the Diffie-Hellman algorithm OID listed in an = Appendix B2 of RFC2510bis represents the algorithm OID for a = Diffie-Hellman public key, however the algorithm OID in the = PrivateKeyInfo as mentioned in PKCS#11 identifies the "private = key" algorithm OID. Note that Appendix A3 of ANSI X9.42 indicates = that: </FONT></P> <P><FONT SIZE=3D2>"the syntax and encoding of private keys is = considered to be implementation dependent and beyond the scope of this = standard. It may, however, be useful for specific implementations or = derivative standards to define a number type identified by = dh-private-key to encode private keys".</FONT></P> <P><FONT SIZE=3D2>Shouldn't the algorithm OID for an ANSI X9.42 = Diffie-Hellman private key be added to Appendix B2 for this = case?</FONT> </P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Francois</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Carlisle Adams [<A = HREF=3D"mailto:carlisle.adams@entrust.com">mailto:carlisle.adams@entrust= .com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, July 17, 2000 2:54 PM</FONT> <BR><FONT SIZE=3D2>To: 'FRousseau@chrysalis-its.com'</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org; = stephen.farrell@baltimore.ie</FONT> <BR><FONT SIZE=3D2>Subject: RE: Re: CRMF encValue Field</FONT> </P> <BR> <P><FONT SIZE=3D2>Hi Francois,</FONT> </P> <P><FONT SIZE=3D2>> ----------</FONT> <BR><FONT SIZE=3D2>> From:</FONT> <BR><FONT SIZE=3D2>> = FRousseau@chrysalis-its.com[SMTP:FRousseau@chrysalis-its.com]</FONT> <BR><FONT SIZE=3D2>> Sent: = Monday, July 17, 2000 11:55 = AM</FONT> <BR><FONT SIZE=3D2>> To: stephen.farrell@baltimore.ie</FONT> <BR><FONT SIZE=3D2>> Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: RE: Re: CRMF = encValue Field</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Hi Stephen, </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I have noted that the recently published July = version of RFC2510bis now</FONT> <BR><FONT SIZE=3D2>> contains a note in Appendix D on "RFC 2511 = Clarifications" about this</FONT> <BR><FONT SIZE=3D2>> particular issue, however an exception was = added for the Diffie-Hellman</FONT> <BR><FONT SIZE=3D2>> algorithm OID and parameters whereas those = defined in Appendix B2 of this</FONT> <BR><FONT SIZE=3D2>> specification (i.e. RFC2510bis) MUST be used = instead of the OID and</FONT> <BR><FONT SIZE=3D2>> parameters defined in PKCS#11. Although I = understand that this exception</FONT> <BR><FONT SIZE=3D2>> was necessary since PKCS#11 currently only = supports the PKCS#3 flavour of</FONT> <BR><FONT SIZE=3D2>> Diffie-Hellman whereas Appendix B2 of = RFC2510bis is about the ANSI X9.42</FONT> <BR><FONT SIZE=3D2>> flavour of Diffie-Hellman, this should have = been mentioned in this</FONT> <BR><FONT SIZE=3D2>> clarification.</FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>I suppose this could have been mentioned, but it = seemed pretty unnecessary.</FONT> <BR><FONT SIZE=3D2>Wouldn't people naturally expect the OIDs in this = field to be consistent</FONT> <BR><FONT SIZE=3D2>with the OIDs defined in Appendix B2? I doubt = that there's much potential</FONT> <BR><FONT SIZE=3D2>for confusion here, so extra wording for = clarification seems redundant.</FONT> </P> <P><FONT SIZE=3D2>> In addition, this same clarification indicates = that in this case, the</FONT> <BR><FONT SIZE=3D2>> intendedAlg field is unnecessary (since this = information is included in</FONT> <BR><FONT SIZE=3D2>> PrivateKeyInfo) and MUST be omitted. However, = the algorithm identifier</FONT> <BR><FONT SIZE=3D2>> field within the PrivateKeyInfo is encrypted, = which means that the</FONT> <BR><FONT SIZE=3D2>> "EncryptedValue" type would not = contain any information in the clear about</FONT> <BR><FONT SIZE=3D2>> the OID of the private key that it is carrying. = Was this your intend,</FONT> <BR><FONT SIZE=3D2>> please clarify? I also understand that = including the intendedAlg field</FONT> <BR><FONT SIZE=3D2>> would duplicate the occurrence of the = parameters field, since the syntax</FONT> <BR><FONT SIZE=3D2>> of the "AlgorithmIdentifier" type = also contains a "parameters" field,</FONT> <BR><FONT SIZE=3D2>> however by still indicating the algorithm OID, = but forcing the</FONT> <BR><FONT SIZE=3D2>> "parameters" field within the = intendedAlg field to be NULL would allow the</FONT> <BR><FONT SIZE=3D2>> "EncryptedValue" type to indicate = what is the OID of the private key that</FONT> <BR><FONT SIZE=3D2>> it is carrying, but not duplicate the = parameters field. Wouldn't this</FONT> <BR><FONT SIZE=3D2>> approach be better?</FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>No, this approach doesn't strike me as particularly = better. It seems like a</FONT> <BR><FONT SIZE=3D2>real kludge to include an AlgId for the same thing = twice, but to specify (in</FONT> <BR><FONT SIZE=3D2>commentary) that the parameters should be NULL for = one of these and non-NULL</FONT> <BR><FONT SIZE=3D2>(i.e., present) for the other. This reduces = clarity for the</FONT> <BR><FONT SIZE=3D2>reader/implementer and may run in to trouble with = some compilers that are</FONT> <BR><FONT SIZE=3D2>expecting actual parameter values.</FONT> </P> <P><FONT SIZE=3D2>As for fact that the AlgId in PrivateKeyInfo is = encrypted, why is this a</FONT> <BR><FONT SIZE=3D2>concern? Does the receiver need to know this = prior to decryption?</FONT> </P> <P><FONT SIZE=3D2>Carlisle.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF0BD.463510D2-- Received: from unknown-147.101.pilot.net (unknown-147-101.pilot.net [198.232.147.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA15730 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 05:42:25 -0700 (PDT) Received: from unknown-24-15.pilot.net (unknown-24-15.pilot.net [206.189.24.15]) by unknown-147.101.pilot.net with ESMTP id FAA27773; Tue, 18 Jul 2000 05:44:43 -0700 (PDT) Received: from ralsimcout.gecmc.ge.com (localhost [127.0.0.1]) by unknown-24-15.pilot.net with ESMTP id FAA17532; Tue, 18 Jul 2000 05:44:42 -0700 (PDT) Received: by ralsimcout.gecmc.ge.COM with Internet Mail Service (5.5.2651.58) id <3W64WGBY>; Tue, 18 Jul 2000 08:44:29 -0400 Message-ID: <3D1CC63B9E24D211B48B000000004C0B0388268E@chlmail.gecmc.ge.COM> From: "Golkin, Ken (CAP, CMC)" <Ken_Golkin@mortgage.ge.com> To: "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com> Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Tue, 18 Jul 2000 08:44:40 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2651.58) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF0B5.F0B5DB20" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF0B5.F0B5DB20 Content-Type: text/plain; charset="iso-8859-1" This discussion seems to be confusing two different uses for certificates 1) Authentication (I am who I say I am) 2) Signature (I signed a legally binding document) In the first case I showed my company issue picture ID (certificate) to the guard at the door and he let me in the building this morning. In the second case I stopped at the hardware store on the way home last night to buy a box of nails and some other things. At the check out I showed them my charge card (certificate) then signed the sales slip. Which legally obligated me to pay $24.86. The certificate policy (defined as: A named set of rules that indicates the applicability of a public key certificate to a particular community or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of public key certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.) in X.509 PKiX roadmap makes it clear that all certificates are not created equal. The Canadian Government and United States Government PKI initiatives have defined multiple levels of assurance, and as far as I can tell, most business applications of PKI are following the government lead. If I'm loaning someone $250,000 to buy a house I obviously need a greater level of assurance that they are who they are (and their bank is who they say they are) then was required by the checkout at the hardware store or the guard at the entrance. -----Original Message----- From: Adrian McCullagh [mailto:AMcCullagh@exchange.gadens.com.au] Sent: Monday, July 17, 2000 11:08 PM To: 'Stephen Kent' Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Stephen, I do not want to get into an argument with you. Yes I am a lawyer but I also have a technical background so your suggestion otherwise, I thought was not moving the discussion forward. Admittedly, I do not possess the technical knowledge that you have. Your example is well put but is this really a digital signature or is it a set of bits (a mark) that has been affixed using the same technology known as digital signature technology. You mention the difference between the 2 intents. I would be surprised, if anyone (other than the technically minded) even knows that a challenge response is even being "signed". There is no intent at all in this case. It is the technology as designed that is effecting the response to the challenge. I am surprised that "you" sign authentication challenges, just for authentication purposes. Is it really a signature? Are you really signing the authentication challenge or is it the software on your machine effecting the response to the challenge? To me this is not a signature. It may use digital signature technology but it is not a signature. This is probably the problem. It is the use of the word "signature" which is a technical term but has been used by the PKI community to cover a myriad of uses. Some uses of the term by the PKI community are confusing. I also do not agree with your position that the NR bit can signal any intent either way. With respect, intent is ascertained at the time of signing. A certificate has nothing what so ever to do with signing. Its primary purpose is to identify a public key that corresponds to a private key that may be held by some previously identified person or entity. The public key is used to verify a digital signature that has supposedly been created using the corresponding private key. That is it as far as I understand it unless there is some other primary purpose that I do not know. I do not see the relationship between digitally signing a document and the contents of a certificate. Verification of the signature at some later time is a different issue which may involve the use of a certificate but this may not be so. Adrian McCullagh Director of Electronic Commerce Tel: 617 3231 1522 Gadens Lawyers Fax: 617 3229 5850 level 39 Central Plaza 1 345 Queen Street Brisbane Australia 4000 Ph. D. Candidate Thesis "The Incorporation of Trust Strategies in Digital Signature Regimes for Elec. Comm." Information Security Research Centre Queensland University of Technology -----Original Message----- From: Stephen Kent [mailto:kent@bbn.com] Sent: Tuesday, July 18, 2000 10:00 AM To: Adrian McCullagh Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand At 12:50 PM +1000 7/15/00, Adrian McCullagh wrote: >Stephen > >I really do not understand your response. Why would anyone sign a document >that they do not understand. It does not make sense. If I sent you a >document written in Chinese and assume you can not read Chinese and at the >same time I said just sign this - Why would you sign it. Now if you trusted >me then you may sign it based upon the information about the document that I >tell you. A classic case for Non-est-factum. But all the cases that I have >read clearly rely upon some information provided by an Alleged trusted third >party. Usually some relative. So without some external information being >provided by a third party it is not as far as I can determine possible to >rely upon non est factum. Because we sign authentication challenges, just for authentication purposes, but not for NR purposes, it is prudent to distinguish between the two intents. Your comments seem to ignore this use of digital signature technology. One way of signalling intent is via the NR bit. Although it has been argued that having this bit set to True does not necessarily signal intent to sign for NR purposes, having it set to False certainly signals an intent to not be bound re NR. (Your use of Latin and your e-mail "signature" suggests a legal, but perhaps not a technical background. We've also decided, after much debate, that PKIX deals with technical aspects of NR, not legal details that may vary based upon jurisdiction.) >Also what does a "bit" in a certificate got to do with non-repudiation. The >commercial world and the law does not in my opinion support this position of >yours. You appear to be on a path to re-engineering the entire commercial >legal fabric and as such I with the greatest respect I do not believe that >society and the law will buy into it. With out the commercial involvement >PKI will not survive. The position is not just mine. Sorry of you don't understand, or merely don't agree with the use of the NR bit, or its name, but we had this debate a while ago and we're not having it again. > >I do not understand how - "what you are proposing" - will work in practical >terms. I'm not "proposing," but I am citing existing Internet and ITU standards and the applicability to the question at hand. Steve ------_=_NextPart_001_01BFF0B5.F0B5DB20 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2651.75"> <TITLE>RE: Signing what you don't understand</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>This discussion seems to be confusing two different = uses for certificates</FONT> <BR><FONT SIZE=3D2>1) Authentication (I am who I say I am)</FONT> <BR><FONT SIZE=3D2>2) Signature (I signed a legally binding = document)</FONT> </P> <P><FONT SIZE=3D2>In the first case I showed my company issue picture = ID (certificate) to the guard at the door and he let me in the building = this morning. </FONT></P> <P><FONT SIZE=3D2>In the second case I stopped at the hardware store on = the way home last night to buy a box of nails and some other = things. At the check out I showed them my charge card = (certificate) then signed the sales slip. Which legally obligated = me to pay $24.86. </FONT></P> <P><FONT SIZE=3D2>The certificate policy (defined as: A named set of = rules that indicates the</FONT> <BR><FONT SIZE=3D2> applicability = of a public key certificate to a particular</FONT> <BR><FONT SIZE=3D2> community or = class of application with common security</FONT> <BR><FONT SIZE=3D2> requirements. = For example, a particular certificate policy might</FONT> <BR><FONT SIZE=3D2> indicate = applicability of a type of public key certificate to the</FONT> <BR><FONT SIZE=3D2> authentication = of electronic data interchange transactions for</FONT> <BR><FONT SIZE=3D2> the trading of = goods within a given price range.) in X.509 PKiX roadmap makes it clear = that all certificates are not created equal.</FONT></P> <P><FONT SIZE=3D2>The Canadian Government and United States Government = PKI initiatives have defined multiple levels of assurance, and as far = as I can tell, most business applications of PKI are following the = government lead.</FONT></P> <P><FONT SIZE=3D2>If I'm loaning someone $250,000 to buy a house I = obviously need a greater level of assurance that they are who they are = (and their bank is who they say they are) then was required by the = checkout at the hardware store or the guard at the entrance.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Adrian McCullagh [<A = HREF=3D"mailto:AMcCullagh@exchange.gadens.com.au">mailto:AMcCullagh@exch= ange.gadens.com.au</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, July 17, 2000 11:08 PM</FONT> <BR><FONT SIZE=3D2>To: 'Stephen Kent'</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Signing what you don't = understand</FONT> </P> <BR> <P><FONT SIZE=3D2>Stephen,</FONT> </P> <P><FONT SIZE=3D2>I do not want to get into an argument with you. = Yes I am a lawyer but I</FONT> <BR><FONT SIZE=3D2>also have a technical background so your suggestion = otherwise, I thought was</FONT> <BR><FONT SIZE=3D2>not moving the discussion forward. Admittedly, I do = not possess the</FONT> <BR><FONT SIZE=3D2>technical knowledge that you have.</FONT> </P> <P><FONT SIZE=3D2>Your example is well put but is this really a digital = signature or is it a</FONT> <BR><FONT SIZE=3D2>set of bits (a mark) that has been affixed using the = same technology known</FONT> <BR><FONT SIZE=3D2>as digital signature technology.</FONT> </P> <P><FONT SIZE=3D2>You mention the difference between the 2 = intents. I would be surprised, if</FONT> <BR><FONT SIZE=3D2>anyone (other than the technically minded) even = knows that a challenge</FONT> <BR><FONT SIZE=3D2>response is even being "signed". = There is no intent at all in this case. It</FONT> <BR><FONT SIZE=3D2>is the technology as designed that is effecting the = response to the</FONT> <BR><FONT SIZE=3D2>challenge. I am surprised that "you" = sign authentication challenges, just</FONT> <BR><FONT SIZE=3D2>for authentication purposes. Is it really a = signature? Are you really</FONT> <BR><FONT SIZE=3D2>signing the authentication challenge or is it the = software on your machine</FONT> <BR><FONT SIZE=3D2>effecting the response to the challenge? </FONT> </P> <P><FONT SIZE=3D2>To me this is not a signature. It may use = digital signature technology but</FONT> <BR><FONT SIZE=3D2>it is not a signature. This is probably the = problem. It is the use of the</FONT> <BR><FONT SIZE=3D2>word "signature" which is a technical term = but has been used by the PKI</FONT> <BR><FONT SIZE=3D2>community to cover a myriad of uses. Some uses = of the term by the PKI</FONT> <BR><FONT SIZE=3D2>community are confusing. </FONT> </P> <P><FONT SIZE=3D2>I also do not agree with your position that the NR = bit can signal any intent</FONT> <BR><FONT SIZE=3D2>either way. With respect, intent is = ascertained at the time of signing. A</FONT> <BR><FONT SIZE=3D2>certificate has nothing what so ever to do with = signing. Its primary</FONT> <BR><FONT SIZE=3D2>purpose is to identify a public key that corresponds = to a private key that</FONT> <BR><FONT SIZE=3D2>may be held by some previously identified person or = entity. The public key</FONT> <BR><FONT SIZE=3D2>is used to verify a digital signature that has = supposedly been created using</FONT> <BR><FONT SIZE=3D2>the corresponding private key. That is it as = far as I understand it unless</FONT> <BR><FONT SIZE=3D2>there is some other primary purpose that I do not = know. I do not see the</FONT> <BR><FONT SIZE=3D2>relationship between digitally signing a document = and the contents of a</FONT> <BR><FONT SIZE=3D2>certificate. Verification of the signature at some = later time is a different</FONT> <BR><FONT SIZE=3D2>issue which may involve the use of a certificate but = this may not be so.</FONT> </P> <P><FONT SIZE=3D2>Adrian McCullagh</FONT> <BR><FONT SIZE=3D2>Director of Electronic Commerce = Tel: 617 3231 1522</FONT> <BR><FONT SIZE=3D2>Gadens Lawyers = = = = Fax: 617 3229 = 5850 </FONT> <BR><FONT SIZE=3D2>level 39</FONT> <BR><FONT SIZE=3D2>Central Plaza 1</FONT> <BR><FONT SIZE=3D2>345 Queen Street</FONT> <BR><FONT SIZE=3D2>Brisbane Australia 4000</FONT> </P> <P><FONT SIZE=3D2>Ph. D. Candidate </FONT> <BR><FONT SIZE=3D2>Thesis "The Incorporation of Trust Strategies = in Digital Signature</FONT> <BR><FONT SIZE=3D2>Regimes for Elec. Comm."</FONT> <BR><FONT SIZE=3D2>Information Security Research Centre</FONT> <BR><FONT SIZE=3D2>Queensland University of Technology</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Stephen Kent [<A = HREF=3D"mailto:kent@bbn.com">mailto:kent@bbn.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Tuesday, July 18, 2000 10:00 AM</FONT> <BR><FONT SIZE=3D2>To: Adrian McCullagh</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Signing what you don't = understand</FONT> </P> <BR> <P><FONT SIZE=3D2>At 12:50 PM +1000 7/15/00, Adrian McCullagh = wrote:</FONT> <BR><FONT SIZE=3D2>>Stephen</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I really do not understand your response. = Why would anyone sign a document</FONT> <BR><FONT SIZE=3D2>>that they do not understand. It does not = make sense. If I sent you a</FONT> <BR><FONT SIZE=3D2>>document written in Chinese and assume you can = not read Chinese and at the</FONT> <BR><FONT SIZE=3D2>>same time I said just sign this - Why would you = sign it. Now if you</FONT> <BR><FONT SIZE=3D2>trusted</FONT> <BR><FONT SIZE=3D2>>me then you may sign it based upon the = information about the document that</FONT> <BR><FONT SIZE=3D2>I</FONT> <BR><FONT SIZE=3D2>>tell you. A classic case for = Non-est-factum. But all the cases that I</FONT> <BR><FONT SIZE=3D2>have</FONT> <BR><FONT SIZE=3D2>>read clearly rely upon some information provided = by an Alleged trusted</FONT> <BR><FONT SIZE=3D2>third</FONT> <BR><FONT SIZE=3D2>>party. Usually some relative. So = without some external information being</FONT> <BR><FONT SIZE=3D2>>provided by a third party it is not as far as I = can determine possible to</FONT> <BR><FONT SIZE=3D2>>rely upon non est factum.</FONT> </P> <P><FONT SIZE=3D2>Because we sign authentication challenges, just for = authentication </FONT> <BR><FONT SIZE=3D2>purposes, but not for NR purposes, it is prudent to = distinguish </FONT> <BR><FONT SIZE=3D2>between the two intents. Your comments seem to = ignore this use of </FONT> <BR><FONT SIZE=3D2>digital signature technology. One way of signalling = intent is via the </FONT> <BR><FONT SIZE=3D2>NR bit. Although it has been argued that having this = bit set to True </FONT> <BR><FONT SIZE=3D2>does not necessarily signal intent to sign for NR = purposes, having it </FONT> <BR><FONT SIZE=3D2>set to False certainly signals an intent to not be = bound re NR.</FONT> </P> <P><FONT SIZE=3D2>(Your use of Latin and your e-mail = "signature" suggests a legal, but </FONT> <BR><FONT SIZE=3D2>perhaps not a technical background. We've also = decided, after much </FONT> <BR><FONT SIZE=3D2>debate, that PKIX deals with technical aspects of = NR, not legal </FONT> <BR><FONT SIZE=3D2>details that may vary based upon = jurisdiction.)</FONT> </P> <P><FONT SIZE=3D2>>Also what does a "bit" in a certificate = got to do with non-repudiation.</FONT> <BR><FONT SIZE=3D2>The</FONT> <BR><FONT SIZE=3D2>>commercial world and the law does not in my = opinion support this position</FONT> <BR><FONT SIZE=3D2>of</FONT> <BR><FONT SIZE=3D2>>yours. You appear to be on a path to = re-engineering the entire commercial</FONT> <BR><FONT SIZE=3D2>>legal fabric and as such I with the greatest = respect I do not believe that</FONT> <BR><FONT SIZE=3D2>>society and the law will buy into it. With = out the commercial involvement</FONT> <BR><FONT SIZE=3D2>>PKI will not survive.</FONT> </P> <P><FONT SIZE=3D2>The position is not just mine. Sorry of you = don't understand, or </FONT> <BR><FONT SIZE=3D2>merely don't agree with the use of the NR bit, or = its name, but we </FONT> <BR><FONT SIZE=3D2>had this debate a while ago and we're not having it = again.</FONT> </P> <P><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I do not understand how - "what you are = proposing" - will work in practical</FONT> <BR><FONT SIZE=3D2>>terms.</FONT> </P> <P><FONT SIZE=3D2>I'm not "proposing," but I am citing = existing Internet and ITU </FONT> <BR><FONT SIZE=3D2>standards and the applicability to the question at = hand.</FONT> </P> <P><FONT SIZE=3D2>Steve</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF0B5.F0B5DB20-- Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA08508 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 03:33:30 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA13910; Tue, 18 Jul 2000 06:35:55 -0400 (EDT) Message-Id: <200007181035.GAA13910@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-laap-01.txt Date: Tue, 18 Jul 2000 06:35:55 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Limited AttributeCertificate Acquisition Protocol Author(s) : S. Farrell, D. Chadwick Filename : draft-ietf-pkix-laap-01.txt Pages : 13 Date : 17-Jul-00 The PKIX working group is profiling the use of X.509 attribute certificates. This document specifies a deliberately limited protocol for requesting an attribute certificate from a server. It is intended to be complementary to the use of LDAP for AC retrieval, covering, for example, those cases where use of an LDAP server is not suitable due to the type of authorization model being employed. For many other cases, the use of LDAP is preferred. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-laap-01.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-laap-01.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-laap-01.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000717150035.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-laap-01.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-laap-01.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000717150035.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA08480 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 03:33:25 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA13862; Tue, 18 Jul 2000 06:35:50 -0400 (EDT) Message-Id: <200007181035.GAA13862@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-ac509prof-04.txt Date: Tue, 18 Jul 2000 06:35:50 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : An Internet AttributeCertificate Profile for Authorization Author(s) : S. Farrell, R. Housley Filename : draft-ietf-pkix-ac509prof-04.txt Pages : 37 Date : 17-Jul-00 This specification defines a profile for the use of X.509 Attribute Certificates in Internet Protocols. Attribute certificates may be used in a wide range of applications and environments covering a broad spectrum of interoperability goals and a broader spectrum of operational and assurance requirements. The goal of this document is to establish a common baseline for generic applications requiring broad interoperability as well as limited special purpose requirements. The profile places emphasis on attribute certificate support for Internet electronic mail, IPSec, and WWW security applications. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-ac509prof-04.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-ac509prof-04.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-ac509prof-04.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000717150022.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-ac509prof-04.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-ac509prof-04.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000717150022.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA00677 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 01:20:36 -0700 (PDT) Received: from jean [195.39.160.115] by mail.arabtrust.com (SMTPD32-6.00) id A47B344A00C0; Tue, 18 Jul 2000 04:25:31 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: <ietf-pkix@imc.org> Subject: Date: Tue, 18 Jul 2000 11:21:54 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDEENNCBAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal Hello, Can anyone tell me what language is the below written in? CBCParameter ::= IV FBParameter ::= SEQUENCE { iv IV, numberOfBits NumberO ........... ......... Thanks Best Regards Jean Abraham Key Manager Arabtrust Tel: +965 - 5629645/721/827 Ext: 408 Fax: +965 - 5662164 jean.med@arabtrust.com Received: from mail.arabtrust.com (mail.arabtrust.com [216.247.149.19]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA28930 for <ietf-pkix@imc.org>; Tue, 18 Jul 2000 00:54:36 -0700 (PDT) Received: from jean [195.39.160.115] by mail.arabtrust.com (SMTPD32-6.00) id AE5F443000EC; Tue, 18 Jul 2000 03:59:27 -0400 From: "Jean Abraham" <jean.med@arabtrust.com> To: <ietf-pkix@imc.org> Subject: Date: Tue, 18 Jul 2000 10:55:47 +0300 Message-ID: <LPBBLAPIGLOAGIHKOOGDCENMCBAA.jean.med@arabtrust.com> MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal Hi, Can anyone help me in finding out or anyone in sending me error codes of luna tokens. (Luna CA and Luna 2) Thanks Best Regards Jean Abraham Key Manager Arabtrust Tel: +965 - 4849957 Ext: 12 Fax: +965 - 4838394 jean.med@arabtrust.com Received: from hamster.gadens.com.au (root@dns.gadens.com.au [203.32.220.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA10364 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 20:03:27 -0700 (PDT) Received: from exchange.gadens.com.au ([10.1.8.3]) by hamster.gadens.com.au (8.9.3/8.9.3) with ESMTP id NAA99268; Tue, 18 Jul 2000 13:05:06 +1000 (EST) (envelope-from AMcCullagh@exchange.gadens.com.au) Received: by exchange.gadens.com.au with Internet Mail Service (5.5.2650.21) id <3YWS62VJ>; Tue, 18 Jul 2000 13:08:28 +1000 Message-ID: <C7006C79F23FD411AFCC00E018C353B4025916@exchange.gadens.com.au> From: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> To: "'Stephen Kent'" <kent@bbn.com> Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Tue, 18 Jul 2000 13:08:27 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Stephen, I do not want to get into an argument with you. Yes I am a lawyer but I also have a technical background so your suggestion otherwise, I thought was not moving the discussion forward. Admittedly, I do not possess the technical knowledge that you have. Your example is well put but is this really a digital signature or is it a set of bits (a mark) that has been affixed using the same technology known as digital signature technology. You mention the difference between the 2 intents. I would be surprised, if anyone (other than the technically minded) even knows that a challenge response is even being "signed". There is no intent at all in this case. It is the technology as designed that is effecting the response to the challenge. I am surprised that "you" sign authentication challenges, just for authentication purposes. Is it really a signature? Are you really signing the authentication challenge or is it the software on your machine effecting the response to the challenge? To me this is not a signature. It may use digital signature technology but it is not a signature. This is probably the problem. It is the use of the word "signature" which is a technical term but has been used by the PKI community to cover a myriad of uses. Some uses of the term by the PKI community are confusing. I also do not agree with your position that the NR bit can signal any intent either way. With respect, intent is ascertained at the time of signing. A certificate has nothing what so ever to do with signing. Its primary purpose is to identify a public key that corresponds to a private key that may be held by some previously identified person or entity. The public key is used to verify a digital signature that has supposedly been created using the corresponding private key. That is it as far as I understand it unless there is some other primary purpose that I do not know. I do not see the relationship between digitally signing a document and the contents of a certificate. Verification of the signature at some later time is a different issue which may involve the use of a certificate but this may not be so. Adrian McCullagh Director of Electronic Commerce Tel: 617 3231 1522 Gadens Lawyers Fax: 617 3229 5850 level 39 Central Plaza 1 345 Queen Street Brisbane Australia 4000 Ph. D. Candidate Thesis "The Incorporation of Trust Strategies in Digital Signature Regimes for Elec. Comm." Information Security Research Centre Queensland University of Technology -----Original Message----- From: Stephen Kent [mailto:kent@bbn.com] Sent: Tuesday, July 18, 2000 10:00 AM To: Adrian McCullagh Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand At 12:50 PM +1000 7/15/00, Adrian McCullagh wrote: >Stephen > >I really do not understand your response. Why would anyone sign a document >that they do not understand. It does not make sense. If I sent you a >document written in Chinese and assume you can not read Chinese and at the >same time I said just sign this - Why would you sign it. Now if you trusted >me then you may sign it based upon the information about the document that I >tell you. A classic case for Non-est-factum. But all the cases that I have >read clearly rely upon some information provided by an Alleged trusted third >party. Usually some relative. So without some external information being >provided by a third party it is not as far as I can determine possible to >rely upon non est factum. Because we sign authentication challenges, just for authentication purposes, but not for NR purposes, it is prudent to distinguish between the two intents. Your comments seem to ignore this use of digital signature technology. One way of signalling intent is via the NR bit. Although it has been argued that having this bit set to True does not necessarily signal intent to sign for NR purposes, having it set to False certainly signals an intent to not be bound re NR. (Your use of Latin and your e-mail "signature" suggests a legal, but perhaps not a technical background. We've also decided, after much debate, that PKIX deals with technical aspects of NR, not legal details that may vary based upon jurisdiction.) >Also what does a "bit" in a certificate got to do with non-repudiation. The >commercial world and the law does not in my opinion support this position of >yours. You appear to be on a path to re-engineering the entire commercial >legal fabric and as such I with the greatest respect I do not believe that >society and the law will buy into it. With out the commercial involvement >PKI will not survive. The position is not just mine. Sorry of you don't understand, or merely don't agree with the use of the NR bit, or its name, but we had this debate a while ago and we're not having it again. > >I do not understand how - "what you are proposing" - will work in practical >terms. I'm not "proposing," but I am citing existing Internet and ITU standards and the applicability to the question at hand. Steve Received: from mail-fwd.verio-web.com ([161.58.16.59]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id TAA06887 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 19:14:55 -0700 (PDT) From: rsalz@CaveoSystems.com Received: from 161.58.117.181 (161.58.117.181) by mail11b.verio-web.com (RS ver 1.0.57s) with SMTP id 0519720; Mon, 17 Jul 2000 22:16:55 -0400 (EDT) Received: (from rsalz@localhost) by os390.caveosystems.com (8.9.3/8.9.3) id WAA25184; Mon, 17 Jul 2000 22:16:00 -0400 Date: Mon, 17 Jul 2000 22:16:00 -0400 Message-Id: <200007180216.WAA25184@os390.caveosystems.com> To: Khaja.Ahmed@identrus.com, rsalz@CaveoSystems.com Subject: RE: Need for an XML based cert check protocol with RPP capability . Cc: ietf-pkix@imc.org X-Loop-Detect: 1 >Regardless of the structure of the PKI, path validation has to be done >somewhere by someone the relying party trusts. This is normally done by the >relying party itself. It can however be done by a party the Relying part >trusts - Their bank for example. In the general case, yes. As I last understood it, the Identrus business rules said that the relying party always asks its bank. And all the background processing the bank did was completely hidden by the bank. Bank A never exposed the *presence* of any other bank to its customers. If your rules say "ask the bank" then there is no need to encode this in a protocol. Encode it in your code. :) Second, Identrus is a closed PKI without cross-certification. Identrus certs are only to be used among Identrus participants who agree to follow Identrus rules. That's a linch-pin for making the whole risk-management aspect fly. Have those rules changed? If not, then I'm still stumped. Could you provide a worked example? (This might be falling outside the general interest of the list...) /r$ Received: from cam-mailer1.bbn.com (cam-mailer1.bbn.com [171.78.68.5]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA27408 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 17:15:21 -0700 (PDT) Received: from [128.33.238.30] (TC030.BBN.COM [128.33.238.30]) by cam-mailer1.bbn.com (8.8.8+Sun/8.8.8) with ESMTP id UAA07507; Mon, 17 Jul 2000 20:13:54 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04220803b5994d14f71c@[171.78.30.108]> In-Reply-To: <C7006C79F23FD411AFCC00E018C353B402590D@exchange.gadens.com.au> References: <C7006C79F23FD411AFCC00E018C353B402590D@exchange.gadens.com.au> Date: Mon, 17 Jul 2000 20:00:21 -0400 To: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> From: Stephen Kent <kent@bbn.com> Subject: RE: Signing what you don't understand Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 12:50 PM +1000 7/15/00, Adrian McCullagh wrote: >Stephen > >I really do not understand your response. Why would anyone sign a document >that they do not understand. It does not make sense. If I sent you a >document written in Chinese and assume you can not read Chinese and at the >same time I said just sign this - Why would you sign it. Now if you trusted >me then you may sign it based upon the information about the document that I >tell you. A classic case for Non-est-factum. But all the cases that I have >read clearly rely upon some information provided by an Alleged trusted third >party. Usually some relative. So without some external information being >provided by a third party it is not as far as I can determine possible to >rely upon non est factum. Because we sign authentication challenges, just for authentication purposes, but not for NR purposes, it is prudent to distinguish between the two intents. Your comments seem to ignore this use of digital signature technology. One way of signalling intent is via the NR bit. Although it has been argued that having this bit set to True does not necessarily signal intent to sign for NR purposes, having it set to False certainly signals an intent to not be bound re NR. (Your use of Latin and your e-mail "signature" suggests a legal, but perhaps not a technical background. We've also decided, after much debate, that PKIX deals with technical aspects of NR, not legal details that may vary based upon jurisdiction.) >Also what does a "bit" in a certificate got to do with non-repudiation. The >commercial world and the law does not in my opinion support this position of >yours. You appear to be on a path to re-engineering the entire commercial >legal fabric and as such I with the greatest respect I do not believe that >society and the law will buy into it. With out the commercial involvement >PKI will not survive. The position is not just mine. Sorry of you don't understand, or merely don't agree with the use of the NR bit, or its name, but we had this debate a while ago and we're not having it again. > >I do not understand how - "what you are proposing" - will work in practical >terms. I'm not "proposing," but I am citing existing Internet and ITU standards and the applicability to the question at hand. Steve Received: from cam-mailer1.bbn.com (cam-mailer1.bbn.com [171.78.68.5]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA27159 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 17:11:46 -0700 (PDT) Received: from [128.33.238.30] (TC030.BBN.COM [128.33.238.30]) by cam-mailer1.bbn.com (8.8.8+Sun/8.8.8) with ESMTP id UAA07522; Mon, 17 Jul 2000 20:14:07 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04220804b5994ed7610a@[171.78.30.108]> In-Reply-To: <OF639C14C1.CCA2AE57-ON8525691F.004CDB07@iris.com> References: <OF639C14C1.CCA2AE57-ON8525691F.004CDB07@iris.com> Date: Mon, 17 Jul 2000 20:11:11 -0400 To: John_Wray@iris.com From: Stephen Kent <kent@bbn.com> Subject: Re: Signing what you don't understand Cc: <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" John, >Anything in the certificate that's used to imply something about the intent >behind a signature is asking for trouble, unless the specific certificate >that a relying party should use is bound to the signature. What's to >prevent me from obtaining certificates from two different CAs, certifying >the same key, but with different settings of the NR bit in the two >certificates, and then using the certificate with the NR bit clear to >repudiate a signature I originally represented as being non-repudiable >using the other certificate? Not necessarily. You seem to assume that a signer could escape responsibility for signing in an NR context by producing a certificate with the same public key but without the NR bit asserted. I don't subscribe to that assumption. if I, as an RP, collect a cert associated with the user and it has the right public key and NR asserted, then why is my assertion of which cert was used in the transaction untenable? A legitimate user should never put the same public key into two certs that differ in terms of this key usage bit (and probably not if they differ in other, significant ways). If push came to shove and the user asserted that the NR-enabled cert was not really issued at his request, a check of CA records for POP could resolve the problem. [I assume that any CA issuing a cert with an NR bit enabled ought to insist on POP, but maybe that's my unwarranted assumption :-).] >The only way that using anything in the certificate could work is if the >specific certificate that I intend a relying party to use to verify the >signature is somehow bound into the signature. Binding a particular >certificate to a signature has all sorts of other problems (e.g. do all my >signatures become unverifiable when my certificate is renewed?), and would >require a signature format change anyway, so why not simply assert the >intent explicitly as part of the signature? Based on my comments above, I'm not sure we need to perform this binding, but I agree with Denis's comments here, i.e., it's not infeasible and the persistence of the signature is divorced from the certificate lifetime by other mechanisms. By the way, I'm not saying that a new format for signatures which are designed precisely for NR purposes with general purpose documents is a bad idea. I just commented on what appeared to be a lack of good arguments for such a construct. I agree that the ability to have a small token be able to understand such constructs could be valuable, even though we still face a lot of problems with regard to secure display of the contents of what is being signed. Steve Received: from blue.identrus.com ([216.213.93.121]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA26408 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 16:40:35 -0700 (PDT) Received: by blue.identrus.com with Internet Mail Service (5.5.2650.21) id <N9QAN1K5>; Mon, 17 Jul 2000 19:42:56 -0400 Message-ID: <A105E1C02F5DD31181A500508B5519EC30623F@blue.identrus.com> From: Khaja Ahmed <Khaja.Ahmed@identrus.com> To: "'Rich Salz '" <rsalz@caveosystems.com> Cc: "'''ietf-pkix@imc.org ' ' '" <ietf-pkix@imc.org> Subject: RE: Need for an XML based cert check protocol with RPP capability . Date: Mon, 17 Jul 2000 19:42:54 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF048.BA8E6580" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF048.BA8E6580 Content-Type: text/plain; charset="iso-8859-1" Regardless of the structure of the PKI, path validation has to be done somewhere by someone the relying party trusts. This is normally done by the relying party itself. It can however be done by a party the Relying part trusts - Their bank for example. The benefit of having path validation done at the bank is to off load the relying party. Two substantial and obvious benefits are: 1.) Decrease the computation burden on the relying party application - possibly a web server. Of course, one could argue just as easily "distributed processing" is more efficient but when the dust settled the decision was in favor of putting the burden on the bank. 2.) It was felt that by taking the burden of PKIX compliant path processing off the shoulders of those developing applications for relying paries, we would speed up adoption of the Identrus system. Khaja -----Original Message----- From: Rich Salz To: Khaja Ahmed Cc: ''ietf-pkix@imc.org ' ' Sent: 7/17/00 2:26 PM Subject: Re: Need for an XML based cert check protocol with RPP capability. I'm still confused. Identrus is a closed PKI, each customer speaks only to its bank and banks speak to each other. There is no cross-certification. There is a single root, and a single path from between any two Identrus participants. Taking those things together, I still don't see how/why RPP is necessary. ------_=_NextPart_001_01BFF048.BA8E6580 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: Need for an XML based cert check protocol with RPP = capability.</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Regardless of the structure of the PKI, path = validation has to be done somewhere by someone the relying party = trusts. This is normally done by the relying party itself. = It can however be done by a party the Relying part trusts - Their bank = for example.</FONT></P> <P><FONT SIZE=3D2>The benefit of having path validation done at the = bank is to off load the relying party. Two substantial and = obvious benefits are:</FONT></P> <P><FONT SIZE=3D2>1.) Decrease the computation burden on the relying = party application - possibly a web server. Of course, one could = argue just as easily "distributed processing" is more = efficient but when the dust settled the decision was in favor of = putting the burden on the bank.</FONT></P> <P><FONT SIZE=3D2>2.) It was felt that by taking the burden of PKIX = compliant path processing off the shoulders of those developing = applications for relying paries, we would speed up adoption of the = Identrus system.</FONT></P> <P><FONT SIZE=3D2>Khaja</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Rich Salz</FONT> <BR><FONT SIZE=3D2>To: Khaja Ahmed</FONT> <BR><FONT SIZE=3D2>Cc: ''ietf-pkix@imc.org ' '</FONT> <BR><FONT SIZE=3D2>Sent: 7/17/00 2:26 PM</FONT> <BR><FONT SIZE=3D2>Subject: Re: Need for an XML based cert check = protocol with RPP capability.</FONT> </P> <P><FONT SIZE=3D2>I'm still confused. Identrus is a closed PKI, = each customer speaks only</FONT> <BR><FONT SIZE=3D2>to its bank and banks speak to each other. There is = no</FONT> <BR><FONT SIZE=3D2>cross-certification.</FONT> <BR><FONT SIZE=3D2>There is a single root, and a single path from = between any two Identrus</FONT> <BR><FONT SIZE=3D2>participants. Taking those things together, I = still don't see how/why</FONT> <BR><FONT SIZE=3D2>RPP is necessary.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF048.BA8E6580-- Received: from blue.identrus.com ([216.213.93.121]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA25840 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 16:16:49 -0700 (PDT) Received: by blue.identrus.com with Internet Mail Service (5.5.2650.21) id <N9QAN1KV>; Mon, 17 Jul 2000 19:19:11 -0400 Message-ID: <A105E1C02F5DD31181A500508B5519EC30623D@blue.identrus.com> From: Khaja Ahmed <Khaja.Ahmed@identrus.com> To: "'Denis '" <Denis.Pinkas@bull.net>, Khaja Ahmed <Khaja.Ahmed@identrus.com> Cc: "'''ietf-pkix@imc.org ' ' '" <ietf-pkix@imc.org> Subject: RE: Need for an XML based cert check protocol with RPP capability . Date: Mon, 17 Jul 2000 19:19:08 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF045.69078A20" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF045.69078A20 Content-Type: text/plain; charset="iso-8859-1" Denis, You certainly have thought through the scenario and are quite right in all your observations. Additional infomation below: -----Original Message----- From: Denis >> 2.) Allows the banks to provide value add services beyond >> certificate validation. i.e. validation of the transaction >> itself. The thinking is that the relying party (in some >> transactions) the seller doesn't simply want to know whether or >> not the buyer's certificate is good. He may want to know if she >> is good for money, has the required funds/credit rating etc. > ... but in that case some details of the transaction would need to >be passed along on that protocol (this is not the case today). >However, as soon as this is done, there are deep implications. >Let us take an example: Let us assume that the request is for funds >up to 100.000 $. Is the bank going to count down a credit line ? For "transaction validation" as distinct from just certificate validation, this is precisely the kind of hook(s) into financial systems that would be needed. Clearly banks have the ability to provide such services. This is really the sort of processing done with credit card and ATM card transactions. This is the true value of the Identrus system. >If no, then 8 relying parties might be fooled because everything was >nice for 2 such transactions, but not 10. >If yes, then there is some count down, but then the requesters had >better to be authenticated otherwise there would be some easy denial >of service attacks. Requestors are indeed authenticated. All requests are to be signed. We have adopted xmldsig for such signatures. >So what are your views on that topic ? Regards, Denis ------_=_NextPart_001_01BFF045.69078A20 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: Need for an XML based cert check protocol with RPP = capability.</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Denis,</FONT> </P> <P><FONT SIZE=3D2>You certainly have thought through the scenario and = are quite right in all your observations. Additional infomation = below:</FONT></P> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Denis</FONT> <BR><FONT SIZE=3D2>>> 2.) Allows the banks to provide value add = services beyond</FONT> <BR><FONT SIZE=3D2>>> certificate validation. i.e. = validation of the transaction</FONT> <BR><FONT SIZE=3D2>>> itself. The thinking is that the = relying party (in some</FONT> <BR><FONT SIZE=3D2>>> transactions) the seller doesn't simply = want to know whether or</FONT> <BR><FONT SIZE=3D2>>> not the buyer's certificate is good. = He may want to know if she</FONT> <BR><FONT SIZE=3D2>>> is good for money, has the required = funds/credit rating etc.</FONT> </P> <P><FONT SIZE=3D2>> ... but in that case some details of the = transaction would need to</FONT> <BR><FONT SIZE=3D2>>be passed along on that protocol (this is not = the case today).</FONT> <BR><FONT SIZE=3D2>>However, as soon as this is done, there are deep = implications.</FONT> </P> <P><FONT SIZE=3D2>>Let us take an example: Let us assume that the = request is for funds</FONT> <BR><FONT SIZE=3D2>>up to 100.000 $. Is the bank going to count down = a credit line ?</FONT> </P> <P><FONT SIZE=3D2>For "transaction validation" as distinct = from just certificate validation, this is precisely the kind of hook(s) = into financial systems that would be needed. Clearly banks have = the ability to provide such services. This is really the sort of = processing done with credit card and ATM card transactions. This = is the true value of the Identrus system.</FONT></P> <P><FONT SIZE=3D2>>If no, then 8 relying parties might be fooled = because everything was</FONT> <BR><FONT SIZE=3D2>>nice for 2 such transactions, but not 10.</FONT> </P> <P><FONT SIZE=3D2>>If yes, then there is some count down, but then = the requesters had</FONT> <BR><FONT SIZE=3D2>>better to be authenticated otherwise there would = be some easy denial</FONT> <BR><FONT SIZE=3D2>>of service attacks.</FONT> </P> <BR> <P><FONT SIZE=3D2>Requestors are indeed authenticated. All = requests are to be signed. We have adopted xmldsig for such = signatures.</FONT> </P> <BR> <P><FONT SIZE=3D2>>So what are your views on that topic ?</FONT> </P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Denis</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF045.69078A20-- Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA23581 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 13:59:39 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <34W52P54>; Mon, 17 Jul 2000 17:01:31 -0400 Message-ID: <ED026032A3FCD211AEDA00105A9C469601E043D2@sothmxs05.entrust.com> From: Carlisle Adams <carlisle.adams@entrust.com> To: ietf-pkix@imc.org Subject: RE: I-D ACTION:draft-ietf-pkix-rfc2510bis-01.txt Date: Mon, 17 Jul 2000 17:00:01 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain Hi all, > ---------- > From: Internet-Drafts@ietf.org[SMTP:Internet-Drafts@ietf.org] > Reply To: Internet-Drafts@ietf.org > Sent: Monday, July 17, 2000 6:42 AM > Cc: ietf-pkix@imc.org > Subject: I-D ACTION:draft-ietf-pkix-rfc2510bis-01.txt > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Public-Key Infrastructure (X.509) Working > Group of the IETF. > > Title : Internet X.509 Public Key Infrastructure > Certificate > Management Protocols > Author(s) : C. Adams, S. Farrell > Filename : draft-ietf-pkix-rfc2510bis-01.txt > Pages : 87 > Date : 14-Jul-00 > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc2510bis-01.txt The following changes were made in going from the 00.txt version to the 01.txt version: p.20: defined PKIMessages as a SEQUENCE OF PKIMessage (also in ASN.1 module, p.73); p.22: changed SHOULD to MAY in PKIFreeText comment (also in ASN.1 module, p.74) -- request from Paul Hoffman; p.27: changed NestedMessageContent to be PKIMessages, rather than PKIMessage, and added text explaining why (i.e., to allow for batching requests at an RA) (also in ASN.1 module, p.75, and see also p.81); p.30: added error code 23 -- notAuthorized (forgot to change this in the ASN.1 module, but this can be done later...); p.32: added explanatory text regarding inclusion of a private key in POP -- requested on caTalk list; p.33: added explanatory sentence regarding CertHash -- requested on caTalk list; p.37: added pointer to Appendix D for comment on privateKey encoding (also on p.69 and p.79); p.42: added pointer to CertHash discussion in Section 3.2.8; p.53: added reference to a more recent version of PKCS #11; p.72: changed id-mod-cmp2000 from 14 to 16 (the correct value according to Russ' official list of PKIX OIDs); p.83: added discussion of encoding for privateKey -- requested by Francois Rousseau. A relatively small set of quite minor changes. Quite encouraging given all the interop testing that has occurred (even as recently as last week)...! Thanks to all of you who gave me input. Carlisle. Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA22850 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 13:14:25 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id WAA06381; Mon, 17 Jul 2000 22:16:42 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Mon, 17 Jul 2000 22:16:42 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id WAA12182; Mon, 17 Jul 2000 22:16:41 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id WAA24924; Mon, 17 Jul 2000 22:16:41 +0200 (MET DST) Date: Mon, 17 Jul 2000 22:16:41 +0200 (MET DST) Message-Id: <200007172016.WAA24924@emeriau.edelweb.fr> To: rsalz@caveosystems.com, Khaja.Ahmed@identrus.com Subject: RE: Need for an XML based cert check protocol with RPP capability . Cc: ietf-pkix@imc.org > > >I don't understand why RPP is necessary in the Identrus model. > >You only need to set up peering relationships among banks, as long as > >each cert has a service locator of some type. > > > The reasoning behind this is that it makes it: > > 1.) Easier to build relying party applications because you dont burden them > with RFC.2459 section 6.1 compliant path processing. > > and > > 2.) Allows the banks to provide value add services beyond certificate > validation. i.e. validation of the transaction itself. The thinking is > that the relying party (in some transactions) the seller doesn't simply want > to know whether or not the buyer's certificate is good. He may want to know > if she is good for money, has the required funds/credit rating etc. > If I look at the models that are visible in the identrus web server: One type of transactions seems to be something like: Customer A creates a 'money transfer statement' and presents it to merchant B. The statement is 'secured' by the customer in a way that can be verified by customer A's bank, e.g. by a signature, and the statement contains sufficient information to allow an identrus participating bank to find customer A's bank (at least to identrus); Merchant B presents the statement (the whole one) to its bank Bbank in order to get an assertion. Merchant B asks knows how to extract the identification data from the statement and asks identrus about where is Abank. Bbank then asks Abank to validate the statement. Abank answers with an assertion. Bbank adds its own signature and returns assertion to merchant. If this is one of the models, then I do not see whether B should be required to know much more than the ability of validating the signature of its own banking server, or better, the ability of validating the assertion of Bbank. Peter Sylvester Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA21472 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 11:53:26 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <34W52N6X>; Mon, 17 Jul 2000 14:55:18 -0400 Message-ID: <ED026032A3FCD211AEDA00105A9C469601E043CF@sothmxs05.entrust.com> From: Carlisle Adams <carlisle.adams@entrust.com> To: "'FRousseau@chrysalis-its.com'" <FRousseau@chrysalis-its.com> Cc: ietf-pkix@imc.org, stephen.farrell@baltimore.ie Subject: RE: Re: CRMF encValue Field Date: Mon, 17 Jul 2000 14:53:48 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain Hi Francois, > ---------- > From: > FRousseau@chrysalis-its.com[SMTP:FRousseau@chrysalis-its.com] > Sent: Monday, July 17, 2000 11:55 AM > To: stephen.farrell@baltimore.ie > Cc: ietf-pkix@imc.org > Subject: RE: Re: CRMF encValue Field > > Hi Stephen, > > I have noted that the recently published July version of RFC2510bis now > contains a note in Appendix D on "RFC 2511 Clarifications" about this > particular issue, however an exception was added for the Diffie-Hellman > algorithm OID and parameters whereas those defined in Appendix B2 of this > specification (i.e. RFC2510bis) MUST be used instead of the OID and > parameters defined in PKCS#11. Although I understand that this exception > was necessary since PKCS#11 currently only supports the PKCS#3 flavour of > Diffie-Hellman whereas Appendix B2 of RFC2510bis is about the ANSI X9.42 > flavour of Diffie-Hellman, this should have been mentioned in this > clarification. I suppose this could have been mentioned, but it seemed pretty unnecessary. Wouldn't people naturally expect the OIDs in this field to be consistent with the OIDs defined in Appendix B2? I doubt that there's much potential for confusion here, so extra wording for clarification seems redundant. > In addition, this same clarification indicates that in this case, the > intendedAlg field is unnecessary (since this information is included in > PrivateKeyInfo) and MUST be omitted. However, the algorithm identifier > field within the PrivateKeyInfo is encrypted, which means that the > "EncryptedValue" type would not contain any information in the clear about > the OID of the private key that it is carrying. Was this your intend, > please clarify? I also understand that including the intendedAlg field > would duplicate the occurrence of the parameters field, since the syntax > of the "AlgorithmIdentifier" type also contains a "parameters" field, > however by still indicating the algorithm OID, but forcing the > "parameters" field within the intendedAlg field to be NULL would allow the > "EncryptedValue" type to indicate what is the OID of the private key that > it is carrying, but not duplicate the parameters field. Wouldn't this > approach be better? No, this approach doesn't strike me as particularly better. It seems like a real kludge to include an AlgId for the same thing twice, but to specify (in commentary) that the parameters should be NULL for one of these and non-NULL (i.e., present) for the other. This reduces clarity for the reader/implementer and may run in to trouble with some compilers that are expecting actual parameter values. As for fact that the AlgId in PrivateKeyInfo is encrypted, why is this a concern? Does the receiver need to know this prior to decryption? Carlisle. Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA20945 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 11:38:58 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.2/8.9.1) with ESMTP id UAA10672; Mon, 17 Jul 2000 20:40:33 +0200 Received: from bull.net (fradint10.bull.fr [129.181.85.10]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id UAA28900; Mon, 17 Jul 2000 20:40:36 +0200 Message-ID: <39735291.3A80FE6B@bull.net> Date: Mon, 17 Jul 2000 20:38:09 +0200 From: Denis <Denis.Pinkas@bull.net> X-Mailer: Mozilla 4.5 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: John_Wray@iris.com CC: Stephen Kent <kent@bbn.com>, denis.bider@denisbider.com, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <OF639C14C1.CCA2AE57-ON8525691F.004CDB07@iris.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit John, See my response below. > Anything in the certificate that's used to imply something about the intent > behind a signature is asking for trouble, unless the specific certificate > that a relying party should use is bound to the signature. What's to > prevent me from obtaining certificates from two different CAs, certifying > the same key, but with different settings of the NR bit in the two > certificates, and then using the certificate with the NR bit clear to > repudiate a signature I originally represented as being non-repudiable > using the other certificate? Nothing can *prevent* someone to do this, but that someone should be warned about the precautions to be used if this is done. > The only way that using anything in the certificate could work is if the > specific certificate that I intend a relying party to use to verify the > signature is somehow bound into the signature. Binding a particular > certificate to a signature has all sorts of other problems I do not think so. It has major benefits. > (e.g. do all my > signatures become unverifiable when my certificate is renewed?), Very, *very* briefly, time-stamped signatures may be proven to be valid long after the end of the validity period of the signer certificate. > and would > require a signature format change anyway, so why not simply assert the > intent explicitly as part of the signature? It is not a "change". It has to do with the right use of a signature format, that binds the identifier of the certificate to the digital signature. S/MIME has provisions for this. The recently posted draft to the S/MIME working on "Electronic Signature Formats" uses the same feature. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-smime-esformats-01.txt Denis > John > > Stephen Kent <kent@bbn.com> on 07/13/2000 09:48:56 AM > > To: <denis.bider@denisbider.com> > cc: <ietf-pkix@imc.org> > Subject: Re: Signing what you don't understand > > Denis, > > >The most important point of my previous message was buried under a pile of > >other stuff, so I am repeating it here: > > > > > >It is my proposal that a signature format is designed which will allow an > >entity to say: "I signed this data, but I didn't understand what I signed. > >You are free to use this signature as proof that I possess a certain > private > >key, but this is also the only purpose for which this signature can be > >used." > > We have had an analogous debate on this list last year. This is one > motivation for the use of the non-repudiation bit in certificates, > i.e., if this bit is NOT asserted, one can reasonably interpret the > signature as not binding. This does not require a change to the > signing format, but rather appropriate use of key usage bits in > certificates. As others have pointed out, the preferred way to > represent the distinction between binding and non-binding signatures > is via flags in certificates, e.g., key usage, cert policy, etc. > > Steve Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA20929 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 11:38:49 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.2/8.9.1) with ESMTP id UAA31386; Mon, 17 Jul 2000 20:40:29 +0200 Received: from bull.net (fradint10.bull.fr [129.181.85.10]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id UAA28898; Mon, 17 Jul 2000 20:40:33 +0200 Message-ID: <3973527C.40B0E3DD@bull.net> Date: Mon, 17 Jul 2000 20:37:48 +0200 From: Denis <Denis.Pinkas@bull.net> X-Mailer: Mozilla 4.5 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Khaja Ahmed <Khaja.Ahmed@identrus.com> CC: "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org> Subject: Re: Need for an XML based cert check protocol with RPP capability. References: <A105E1C02F5DD31181A500508B5519EC306239@blue.identrus.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Khaja, See my comments below. > > I don't understand why RPP is necessary in the Identrus model. > > You only need to set up peering relationships among banks, as > > long as each cert has a service locator of some type. > The reasoning behind this is that it makes it: > 1.) Easier to build relying party applications because you dont > burden them with RFC.2459 section 6.1 compliant path processing. True. > and > > 2.) Allows the banks to provide value add services beyond > certificate validation. i.e. validation of the transaction > itself. The thinking is that the relying party (in some > transactions) the seller doesn't simply want to know whether or > not the buyer's certificate is good. He may want to know if she > is good for money, has the required funds/credit rating etc. ... but in that case some details of the transaction would need to be passed along on that protocol (this is not the case today). However, as soon as this is done, there are deep implications. Let us take an example: Let us assume that the request is for funds up to 100.000 $. Is the bank going to count down a credit line ? If no, then 8 relying parties might be fooled because everything was nice for 2 such transactions, but not 10. If yes, then there is some count down, but then the requesters had better to be authenticated otherwise there would be some easy denial of service attacks. So what are your views on that topic ? Regards, Denis Received: from mail-fwd.verio-web.com (mail11a.verio-web.com [161.58.16.57]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id LAA20583 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 11:24:52 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11a.verio-web.com (RS ver 1.0.57s) with SMTP id 0594954; Mon, 17 Jul 2000 14:27:04 -0400 (EDT) Sender: rsalz Message-ID: <39734FBE.9BD36537@caveosystems.com> Date: Mon, 17 Jul 2000 14:26:06 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Khaja Ahmed <Khaja.Ahmed@identrus.com> CC: "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org> Subject: Re: Need for an XML based cert check protocol with RPP capability. References: <A105E1C02F5DD31181A500508B5519EC306239@blue.identrus.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 I'm still confused. Identrus is a closed PKI, each customer speaks only to its bank and banks speak to each other. There is no cross-certification. There is a single root, and a single path from between any two Identrus participants. Taking those things together, I still don't see how/why RPP is necessary. Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA20135 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 11:03:09 -0700 (PDT) Received: by balinese.baltimore.ie; id TAA27679; Mon, 17 Jul 2000 19:05:31 +0100 (GMT/IST) Received: from bobcat.baltimore.ie(192.168.20.10) by balinese.baltimore.ie via smap (V4.2) id xma027626; Mon, 17 Jul 00 19:05:00 +0100 Received: from baltimore.ie (lease216-21.baltimore.ie [192.168.21.216]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id TAA05161; Mon, 17 Jul 2000 19:05:00 +0100 Message-ID: <39734AE2.62979D92@baltimore.ie> Date: Mon, 17 Jul 2000 19:05:22 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: FRousseau@chrysalis-its.com CC: ietf-pkix@imc.org, xme <stephen.farrell@baltimore.ie> Subject: Re: CRMF encValue Field References: <918C70B01822D411A87400B0D0204DFF04C093@panda.chrysalis-its.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi Francois, Why don't you propose some changes to the text if you think additional clarficiation is needed? Stephen. (BTW: Your mail broke my brain's long-sentence-parser:-) -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 647 7406 61 Fitzwilliam Lane, fax: +353 1 647 7499 Dublin 2. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA19632 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 10:41:09 -0700 (PDT) Received: by balinese.baltimore.ie; id SAA25234; Mon, 17 Jul 2000 18:43:31 +0100 (GMT/IST) Received: from bobcat.baltimore.ie(192.168.20.10) by balinese.baltimore.ie via smap (V4.2) id xma025169; Mon, 17 Jul 00 18:42:43 +0100 Received: from baltimore.ie (lease216-21.baltimore.ie [192.168.21.216]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id SAA04699; Mon, 17 Jul 2000 18:42:42 +0100 Message-ID: <397345A9.CF00E656@baltimore.ie> Date: Mon, 17 Jul 2000 18:43:05 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Khaja Ahmed <Khaja.Ahmed@identrus.com> CC: "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org>, xme <stephen.farrell@baltimore.ie> Subject: Re: Need for an XML based cert check protocol with RPP capability. References: <A105E1C02F5DD31181A500508B5519EC306239@blue.identrus.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Khaja, > 2.) Allows the banks to provide value add services beyond certificate > validation. i.e. validation of the transaction itself. The thinking > is that the relying party (in some transactions) the seller doesn't simply > want to know whether or not the buyer's certificate is good. He may want > to know if she is good for money, has the required funds/credit rating > etc. This is the where I think you get outside PKIX's scope (in fact, I'd argue, outside PKI's scope). I don't believe that either OCSP-X or SCVP is, or should be, a suitable protocol for carrying this application specific stuff. Sounds to me a bit like "if all you've got is a hammer, the whole world's a nail...", which I wouldn't consider a good basis for designing protocols. (Even though, in Baltimore's case, one of the things we do have is a thumping big PKI hammer:-) Of course, pragmatism may dictate otherwise for what I'd think will be a relatively short-ish period. Having said that, some types of RPP are in scope of PKIX, and do overlap with your #2 above. That is, I think that it is a real requirement in lots of environments, (including yours), to be able to carry RPP requests/responses inside other protocols, like the XML one you posit. So, my personal answer to your original question would be that SCVP is not the protocol you're looking for (and neither is OCSP-X, before someone asks!). Stephen. -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 647 7406 61 Fitzwilliam Lane, fax: +353 1 647 7499 Dublin 2. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from ntserver2.chrysalis-its.com ([209.47.245.163]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA19390 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 10:36:45 -0700 (PDT) From: FRousseau@chrysalis-its.com Received: by NTSERVER2 with Internet Mail Service (5.5.2650.21) id <36RJCYNM>; Mon, 17 Jul 2000 13:39:48 -0400 Message-ID: <918C70B01822D411A87400B0D0204DFF04C098@panda.chrysalis-its.com> To: John_Wray@iris.com Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Mon, 17 Jul 2000 13:39:41 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF016.00C24D46" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF016.00C24D46 Content-Type: text/plain; charset="iso-8859-1" John, This why the Internet-Draft at http://www.ietf.org/internet-drafts/draft-ietf-smime-esformats-00.txt mandates the use of the "ESS signing certificate" attribute from RFC2634 to bind the certificate and public key that a relying party MUST use to verify a digital signature. Francois -----Original Message----- From: John_Wray@iris.com [mailto:John_Wray@iris.com] Sent: Monday, July 17, 2000 10:21 AM To: Stephen Kent Cc: denis.bider@denisbider.com; ietf-pkix@imc.org Subject: Re: Signing what you don't understand Anything in the certificate that's used to imply something about the intent behind a signature is asking for trouble, unless the specific certificate that a relying party should use is bound to the signature. What's to prevent me from obtaining certificates from two different CAs, certifying the same key, but with different settings of the NR bit in the two certificates, and then using the certificate with the NR bit clear to repudiate a signature I originally represented as being non-repudiable using the other certificate? The only way that using anything in the certificate could work is if the specific certificate that I intend a relying party to use to verify the signature is somehow bound into the signature. Binding a particular certificate to a signature has all sorts of other problems (e.g. do all my signatures become unverifiable when my certificate is renewed?), and would require a signature format change anyway, so why not simply assert the intent explicitly as part of the signature? John Stephen Kent <kent@bbn.com> on 07/13/2000 09:48:56 AM To: <denis.bider@denisbider.com> cc: <ietf-pkix@imc.org> Subject: Re: Signing what you don't understand Denis, >The most important point of my previous message was buried under a pile of >other stuff, so I am repeating it here: > > >It is my proposal that a signature format is designed which will allow an >entity to say: "I signed this data, but I didn't understand what I signed. >You are free to use this signature as proof that I possess a certain private >key, but this is also the only purpose for which this signature can be >used." We have had an analogous debate on this list last year. This is one motivation for the use of the non-repudiation bit in certificates, i.e., if this bit is NOT asserted, one can reasonably interpret the signature as not binding. This does not require a change to the signing format, but rather appropriate use of key usage bits in certificates. As others have pointed out, the preferred way to represent the distinction between binding and non-binding signatures is via flags in certificates, e.g., key usage, cert policy, etc. Steve ------_=_NextPart_001_01BFF016.00C24D46 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: Signing what you don't understand</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>John,</FONT> </P> <P><FONT SIZE=3D2>This why the Internet-Draft at</FONT> <BR><FONT SIZE=3D2><A = HREF=3D"http://www.ietf.org/internet-drafts/draft-ietf-smime-esformats-0= 0.txt" = TARGET=3D"_blank">http://www.ietf.org/internet-drafts/draft-ietf-smime-e= sformats-00.txt</A> mandates the use of the "ESS signing = certificate" attribute from RFC2634 to bind the certificate and = public key that a relying party MUST use to verify a digital = signature.</FONT></P> <P><FONT SIZE=3D2>Francois</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: John_Wray@iris.com [<A = HREF=3D"mailto:John_Wray@iris.com">mailto:John_Wray@iris.com</A>]</FONT>= <BR><FONT SIZE=3D2>Sent: Monday, July 17, 2000 10:21 AM</FONT> <BR><FONT SIZE=3D2>To: Stephen Kent</FONT> <BR><FONT SIZE=3D2>Cc: denis.bider@denisbider.com; = ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: Signing what you don't = understand</FONT> </P> <P><FONT SIZE=3D2>Anything in the certificate that's used to imply = something about the intent</FONT> <BR><FONT SIZE=3D2>behind a signature is asking for trouble, unless the = specific certificate</FONT> <BR><FONT SIZE=3D2>that a relying party should use is bound to the = signature. What's to</FONT> <BR><FONT SIZE=3D2>prevent me from obtaining certificates from two = different CAs, certifying</FONT> <BR><FONT SIZE=3D2>the same key, but with different settings of the NR = bit in the two</FONT> <BR><FONT SIZE=3D2>certificates, and then using the certificate with = the NR bit clear to</FONT> <BR><FONT SIZE=3D2>repudiate a signature I originally represented as = being non-repudiable</FONT> <BR><FONT SIZE=3D2>using the other certificate?</FONT> </P> <P><FONT SIZE=3D2>The only way that using anything in the certificate = could work is if the</FONT> <BR><FONT SIZE=3D2>specific certificate that I intend a relying party = to use to verify the</FONT> <BR><FONT SIZE=3D2>signature is somehow bound into the signature. = Binding a particular</FONT> <BR><FONT SIZE=3D2>certificate to a signature has all sorts of other = problems (e.g. do all my</FONT> <BR><FONT SIZE=3D2>signatures become unverifiable when my certificate = is renewed?), and would</FONT> <BR><FONT SIZE=3D2>require a signature format change anyway, so why not = simply assert the</FONT> <BR><FONT SIZE=3D2>intent explicitly as part of the signature?</FONT> </P> <P><FONT SIZE=3D2>John</FONT> </P> <BR> <BR> <BR> <BR> <P><FONT SIZE=3D2>Stephen Kent <kent@bbn.com> on 07/13/2000 = 09:48:56 AM</FONT> </P> <P><FONT SIZE=3D2>To: = <denis.bider@denisbider.com></FONT> <BR><FONT SIZE=3D2>cc: <ietf-pkix@imc.org></FONT> <BR><FONT SIZE=3D2>Subject: Re: Signing what you don't = understand</FONT> </P> <BR> <P><FONT SIZE=3D2>Denis,</FONT> </P> <P><FONT SIZE=3D2>>The most important point of my previous message = was buried under a pile of</FONT> <BR><FONT SIZE=3D2>>other stuff, so I am repeating it here:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>It is my proposal that a signature format is = designed which will allow an</FONT> <BR><FONT SIZE=3D2>>entity to say: "I signed this data, but I = didn't understand what I signed.</FONT> <BR><FONT SIZE=3D2>>You are free to use this signature as proof that = I possess a certain</FONT> <BR><FONT SIZE=3D2>private</FONT> <BR><FONT SIZE=3D2>>key, but this is also the only purpose for which = this signature can be</FONT> <BR><FONT SIZE=3D2>>used."</FONT> </P> <P><FONT SIZE=3D2>We have had an analogous debate on this list last = year. This is one</FONT> <BR><FONT SIZE=3D2>motivation for the use of the non-repudiation bit in = certificates,</FONT> <BR><FONT SIZE=3D2>i.e., if this bit is NOT asserted, one can = reasonably interpret the</FONT> <BR><FONT SIZE=3D2>signature as not binding. This does not = require a change to the</FONT> <BR><FONT SIZE=3D2>signing format, but rather appropriate use of key = usage bits in</FONT> <BR><FONT SIZE=3D2>certificates. As others have pointed out, the = preferred way to</FONT> <BR><FONT SIZE=3D2>represent the distinction between binding and = non-binding signatures</FONT> <BR><FONT SIZE=3D2>is via flags in certificates, e.g., key usage, cert = policy, etc.</FONT> </P> <P><FONT SIZE=3D2>Steve</FONT> </P> <BR> <BR> <BR> </BODY> </HTML> ------_=_NextPart_001_01BFF016.00C24D46-- Received: from blue.identrus.com ([216.213.93.121]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA18733 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 09:59:22 -0700 (PDT) Received: by blue.identrus.com with Internet Mail Service (5.5.2650.21) id <N9QAN1B5>; Mon, 17 Jul 2000 13:01:42 -0400 Message-ID: <A105E1C02F5DD31181A500508B5519EC306239@blue.identrus.com> From: Khaja Ahmed <Khaja.Ahmed@identrus.com> To: "'Rich Salz '" <rsalz@caveosystems.com>, Khaja Ahmed <Khaja.Ahmed@identrus.com> Cc: "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org> Subject: RE: Need for an XML based cert check protocol with RPP capability . Date: Mon, 17 Jul 2000 13:01:42 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF010.AE5B5230" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF010.AE5B5230 Content-Type: text/plain; charset="iso-8859-1" -----Original Message----- From: Rich Salz >I don't understand why RPP is necessary in the Identrus model. >You only need to set up peering relationships among banks, as long as >each cert has a service locator of some type. The reasoning behind this is that it makes it: 1.) Easier to build relying party applications because you dont burden them with RFC.2459 section 6.1 compliant path processing. and 2.) Allows the banks to provide value add services beyond certificate validation. i.e. validation of the transaction itself. The thinking is that the relying party (in some transactions) the seller doesn't simply want to know whether or not the buyer's certificate is good. He may want to know if she is good for money, has the required funds/credit rating etc. ------_=_NextPart_001_01BFF010.AE5B5230 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: Need for an XML based cert check protocol with RPP = capability.</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2> </FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Rich Salz</FONT> </P> <P><FONT SIZE=3D2>>I don't understand why RPP is necessary in the = Identrus model.</FONT> <BR><FONT SIZE=3D2>>You only need to set up peering relationships = among banks, as long as</FONT> <BR><FONT SIZE=3D2>>each cert has a service locator of some = type.</FONT> </P> <BR> <P><FONT SIZE=3D2>The reasoning behind this is that it makes it:</FONT> </P> <P><FONT SIZE=3D2>1.) Easier to build relying party applications = because you dont burden them with RFC.2459 section 6.1 compliant path = processing.</FONT></P> <P><FONT SIZE=3D2>and</FONT> </P> <P><FONT SIZE=3D2>2.) Allows the banks to provide value add services = beyond certificate validation. i.e. validation of the transaction = itself. The thinking is that the relying party (in some = transactions) the seller doesn't simply want to know whether or not the = buyer's certificate is good. He may want to know if she is good = for money, has the required funds/credit rating etc.</FONT></P> </BODY> </HTML> ------_=_NextPart_001_01BFF010.AE5B5230-- Received: from blue.identrus.com ([216.213.93.121]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA18410 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 09:50:25 -0700 (PDT) Received: by blue.identrus.com with Internet Mail Service (5.5.2650.21) id <N9QAN1BS>; Mon, 17 Jul 2000 12:52:46 -0400 Message-ID: <A105E1C02F5DD31181A500508B5519EC306238@blue.identrus.com> From: Khaja Ahmed <Khaja.Ahmed@identrus.com> To: "'John_Wray@iris.com '" <John_Wray@iris.com>, "'Stephen Kent '" <kent@bbn.com> Cc: "'denis.bider@denisbider.com '" <denis.bider@denisbider.com>, "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: RE: Signing what you don't understand Date: Mon, 17 Jul 2000 12:52:45 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF00F.6E645370" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF00F.6E645370 Content-Type: text/plain; charset="iso-8859-1" >Anything in the certificate that's used to imply something about the >intent >behind a signature is asking for trouble, unless the specific >certificate >that a relying party should use is bound to the signature. What's to >prevent me from obtaining certificates from two different CAs, >certifying >the same key, but with different settings of the NR bit in the two >certificates, and then using the certificate with the NR bit clear to >repudiate a signature I originally represented as being non-repudiable >using the other certificate? Does this make a case for keys generated in hardware that prevents cloning and backup? That would in turn imply that legally defensible NR comes at a fairly steep price. >The only way that using anything in the certificate could work is if the >specific certificate that I intend a relying party to use to verify the >signature is somehow bound into the signature. Binding a particular >certificate to a signature has all sorts of other problems (e.g. do all >my >signatures become unverifiable when my certificate is renewed?), and >would >require a signature format change anyway, so why not simply assert the >intent explicitly as part of the signature? Are there any proposals to do this? Are there revisions being contemplated to signature formats that include the certs? I find this very interesting and would like to know if any work is being done in this area. Thanks. Khaja Stephen Kent <kent@bbn.com> on 07/13/2000 09:48:56 AM To: <denis.bider@denisbider.com> cc: <ietf-pkix@imc.org> Subject: Re: Signing what you don't understand Denis, >The most important point of my previous message was buried under a pile of >other stuff, so I am repeating it here: > > >It is my proposal that a signature format is designed which will allow an >entity to say: "I signed this data, but I didn't understand what I signed. >You are free to use this signature as proof that I possess a certain private >key, but this is also the only purpose for which this signature can be >used." We have had an analogous debate on this list last year. This is one motivation for the use of the non-repudiation bit in certificates, i.e., if this bit is NOT asserted, one can reasonably interpret the signature as not binding. This does not require a change to the signing format, but rather appropriate use of key usage bits in certificates. As others have pointed out, the preferred way to represent the distinction between binding and non-binding signatures is via flags in certificates, e.g., key usage, cert policy, etc. Steve ------_=_NextPart_001_01BFF00F.6E645370 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: Signing what you don't understand</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>>Anything in the certificate that's used to imply = something about the</FONT> <BR><FONT SIZE=3D2>>intent</FONT> <BR><FONT SIZE=3D2>>behind a signature is asking for trouble, unless = the specific</FONT> <BR><FONT SIZE=3D2>>certificate</FONT> <BR><FONT SIZE=3D2>>that a relying party should use is bound to the = signature. What's to</FONT> <BR><FONT SIZE=3D2>>prevent me from obtaining certificates from two = different CAs,</FONT> <BR><FONT SIZE=3D2>>certifying</FONT> <BR><FONT SIZE=3D2>>the same key, but with different settings of the = NR bit in the two</FONT> <BR><FONT SIZE=3D2>>certificates, and then using the certificate = with the NR bit clear to</FONT> <BR><FONT SIZE=3D2>>repudiate a signature I originally represented = as being non-repudiable</FONT> <BR><FONT SIZE=3D2>>using the other certificate?</FONT> </P> <P><FONT SIZE=3D2>Does this make a case for keys generated in hardware = that prevents cloning and backup? That would in turn imply that = legally defensible NR comes at a fairly steep price.</FONT></P> <BR> <P><FONT SIZE=3D2>>The only way that using anything in the = certificate could work is if the</FONT> <BR><FONT SIZE=3D2>>specific certificate that I intend a relying = party to use to verify the</FONT> <BR><FONT SIZE=3D2>>signature is somehow bound into the = signature. Binding a particular</FONT> <BR><FONT SIZE=3D2>>certificate to a signature has all sorts of = other problems (e.g. do all</FONT> <BR><FONT SIZE=3D2>>my</FONT> <BR><FONT SIZE=3D2>>signatures become unverifiable when my = certificate is renewed?), and</FONT> <BR><FONT SIZE=3D2>>would</FONT> <BR><FONT SIZE=3D2>>require a signature format change anyway, so why = not simply assert the</FONT> <BR><FONT SIZE=3D2>>intent explicitly as part of the = signature?</FONT> </P> <P><FONT SIZE=3D2>Are there any proposals to do this? Are there = revisions being contemplated to signature formats that include the = certs? I find this very interesting and would like to know if any = work is being done in this area.</FONT></P> <P><FONT SIZE=3D2>Thanks.</FONT> </P> <P><FONT SIZE=3D2>Khaja</FONT> </P> <BR> <BR> <BR> <BR> <P><FONT SIZE=3D2>Stephen Kent <kent@bbn.com> on 07/13/2000 = 09:48:56 AM</FONT> </P> <P><FONT SIZE=3D2>To: = <denis.bider@denisbider.com></FONT> <BR><FONT SIZE=3D2>cc: <ietf-pkix@imc.org></FONT> <BR><FONT SIZE=3D2>Subject: Re: Signing what you don't = understand</FONT> </P> <BR> <P><FONT SIZE=3D2>Denis,</FONT> </P> <P><FONT SIZE=3D2>>The most important point of my previous message = was buried under a pile</FONT> <BR><FONT SIZE=3D2>of</FONT> <BR><FONT SIZE=3D2>>other stuff, so I am repeating it here:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>It is my proposal that a signature format is = designed which will allow</FONT> <BR><FONT SIZE=3D2>an</FONT> <BR><FONT SIZE=3D2>>entity to say: "I signed this data, but I = didn't understand what I</FONT> <BR><FONT SIZE=3D2>signed.</FONT> <BR><FONT SIZE=3D2>>You are free to use this signature as proof that = I possess a certain</FONT> <BR><FONT SIZE=3D2>private</FONT> <BR><FONT SIZE=3D2>>key, but this is also the only purpose for which = this signature can be</FONT> <BR><FONT SIZE=3D2>>used."</FONT> </P> <P><FONT SIZE=3D2>We have had an analogous debate on this list last = year. This is one</FONT> <BR><FONT SIZE=3D2>motivation for the use of the non-repudiation bit in = certificates,</FONT> <BR><FONT SIZE=3D2>i.e., if this bit is NOT asserted, one can = reasonably interpret the</FONT> <BR><FONT SIZE=3D2>signature as not binding. This does not = require a change to the</FONT> <BR><FONT SIZE=3D2>signing format, but rather appropriate use of key = usage bits in</FONT> <BR><FONT SIZE=3D2>certificates. As others have pointed out, the = preferred way to</FONT> <BR><FONT SIZE=3D2>represent the distinction between binding and = non-binding signatures</FONT> <BR><FONT SIZE=3D2>is via flags in certificates, e.g., key usage, cert = policy, etc.</FONT> </P> <P><FONT SIZE=3D2>Steve</FONT> </P> <BR> <BR> <BR> </BODY> </HTML> ------_=_NextPart_001_01BFF00F.6E645370-- Received: from ntserver2.chrysalis-its.com ([209.47.245.163]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA17318 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 08:52:58 -0700 (PDT) From: FRousseau@chrysalis-its.com Received: by NTSERVER2 with Internet Mail Service (5.5.2650.21) id <36RJCYF1>; Mon, 17 Jul 2000 11:56:01 -0400 Message-ID: <918C70B01822D411A87400B0D0204DFF04C093@panda.chrysalis-its.com> To: stephen.farrell@baltimore.ie Cc: ietf-pkix@imc.org Subject: RE: Re: CRMF encValue Field Date: Mon, 17 Jul 2000 11:55:53 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFF007.808B61DE" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFF007.808B61DE Content-Type: text/plain; charset="iso-8859-1" Hi Stephen, I have noted that the recently published July version of RFC2510bis now contains a note in Appendix D on "RFC 2511 Clarifications" about this particular issue, however an exception was added for the Diffie-Hellman algorithm OID and parameters whereas those defined in Appendix B2 of this specification (i.e. RFC2510bis) MUST be used instead of the OID and parameters defined in PKCS#11. Although I understand that this exception was necessary since PKCS#11 currently only supports the PKCS#3 flavour of Diffie-Hellman whereas Appendix B2 of RFC2510bis is about the ANSI X9.42 flavour of Diffie-Hellman, this should have been mentioned in this clarification. In addition, this same clarification indicates that in this case, the intendedAlg field is unnecessary (since this information is included in PrivateKeyInfo) and MUST be omitted. However, the algorithm identifier field within the PrivateKeyInfo is encrypted, which means that the "EncryptedValue" type would not contain any information in the clear about the OID of the private key that it is carrying. Was this your intend, please clarify? I also understand that including the intendedAlg field would duplicate the occurrence of the parameters field, since the syntax of the "AlgorithmIdentifier" type also contains a "parameters" field, however by still indicating the algorithm OID, but forcing the "parameters" field within the intendedAlg field to be NULL would allow the "EncryptedValue" type to indicate what is the OID of the private key that it is carrying, but not duplicate the parameters field. Wouldn't this approach be better? Regards, Francois ___________________________________ Francois Rousseau Director of Standards and Conformance Chrysalis-ITS 1688 Woodward Drive Ottawa, Ontario, CANADA, K2C 3R7 frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. 419 http://www.chrysalis-its.com Fax. (613) 723-5078 -----Original Message----- From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie] Sent: Friday, June 30, 2000 7:34 AM To: FRousseau@chrysalis-its.com Cc: ietf-pkix@imc.org Subject: Re: CRMF encValue Field Hi Francois, As I said yesterday, I'll check what the folks on Bob's ca-talk list have implemented. I do agree that handling pkcs#11 tokens is desirable, but I would guess is lower priority than not breaking current implementations. So pkcs#11 support (if different from what's implemented already), could either be added to 2510bis as an implenmentation note, or, if it gets complicated, in a separate "pkcs#11 key wrapping in CMP" draft. Let's wait & see what the developers have done. Regards, Stephen. > FRousseau@chrysalis-its.com wrote: > > Steve, > > As agreed yesterday at the PKI Forum meeting in Dublin, could you please check and add some > clarification in the next version of RFC2510bis about what exactly must be encoded in the > "encValue" field of the EncryptedValue structure, which is described in Section 6.4 of CRMF > [RFC2511]. This clarification will become necessary in order to ensure interoperability between > components using hardware or software from different vendors (i.e. clients, RAs and CAs) that > might use this CRMF "encValue" field. > > As discussed, please note that hardware cryptographic module vendors that implement PKCS#11 would > normally use the Cryptoki wrapping mechanism to encrypt any private key that has to be extracted > from their module to go in this "encValue" field. Since Section 11.9 of PKCS#11 v2.01 mandates for > wrapping a private key that: > > "Cryptoki Version 2.01 allows the use of secret keys for wrapping and unwrapping RSA private keys, > Diffie-Hellman private keys, and DSA private keys. For wrapping, a private key is BER-encoded > according to PKCS #8's PrivateKeyInfo ASN.1 type." > > I hope that the type "PrivateKeyInfo" from Section 6 of PKCS#8 is what is currently being > encrypted within this CRMF "encValue" field of the EncryptedValue structure for today CMP > implementations. > > Regards, > > Francois > ___________________________________ > Francois Rousseau > Director of Standards and Conformance > Chrysalis-ITS > 1688 Woodward Drive > Ottawa, Ontario, CANADA, K2C 3R7 > frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. 419 > http://www.chrysalis-its.com Fax. (613) 723-5078 > > -----Original Message----- > From: Francois Rousseau > Sent: Thursday, May 25, 2000 3:42 PM > To: 'Carlisle Adams' > Cc: ietf-pkix@imc.org > Subject: Encryption of Private Keys in CRMF and CMP > > Carlisle, > > In Section 6.4 of RFC 2511 on CRMF, it is indicated that the EncryptedValue field "encValue" is a > BIT STRING, however I could not find any further detail in RFC 2511 nor in RFC 2510bis, which also > use this syntax, about how to create this encrypted value (restricted, in RFC 2510bis, to be > either private keys or certificates). > > Am I missing something? > > I understand that RFC 2511 EncryptedValue field "symmAlg" tells me the symmetric algorithm that > was used to encrypt a private key value and that Appendix B2 of RFC 2510bis mandates that > conforming implementations MUST support 3-DES (3-key-EDE, CBC mode) for this. However, this does > not tell me what exactly is being encrypted. > > Is it a type "PrivateKeyInfo" from Section 6 of PKCS#8 or a type "RSAPrivateKey" from Section > 11.1.2 of PKCS#1 for a RSA private key since RFC 2511 EncryptedValue field "intendedAlg" already > tell me the intended algorithm for which the private key will be used for? > > Thanks in advance for any help. > > Francois > ___________________________________ > Francois Rousseau > Director of Standards and Conformance > Chrysalis-ITS > 1688 Woodward Drive > Ottawa, Ontario, CANADA, K2C 3R7 > frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. 419 > http://www.chrysalis-its.com Fax. (613) 723-5078 -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 647 7406 61 Fitzwilliam Lane, fax: +353 1 647 7499 Dublin 2. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com ------_=_NextPart_001_01BFF007.808B61DE Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: Re: CRMF encValue Field</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Hi Stephen,</FONT> </P> <P><FONT SIZE=3D2>I have noted that the recently published July version = of RFC2510bis now contains a note in Appendix D on "RFC 2511 = Clarifications" about this particular issue, however an exception = was added for the Diffie-Hellman algorithm OID and parameters whereas = those defined in Appendix B2 of this specification (i.e. RFC2510bis) = MUST be used instead of the OID and parameters defined in PKCS#11. = Although I understand that this exception was necessary since PKCS#11 = currently only supports the PKCS#3 flavour of Diffie-Hellman whereas = Appendix B2 of RFC2510bis is about the ANSI X9.42 flavour of = Diffie-Hellman, this should have been mentioned in this = clarification.</FONT></P> <P><FONT SIZE=3D2>In addition, this same clarification indicates that = in this case, the intendedAlg field is unnecessary (since this = information is included in PrivateKeyInfo) and MUST be omitted. = However, the algorithm identifier field within the PrivateKeyInfo is = encrypted, which means that the "EncryptedValue" type would = not contain any information in the clear about the OID of the private = key that it is carrying. Was this your intend, please clarify? I also = understand that including the intendedAlg field would duplicate the = occurrence of the parameters field, since the syntax of the = "AlgorithmIdentifier" type also contains a = "parameters" field, however by still indicating the algorithm = OID, but forcing the "parameters" field within the = intendedAlg field to be NULL would allow the "EncryptedValue" = type to indicate what is the OID of the private key that it is = carrying, but not duplicate the parameters field. Wouldn't this = approach be better?</FONT></P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Francois</FONT> <BR><FONT SIZE=3D2>___________________________________</FONT> <BR><FONT SIZE=3D2>Francois Rousseau</FONT> <BR><FONT SIZE=3D2>Director of Standards and Conformance</FONT> <BR><FONT SIZE=3D2>Chrysalis-ITS</FONT> <BR><FONT SIZE=3D2>1688 Woodward Drive</FONT> <BR><FONT SIZE=3D2>Ottawa, Ontario, CANADA, K2C 3R7</FONT> <BR><FONT = SIZE=3D2>frousseau@chrysalis-its.com Tel. = (613) 723-5076 ext. 419</FONT> <BR><FONT SIZE=3D2><A HREF=3D"http://www.chrysalis-its.com" = TARGET=3D"_blank">http://www.chrysalis-its.com</A> &nbs= p; Fax. (613) 723-5078</FONT> </P> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Stephen Farrell [<A = HREF=3D"mailto:stephen.farrell@baltimore.ie">mailto:stephen.farrell@balt= imore.ie</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Friday, June 30, 2000 7:34 AM</FONT> <BR><FONT SIZE=3D2>To: FRousseau@chrysalis-its.com</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: CRMF encValue Field</FONT> </P> <P><FONT SIZE=3D2>Hi Francois,</FONT> </P> <P><FONT SIZE=3D2>As I said yesterday, I'll check what the folks on = Bob's ca-talk list</FONT> <BR><FONT SIZE=3D2>have implemented. I do agree that handling pkcs#11 = tokens is desirable,</FONT> <BR><FONT SIZE=3D2>but I would guess is lower priority than not = breaking current</FONT> <BR><FONT SIZE=3D2>implementations. So pkcs#11 support (if different = from what's </FONT> <BR><FONT SIZE=3D2>implemented already), could either be added to = 2510bis as an</FONT> <BR><FONT SIZE=3D2>implenmentation note, or, if it gets complicated, in = a separate </FONT> <BR><FONT SIZE=3D2>"pkcs#11 key wrapping in CMP" = draft.</FONT> </P> <P><FONT SIZE=3D2>Let's wait & see what the developers have done.</F= ONT> </P> <P><FONT SIZE=3D2>Regards,</FONT> <BR><FONT SIZE=3D2>Stephen.</FONT> </P> <P><FONT SIZE=3D2>> FRousseau@chrysalis-its.com wrote:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Steve,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> As agreed yesterday at the PKI Forum meeting in = Dublin, could you please check and add some</FONT> <BR><FONT SIZE=3D2>> clarification in the next version of RFC2510bis = about what exactly must be encoded in the</FONT> <BR><FONT SIZE=3D2>> "encValue" field of the = EncryptedValue structure, which is described in Section 6.4 of = CRMF</FONT> <BR><FONT SIZE=3D2>> [RFC2511]. This clarification will become = necessary in order to ensure interoperability between</FONT> <BR><FONT SIZE=3D2>> components using hardware or software from = different vendors (i.e. clients, RAs and CAs) that</FONT> <BR><FONT SIZE=3D2>> might use this CRMF "encValue" = field.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> As discussed, please note that hardware = cryptographic module vendors that implement PKCS#11 would</FONT> <BR><FONT SIZE=3D2>> normally use the Cryptoki wrapping mechanism to = encrypt any private key that has to be extracted</FONT> <BR><FONT SIZE=3D2>> from their module to go in this = "encValue" field. Since Section 11.9 of PKCS#11 v2.01 = mandates for</FONT> <BR><FONT SIZE=3D2>> wrapping a private key that:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> "Cryptoki Version 2.01 allows the use of = secret keys for wrapping and unwrapping RSA private keys,</FONT> <BR><FONT SIZE=3D2>> Diffie-Hellman private keys, and DSA private = keys. For wrapping, a private key is BER-encoded</FONT> <BR><FONT SIZE=3D2>> according to PKCS #8's PrivateKeyInfo ASN.1 = type."</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I hope that the type "PrivateKeyInfo" = from Section 6 of PKCS#8 is what is currently being</FONT> <BR><FONT SIZE=3D2>> encrypted within this CRMF "encValue" = field of the EncryptedValue structure for today CMP</FONT> <BR><FONT SIZE=3D2>> implementations.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Regards,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Francois</FONT> <BR><FONT SIZE=3D2>> ___________________________________</FONT> <BR><FONT SIZE=3D2>> Francois Rousseau</FONT> <BR><FONT SIZE=3D2>> Director of Standards and Conformance</FONT> <BR><FONT SIZE=3D2>> Chrysalis-ITS</FONT> <BR><FONT SIZE=3D2>> 1688 Woodward Drive</FONT> <BR><FONT SIZE=3D2>> Ottawa, Ontario, CANADA, K2C 3R7</FONT> <BR><FONT SIZE=3D2>> = frousseau@chrysalis-its.com Tel. (613) = 723-5076 ext. 419</FONT> <BR><FONT SIZE=3D2>> <A HREF=3D"http://www.chrysalis-its.com" = TARGET=3D"_blank">http://www.chrysalis-its.com</A> &nbs= p; Fax. (613) 723-5078</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Francois Rousseau</FONT> <BR><FONT SIZE=3D2>> Sent: Thursday, May 25, 2000 3:42 PM</FONT> <BR><FONT SIZE=3D2>> To: 'Carlisle Adams'</FONT> <BR><FONT SIZE=3D2>> Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: Encryption of Private Keys in CRMF and = CMP</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Carlisle,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> In Section 6.4 of RFC 2511 on CRMF, it is = indicated that the EncryptedValue field "encValue" is = a</FONT> <BR><FONT SIZE=3D2>> BIT STRING, however I could not find any = further detail in RFC 2511 nor in RFC 2510bis, which also</FONT> <BR><FONT SIZE=3D2>> use this syntax, about how to create this = encrypted value (restricted, in RFC 2510bis, to be</FONT> <BR><FONT SIZE=3D2>> either private keys or certificates).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Am I missing something?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I understand that RFC 2511 EncryptedValue field = "symmAlg" tells me the symmetric algorithm that</FONT> <BR><FONT SIZE=3D2>> was used to encrypt a private key value and = that Appendix B2 of RFC 2510bis mandates that</FONT> <BR><FONT SIZE=3D2>> conforming implementations MUST support 3-DES = (3-key-EDE, CBC mode) for this. However, this does</FONT> <BR><FONT SIZE=3D2>> not tell me what exactly is being = encrypted.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Is it a type "PrivateKeyInfo" from = Section 6 of PKCS#8 or a type "RSAPrivateKey" from = Section</FONT> <BR><FONT SIZE=3D2>> 11.1.2 of PKCS#1 for a RSA private key since = RFC 2511 EncryptedValue field "intendedAlg" already</FONT> <BR><FONT SIZE=3D2>> tell me the intended algorithm for which the = private key will be used for?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Thanks in advance for any help.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Francois</FONT> <BR><FONT SIZE=3D2>> ___________________________________</FONT> <BR><FONT SIZE=3D2>> Francois Rousseau</FONT> <BR><FONT SIZE=3D2>> Director of Standards and Conformance</FONT> <BR><FONT SIZE=3D2>> Chrysalis-ITS</FONT> <BR><FONT SIZE=3D2>> 1688 Woodward Drive</FONT> <BR><FONT SIZE=3D2>> Ottawa, Ontario, CANADA, K2C 3R7</FONT> <BR><FONT SIZE=3D2>> = frousseau@chrysalis-its.com Tel. (613) = 723-5076 ext. 419</FONT> <BR><FONT SIZE=3D2>> <A HREF=3D"http://www.chrysalis-its.com" = TARGET=3D"_blank">http://www.chrysalis-its.com</A> &nbs= p; Fax. (613) 723-5078</FONT> </P> <P><FONT SIZE=3D2>-- </FONT> <BR><FONT = SIZE=3D2>____________________________________________________________</F= ONT> <BR><FONT SIZE=3D2>Stephen = Farrell = = = = </FONT> <BR><FONT SIZE=3D2>Baltimore Technologies, tel: (direct = line) +353 1 647 7406</FONT> <BR><FONT SIZE=3D2>61 Fitzwilliam = Lane, &= nbsp; fax: +353 1 647 = 7499</FONT> <BR><FONT SIZE=3D2>Dublin = 2. &nbs= p; <A = HREF=3D"mailto:stephen.farrell@baltimore.ie">mailto:stephen.farrell@balt= imore.ie</A></FONT> <BR><FONT = SIZE=3D2>Ireland &n= bsp; &n= bsp; <A = HREF=3D"http://www.baltimore.com" = TARGET=3D"_blank">http://www.baltimore.com</A></FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFF007.808B61DE-- Received: from smtp.scotland.net (unixpark3.scotland.net [148.176.231.3]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA16013 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 08:05:43 -0700 (PDT) Received: from e2h2p107.scotland.net ([148.176.238.108] helo=npwork2) by smtp.scotland.net with smtp (Exim 3.13 #2) id 13ECV2-00055N-00 for ietf-pkix@imc.org; Mon, 17 Jul 2000 16:08:04 +0100 From: "Nick Pope" <pope@secstan.com> To: <ietf-pkix@imc.org> Subject: Policy Requirements for Certification Service Providers Date: Mon, 17 Jul 2000 16:19:24 +0100 Message-ID: <001d01bff002$63c0e510$0500000a@npwork2> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 A draft specification "Policy Requirements for Certification Service Providers Issuing Qualified Certificates" is now avilable for public review and comment on web page: <http://www.etsi.org/sec/el-sign.htm> This is being distributed with the following request for comment: ---------------------------------------------------------------------- Request for comments on draft standard "Policy Requirements for Certification Service Providers Issuing Qualified Certificates" and for contributions on requirements for other classes The aim of this request is twofold. 1. Comment on "Policy Requirements for CSPs Issuing Qualified Certificates The major objective is to receive comments to and the draft identified above. The purpose of this standard is to specify policy requirements on the operation and management of Certification Service Providers issuing Qualified Certificates as laid down in the European Directive on electronic signatures (1999/93/EC). ESI WG plans to finalise the draft by mid-November. After approval by ETSI SEC the document is due for publication by the end of the year. Comments are requested on this document by 15th September 2000. 2. Requirements for other classes There are strong indications, that the current program should also address requirements for other trust levels and corresponding classes of certificates. In order to identify those needs and gather input for consistent requirements receivers of the present request are asked to consider contributing with concrete proposals to this area. The current structure and requirements may serve as a reference and comparison to define alternative requirements, e.g. for transactions of lower financial or legal implications. Accuracy of identification of certificate holders and assurance of trusted hardware and software components are examples of areas with a need to offer cost-efficient alternatives. Comments are requested on this issue by 15th September 2000.. Background The development of this standard policy document is one of the tasks the ETSI Electronic Signature and Infrastructure Working Group is progressing within the European Electronic Signature Standardisation Initiative (EESSI). The ETSI El Sign Web-site (see below) provides further information about the ETSI activities and the EESSI program. Requested action. Please send your comments and suggestions not later than 15 September to the ETSI El Sign e-mail list EL-SIGN@LIST.ETSI.FR, with copy to POPE@SECSTAN.COM. Please put "QCP" at the front of the Subject field of all submissions to the e-mail list on this topic. To register with the EL-SIGN list and download the draft document see: http://www.etsi.org/sec/el-sign.htm The purpose of the open e-mail list is to stimulate discussion of the published comments and contributions. Therefore, early submissions are welcome. We expect that discussions will go on through the open e-mail list under and after the comments period. With regards Nick Pope, Security & Standards ETSI task leader - Policies for CSPs pope@secstan.com and György Endersz, Telia Research AB Chair ETSI ESI Working Group gyorgy.g.endersz@telia.se Received: from arista.iris.com (arista.iris.com [198.112.211.42]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA15258 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 07:31:57 -0700 (PDT) From: John_Wray@iris.com Subject: Re: Signing what you don't understand To: Stephen Kent <kent@bbn.com> Cc: <denis.bider@denisbider.com>, <ietf-pkix@imc.org> X-Mailer: Lotus Notes Release 5.0.2c February 2, 2000 Message-ID: <OF639C14C1.CCA2AE57-ON8525691F.004CDB07@iris.com> Date: Mon, 17 Jul 2000 10:21:20 -0400 X-MIMETrack: Serialize by Router on Arista/Iris(Build V505_07112000 |July 11, 2000) at 07/17/2000 10:34:22 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Anything in the certificate that's used to imply something about the intent behind a signature is asking for trouble, unless the specific certificate that a relying party should use is bound to the signature. What's to prevent me from obtaining certificates from two different CAs, certifying the same key, but with different settings of the NR bit in the two certificates, and then using the certificate with the NR bit clear to repudiate a signature I originally represented as being non-repudiable using the other certificate? The only way that using anything in the certificate could work is if the specific certificate that I intend a relying party to use to verify the signature is somehow bound into the signature. Binding a particular certificate to a signature has all sorts of other problems (e.g. do all my signatures become unverifiable when my certificate is renewed?), and would require a signature format change anyway, so why not simply assert the intent explicitly as part of the signature? John Stephen Kent <kent@bbn.com> on 07/13/2000 09:48:56 AM To: <denis.bider@denisbider.com> cc: <ietf-pkix@imc.org> Subject: Re: Signing what you don't understand Denis, >The most important point of my previous message was buried under a pile of >other stuff, so I am repeating it here: > > >It is my proposal that a signature format is designed which will allow an >entity to say: "I signed this data, but I didn't understand what I signed. >You are free to use this signature as proof that I possess a certain private >key, but this is also the only purpose for which this signature can be >used." We have had an analogous debate on this list last year. This is one motivation for the use of the non-repudiation bit in certificates, i.e., if this bit is NOT asserted, one can reasonably interpret the signature as not binding. This does not require a change to the signing format, but rather appropriate use of key usage bits in certificates. As others have pointed out, the preferred way to represent the distinction between binding and non-binding signatures is via flags in certificates, e.g., key usage, cert policy, etc. Steve Received: from mail-fwd.verio-web.com (mail11a.verio-web.com [161.58.16.57]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA14541 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 07:00:12 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11a.verio-web.com (RS ver 1.0.57s) with SMTP id 0543082; Mon, 17 Jul 2000 10:02:16 -0400 (EDT) Sender: rsalz Message-ID: <397311AD.575B7BCD@caveosystems.com> Date: Mon, 17 Jul 2000 10:01:17 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Khaja Ahmed <Khaja.Ahmed@identrus.com> CC: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: Re: Need for an XML based cert check protocol with RPP capability. References: <A105E1C02F5DD31181A500508B5519EC30622F@blue.identrus.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 I don't understand why RPP is necessary in the Identrus model. You only need to set up peering relationships among banks, as long as each cert has a service locator of some type. /r$ Received: from d12lmsgate-3.de.ibm.com (d12lmsgate-3.de.ibm.com [195.212.91.201]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA13468 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 06:05:44 -0700 (PDT) From: amir.herzberg@il.ibm.com Received: from d12relay02.de.ibm.com (d12relay02.de.ibm.com [9.165.215.23]) by d12lmsgate-3.de.ibm.com (1.0.0) with ESMTP id PAA298588 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 15:07:33 +0200 Received: from d12mta02.de.ibm.com (d12mta01_cs0 [9.165.222.237]) by d12relay02.de.ibm.com (8.8.8m3/NCO v2.07) with SMTP id PAA47358 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 15:07:31 +0200 Received: by d12mta02.de.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id C125691F.0048176B ; Mon, 17 Jul 2000 15:07:25 +0200 X-Lotus-FromDomain: IBMIL@IBMDE To: ietf-pkix@imc.org Message-ID: <C125691F.00481666.00@d12mta02.de.ibm.com> Date: Mon, 17 Jul 2000 16:09:53 +0300 Subject: Course foils available: Introduction to Cryptography and Electronic Commerce Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline I've put the entire set of .pdf foils I've made for the course `Introduction to Cryptography and Electronic Commerce` available from http://www.hrl.il.ibm.com/mpay/course.html. The material is presented `as-is` on a best effort basis, and may contain inaccuracies and errors (reports welcome); I make no warranties of precision and accuracy. I also list references to additional courses or tutorials in these areas (I'll be happy to add / host more here). I gave this course in the Inter-Disciplinary Center in Hertzelia, Israel, at 1999. Reuse is encouraged, please retain reference to this page and to the original title and author(s). Notice: downloading is free, but... most documents require `paying` using IBM Micro Payments demo money (which you'll get in the site). Our design is for this to be `non-obstrusive` for users who do not have the wallet installed, so even in this case you should see the page well and follow all links. Warning: a (natural?) bias to `my` topics exists in this course; I will attempt to improve this in the future (using your contributions?). Comments, suggestions and corrections (on both the course and on the IBM Micro Payments demo) will be appreciated. Best Regards, Amir Herzberg IBM Research Lab in Haifa (Tel Aviv Office) http://www.hrl.il.ibm.com Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA10869 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 03:40:10 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA26045; Mon, 17 Jul 2000 06:42:30 -0400 (EDT) Message-Id: <200007171042.GAA26045@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-dcs-05.txt Date: Mon, 17 Jul 2000 06:42:29 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols Author(s) : C. Adams, P. Sylvester, M. Zolotarev, R. Zuccherato Filename : draft-ietf-pkix-dcs-05.txt Pages : 47 Date : 14-Jul-00 This document describes a general data validation and certification service and the protocols to be used when communicating with it. The Data Validation and Certification Server is a Trusted Third Party (TTP) that can be used as one component in building reliable non- repudiation services (see [ISONR]). Useful Data Validation and Certification Server responsibilities in a PKI are to validate signed documents and to assert the validity of public key certificates at a given time. We give examples of how to use the Data Certification Server to extend the lifetime of a signature beyond key expiry or revocation and to query the Data Certification Server regarding the status of a public key certificate. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-dcs-05.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-dcs-05.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-dcs-05.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000714143903.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-dcs-05.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-dcs-05.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000714143903.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA10845 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 03:40:05 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA26015; Mon, 17 Jul 2000 06:42:25 -0400 (EDT) Message-Id: <200007171042.GAA26015@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-rfc2510bis-01.txt Date: Mon, 17 Jul 2000 06:42:24 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Certificate Management Protocols Author(s) : C. Adams, S. Farrell Filename : draft-ietf-pkix-rfc2510bis-01.txt Pages : 87 Date : 14-Jul-00 This document describes the Internet X.509 Public Key Infrastructure (PKI) Certificate Management Protocols. Protocol messages are defined for all relevant aspects of certificate creation and management. Note that 'certificate' in this document refers to an X.509v3 Certificate as defined in [COR95, X509-AM]. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc2510bis-01.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-rfc2510bis-01.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-rfc2510bis-01.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000714143838.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-rfc2510bis-01.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-rfc2510bis-01.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000714143838.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from stonewall.baltimore.com ([195.152.140.4]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id BAA06389 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 01:57:32 -0700 (PDT) Message-ID: <61922E6DA745D311A42000508B2CFD14B967EE@baltimore.com> From: Paul Halliden <PHalliden@baltimore.com> To: "'Anders Rundgren'" <anders.rundgren@telia.com>, Denis Pinkas <Denis.Pinkas@bull.net>, Stefan Santesson <stefan@accurata.se>, tgindin@us.ibm.com, Paul Halliden <PHalliden@baltimore.com> Cc: IETF-PXIX <ietf-pkix@imc.org> Subject: RE: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Mon, 17 Jul 2000 09:59:35 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Anders: I said: >>The contentious point is that this requirement has been >dropped. the reason >>is that, in some jurisdictions there is simply no support for the >>"unmistakable" concept. Thus the subject name can be unique >within the CA's name space. >> You replied: >This last line is actually the thing requested by Denis and by me! I think you will find that Denis is arguing against the "unmistakable" concept (see the first paragraph of his mail dated 13 July). As I understand it, he has requested (Comment 1 in the same mail) that a CA does not re-allocate an expired DN to someone other than the original user of the name for the lifetime of the CA. By expired DN, I mean a DN allocated to a subscriber who no longer has any certificates issued by that CA. > >But even that is said to be impossible to achieve for reasons so >far not particularly well explained. I have not been arguing against that one - Indeed I think it is good practice especially if long life documents have been signed by the subject of a certificate. It will be difficult for some countries to achieve this especially where there is a gap of many years between one DN ceasing to be used and a new registration request involving the same DN. However, I don't think that should stop us aiming for the objective. Anders, are we now in agreement? Regards Paul Halliden Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA04287 for <ietf-pkix@imc.org>; Mon, 17 Jul 2000 00:17:49 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.2/8.9.1) with ESMTP id JAA38842; Mon, 17 Jul 2000 09:19:22 +0200 Received: from bull.net (fradint87.bull.fr [129.181.85.87]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id JAA37096; Mon, 17 Jul 2000 09:19:29 +0200 Message-ID: <3971E83B.ED299C97@bull.net> Date: Sun, 16 Jul 2000 18:52:11 +0200 From: Denis <Denis.Pinkas@bull.net> X-Mailer: Mozilla 4.5 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> CC: ietf-pkix@imc.org Subject: Re: I-D ACTION:draft-ietf-pkix-qc-04.txt References: <200007141954.PAA03098@roadblock.missi.ncsc.mil> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Dave, My response below. > > From: Denis <Denis.Pinkas@bull.net> > > > > > Full text proposal replacement for 3.1.1: > > > > 3.1.1 Issuer > > > > The issuer field SHALL identify the organization responsible for > > issuing the certificate. > > > > The identity of the issuer SHALL be specified using an appropriate > > subset of the following attributes: > > > > domainComponent; > > countryName; > > stateOrProvinceName; > > organizationName; > > localityName; and > > serialNumber. > > > > Additional attributes MAY be present but they SHOULD NOT be necessary to > identify the issuing > > organization. The first element of the DN shall be the country where the CA is > operating from. > > > > The last sentence conflicts with the presence of domainComponent as > one of the allowed attributes, as there is no well-defined method of > constructing a DN containing a mixture of DC and other attributes. Everything depends from the ordering. If the domainComponent comes in the second position, then there is no problem. If people may think it is the first componet, then it should be deleted. > If it is necessary to identify the local laws under which the QC is > interpreted, the jurisdiction should be identified using something other > than the first element of the issuer DN. An "organization responsible > for issuing the certificate" may operate in multiple jurisdictions, so > even where the DN begins with C=xx, interpreting "xx" as a jurisdiction > may be misleading (and should be performed with care :-). Did the > Stockholm discussion consider the possibility of multi-country CAs? The European Directive requires a supervision system where each (European) country must supervise the CAs which are established on its territory. Hence why "CN" shall come first. Denis > > Dave Received: from blue.identrus.com ([216.213.93.121]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA01571 for <ietf-pkix@imc.org>; Sun, 16 Jul 2000 21:27:33 -0700 (PDT) Received: by blue.identrus.com with Internet Mail Service (5.5.2650.21) id <N9QAND4V>; Mon, 17 Jul 2000 00:29:48 -0400 Message-ID: <A105E1C02F5DD31181A500508B5519EC30622F@blue.identrus.com> From: Khaja Ahmed <Khaja.Ahmed@identrus.com> To: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: Need for an XML based cert check protocol with RPP capability. Date: Mon, 17 Jul 2000 00:29:43 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFEFA7.A25901B0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFEFA7.A25901B0 Content-Type: text/plain; charset="iso-8859-1" There are many applications being built under the Identrus trust model, which collectively will provide a global framework for e-commerce. Identrus has demonstrated that OCSP is a widely deployable standard that is not limited by specific application context or PKI implementation. The availability of OCSP from the IETF has been a key factor toward the interoperability goal. As a result of our work deploying OCSP and developing a global e-commerce framework that uses it, we see the need for some enhancements in protocols for certificate validation. The qualities we will need in a protocol for certificate checking in applications now being developed include, along with some background, the following: 1.) Remote Path Processing: In this model, the relying party (corporation or individual) has a relationship of trust with their banks. When there is a business decision to be made regarding trust in an on-line transaction, including certificate status, certificate path validation, and policy application, the customer must be able to rely on a simple response from their bank. Hence we would like the protocol to support path validation by the responder (Bank). 2.) XML encoding: The applications being developed and deployed use XML to encode messages. Given this, we would like to have a protocol that uses XML to encode the request. 3.) XML signatures: Identrus requires that all certificate checking requests be signed. We would like to use XML signatures for such requests. 4.) The Identrus model, shown at <http://www.identrus.com/solution.htm>, is based on the standard banking four-corner model. Hence a relying party will always go to his bank to validate a certificate even if the certificate was actually issued by some other bank. The protocol must support this. 5.) The protocol must support use of cached responses. As a corollary, it must permit the relying party to request a freshly generated response rather than one from it's cache. 6.) The protocol must permit checking of status on expired certificates. Identrus has a task force that is examining a couple of protocols to see if these capabilities. One is a proprietary protocol and the other is SCVP. For numerous and obvious (at least to this group) reasons we would prefer to use SCVP rather than anything proprietary. Does SCVP meet the above needs? Is it a matter of enhancing / modifying it to some degree to bring it in line with these needs? My limited understanding of these things suggests that SCVP is not an unreasonable candidate. Is there something else that, more fully, meets the above requirements? Are there other issues we should be considering? A discussion on this subject will be of great help in developing and / or selecting a suitable protocol. If the tremendous brainpower of this group could be brought to bear on this subject, it will undoubtedly yield the necessary results. Do let me know or contact me for further information / clarifications. Thanks and Regards. Khaja =========================================== Khaja E. Ahmed Chief Technology Officer Identrus, LLC. 16th Floor 140 E 45th St. New York, NY 10017 USA Telephone: 01.212.622.0673 Fax: 01.212.622.9196 Khaja.ahmed@identrus.com Office Direct: 01.925.989.6564 Office Main: 01.212.622.1524 ============================================ ------_=_NextPart_001_01BFEFA7.A25901B0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>Need for an XML based cert check protocol with RPP = capability.</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>There are many applications being built under the = Identrus trust model, which collectively will provide a global = framework for e-commerce. Identrus has demonstrated that OCSP is = a widely deployable standard that is not limited by specific = application context or PKI implementation. The availability of OCSP = from the IETF has been a key factor toward the interoperability = goal.</FONT></P> <P><FONT SIZE=3D2>As a result of our work deploying OCSP and developing = a global e-commerce framework that uses it, we see the need for some = enhancements in protocols for certificate validation. </FONT></P> <P><FONT SIZE=3D2>The qualities we will need in a protocol for = certificate checking in applications now being developed include, along = with some background, the following:</FONT></P> <P><FONT SIZE=3D2>1.) Remote Path Processing: In this model, the = relying party (corporation or individual) has a relationship of trust = with their banks. When there is a business decision to be made = regarding trust in an on-line transaction, including certificate = status, certificate path validation, and policy application, the = customer must be able to rely on a simple response from their = bank. Hence we would like the protocol to support path validation = by the responder (Bank).</FONT></P> <P><FONT SIZE=3D2>2.) XML encoding: The applications being = developed and deployed use XML to encode messages. Given this, we = would like to have a protocol that uses XML to encode the = request.</FONT></P> <P><FONT SIZE=3D2>3.) XML signatures: Identrus requires that all = certificate checking requests be signed. We would like to use XML = signatures for such requests.</FONT></P> <P><FONT SIZE=3D2>4.) The Identrus model, shown at <<A = HREF=3D"http://www.identrus.com/solution.htm" = TARGET=3D"_blank">http://www.identrus.com/solution.htm</A>>, is = based on the standard banking four-corner model. Hence a relying = party will always go to his bank to validate a certificate even if the = certificate was actually issued by some other bank. The = protocol must support this.</FONT></P> <P><FONT SIZE=3D2>5.) The protocol must support use of cached = responses. As a corollary, it must permit the relying party to = request a freshly generated response rather than one from it's = cache.</FONT></P> <P><FONT SIZE=3D2>6.) The protocol must permit checking of status on = expired certificates.</FONT> </P> <P><FONT SIZE=3D2>Identrus has a task force that is examining a couple = of protocols to see if these capabilities. One is a proprietary = protocol and the other is SCVP. For numerous and obvious (at = least to this group) reasons we would prefer to use SCVP rather than = anything proprietary. </FONT></P> <P><FONT SIZE=3D2>Does SCVP meet the above needs? Is it a matter = of enhancing / modifying it to some degree to bring it in line with = these needs? My limited understanding of these things suggests = that SCVP is not an unreasonable candidate. Is there something = else that, more fully, meets the above requirements? Are there = other issues we should be considering? </FONT></P> <P><FONT SIZE=3D2>A discussion on this subject will be of great help in = developing and / or selecting a suitable protocol. If the = tremendous brainpower of this group could be brought to bear on this = subject, it will undoubtedly yield the necessary results.</FONT></P> <P><FONT SIZE=3D2>Do let me know or contact me for further information = / clarifications.</FONT> <BR><FONT SIZE=3D2>Thanks and Regards. </FONT> <BR><FONT SIZE=3D2>Khaja </FONT> <BR><FONT = SIZE=3D2>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D = </FONT> <BR><FONT SIZE=3D2>Khaja E. Ahmed </FONT> <BR><FONT SIZE=3D2>Chief Technology Officer </FONT> <BR><FONT SIZE=3D2>Identrus, LLC. </FONT> <BR><FONT SIZE=3D2>16th Floor </FONT> <BR><FONT SIZE=3D2>140 E 45th St. </FONT> <BR><FONT SIZE=3D2>New York, NY 10017 USA </FONT> <BR><FONT SIZE=3D2>Telephone: 01.212.622.0673 </FONT> <BR><FONT SIZE=3D2>Fax: 01.212.622.9196 </FONT> <BR><FONT SIZE=3D2>Khaja.ahmed@identrus.com </FONT> <BR><FONT SIZE=3D2>Office Direct: 01.925.989.6564 </FONT> <BR><FONT SIZE=3D2>Office Main: 01.212.622.1524 </FONT> <BR><FONT = SIZE=3D2>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D = </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFEFA7.A25901B0-- Received: from blue.identrus.com ([216.213.93.121]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA16132 for <ietf-pkix@imc.org>; Sun, 16 Jul 2000 13:18:52 -0700 (PDT) Received: by blue.identrus.com with Internet Mail Service (5.5.2650.21) id <N9QANDTH>; Sun, 16 Jul 2000 16:20:59 -0400 Message-ID: <A105E1C02F5DD31181A500508B5519EC30622C@blue.identrus.com> From: Khaja Ahmed <Khaja.Ahmed@identrus.com> To: "'Eric Rescorla '" <ekr@speedy.rtfm.com>, "'Adrian McCullagh '" <AMcCullagh@exchange.gadens.com.au> Cc: "''Stephen Kent' '" <kent@bbn.com>, "'denis.bider@denisbider.com '" <denis.bider@denisbider.com>, "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: RE: Signing what you don't understand Date: Sun, 16 Jul 2000 16:20:58 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFEF63.5A55B4C0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BFEF63.5A55B4C0 Content-Type: text/plain; charset="iso-8859-1" Perhaps I have not followed this thread in its entirety and if this has already been sorted out please ignore this but... I am wondering if it is meaningful to discuss digital signatures without considering things like: 1.) The applicable certificate policy. 2.) Was nonRepudiation enabled in KeyUsage 3.) The governing law under which the certificate has been issued and is being used. (Closed contractual community vs. local / regiona / national law) I am not sure what we will learn from this dicussion without these facets added to it. Do the above account for automatic signatures? Is it expected (indeed required) that the signer have (demonstrably) full knowledge of what was being signed? Do people think it is worth our while (or even possible) to take a hypothical certificate policy, add some assumptions about governing law and see where this discussion goes? At Identrus we are examining this issue in the context of our own policies and governing law and would like to see what the collective wisdom of this group brings to light. Thanks and Regards. Khaja =========================================== Khaja E. Ahmed Chief Technology Officer Identrus, LLC. 16th Floor 140 E 45th St. New York, NY 10017 USA Telephone: 01.212.622.0673 Fax: 01.212.622.9196 Khaja.ahmed@identrus.com Office Direct: 01.925.989.6564 Office Main: 01.212.622.1524 ============================================ -----Original Message----- From: Eric Rescorla To: Adrian McCullagh Cc: 'Stephen Kent'; denis.bider@denisbider.com; ietf-pkix@imc.org Sent: 7/15/00 1:09 AM Subject: Re: Signing what you don't understand Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> writes: > I really do not understand your response. Why would anyone sign a document > that they do not understand. It does not make sense. People perform digital signatures of data they don't understand all the time. One most common case is cryptographic protocols which use digital signature for authentication of various kinds of keying material. (SSL and IKE both do this). Note that these signatures are often completely automatic. Now, as a matter of cryptographic practice, one generally arranges that neither party completely controls the input to the signature to to prevent one party from forcing another to sign an arbitrary document. However, as a matter of defense in depth, it's also nice to have those keys tagged in such a way that even if the protocol protections were broken, the signature still couldn't be used against the signer. Part of the issue here is that digital signature is a cryptographic primitive that can be used for other purposes than those which holographic signatures are currently used. -Ekr [Eric Rescorla ekr@rtfm.com] ------_=_NextPart_001_01BFEF63.5A55B4C0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: Signing what you don't understand</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Perhaps I have not followed this thread in its = entirety and if this has already been sorted out please ignore this = but...</FONT></P> <P><FONT SIZE=3D2>I am wondering if it is meaningful to discuss digital = signatures without considering things like:</FONT> </P> <P><FONT SIZE=3D2>1.) The applicable certificate policy.</FONT> <BR><FONT SIZE=3D2>2.) Was nonRepudiation enabled in KeyUsage</FONT> <BR><FONT SIZE=3D2>3.) The governing law under which the certificate = has been issued and is being used. (Closed contractual community = vs. local / regiona / national law)</FONT></P> <P><FONT SIZE=3D2>I am not sure what we will learn from this dicussion = without these facets added to it.</FONT> </P> <P><FONT SIZE=3D2>Do the above account for automatic signatures? Is it = expected (indeed required) that the signer have (demonstrably) full = knowledge of what was being signed?</FONT></P> <P><FONT SIZE=3D2>Do people think it is worth our while (or even = possible) to take a hypothical certificate policy, add some assumptions = about governing law and see where this discussion = goes?</FONT></P> <P><FONT SIZE=3D2>At Identrus we are examining this issue in the = context of our own policies and governing law and would like to see = what the collective wisdom of this group brings to light.</FONT></P> <P><FONT SIZE=3D2>Thanks and Regards.</FONT> </P> <P><FONT SIZE=3D2>Khaja</FONT> <BR><FONT = SIZE=3D2>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D = </FONT> <BR><FONT SIZE=3D2>Khaja E. Ahmed </FONT> <BR><FONT SIZE=3D2>Chief Technology Officer</FONT> <BR><FONT SIZE=3D2>Identrus, LLC. </FONT> <BR><FONT SIZE=3D2>16th Floor </FONT> <BR><FONT SIZE=3D2>140 E 45th St. </FONT> <BR><FONT SIZE=3D2>New York, NY 10017 USA </FONT> <BR><FONT SIZE=3D2>Telephone: 01.212.622.0673 </FONT> <BR><FONT SIZE=3D2>Fax: 01.212.622.9196 </FONT> <BR><FONT SIZE=3D2>Khaja.ahmed@identrus.com </FONT> <BR><FONT SIZE=3D2>Office Direct: 01.925.989.6564 </FONT> <BR><FONT SIZE=3D2>Office Main: 01.212.622.1524 </FONT> <BR><FONT = SIZE=3D2>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D = </FONT> </P> <P><FONT SIZE=3D2> </FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Eric Rescorla</FONT> <BR><FONT SIZE=3D2>To: Adrian McCullagh</FONT> <BR><FONT SIZE=3D2>Cc: 'Stephen Kent'; denis.bider@denisbider.com; = ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Sent: 7/15/00 1:09 AM</FONT> <BR><FONT SIZE=3D2>Subject: Re: Signing what you don't = understand</FONT> </P> <P><FONT SIZE=3D2>Adrian McCullagh = <AMcCullagh@exchange.gadens.com.au> writes:</FONT> <BR><FONT SIZE=3D2>> I really do not understand your response. = Why would anyone sign a</FONT> <BR><FONT SIZE=3D2>document</FONT> <BR><FONT SIZE=3D2>> that they do not understand. It does not = make sense.</FONT> <BR><FONT SIZE=3D2>People perform digital signatures of data they don't = understand all the</FONT> <BR><FONT SIZE=3D2>time. One most common case is cryptographic = protocols which use</FONT> <BR><FONT SIZE=3D2>digital signature for authentication of various = kinds of keying</FONT> <BR><FONT SIZE=3D2>material. (SSL and IKE both do this). Note that = these signatures</FONT> <BR><FONT SIZE=3D2>are often completely automatic.</FONT> </P> <P><FONT SIZE=3D2>Now, as a matter of cryptographic practice, one = generally arranges</FONT> <BR><FONT SIZE=3D2>that neither party completely controls the input to = the signature to</FONT> <BR><FONT SIZE=3D2>to prevent one party from forcing another to sign an = arbitrary</FONT> <BR><FONT SIZE=3D2>document. However, as a matter of defense in depth, = it's also nice</FONT> <BR><FONT SIZE=3D2>to have those keys tagged in such a way that even if = the protocol</FONT> <BR><FONT SIZE=3D2>protections were broken, the signature still = couldn't be used against</FONT> <BR><FONT SIZE=3D2>the signer.</FONT> </P> <P><FONT SIZE=3D2>Part of the issue here is that digital signature is a = cryptographic</FONT> <BR><FONT SIZE=3D2>primitive that can be used for other purposes than = those which</FONT> <BR><FONT SIZE=3D2>holographic signatures are currently used.</FONT> </P> <P><FONT SIZE=3D2>-Ekr</FONT> </P> <P><FONT SIZE=3D2>[Eric = Rescorla &nbs= p; &nbs= p; = ekr@rtfm.com]</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01BFEF63.5A55B4C0-- Received: from blount.mail.mindspring.net (blount.mail.mindspring.net [207.69.200.226]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA23697 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 22:32:38 -0700 (PDT) Received: from romeo.rtfm.com (user-33qtiij.dialup.mindspring.com [199.174.202.83]) by blount.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id BAA12592; Sat, 15 Jul 2000 01:33:47 -0400 (EDT) Received: (ekr@localhost) by romeo.rtfm.com (8.9.3/8.6.4) id WAA03080; Fri, 14 Jul 2000 22:09:26 -0700 (PDT) Sender: ekr@rtfm.com To: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> Cc: "'Stephen Kent'" <kent@bbn.com>, denis.bider@denisbider.com, ietf-pkix@imc.org Subject: Re: Signing what you don't understand References: <C7006C79F23FD411AFCC00E018C353B402590D@exchange.gadens.com.au> Reply-to: EKR <rescorla@mindspring.com> Mime-Version: 1.0 (generated by tm-edit 7.108) Content-Type: text/plain; charset=US-ASCII From: Eric Rescorla <ekr@speedy.rtfm.com> Date: 14 Jul 2000 22:09:25 -0700 In-Reply-To: Adrian McCullagh's message of "Sat, 15 Jul 2000 12:50:52 +1000" Message-ID: <kjitu8asje.fsf@romeo.rtfm.com> Lines: 26 X-Mailer: Gnus v5.6.45/XEmacs 20.4 - "Emerald" Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> writes: > I really do not understand your response. Why would anyone sign a document > that they do not understand. It does not make sense. People perform digital signatures of data they don't understand all the time. One most common case is cryptographic protocols which use digital signature for authentication of various kinds of keying material. (SSL and IKE both do this). Note that these signatures are often completely automatic. Now, as a matter of cryptographic practice, one generally arranges that neither party completely controls the input to the signature to to prevent one party from forcing another to sign an arbitrary document. However, as a matter of defense in depth, it's also nice to have those keys tagged in such a way that even if the protocol protections were broken, the signature still couldn't be used against the signer. Part of the issue here is that digital signature is a cryptographic primitive that can be used for other purposes than those which holographic signatures are currently used. -Ekr [Eric Rescorla ekr@rtfm.com] Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA19796 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 20:44:01 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FXP00G01ZSYIP@ext-mail.valicert.com> for ietf-pkix@imc.org; Fri, 14 Jul 2000 20:46:10 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FXP00GGYZSY4L@ext-mail.valicert.com>; Fri, 14 Jul 2000 20:46:10 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36006BV8>; Fri, 14 Jul 2000 20:38:18 -0700 Content-return: allowed Date: Fri, 14 Jul 2000 20:38:18 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: Signing what you don't understand To: "'Adrian McCullagh'" <AMcCullagh@exchange.gadens.com.au>, "'Stephen Kent'" <kent@bbn.com>, denis.bider@denisbider.com Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE20177AFA4@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Adrian, I do not think Steve is advocating anyone sign a document they do not understand. I think he is saying a signature by itself is not binding to a person or a device. A certificate binds a signature to a person or a device. Frank > -----Original Message----- > From: Adrian McCullagh [mailto:AMcCullagh@exchange.gadens.com.au] > Sent: Friday, July 14, 2000 10:51 PM > To: 'Stephen Kent'; denis.bider@denisbider.com > Cc: ietf-pkix@imc.org > Subject: RE: Signing what you don't understand > > > Stephen > > I really do not understand your response. Why would anyone > sign a document > that they do not understand. It does not make sense. If I sent you a > document written in Chinese and assume you can not read > Chinese and at the > same time I said just sign this - Why would you sign it. Now > if you trusted > me then you may sign it based upon the information about the > document that I > tell you. A classic case for Non-est-factum. But all the > cases that I have > read clearly rely upon some information provided by an > Alleged trusted third > party. Usually some relative. So without some external > information being > provided by a third party it is not as far as I can determine > possible to > rely upon non est factum. > > Also what does a "bit" in a certificate got to do with > non-repudiation. The > commercial world and the law does not in my opinion support > this position of > yours. You appear to be on a path to re-engineering the > entire commercial > legal fabric and as such I with the greatest respect I do not > believe that > society and the law will buy into it. With out the > commercial involvement > PKI will not survive. > > I do not understand how - "what you are proposing" - will > work in practical > terms. > > > > Adrian McCullagh > Director of Electronic Commerce Tel: 617 3231 1522 > Gadens Lawyers Fax: > 617 3229 5850 > level 39 > Central Plaza 1 > 345 Queen Street > Brisbane Australia 4000 > > Ph. D. Candidate > Thesis "The Incorporation of Trust Strategies in Digital Signature > Regimes for Elec. Comm." > Information Security Research Centre > Queensland University of Technology > > > > -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Thursday, July 13, 2000 11:49 PM > To: denis.bider@denisbider.com > Cc: ietf-pkix@imc.org > Subject: Re: Signing what you don't understand > > > Denis, > > >The most important point of my previous message was buried > under a pile of > >other stuff, so I am repeating it here: > > > > > >It is my proposal that a signature format is designed which > will allow an > >entity to say: "I signed this data, but I didn't understand > what I signed. > >You are free to use this signature as proof that I possess a certain > private > >key, but this is also the only purpose for which this > signature can be > >used." > > We have had an analogous debate on this list last year. This is one > motivation for the use of the non-repudiation bit in certificates, > i.e., if this bit is NOT asserted, one can reasonably interpret the > signature as not binding. This does not require a change to the > signing format, but rather appropriate use of key usage bits in > certificates. As others have pointed out, the preferred way to > represent the distinction between binding and non-binding signatures > is via flags in certificates, e.g., key usage, cert policy, etc. > > Steve > Received: from hamster.gadens.com.au (root@dns.gadens.com.au [203.32.220.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA15225 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 19:46:02 -0700 (PDT) Received: from exchange.gadens.com.au ([10.1.8.3]) by hamster.gadens.com.au (8.9.3/8.9.3) with ESMTP id MAA34277; Sat, 15 Jul 2000 12:47:28 +1000 (EST) (envelope-from AMcCullagh@exchange.gadens.com.au) Received: by exchange.gadens.com.au with Internet Mail Service (5.5.2650.21) id <3YWS6GZB>; Sat, 15 Jul 2000 12:50:55 +1000 Message-ID: <C7006C79F23FD411AFCC00E018C353B402590D@exchange.gadens.com.au> From: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> To: "'Stephen Kent'" <kent@bbn.com>, denis.bider@denisbider.com Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Sat, 15 Jul 2000 12:50:52 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Stephen I really do not understand your response. Why would anyone sign a document that they do not understand. It does not make sense. If I sent you a document written in Chinese and assume you can not read Chinese and at the same time I said just sign this - Why would you sign it. Now if you trusted me then you may sign it based upon the information about the document that I tell you. A classic case for Non-est-factum. But all the cases that I have read clearly rely upon some information provided by an Alleged trusted third party. Usually some relative. So without some external information being provided by a third party it is not as far as I can determine possible to rely upon non est factum. Also what does a "bit" in a certificate got to do with non-repudiation. The commercial world and the law does not in my opinion support this position of yours. You appear to be on a path to re-engineering the entire commercial legal fabric and as such I with the greatest respect I do not believe that society and the law will buy into it. With out the commercial involvement PKI will not survive. I do not understand how - "what you are proposing" - will work in practical terms. Adrian McCullagh Director of Electronic Commerce Tel: 617 3231 1522 Gadens Lawyers Fax: 617 3229 5850 level 39 Central Plaza 1 345 Queen Street Brisbane Australia 4000 Ph. D. Candidate Thesis "The Incorporation of Trust Strategies in Digital Signature Regimes for Elec. Comm." Information Security Research Centre Queensland University of Technology -----Original Message----- From: Stephen Kent [mailto:kent@bbn.com] Sent: Thursday, July 13, 2000 11:49 PM To: denis.bider@denisbider.com Cc: ietf-pkix@imc.org Subject: Re: Signing what you don't understand Denis, >The most important point of my previous message was buried under a pile of >other stuff, so I am repeating it here: > > >It is my proposal that a signature format is designed which will allow an >entity to say: "I signed this data, but I didn't understand what I signed. >You are free to use this signature as proof that I possess a certain private >key, but this is also the only purpose for which this signature can be >used." We have had an analogous debate on this list last year. This is one motivation for the use of the non-repudiation bit in certificates, i.e., if this bit is NOT asserted, one can reasonably interpret the signature as not binding. This does not require a change to the signing format, but rather appropriate use of key usage bits in certificates. As others have pointed out, the preferred way to represent the distinction between binding and non-binding signatures is via flags in certificates, e.g., key usage, cert policy, etc. Steve Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA26615 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 17:05:24 -0700 (PDT) Received: from ISI.EDU (jet.isi.edu [128.9.160.87]) by boreas.isi.edu (8.9.3/8.9.3) with ESMTP id RAA04191; Fri, 14 Jul 2000 17:07:26 -0700 (PDT) Message-Id: <200007150007.RAA04191@boreas.isi.edu> To: IETF-Announce: ; Subject: RFC 2875 on Diffie-Hellman Proof-of-Possession Algorithms Cc: rfc-ed@ISI.EDU, ietf-pkix@imc.org Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary=NextPart Date: Fri, 14 Jul 2000 17:07:26 -0700 From: RFC Editor <rfc-ed@ISI.EDU> --NextPart A new Request for Comments is now available in online RFC libraries. RFC 2875 Title: Diffie-Hellman Proof-of-Possession Algorithms Author(s): H. Prafullchandra, J. Schaad Status: Standards Track Date: July 2000 Mailbox: hemma@cp.net, jimsch@nwlink.com Pages: 23 Characters: 45231 Updates/Obsoletes/SeeAlso: None I-D Tag: draft-ietf-pkix-dhpop-03.txt URL: ftp://ftp.isi.edu/in-notes/rfc2875.txt This document describes two methods for producing an integrity check value from a Diffie-Hellman key pair. This behavior is needed for such operations as creating the signature of a PKCS #10 certification request. These algorithms are designed to provide a proof-of-possession rather than general purpose signing. This document is a product of the Public-Key Infrastructure (X.509) Working Group of the IETF. This is now a Proposed Standard Protocol. This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This announcement is sent to the IETF list and the RFC-DIST list. Requests to be added to or deleted from the IETF distribution list should be sent to IETF-REQUEST@IETF.ORG. Requests to be added to or deleted from the RFC-DIST distribution list should be sent to RFC-DIST-REQUEST@RFC-EDITOR.ORG. Details on obtaining RFCs via FTP or EMAIL may be obtained by sending an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body help: ways_to_get_rfcs. For example: To: rfc-info@RFC-EDITOR.ORG Subject: getting rfcs help: ways_to_get_rfcs Requests for special distribution should be addressed to either the author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution.echo Submissions for Requests for Comments should be sent to RFC-EDITOR@RFC-EDITOR.ORG. Please consult RFC 2223, Instructions to RFC Authors, for further information. Joyce K. Reynolds and Sandy Ginoza USC/Information Sciences Institute ... Below is the data which will enable a MIME compliant Mail Reader implementation to automatically retrieve the ASCII version of the RFCs. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="RFC-INFO@RFC-EDITOR.ORG" Content-Type: text/plain Content-ID: <000714170514.RFC@RFC-EDITOR.ORG> RETRIEVE: rfc DOC-ID: rfc2875 --OtherAccess Content-Type: Message/External-body; name="rfc2875.txt"; site="ftp.isi.edu"; access-type="anon-ftp"; directory="in-notes" Content-Type: text/plain Content-ID: <000714170514.RFC@RFC-EDITOR.ORG> --OtherAccess-- --NextPart-- Received: from mail.moh.hnet.bc.ca (mail.moh.hnet.bc.ca [142.36.56.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA20357 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 16:14:28 -0700 (PDT) Received: from moh.hnet.bc.ca ([142.36.11.183]) by mail.moh.hnet.bc.ca (Netscape Messaging Server 3.61) with ESMTP id AAA5F7F; Fri, 14 Jul 2000 16:16:15 -0700 Message-ID: <396F9F48.6BFD726A@moh.hnet.bc.ca> Date: Fri, 14 Jul 2000 16:16:24 -0700 From: "Doug M Williscroft" <doug.williscroft@moh.hnet.bc.ca> X-Mailer: Mozilla 4.51 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: amir.herzberg@il.ibm.com CC: ietf-pkix@imc.org Subject: Re: Trading Partner Web Certificates References: <C1256913.0024AC22.00@d12mta02.de.ibm.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit amir.herzberg@il.ibm.com wrote: > Doug, your design below requires distribution of the private key of the > trading partner to each of its employees allowed to access your site. This > clearly creates significant exposure to this key. Amir, You are correct that the primary risk is in the broad distribution of the private key within an organization. Since the key is *intended* to identify the organization this would not be a risk *at all* if it could be 'guaranteed' that the private key could not be removed from the machine on which it has been installed. IE5 offers exactly this function, though I understand that there is reasonable doubt about the quality of the function. I understand that there is the possibility of attacks against the design and implementation of the MS base cryptoprovider. All documents I have seen on this topic are in reference to older versions of IE, though some of the criticisms were against core design choices made in the cryptoAPI. Even so the avenues of attack are enormously reduced over simple SSL and uid/pwd. To reduce/eliminate the risk you identify, it would be nice to see a cryptoprovider that could truly "lock-down" the private key. As I see it, a equally important issue is ease of administration; it would be helpful if there were a way for an organization to easily and centrally install the trading partner certificate on all relevant machines. > What are the reasons for > taking this risk, rather than having the trading partner (or you) issue > certificates to each employee of the business partner allowed to access > your site? Why do we not issue individual certs to individual staff of external trading partners: * Cost of issuance is unnecessarily high: requires tight integration with external trading partner hiring practices. Furthermore, organizational linkages are so loose, and lag times so great, that certificates cannot be certain to be revoked in a timely manner. Individuals would potentially retain access to our system long after they had left the employ of the trading partner. By using a locked down trading partner cert, once the ex-employee leaves the premises, they lose access. * Cost of certificate administration very high for trading partners. Several of our larger trading partners have staff that move from workstation to workstation. Individual certs introduce the need to manage the details of which workstations get which certificates. "Trading partner" certificates sidestep this issue entirely. Why not have trading partner issue individual certs: * Almost all (99% +) of our trading partners do not have the technical or financial ability to operate an internal CA. * Some smaller portion of them (80%?)do not have the financial wherewithal to contract CA services. * Purchasing low assurance commercial certificates presents administrative issues (one year expiry increases effort required by both ourselves and the trading partners). * For many of our trading partners the cost of administering individual certificates is very high (shared workstations and roaming). -- Doug Williscroft HealthNet/BC Architecture and Standards Branch Ministry of Health Information Management Group Telephone: (250) 952-2497 _______________________________________________ Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA16522 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 14:41:51 -0700 (PDT) Received: from rhousley_laptop ([209.172.119.209]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id OAA11257; Fri, 14 Jul 2000 14:43:24 -0700 (PDT) Message-Id: <4.2.0.58.20000714172353.00a797e0@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Fri, 14 Jul 2000 17:25:04 -0400 To: Renato Portela <RPortela@sibs.mailcom.pt> From: Russ Housley <housley@spyrus.com> Subject: Re: ASN.1 Cc: <ietf-pkix@imc.org> In-Reply-To: <63DA964A0E78D211B53E0008C7A4F56D014DC135@sibsex.sibs> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed RFC 2459 uses the 1988 version of ASN.1. X.509 uses the most current version. Both result in the exact same bits on the wire. Russ At 02:51 PM 07/14/2000 +0100, Renato Portela wrote: >Hi, > >The X.509 and the RFC2459 both define a certificate but the asn.1 used to >define it is different. >Why are they different? >The encoding result of those Certificates is equal? > >The RFC2560 import Certificate from AuthenticationFramework. >Should I use that definition or the definition of Certificate in RFC2459? > >Thanks in advance >Renato Portela Received: from wfhqex05.wangfed.com (netva01.wangfed.com [206.137.100.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA14719; Fri, 14 Jul 2000 14:00:17 -0700 (PDT) Received: by wfhqex05.wangfed.com with Internet Mail Service (5.5.2650.21) id <3GNFB4M2>; Fri, 14 Jul 2000 17:01:39 -0400 Message-ID: <4B0D36365AD3D2118FF40060972A16C0016D013D@wfhqex01.wangfed.com> From: "Pawling, John" <John.Pawling@wang.com> To: "Pawling, John" <John.Pawling@wang.com> Subject: v1.71 Certificate Management Library Now Available Date: Fri, 14 Jul 2000 17:01:32 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" All, Wang Government Services, Inc. (WGSI), A Getronics Company, has delivered the Version 1.71 Certificate Management Library (CML). The v1.71 CML is freely available to everyone from the Fortezza Developers CML Page <http://www.armadillo.huntsville.al.us/software/certmgmt/index.html>. The v1.71 CML is described in the v1.7 CML Application Programming Interface (API) document. It implements the 1997 X.509 certification path processing rules. It meets the majority of RFC 2459 and SDN.706 requirements. It (optionally) provides local cache management functions and (optionally) obtains data objects using LDAP. It can (optionally) be used in conjunction with the v1.31 Certificate Path Development Library (CPDL) developed by CygnaCom Solutions, an Entrust Technologies company, to provide robust certification path building capabilities such as using cross certificates. The CML has been used to validate X.509 Certificates and Certificate Revocation Lists (CRL) signed using the Digital Signature Algorithm (DSA) and RSA. Further enhancements, ports and testing of the CML are still in process. Further releases of the CML will be provided as significant capabilities are added. The following v1.71 CML files are available: CMLv171win.zip: MS Windows Dynamically Linked Libraries (DLL) CML171so.tar.Z: Sun Solaris Libraries CML171sr.tar.Z: Source, including Windows project files The aforementioned files and the v1.7 CML API document (CMv1_7api.doc, CMv1_7api.pdf), test certs (cml171data.zip) and readme.txt files are stored on the Fortezza Developers CML Page. The v1.71 CML includes the following enhancements (compared with the v1.7 CML release): 1) Tested with the SNACC, Crypto Token Interface Libraries (CTIL) and LibCert DLL delivered with the v1.7 S/MIME Freeware Library (SFL) available from Fortezza Developer's S/MIME Page <http://www.armadillo.huntsville.al.us/software/smime>. 2) Re-configured directory structure for CML source code files so that it is consistent with the SFL and Access Control Library (ACL). 3) Diffie-Hellman logic in CM_RetrieveKey and CM_DecodeCert cleaned up. 4) Corrected several bugs reported by customers. 5) Performed regression testing to ensure that aforementioned enhancements did not break existing CML functionality. WGSI welcomes all feedback regarding the CML software and documents. If bugs are reported, then we will investigate each reported bug and, if required, will produce a patch or an updated release of the software to repair the bug. All source code for the CML is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the CML without paying any royalties or licensing fees. The CML was originally developed by the U.S. Government. WGSI is enhancing and supporting the CML under contract to the U.S. Government. The U.S. Government is furnishing the CML software at no cost to the vendor subject to the conditions of the CML Public License provided with the CML software. The CML software is not subject to U.S. Government encryption export regulations, so it is freely available to everyone. The v1.71 CML uses the WGSI v1.3 Enhanced SNACC ASN.1 Library to encode/decode objects. WGSI has successfully tested the v1.71 CML with the SNACC and CTIL DLLs delivered in conjunction with the v1.7 SFL. Source code for the WGSI-developed CTILs is available from the Fortezza Developer's S/MIME Page. The actual crypto libraries are not provided with the CML or SFL. They must be independently obtained from the appropriate source. The v1.71 CML can be used in conjunction with the v1.31 CPDL to successfully meet all of the requirements of the Bridge Certification Authority Demonstration effort which includes cross-certified Entrust, Spyrus and Motorola v3 certificate domains. The CML171sr.tar.Z file includes the CPDL source code and public license. <http://www.cygnacom.com/cpl> provides more information regarding the CPDL. The Internet Mail Consortium (IMC) has established a CML web page <http://www.imc.org/imc-cml> and a CML mail list which is used to: distribute information regarding CML releases; discuss CML-related issues; and allow CML users to provide feedback, comments, bug reports, etc. Subscription information for the imc-cml mailing list is at the IMC web site listed above. All comments regarding the CML source code and documents are welcome. This CML release announcement was sent to several mail lists, but please send all messages regarding the CML to the imc-cml mail list ONLY. Please do not send messages regarding the CML to any of the IETF mail lists. We will respond to all messages sent to the imc-cml mail list. ============================================ John Pawling, john.pawling@wang.com Wang Government Services, Inc., A Getronics Company ============================================ Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA13357 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 13:24:22 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FXP00E01FG0NZ@ext-mail.valicert.com> for ietf-pkix@imc.org; Fri, 14 Jul 2000 13:26:24 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FXP00E2BFG0MC@ext-mail.valicert.com>; Fri, 14 Jul 2000 13:26:24 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <36006AMS>; Fri, 14 Jul 2000 13:18:34 -0700 Content-return: allowed Date: Fri, 14 Jul 2000 13:18:33 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: To: "'Renato Portela'" <RPortela@sibs.mailcom.pt>, "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Message-id: <27FF4FAEA8CDD211B97E00902745CBE20177AFA1@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Renato, RFC 2459 contains two complete ASN.1 definitions: one in 1988 syntax (beginning on page 69), and one in 1993 syntax (beginning on page 90) X.509 uses the 1993 syntax. I BELIEVE that the IETF and X5 are committed to aligning both documents. RFC 2459 has one obvious advantage over X.509. RFC 2459 is free. Frank > -----Original Message----- > From: Renato Portela [mailto:RPortela@sibs.mailcom.pt] > Sent: Friday, July 14, 2000 9:51 AM > To: 'ietf-pkix@imc.org' > Subject: > > > Hi, > > The X.509 and the RFC2459 both define a certificate but the > asn.1 used to > define it is different. > Why are they different? > The encoding result of those Certificates is equal? > > The RFC2560 import Certificate from AuthenticationFramework. > Should I use that definition or the definition of Certificate > in RFC2459? > > Thanks in advance > Renato Portela > Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id NAA12492 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 13:11:05 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id VAA22255; Fri, 14 Jul 2000 21:24:21 +0100 Message-ID: <396F740C.18151C78@algroup.co.uk> Date: Fri, 14 Jul 2000 21:11:56 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: "Heimberg, Jim" <Jim.Heimberg@GD-CS.COM> CC: "'Paul Koning'" <pkoning@xedia.com>, anders.rundgren@telia.com, PHalliden@baltimore.com, Denis.Pinkas@bull.net, stefan@accurata.se, ietf-pkix@imc.org Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt References: <2575327B6755D211A0E100805F9FF954050804B3@ndhmex02.ndhm.gsc.gte.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit "Heimberg, Jim" wrote: > > OK, maybe my meager mind is confused, this being Friday and all. I can't > refrain from asking the obvious question. Is there confusion between what a > distinguished name is and what a common name is. Since the DN is a > contatenation of the common name and the domain path to it in the common > directory structure for that domain, I have trouble envisioning DNs that are > not unique unless there is a plan afoot to create duplicate domains using > the same domain names. ??? Will this never end? The problem is that there is no "domain path to it in the common directory structure for that domain" coz that's the bit that never happened (i.e. a global infrastructure for unique DN allocation). Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA11771 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 13:03:05 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id PAA03102 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 15:54:24 -0400 (EDT) Message-Id: <200007141954.PAA03098@roadblock.missi.ncsc.mil> Date: Fri, 14 Jul 2000 16:01:37 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: I-D ACTION:draft-ietf-pkix-qc-04.txt To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: cxrt6dHql/sZR1qYMdw+uQ== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc > From: Denis <Denis.Pinkas@bull.net> > > Full text proposal replacement for 3.1.1: > > 3.1.1 Issuer > > The issuer field SHALL identify the organization responsible for > issuing the certificate. > > The identity of the issuer SHALL be specified using an appropriate > subset of the following attributes: > > domainComponent; > countryName; > stateOrProvinceName; > organizationName; > localityName; and > serialNumber. > > Additional attributes MAY be present but they SHOULD NOT be necessary to identify the issuing > organization. The first element of the DN shall be the country where the CA is operating from. > The last sentence conflicts with the presence of domainComponent as one of the allowed attributes, as there is no well-defined method of constructing a DN containing a mixture of DC and other attributes. If it is necessary to identify the local laws under which the QC is interpreted, the jurisdiction should be identified using something other than the first element of the issuer DN. An "organization responsible for issuing the certificate" may operate in multiple jurisdictions, so even where the DN begins with C=xx, interpreting "xx" as a jurisdiction may be misleading (and should be performed with care :-). Did the Stockholm discussion consider the possibility of multi-country CAs? Dave Received: from cam-mailer1.bbn.com (cam-mailer1.bbn.com [171.78.68.5]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA09628 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 12:29:21 -0700 (PDT) Received: from [128.33.238.40] (TC040.BBN.COM [128.33.238.40]) by cam-mailer1.bbn.com (8.8.8+Sun/8.8.8) with ESMTP id PAA13387; Fri, 14 Jul 2000 15:31:09 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04220801b593769c4f3b@[128.33.238.97]> In-Reply-To: <000301bfeb5f$e6cf77c0$0201010a@intergalactic> References: <000301bfeb5f$e6cf77c0$0201010a@intergalactic> Date: Thu, 13 Jul 2000 09:48:56 -0400 To: <denis.bider@denisbider.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Signing what you don't understand Cc: <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" Denis, >The most important point of my previous message was buried under a pile of >other stuff, so I am repeating it here: > > >It is my proposal that a signature format is designed which will allow an >entity to say: "I signed this data, but I didn't understand what I signed. >You are free to use this signature as proof that I possess a certain private >key, but this is also the only purpose for which this signature can be >used." We have had an analogous debate on this list last year. This is one motivation for the use of the non-repudiation bit in certificates, i.e., if this bit is NOT asserted, one can reasonably interpret the signature as not binding. This does not require a change to the signing format, but rather appropriate use of key usage bits in certificates. As others have pointed out, the preferred way to represent the distinction between binding and non-binding signatures is via flags in certificates, e.g., key usage, cert policy, etc. Steve Received: from cam-mailer1.bbn.com (cam-mailer1.bbn.com [171.78.68.5]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA09590 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 12:29:13 -0700 (PDT) Received: from [128.33.238.40] (TC040.BBN.COM [128.33.238.40]) by cam-mailer1.bbn.com (8.8.8+Sun/8.8.8) with ESMTP id PAA13396; Fri, 14 Jul 2000 15:31:11 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <v04220800b5911c78c3d2@[128.33.238.73]> In-Reply-To: <14697.62855.86517.298866@xedia.com> References: <73388857A695D31197EF00508B08F2988A3C17@ntmsg0131.corpmail.telstra.com.au> <v0422080bb58299d62029@[171.78.30.107]> <14697.62855.86517.298866@xedia.com> Date: Thu, 13 Jul 2000 09:53:37 -0400 To: Paul Koning <pkoning@xedia.com> From: Stephen Kent <kent@bbn.com> Subject: RE: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt. HASH Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" ><snip> >The Internet protocol design rule is "be strict in what you send, >tolerant in what you receive". It has been known for decades that >this is the correct rule. (That doesn't keep some other standards >bodies from ignoring it, unfortunately. Then again, there are still >standards bodies that use two-way connection setup handshakes...) The quote you cite is based on advice from the late Jon Postel, someone I knew well for over 20 years, and with whom I served on the IAB for over 12 years. As I acknowledged earlier, it is appropriate advice in general, but not necessarily appropriate for security protocols, and it certainly is not an "Internet protocol design rule." Felexibility in input acceptance in security protocols provides attackers with more options for attacks, hardly a desirable feature. Our goal is to constrain interfaces so as to better understand them and the security implications of various combinations of input parameters. So, merely citing this general advice is not a basis for making such decisions in security protocols. >Protocols should check those invariants that have to be valid for >correct operation to result, or for interoperability to be possible. >Checks beyond that are counterproductive. If we can be confident that a failure to check certain inputs will not result in adverse effects under any circumstances, then we need not check them. However, when a TTP such as a TSA is signing a token it is not clear that this is true. >In particular, the more you check, the more often you have to ECO your >specs and your implementation as new extensions are registered. And >the more often you have to release bugfixes. Agreed. But our primary focus is security, so the issue is what constitutes the right tradeoff. New hash algorithms do not arise so quickly that a TSA can't anticipate them and the associated size of the hash value. Looking at the time it takes for a standards bodies to approve such things and assign OIDs, this does not seem hard. Also, we're not talking about changes to client software, but rather server software/hardware, which is much more amenable to such change management. Steve Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA05052 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 11:34:37 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id OAA10768 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 14:25:56 -0400 (EDT) Message-Id: <200007141825.OAA10764@roadblock.missi.ncsc.mil> Date: Fri, 14 Jul 2000 14:33:09 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: Current signature formats insufficient To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: EXX+lHhq0omcjTkkP3ogsA== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc > From: "Simon McMahon" <simon@onthenet.com.au> > > I dont agree with either digital alternative for indicating the signers > intention in a legally binding way, i.e. boosting or removing > non-repudiation. Agree! > Firstly that the certificate's usage attributes should > dictate anything about the private key since they may not both be stored on > the same device and the association is not trivial to check, I don't understand this. The association between private and public keys is trivial to check, regardless of where the certificate is stored. If there is a device that generates keypairs and exports only the public key for certification (i.e. no private key export), the CA could certify public keys generated by such devices under physical control of the CA or its agents. The CA can then legitimately make a usage statement that a particular private key may be or cannot be copied, and such a statement is useful input into a non-repudiation process. Even with cryptomodules of lesser assurance, a statement that the private key has been copied or should not be copied is useful, though to a lesser degree. > or, secondly, > that the signature format should indicate my intention when I signed. All of > my intentions should be indicated in the content of what I signed. Agree! Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA01768 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 10:55:09 -0700 (PDT) Received: from mega (t1o69p83.telia.com [62.20.144.83]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id TAA02637; Fri, 14 Jul 2000 19:56:52 +0200 (CEST) Message-ID: <001701bfedc5$26f65000$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net>, "Stefan Santesson" <stefan@accurata.se>, <tgindin@us.ibm.com>, "Paul Halliden" <PHalliden@baltimore.com> Cc: "IETF-PXIX" <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 14 Jul 2000 20:55:58 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id KAA01769 Paul, >Tom >> >In fact, X.509v3 section 11.2 has a note which >>states "a certification authority shall not issue certificates for two >>users with the same name", >> >This is not the point at dispute. The QC text used to have an additional >requirement that a QC contained "an unmistakable identity ... which ... >relates to a specific entity." It also contained the concept of "a >corresponding officially registered identity". > >The contentious point is that this requirement has been dropped. the reason >is that, in some jurisdictions there is simply no support for the >"unmistakable" concept. Thus the subject name can be unique within the CA's >name space. This last line is actually the thing requested by Denis and by me! But even that is said to be impossible to achieve for reasons so far not particularly well explained. I.e. this requirement is purely technical and has nothing to do with official identities etc. It simply requires CAs to keep track of its own subjects and not issue ambigious DNs or resissue already used DNs. Involves IMO no politics or magic, just plain engineering. If resolved it affects things like cert compares. Anders Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA01620 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 10:52:19 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <34W5H6P3>; Fri, 14 Jul 2000 13:53:56 -0400 Message-ID: <ED026032A3FCD211AEDA00105A9C4696016E584E@sothmxs05.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'d.w.chadwick@salford.ac.uk'" <d.w.chadwick@salford.ac.uk>, ietf-pkix@imc.org, Sean Mullan <sean.mullan@sun.com> Subject: RE: Reverse paths Date: Fri, 14 Jul 2000 13:52:33 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" The forward element would be populated in the CA entry of the subject of the cross-certificate and the reverse element would be populated in the CA entry of the issuer of the cross-certificate. The only difference between what is specified in the LDAPv2 schema and this proposal is that issuer must populate the reverse element of its own entry. In the LDAPv2 schema, ONLY the subject CA's entry needed to contain the cross-certificate. I'm certainly not advocating requiring bilateral cross-certification, and I don't think Sean is either. Cheers Sharon > -----Original Message----- > From: David Chadwick [mailto:d.w.chadwick@salford.ac.uk] > Sent: Friday, July 14, 2000 11:32 AM > To: ietf-pkix@imc.org; Sean Mullan; Sharon Boeyen > Subject: RE: Reverse paths > > > Sharon, > > > I would like to support Sean's request that for the LDAPv3 schema we > > consider making the reverse element mandatory along with the forward > > element. This would be a great step forward in supporting > > interoperability among PKI products and services and, since it does > > not impact existing LDAPv2 systems, > > > > doesn't cause those previously deployed systems to be > non-conformant. > > > > With both elements mandatory, regardless of the direction > the path is > > being built, the certificate using system will be able to locate the > > information it seeks. > > How do we handle one-way cross certification where CA A trusts > CA B but not vice versa. In this case either the forward or reverse > path might be missing (depending upon which side you are coming > from). > > David > > > > *************************************************** > > David Chadwick > IS Institute, University of Salford, Salford M5 4WT > Tel +44 161 295 5351 Fax +44 161 745 8169 > Mobile +44 790 167 0359 > Email D.W.Chadwick@salford.ac.uk > Home Page http://www.salford.ac.uk/its024/chadwick.htm > Understanding X.500 http://www.salford.ac.uk/its024/X500.htm > X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm > Entrust key validation string MLJ9-DU5T-HV8J > > *************************************************** > Received: from e4.ny.us.ibm.com (e4.ny.us.ibm.com [32.97.182.104]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA01329 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 10:42:12 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e4.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id NAA90616; Fri, 14 Jul 2000 13:44:21 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id NAA14792; Fri, 14 Jul 2000 13:44:17 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 8525691C.00616FA5 ; Fri, 14 Jul 2000 13:44:15 -0400 X-Lotus-FromDomain: IBMUS To: Paul Halliden <PHalliden@baltimore.com> cc: Stefan Santesson <stefan@accurata.se>, Anders Rundgren <anders.rundgren@telia.com>, IETF-PXIX <ietf-pkix@imc.org> Message-ID: <8525691C.00616DF0.00@D51MTA04.pok.ibm.com> Date: Fri, 14 Jul 2000 13:44:10 -0400 Subject: RE: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Responses below. I think you might want to read draft-ietf-pkix-pi-00.txt. I do understand, and I hope that most of the WG does as well, that there is principled political resistance in the USA and several other countries to the existence of a national ID number, and that no such number is likely to come into existence in those countries. The PI draft is intended to give RP's what they need to identify or distinguish subjects without trying to create such a number in countries where it is not wanted. Tom Gindin Paul Halliden <PHalliden@baltimore.com> on 07/14/2000 01:02:29 PM To: Tom Gindin/Watson/IBM@IBMUS, Stefan Santesson <stefan@accurata.se> cc: Anders Rundgren <anders.rundgren@telia.com>, IETF-PXIX <ietf-pkix@imc.org> Subject: RE: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Tom > In fact, X.509v3 section 11.2 has a note which >states "a certification authority shall not issue certificates for two >users with the same name", > This is not the point at dispute. The QC text used to have an additional requirement that a QC contained "an unmistakable identity ... which ... relates to a specific entity." It also contained the concept of "a corresponding officially registered identity". [Tom Gindin] There are several points at dispute. Stefan explicitly questioned the "requirement that 2 physical persons never can have the same DN". The contentious point is that this requirement has been dropped. the reason is that, in some jurisdictions there is simply no support for the "unmistakable" concept. Thus the subject name can be unique within the CA's name space. There is still a potential for mistaking that identity with someone else not registered by the CA. There is also ambiguity as to whether two different names in the same space refer to the same physical person - especially over time when a lot of the evidence supporting identity (address, appearance, etc) can change. In some countries, you can address this issue by, e.g. referring to some unique national identity number. In others, such as the UK and USA there is no such thing. [Tom Gindin] I actually do know something about this issue. Have you read the Permanent Identifier draft which Denis Pinkas and I wrote? In it, an individual may be identified by an ID issued by any assignment authority, which does NOT have to be a government agency. Regards Paul Halliden Received: from stonewall.baltimore.com ([195.152.140.4]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id KAA00614 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 10:00:39 -0700 (PDT) Message-ID: <61922E6DA745D311A42000508B2CFD14B967EB@baltimore.com> From: Paul Halliden <PHalliden@baltimore.com> To: "'tgindin@us.ibm.com'" <tgindin@us.ibm.com>, Stefan Santesson <stefan@accurata.se> Cc: Anders Rundgren <anders.rundgren@telia.com>, IETF-PXIX <ietf-pkix@imc.org> Subject: RE: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 14 Jul 2000 18:02:29 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Tom > In fact, X.509v3 section 11.2 has a note which >states "a certification authority shall not issue certificates for two >users with the same name", > This is not the point at dispute. The QC text used to have an additional requirement that a QC contained "an unmistakable identity ... which ... relates to a specific entity." It also contained the concept of "a corresponding officially registered identity". The contentious point is that this requirement has been dropped. the reason is that, in some jurisdictions there is simply no support for the "unmistakable" concept. Thus the subject name can be unique within the CA's name space. There is still a potential for mistaking that identity with someone else not registered by the CA. There is also ambiguity as to whether two different names in the same space refer to the same physical person - especially over time when a lot of the evidence supporting identity (address, appearance, etc) can change. In some countries, you can address this issue by, e.g. referring to some unique national identity number. In others, such as the UK and USA there is no such thing. Regards Paul Halliden Received: from e3.ny.us.ibm.com (e3.ny.us.ibm.com [32.97.182.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA29914 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 09:33:12 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e3.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id MAA79470; Fri, 14 Jul 2000 12:35:20 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id MAA180236; Fri, 14 Jul 2000 12:35:17 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 8525691C.005B1AD1 ; Fri, 14 Jul 2000 12:35:06 -0400 X-Lotus-FromDomain: IBMUS To: Stefan Santesson <stefan@accurata.se> cc: Anders Rundgren <anders.rundgren@telia.com>, IETF-PXIX <ietf-pkix@imc.org> Message-ID: <8525691C.005B16F9.00@D51MTA04.pok.ibm.com> Date: Fri, 14 Jul 2000 12:34:54 -0400 Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Is it not a technical requirement that the combination of the subject name and the subject alternate name (at a minimum) be different if the individuals are different? In fact, X.509v3 section 11.2 has a note which states "a certification authority shall not issue certificates for two users with the same name", and this note is reproduced in X.509v4 section 7.2. I don't think that QC's have a lesser requirement along these lines than ordinary PKC's. My own view is that this requirement should be interpreted as including a Subject Alternate Name extension as part of the name, at least when the extension is critical. However, this point is open to debate. Tom Gindin Stefan Santesson <stefan@accurata.se> on 07/14/2000 08:17:09 AM To: Anders Rundgren <anders.rundgren@telia.com>, IETF-PXIX <ietf-pkix@imc.org> cc: Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Anders, The "technical profile" specify what attributes to use, what type of information to put in them and also states technical uniqueness requirements. The technical uniqueness requirement from RFC 2459 stands. The requirement that 2 physical persons never can have the same DN, is to go beyond a technical uniqueness concept. I tried to have a "functional" requirement in there (the unmistakable identity requirement), but got the whole European ETSI group against me saying that such requirement, regardless how desirable it might be, can't be 100% globally accomplished in a practical world (in all countries). We must recognize that the real world have a context factor that we never can capture in a technical standard. Last IETF/PKIX meeting decided that Denis "Permanent Identifier" topic should be advanced in a separate work item to be merged later, if successful, with RFC 2459 or the QC profile. That work has first to prove that you can make a useful "technical" definition of the uniquness requirement in "permanent identifiers", which still remains to be done. /Stefan At 12:49 2000-07-14 +0200, you wrote: ><snip> > >Denis wrote: > > >> >In order to make the text unambiguous it is important to say that: "The > >> DN MUST be unique for > >> >each subject entity certified by the one CA as defined by the issuer > >> name field during the whole > >> >life time of the CA, i.e. two different living human beings cannot have > >> the same DN." > > >Stefan responded: > > >I agree that this is a good practice. There are however limitations on how > >far you can make requirements on practice in a technical profile. > > >QC is not 2459. QC is supposed to support legal systems and MARKET needs. >For a CA that adhere to the word "Qualified" this is not a hard thing to >require. >It is anyway obliged to keep track of its subjects. So what is the >problem???? > >Without restrictions on DNs QC is IMO redundant. With the restriction >requested by Denis >you got a useful product (sorry - "techical profile" if that feels better). > >May I kindly ask potential issuers of QCs to either stand by this statement or >not? > >Anders Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA27956 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 09:12:23 -0700 (PDT) Received: from mega (t3o69p3.telia.com [62.20.145.3]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id SAA29670; Fri, 14 Jul 2000 18:14:20 +0200 (CEST) Message-ID: <002b01bfedb6$d3fac100$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Paul Koning" <pkoning@xedia.com>, <PHalliden@baltimore.com>, <Denis.Pinkas@bull.net>, <stefan@accurata.se>, <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 14 Jul 2000 19:13:26 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id JAA27957 Paul K (not to be confused with Paul H :-)), <snip> > Anders> Pardon me but I don't get it. If my statement about ETSI is > Anders> correct the whole idea of certification is flawed but you say > Anders> my statement is incorrect. IMO that means that the > Anders> adminstration DO know their subjects which you claim they > Anders> don't for liberty reasons. > >Actually, no. For one thing, in the USA there are no "subjects". But >even if you mean "citizens", the administration doesn't know them >all. There are plenty of ways to become known to the various >administrations (get a driver's license, register to vote, etc.) but >those various registries aren't necessarily tied together, the names >used aren't necessarily the same, and you aren't under legal >compulsion to do any of these things if you can put up with the >inconvenience of not doing so. And for the very same reasons there will probably never be a single national US CA issuing QCs. But there will be local, commercial, and private US QC CAs who will have RAs that in some way make sure that the same identity (DN) is not given to two subjects/citizens! A solution to the obvious non-consensus situation is that you make different QC policy IDs that sets the "quality level" and then let the market decide and enable RP software to be automated. Anders Received: from Newman.GSC.GTE.Com (SYSTEM@NS0.GDGSC.Com [192.160.62.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA26222 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 08:52:30 -0700 (PDT) Received: from gscex01.gsc.gte.com ("port 1894"@gscex01.ndhm.gsc.gte.com [155.95.162.170]) by Newman.GSC.GTE.Com (PMDF V5.2-30 #38015) with ESMTP id <01JRR8OBXB22001R3H@Newman.GSC.GTE.Com> for ietf-pkix@imc.org; Fri, 14 Jul 2000 11:54:35 -0400 (EDT) Received: by GSCEX01.gsc.gte.com with Internet Mail Service (5.5.2448.0) id <3L3TH0J9>; Fri, 14 Jul 2000 11:54:33 -0400 Content-return: allowed Date: Fri, 14 Jul 2000 11:54:25 -0400 From: "Heimberg, Jim" <Jim.Heimberg@GD-CS.COM> Subject: RE: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt To: "'Paul Koning'" <pkoning@xedia.com>, anders.rundgren@telia.com Cc: PHalliden@baltimore.com, Denis.Pinkas@bull.net, stefan@accurata.se, ietf-pkix@imc.org Message-id: <2575327B6755D211A0E100805F9FF954050804B3@ndhmex02.ndhm.gsc.gte.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-type: text/plain; charset="iso-8859-1" OK, maybe my meager mind is confused, this being Friday and all. I can't refrain from asking the obvious question. Is there confusion between what a distinguished name is and what a common name is. Since the DN is a contatenation of the common name and the domain path to it in the common directory structure for that domain, I have trouble envisioning DNs that are not unique unless there is a plan afoot to create duplicate domains using the same domain names. ??? Jim -----Original Message----- From: Paul Koning [mailto:pkoning@xedia.com] Sent: Friday, July 14, 2000 11:47 AM To: anders.rundgren@telia.com Cc: PHalliden@baltimore.com; Denis.Pinkas@bull.net; stefan@accurata.se; ietf-pkix@imc.org Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt >>>>> "Anders" == Anders Rundgren <anders.rundgren@telia.com> writes: Anders> Paul, <snip> >>> I assume that the ETSI group means that CA/RAs in some countries >>> can't keep track of the people they certify. >>> >> No! In law and administration of some countries, there is no >> concept of "unmistakable identity". I was taught that this is >> deliberate policy in protection of civil liberties. The principle >> is that, if an administration has control over an unmistakable >> identity Anders> Pardon me but I don't get it. If my statement about ETSI is Anders> correct the whole idea of certification is flawed but you say Anders> my statement is incorrect. IMO that means that the Anders> adminstration DO know their subjects which you claim they Anders> don't for liberty reasons. Actually, no. For one thing, in the USA there are no "subjects". But even if you mean "citizens", the administration doesn't know them all. There are plenty of ways to become known to the various administrations (get a driver's license, register to vote, etc.) but those various registries aren't necessarily tied together, the names used aren't necessarily the same, and you aren't under legal compulsion to do any of these things if you can put up with the inconvenience of not doing so. In particular -- and we've been through this before in detail many months ago -- the whole concept of unmistakable identity doesn't work in the USA. There isn't any central registry of identities, and names aren't immutable. paul Received: from dfw7-1.relay.mail.uu.net (dfw7-1.relay.mail.uu.net [199.171.54.106]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA25532 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 08:44:44 -0700 (PDT) Received: from xedia.com by dfw7sosrv11.alter.net with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQixvb11630; Fri, 14 Jul 2000 15:46:40 GMT Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA24441; Fri, 14 Jul 00 11:42:46 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id LAA05898; Fri, 14 Jul 2000 11:46:37 -0400 From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <14703.13789.171267.456032@xedia.com> Date: Fri, 14 Jul 2000 11:46:37 -0400 (EDT) To: anders.rundgren@telia.com Cc: PHalliden@baltimore.com, Denis.Pinkas@bull.net, stefan@accurata.se, ietf-pkix@imc.org Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt References: <003601bfedb0$3740bdc0$0201a8c0@mega.vincent.se> X-Mailer: VM 6.72 under 21.1 (patch 9) "Canyonlands" XEmacs Lucid >>>>> "Anders" == Anders Rundgren <anders.rundgren@telia.com> writes: Anders> Paul, <snip> >>> I assume that the ETSI group means that CA/RAs in some countries >>> can't keep track of the people they certify. >>> >> No! In law and administration of some countries, there is no >> concept of "unmistakable identity". I was taught that this is >> deliberate policy in protection of civil liberties. The principle >> is that, if an administration has control over an unmistakable >> identity Anders> Pardon me but I don't get it. If my statement about ETSI is Anders> correct the whole idea of certification is flawed but you say Anders> my statement is incorrect. IMO that means that the Anders> adminstration DO know their subjects which you claim they Anders> don't for liberty reasons. Actually, no. For one thing, in the USA there are no "subjects". But even if you mean "citizens", the administration doesn't know them all. There are plenty of ways to become known to the various administrations (get a driver's license, register to vote, etc.) but those various registries aren't necessarily tied together, the names used aren't necessarily the same, and you aren't under legal compulsion to do any of these things if you can put up with the inconvenience of not doing so. In particular -- and we've been through this before in detail many months ago -- the whole concept of unmistakable identity doesn't work in the USA. There isn't any central registry of identities, and names aren't immutable. paul Received: from mta03-svc.ntlworld.com (mta03-svc.ntlworld.com [62.253.162.43]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA24338 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 08:31:53 -0700 (PDT) Received: from dwc-acer ([62.252.108.177]) by mta03-svc.ntlworld.com (InterMail vM.4.01.02.27 201-229-119-110) with ESMTP id <20000714153359.HAW16423.mta03-svc.ntlworld.com@dwc-acer>; Fri, 14 Jul 2000 16:33:59 +0100 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: ietf-pkix@imc.org, Sean Mullan <sean.mullan@sun.com>, Sharon Boeyen <sharon.boeyen@entrust.com> Date: Fri, 14 Jul 2000 16:32:23 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: RE: Reverse paths Reply-to: d.w.chadwick@salford.ac.uk Message-ID: <396F4097.21137.DDAC2CB@localhost> Priority: normal In-reply-to: <ED026032A3FCD211AEDA00105A9C4696016E584C@sothmxs05.entrust.com> X-mailer: Pegasus Mail for Win32 (v3.12c) Sharon, > I would like to support Sean's request that for the LDAPv3 schema we > consider making the reverse element mandatory along with the forward > element. This would be a great step forward in supporting > interoperability among PKI products and services and, since it does > not impact existing LDAPv2 systems, > > doesn't cause those previously deployed systems to be non-conformant. > > With both elements mandatory, regardless of the direction the path is > being built, the certificate using system will be able to locate the > information it seeks. How do we handle one-way cross certification where CA A trusts CA B but not vice versa. In this case either the forward or reverse path might be missing (depending upon which side you are coming from). David > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA23374 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 08:25:06 -0700 (PDT) Received: from mega (t3o69p46.telia.com [62.20.145.46]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id RAA02170; Fri, 14 Jul 2000 17:26:59 +0200 (CEST) Message-ID: <003601bfedb0$3740bdc0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Paul Halliden" <PHalliden@baltimore.com>, "Denis Pinkas" <Denis.Pinkas@bull.net>, "Stefan Santesson" <stefan@accurata.se>, "IETF-PXIX" <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 14 Jul 2000 18:26:06 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id IAA23376 Paul, <snip> >>I assume that the ETSI group means that CA/RAs in some >>countries can't keep track of the people they certify. >> >No! In law and administration of some countries, there is no concept of >"unmistakable identity". I was taught that this is deliberate policy in >protection of civil liberties. The principle is that, if an administration >has control over an unmistakable identity Pardon me but I don't get it. If my statement about ETSI is correct the whole idea of certification is flawed but you say my statement is incorrect. IMO that means that the adminstration DO know their subjects which you claim they don't for liberty reasons. Note: We are NOT talking about social security numbers. That's another issue. <snip> >>How useful are legally binding signatures under such circumstances? >We have managed to have legally effective signatures for over 1000 years >under such circumstances - so quite useful I guess. But in the older days you did not met millions of people on web and there where no CAs issuing certificates either. And they did not possess powerful databases capable of storing data about the entire terrestial population (which is in reach for a PC these days). Even in limited naming-domain like a typical school-class, you refer to "Mary M" and "Mary K" for very good reasons. Paul, maybe you could name a potential QC CA that wants to issue ambigious DNs??? Anders Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA21086 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 06:55:47 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <34W5HY1L>; Fri, 14 Jul 2000 09:57:23 -0400 Message-ID: <ED026032A3FCD211AEDA00105A9C4696016E584C@sothmxs05.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'d.w.chadwick@salford.ac.uk'" <d.w.chadwick@salford.ac.uk>, ietf-pkix@imc.org, Sean Mullan <sean.mullan@sun.com> Subject: RE: Reverse paths Date: Fri, 14 Jul 2000 09:56:00 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Hi David, The LDAPv2 schema discussion on this topic was an VERY lengthy debate. If you're feeling particularly masochistic, check out the pkix mail list archive covering about June - Oct of 1998 (but allow yourself plenty of time because there are probably several hundreds of messages on this and related topics during that time). The text that is in the PKIX LDAPv2 schema is the compromise that was agreed as a result of that disucssion. A couple of the major factors that I believe led to the decision to have reverse element optional were: a) A large deployment within the US Gov did not populate the reverse element and did not use the reverse element to develop paths. If we mandated population of the reverse element, we would have caused that deployment to be non-conformant. b) Back then, hierarchies were dominant and in hierarchies it is generally much more efficient to build paths from the subscriber cert to the root of the hierarchy, and in this trust model, the reverse element is not required. However, since 98 I think we've seen much greater support for the distributed trust model as well as for mixed mode environments where hierarchies are cross-certified through the distributed trust model. The US Federal Bridge CA project is an example. While I agree that the forward element is required, especially for the hierarchical trust model, I think this is an appropriate time to revisit the reverse element. While we need to maintain backward compatibility with the LDAPv2 schema, we don't necessarily need to be bound by the same restrictions. In a hierarchical trust model, there is no dispute that it is more efficient to build a path from the subscriber cert to the root. In a distributed trust model, I definitely agree with Sean that it is more efficient to build your path from the trust anchor toward the subscriber cert (pruning branches as you proceed). In a mixed environment, it may be most efficient to build from a subscriber cert to a hierarchical root and then build from the trust anchor toward that root, pruning as you go. I don't think we need to get into a discussion of what direction is most efficient though, because that would probably lead to an endless debate again. Instead I would suggest that we just recognize that some certificate using systems will, at times, build in one direction and some certificate using systems will, at times, build in the opposite direction. I would like to support Sean's request that for the LDAPv3 schema we consider making the reverse element mandatory along with the forward element. This would be a great step forward in supporting interoperability among PKI products and services and, since it does not impact existing LDAPv2 systems, doesn't cause those previously deployed systems to be non-conformant. With both elements mandatory, regardless of the direction the path is being built, the certificate using system will be able to locate the information it seeks. Sharon > -----Original Message----- > From: David Chadwick [mailto:d.w.chadwick@salford.ac.uk] > Sent: Thursday, July 13, 2000 10:27 AM > To: ietf-pkix@imc.org; Sean Mullan > Subject: Reverse paths > > > Date sent: Wed, 12 Jul 2000 19:40:47 +0100 > From: Sean Mullan <sean.mullan@sun.com> > To: d.w.chadwick@salford.ac.uk, > ietf-pkix@imc.org, ietf-ldapext@netscape.com > Subject: Re: I-D > ACTION:draft-ietf-pkix-ldap-schema-00.txt > > Sean > this thread should be opened up to the whole PKIX list. I am happy > to put this into the LDAPv3 schema if that is what is wanted, but > there must have been some earlier discussion as to why it is > optional and not mandatory. > David > > > > Building certification paths in a 'reverse' > > direction (from trust anchor to EE) is a valid way to build > > certification paths. However, RFC 2587 (PKIX LDAPv2 schema) > specifies > > that the storage of cross certificates in the reverse > component of the > > crossCertificatePair is optional. It is not possible to efficiently > > build a certification path in a 'reverse' direction unless the > > certificates are populated in the reverse component of the > > crossCertificatePair attribute. Specifying that this feature is > > optional makes it difficult to build paths in a reverse > direction in a > > trust model where lots of cross certificates and multiple > directories > > are involved and you don't know if the CAs support the optional > > storage. > > > > I would like to suggest that RFC 2587 be amended/updated > > to make storage of cross certificates in the reverse > component of the > > crossCertificatePair attribute mandatory. > > > > Thanks, > > Sean > > > > *************************************************** > > David Chadwick > IS Institute, University of Salford, Salford M5 4WT > Tel +44 161 295 5351 Fax +44 161 745 8169 > Mobile +44 790 167 0359 > Email D.W.Chadwick@salford.ac.uk > Home Page http://www.salford.ac.uk/its024/chadwick.htm > Understanding X.500 http://www.salford.ac.uk/its024/X500.htm > X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm > Entrust key validation string MLJ9-DU5T-HV8J > > *************************************************** > Received: from mail0.sibs.pt (mail0.sibs.pt [195.138.0.101]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA20692 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 06:48:12 -0700 (PDT) Received: (qmail 23048 invoked from network); 14 Jul 2000 13:42:38 -0000 Received: from unknown (HELO mail.sibs.pt) (172.17.0.2) by 172.16.0.3 with SMTP; 14 Jul 2000 13:42:38 -0000 Received: from edi.van ([194.117.48.12]) by mail.sibs.pt (Netscape Mail Server v2.02) with ESMTP id AAA28256 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 14:49:19 +0100 Received: from SIBSEX.sibs ([192.168.250.26]) by edi.van (8.8.2/8.8.2) with ESMTP id OAA15770 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 14:47:20 +0100 (PST) Received: by sibsex.sibs with Internet Mail Service (5.5.2448.0) id <3WPPFQ6H>; Fri, 14 Jul 2000 14:51:14 +0100 Message-ID: <63DA964A0E78D211B53E0008C7A4F56D014DC135@sibsex.sibs> From: Renato Portela <RPortela@sibs.mailcom.pt> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Date: Fri, 14 Jul 2000 14:51:11 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Hi, The X.509 and the RFC2459 both define a certificate but the asn.1 used to define it is different. Why are they different? The encoding result of those Certificates is equal? The RFC2560 import Certificate from AuthenticationFramework. Should I use that definition or the definition of Certificate in RFC2459? Thanks in advance Renato Portela Received: from stonewall.baltimore.com ([195.152.140.4]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA20267 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 06:33:06 -0700 (PDT) Message-ID: <61922E6DA745D311A42000508B2CFD14B967E6@baltimore.com> From: Paul Halliden <PHalliden@baltimore.com> To: "'Anders Rundgren'" <anders.rundgren@telia.com>, Denis Pinkas <Denis.Pinkas@bull.net>, Stefan Santesson <stefan@accurata.se>, IETF-PXIX <ietf-pkix@imc.org> Subject: RE: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 14 Jul 2000 14:35:02 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Anders <snip> >Could I maybe have the e-mail to one of those ETSI-morons? > Not very professional language :-( >I assume that the ETSI group means that CA/RAs in some >countries can't keep track of the people they certify. > No! In law and administration of some countries, there is no concept of "unmistakable identity". I was taught that this is deliberate policy in protection of civil liberties. The principle is that, if an administration has control over an unmistakable identity - they also have the undesirable ability to deny such an identity and therefore create non-people. Whether, in these days the threat is real or not, does not matter. The fact is that the concept of unmistakable identity does not exist and mandating it in a technical specification will not change that. There is, of course, nothing to stop those countries that do have the concept, making use of it. <snip> >How useful are legally binding signatures under such circumstances? > We have managed to have legally effective signatures for over 1000 years under such circumstances - so quite useful I guess. Regards Paul Halliden Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA19392 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 05:55:51 -0700 (PDT) Received: from mega (t5o69p114.telia.com [213.64.110.114]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id OAA27031; Fri, 14 Jul 2000 14:57:54 +0200 (CEST) Message-ID: <000a01bfed9b$633d78b0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net>, "Stefan Santesson" <stefan@accurata.se>, "IETF-PXIX" <ietf-pkix@imc.org> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 14 Jul 2000 15:57:02 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id FAA19397 Stefan, >The requirement that 2 physical persons never can have the same DN, is to >go beyond a technical uniqueness concept. > >I tried to have a "functional" requirement in there (the unmistakable >identity requirement), but got the whole European ETSI group against me You did? Could I maybe have the e-mail to one of those ETSI-morons? >saying that such requirement, regardless how desirable it might be, can't >be 100% globally accomplished in a practical world (in all countries). I assume that the ETSI group means that CA/RAs in some countires can't keep track of the people they certify. How useful are legally binding signatures under such circumstances? Because if a CA *can* keep track of people, the technical part is a no-issue as they can always add a disambiguiting element such as serialNumber. Note: w.o. turning to social security numbers or other politically sensitive actions... >Last IETF/PKIX meeting decided that Denis "Permanent Identifier" topic >should be advanced in a separate work item to be merged later, if >successful, with RFC 2459 or the QC profile. This is an entirely other issue as Permant Identifiers is a step up from requiring DNs to not be reissued as Permanent identifiers allows changing DNs while still linking to the same identity. Anders Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA17863 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 05:13:48 -0700 (PDT) Received: from santesson.accurata.se ([212.28.208.198]) by popmail.inbox.se (8.9.3/8.9.3) with ESMTP id OAA25846; Fri, 14 Jul 2000 14:15:52 +0200 Message-Id: <4.3.2.7.2.20000714140329.05c54950@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 14 Jul 2000 14:17:09 +0200 To: Anders Rundgren <anders.rundgren@telia.com>, IETF-PXIX <ietf-pkix@imc.org> From: Stefan Santesson <stefan@accurata.se> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt In-Reply-To: <006f01bfed81$30883460$0201a8c0@mega.vincent.se> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Anders, The "technical profile" specify what attributes to use, what type of information to put in them and also states technical uniqueness requirements. The technical uniqueness requirement from RFC 2459 stands. The requirement that 2 physical persons never can have the same DN, is to go beyond a technical uniqueness concept. I tried to have a "functional" requirement in there (the unmistakable identity requirement), but got the whole European ETSI group against me saying that such requirement, regardless how desirable it might be, can't be 100% globally accomplished in a practical world (in all countries). We must recognize that the real world have a context factor that we never can capture in a technical standard. Last IETF/PKIX meeting decided that Denis "Permanent Identifier" topic should be advanced in a separate work item to be merged later, if successful, with RFC 2459 or the QC profile. That work has first to prove that you can make a useful "technical" definition of the uniquness requirement in "permanent identifiers", which still remains to be done. /Stefan At 12:49 2000-07-14 +0200, you wrote: ><snip> > >Denis wrote: > > >> >In order to make the text unambiguous it is important to say that: "The > >> DN MUST be unique for > >> >each subject entity certified by the one CA as defined by the issuer > >> name field during the whole > >> >life time of the CA, i.e. two different living human beings cannot have > >> the same DN." > > >Stefan responded: > > >I agree that this is a good practice. There are however limitations on how > >far you can make requirements on practice in a technical profile. > > >QC is not 2459. QC is supposed to support legal systems and MARKET needs. >For a CA that adhere to the word "Qualified" this is not a hard thing to >require. >It is anyway obliged to keep track of its subjects. So what is the >problem???? > >Without restrictions on DNs QC is IMO redundant. With the restriction >requested by Denis >you got a useful product (sorry - "techical profile" if that feels better). > >May I kindly ask potential issuers of QCs to either stand by this statement or >not? > >Anders Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA16161 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 03:54:39 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA10813; Fri, 14 Jul 2000 06:56:45 -0400 (EDT) Message-Id: <200007141056.GAA10813@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-scvp-03.txt Date: Fri, 14 Jul 2000 06:56:45 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Simple Certificate Validation Protocol (SCVP) Author(s) : A. Malpani, P. Hoffman Filename : draft-ietf-pkix-scvp-03.txt Pages : Date : 13-Jul-00 The SCVP protocol allows a client to offload certificate handling to a server. The server can give a variety of valuable information about the certificate, such as whether or not the certificate is valid, a chain to a trusted root, and so on. SCVP has many purposes, including simplifying client implementations and allowing companies to centralize their trust and policy managment. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-scvp-03.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-scvp-03.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-scvp-03.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000713145852.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-scvp-03.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-scvp-03.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000713145852.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from sunheger1.nm.informatik.uni-muenchen.de (sunheger1.nm.informatik.uni-muenchen.de [129.187.214.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA15678 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 03:26:58 -0700 (PDT) Received: (from vogt@localhost) by sunheger1.nm.informatik.uni-muenchen.de (8.9.3+Sun/8.9.3) id MAA20947; Fri, 14 Jul 2000 12:26:45 +0200 (MET DST) Date: Fri, 14 Jul 2000 12:26:45 +0200 (MET DST) Message-Id: <200007141026.MAA20947@sunheger1.nm.informatik.uni-muenchen.de> From: USM 2000 Organization Committee <usm2000@informatik.uni-muenchen.de> To: usm2000@informatik.uni-muenchen.de Subject: USM 2000 Call for Participation [Please accept our apologies if you receive this mail more than once...] USM 2000 - Announcement and Call for Participation It is just another two months until the USM 2000 will take place here in Munich. Therefore, we want to invite you to join us and participate at the conference. The discounted, early bird registration rates are valid until August 1st. You can save 50 Euro! So don't wait - register today. Below you find more detailed information on the conference and the preliminary program. You also find all this information on our web server. In particular, you will find the registration forms there. WWW: http://usm2000.informatik.uni-muenchen.de/ Registration: http://usm2000.informatik.uni-muenchen.de/registration.shtml We are looking forward to seeing you! Best regards, Claudia Linnhoff-Popien and Heinz-Gerd Hegering ------------------------------------------ Prof. Dr. Claudia Linnhoff-Popien Institut fuer Informatik Ludwig-Maximilians-Universitaet Muenchen Oettingenstr. 67, D-80538 Muenchen Tel.: +49 (89) 2178 2149 (FAX: -2147) http://www.informatik.uni-muenchen.de mailto:linnhoff@informatik.uni-muenchen.de ----------------------------------------------------------------------------- 3rd IFIP/GI International Conference on Trends towards a Universal Service Market Munich, Germany September 12-14, 2000 sponsored and supported by International Federation for Information Processing (IFIP) Gesellschaft für Informatik e.V. (GI) Ludwig-Maximilians-Universität München (LMU) Leibniz-Rechenzentrum München (LRZ) BWM AG DG Bank Siemens AG Munich Network Management Team (MNM-Team) Redwood Technologies Ltd. Software-Offensive Bayern General Information USM 2000 is the third event in a series of international IFIP conferences on Trends in Distributed Systems. It continues TreDS'96, held in Aachen, Germany and TrEC'98 with special focus on Electronic Commerce in Hamburg, Germany. The technological progress in the internet and telecommunication domains as well as deregulation efforts of the telecommunication markets currently under way in many countries enable an integration of data and telecommunication. Distributed platforms get adapted to the needs of telecommunication networks. This leads to a global distributed system with millions of objects, running on top of middleware platforms and interacting with each other to provide services. USM 2000 brings together researchers, service vendors and users in the field of universal service markets. USM 2000 takes place in Munich, Germany, the city of the famous Oktoberfest, which will start two days after the conference on September 16, 2000. Topics The USM 2000 considers services of a universal market in relation to middleware, distributed applications and management. Areas of special interest include: Component Based Systems, Service Creation Service Market Models, Accounting and Customer Care Quality of Service for Distributed Applications Trading, Brokering and Information Management Management of Virtual Networks Service and Application Management Ubiquitous Services and Nomadic Computing Distributed and Mobile Objects Agent Technology for Integrated Management Advances in Middleware Architectures, e.g. CORBA, DCOM, Jini Telecommunication Architectures related to Distributed Systems USM 2000 Preliminary Program Tuesday 12 September 2000 09.30 - 10.00 Welcome Claudia Linnhoff-Popien / Heinz-Gerd Hegering Conference Chairs Prof. Dr. rer. nat. Axel Schenzle Prorector Ludwig-Maximilians-University (LMU) Munich 10.00 - 11.00 Invited Talk "Beyond the TINA lesson: distributed processing for integrated fixed and mobile communications" Dr Sebastiano Trigila Telecommunications Network Department at Fondazione Ugo Bordoni, Rome, Italy 11.00 - 11.30 Coffee Break 11.30 - 13.00 Session Electronic Auctions and Trading Chair: Lea Kutvonen, University of Helsinki, Finland "Market-Skilled Agents for Automating the Bandwidth Commerce" Monique Calisti, Boi Faltings, EPFL Lausanne, Switzerland Sandro Mazziotta, Swisscom AG, Bern, Switzerland "Integrating Trading and Load Balancing for Efficient Management of Services in Distributed Systems" Dirk Thißen, RWTH Aachen, Germany Helmut Neukirchen, Medical University of Lübeck, Germany "Mapping Enterprise Roles to CORBA Objects using Trader" Alistair Barros, Keith Duddy, Michael Lawley, Zoran Milosevic, Kerry Raymond, Andrew Wood, DSTC, Brisbane, Australia 13.00 - 14.30 Lunch Break 14.30 - 16.00 Session Internet-Based Service Markets Chair: Winfried Lamersdorf, University of Hamburg, Germany "A Scheme for Component Based Service Deployment" Steve Rudkin, Alan Smith, BT Laboratories, United Kingdom "Performance Modeling of a Service Provisioning Design" Mohamed El-Darieby, Jerome Rolia, Carleton University, Ottawa, Canada "Correlation DialTone - Building Internet-Based Distributed Event Correlation Services" Gabriel Jakobson, Girish Pathak, GTE Laboratories, Waltham, USA 16.00 - 16.30 Coffee Break 16.30 - 18.00 Poster Session Mobile Agents and Applications Chair: Otto Spaniol, RWTH Aachen, Germany "Towards Context-Aware User Modeling" Michael Samulowitz, Siemens AG, München, Germany "Context notification in mobile environment to find the right person in time" Cora Burger, University of Stuttgart, Germany "Automated Adaption for Mobile Computing Based on Mobile Agents" Thomas Springer, Alexander Schill, University of Technology, Dresden, Germany "How to Efficiently Deploy Mobile Agents for an Integrated Management" Steffen Lipperts, RWTH Aachen, Germany "A Scalable Location Aware Service Platform for Mobile Applications based on Java RMI" Olaf Droegehorn, Kirti Singh-Kurbel, Markus Franz, Roland Sorge, Rita Winkler, Klaus David, IHP GmbH, Frankfurt (Oder), Germany Wednesday 13 September 2000 09.00 - 10.00 Invited Talk "Quality of Service and Service Provisioning on a Competitive Market" Prof Dr Lambert J.M. Nieuwenhuis KPN Research/University Twente, Netherlands 10.00 - 10.30 Coffee Break 10.30 - 12.00 Session Quality of Service Chair: Gerd Schürmann, GMD FOKUS, Berlin, Germany "Programming Internet Quality of Service" John Vicente, Intel Corporation, USA Michael Kounavis, Daniel Villela, Columbia University, USA Michah Lerner, AT&T Labs, USA Andrew Campbell, Columbia University, USA "Monitoring Quality of Service across Organizational Boundaries" Rainer Hauck, Helmut Reiser, University of Munich, Germany "Automated Allocation of Multiprovider Service Demands" Monique Calisti, Boi Faltings, EPFL Lausanne, Switzerland 12.00 - 13.30 Lunch Break 13.30 - 15.00 Session Mobile and Distributed Services Chair: Axel Küpper, RWTH Aachen, Germany "A Vehicular Software Architecture Enabling Dynamic Alterability of Services Sets" Volker Feil, Ulrich Gemkow, University of Stuttgart, Germany Matthias Stümpfle, DaimlerChrysler AG, Stuttgart, Germany "JBSA: An Infrastructure for Seamless Mobile Systems Integration" Stefan Müller-Wilken, Winfried Lamersdorf, University of Hamburg, Germany "Mobtel - A Mobile Distributed Telemedical System for Application in the Neuropsychological Therapy" Hendrik Schulze, Klaus Irmscher, University of Leipzig, Germany 15.00 - 15.30 Coffee Break 15.30 - 17.00 Poster session Trends in Data- and Telecommunications Chair: Sebastian Abeck, University of Karlsruhe, Germany "Design-Aspects for the integration of CORBA-based Value Added Services and Intelligent Networks" Frank Imhoff, Marcos dos Santos Rocha, RWTH Aachen, Germany "Experiences Building a Service Execution Node for Distributed IN Systems" Menelaos K. Perdikeas, Fotis G. Chatzipapadopoulos, Iakovos S. Venieris, Nation Technical University of Athens, Greece "Leasing in a Market for Computing Capacity" Spyros Lalis, Alexandros Karipidis, University of Crete, Greece "Virtual Malls for Web Commerce: Observations and Case Study" Anton Nijholt University of Twente, Netherlands "A QoS Meta Model to Define a Generic Environment for QoS Management" Jérôme Daniel, Bruno Traverson, EDF Division R&D, Clamart, France Sylvie Vignes, ENST, Paris, France 17.00 - 17.30 Break 17.30 - Social Event Thursday 14 September 2000 09.00 - 10.00 Invited Talk "The TAO of Patterns - Understanding Middleware and Component Architectures" Michael Stal Siemens AG, München, Germany 10.00 - 10.30 Coffee Break 10.30 - 12.00 Session Middleware Architectures Chair: John Vicente, Intel Corporation, USA "Trade-offs in a Secure Jini Service Architecture" Peer Hasselmeyer, Roger Kehr, Marco Voß, University of Technology, Darmstadt, Germany "Loadable Smart Proxies and Native-Code Shipping for CORBA" Rainer Koster, Thorsten Kramp, University of Kaiserslautern, Germany "A Middleware Architecture for Scalable, QoS-Aware and Self-Organizing Global Services" Franz J. Hauck, Erich Meier, Ulrich Becker, Martin Geier, Uwe Rastofer, Martin Steckermeier, University of Erlangen-Nürnberg, Germany 12.00 - 13.30 Lunch Break 13.30 - 15.00 Session Service Management Chair: Bernhard Neumair, DeTeSystem, Munich, Germany "Fuzzy Modeling of Cooperative Service Management" Pradeep Ray, University of New South Wales, Sydney, Australia Seyed A. Shahrestani, University of Western Sydney, Australia "Customer Service Management: An Information Model for Communication Services" Michael Langer, Michael Nerb, Leibniz Supercomputing Center, Munich, Germany "Specification of a Service Management Architecture to Run Distributed and Networked Systems" Christian Mayerl, Zoltan Nochta, Markus Müller, Martin Schauer, Andreas Uremovic, Sebastian Abeck, University of Karlsruhe, Germany 15.00 - 15.15 Conclusions Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA15416 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 03:21:09 -0700 (PDT) Received: from ireserver.Ireland.Sun.COM ([129.156.220.7]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id DAA10503; Fri, 14 Jul 2000 03:23:11 -0700 (PDT) Received: from sun.com (boston [129.156.220.153]) by ireserver.Ireland.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.9) with ESMTP id LAA26570; Fri, 14 Jul 2000 11:23:10 +0100 (BST) Sender: Sean.Mullan@ireland.sun.com Message-ID: <396EEA0E.3B40642B@sun.com> Date: Fri, 14 Jul 2000 11:23:10 +0100 From: Sean Mullan <sean.mullan@sun.com> X-Mailer: Mozilla 4.51 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: d.w.chadwick@salford.ac.uk CC: ietf-pkix@imc.org, ietf-ldapext@netscape.com, Boeyen@entrust.com Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt References: <396DDA12.874.862330B@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David, David Chadwick wrote: > > Date sent: Wed, 12 Jul 2000 19:31:31 +0100 > From: Sean Mullan <sean.mullan@sun.com> > To: d.w.chadwick@salford.ac.uk > Copies to: ietf-pkix@imc.org, ietf-ldapext@netscape.com > Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt > > > Hi David, > > > > Some comments on the draft below. > > Sean, replies intersperced below > > > Section 3.2 Certificate Match > > > > I think the X.509 certificate matching rules are missing some > > essential and important fields in the certificateAssertion structure > > for filtering on certificates. We may want to consider defining a > > superset. I submitted these comments to the X.509 editors but > > apparently it was too late to integrate them into the 2000 update. > > > > * you should be able to match on more than one pathToName and on > > non-X500 > > name types. This is inconsistent with name constraints which allow > > you to constrain to more than one name and different name types. > > > > I agree that alternative name types should be allowed. But maybe it > is not necessary to have multiple names, since you can do several > Searches providing one name for each search (remember that the > name presented should be allowed to have a cert path created to it) Yes, but I think this is a bit more complex. I think ideally you should be able to define in one matching rule all the selection criteria for a certificate. So if a certificate contains more than one alt name, the matching rule should allow you to match on more than one alt name. For ex, in one search I would like to get all the certs issued by some DN that allow a path to be built to the subject altnames of "cn=mullan,o=sun,c=us" and "sean.mullan@sun.com". If I break this into 2 searches, I am likely to get duplicate certs or certs that allows paths to be built to one of the names but not both. Specifying 2 matching rules in one search would have similar problems. > How do we want to handle this: > i) issue a defect on X.509 (Sharon can you comment on this) > ii) let the LDAP matching rule be a superset of the X.509 one? > > I would favour the former route myself. I agree - if it doesn't take too long. > > * you should be able to match on more than the subject alt name > > type. > > Agreed. This is a lack of clarity in the ID. It is intended that the > whole name can be presented along with the type. The text is > ambiguous in this respect and I will fix it. It will also be clearer when > version 1 is published that contains BNF for each of the fields. > Steven Legg has been doing this for me. The X.509 certificateAssertion only allows you to match on the alt name type - that's the problem I was referring to - that should be fixed. > > You > > should also be able to match on the subject alt name itself, and > > specify more than one subject alt name as certificates can contain > > more than one. > > > > Concerning multiple names, I think this can be solved by performing > multiple searches with a single name in each search. See comment above why I think this is more complex. > > * you should be able to match on the subject public key as well as > > the subject public > > key algorithm OID. > > > > you can match on the subject key identifier (3rd component) but not the subject public key itself. > > * you should be able to match on the basic constraints extension, > > especially the > > maxPathLen value. This is useful for finding potential > > certificates when building certification paths from the target to > > the most-trusted CA. For ex, if a partial path has been built, any > > candidate certificate must have a maxPathLen value greater than or > > equal to the number of certificates in the partial path. > > > > Interestingly this has been defined for attribute certificates and not > pk certs. I actually think that the way matching for ACs has been > handled is far superior than for PKcerts. ie. a separate matching > rule for each extension, rather than one long complex rule for pk > certs. However, there would be nothing to stop an implementation > dynamically attaching the basicAttConstraintsMatch to public key certs. In > fact this matching rule could be renamed the basicConstraintsMatch > anyway as the syntax is the same for both ACs and PKCs. This is > my preferred approach. Sounds good but I think there might be an issue. What happens if you want to define a matching rule to only retrieve certs that contain a specific basic constraints value AND a certain issuer name? In this case, you would define 2 matching rules and specify both of them in the valuesReturnFilter control. But then you would get all certs with the requested issuer name and any basic constraints value and all certs with any issuer name and the requested basic constraints value. That's not what you wanted. I think we may want to enhance the valuesReturnFilter control (through a flag, perhaps) to allow the user to apply all of the elements of the filter to each attribute value. Let's discuss this more offline, if you like. > > I think it is very important to include the Certificate pair matching > > rules, as these are very useful when building certification paths and > > trying to discover which of many cross certificates satisfy various > > validation constraints, and eliminating those that do not. > > > > OK, this can be done. It is just time consuming and I wanted to > know if there was a demand first. > > > Other comments: > > > > * What RFC format are you using for the encoding of DNs - 1779? This > > should be referenced. > > It should be 2253 for LDAPv3. > > > > > Section 4.2 Certificate List Match > > > > There is an error in the CertificateListAssertion definition in X.509 > > 2000. The authorityKeyIdentifier component should be marked OPTIONAL. > > This probably doesn't affect your definition, but I just wanted to > > make you aware of it. > > Agreed, Sharon, can you make a note of this defect > > David > p.s. what do you think about Bruce's assertion that none of this is > needed and instead we should have a bunch of simple attributes in > the LDAP entry I'll have to go back and read Bruce's draft but I agree with your responses to Bruce in an earlier message. Comments later ... Thanks, Sean Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA11975 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 02:48:20 -0700 (PDT) Received: from mega (t4o69p113.telia.com [62.20.145.233]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id LAA25157; Fri, 14 Jul 2000 11:50:22 +0200 (CEST) Message-ID: <006f01bfed81$30883460$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Magnus (RSA)" <magnus@rsasecurity.com>, "IETF-PXIX" <ietf-pkix@imc.org>, "Denis" <Denis.Pinkas@bull.net>, "Stefan Santesson" <stefan@accurata.se> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 14 Jul 2000 12:49:29 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id CAA11976 <snip> Denis wrote: >> >In order to make the text unambiguous it is important to say that: "The >> DN MUST be unique for >> >each subject entity certified by the one CA as defined by the issuer >> name field during the whole >> >life time of the CA, i.e. two different living human beings cannot have >> the same DN." Stefan responded: >I agree that this is a good practice. There are however limitations on how >far you can make requirements on practice in a technical profile. QC is not 2459. QC is supposed to support legal systems and MARKET needs. For a CA that adhere to the word "Qualified" this is not a hard thing to require. It is anyway obliged to keep track of its subjects. So what is the problem???? Without restrictions on DNs QC is IMO redundant. With the restriction requested by Denis you got a useful product (sorry - "techical profile" if that feels better). May I kindly ask potential issuers of QCs to either stand by this statement or not? Anders Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA10879 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 02:19:52 -0700 (PDT) Received: from ireserver.Ireland.Sun.COM ([129.156.220.7]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id CAA21115; Fri, 14 Jul 2000 02:21:56 -0700 (PDT) Received: from sun.com (boston [129.156.220.153]) by ireserver.Ireland.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.9) with ESMTP id KAA10683; Fri, 14 Jul 2000 10:21:55 +0100 (BST) Sender: Sean.Mullan@ireland.sun.com Message-ID: <396EDBB3.9CA802E4@sun.com> Date: Fri, 14 Jul 2000 10:21:55 +0100 From: Sean Mullan <sean.mullan@sun.com> X-Mailer: Mozilla 4.51 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: Sean Turner <turners@ieca.com> CC: d.w.chadwick@salford.ac.uk, ietf-pkix@imc.org Subject: Re: Reverse paths References: <396DDFA7.1132.8780334@localhost> <396E4635.25C26806@ieca.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sean Turner wrote: > > Reverse path is building is a valid option, but I think the premise when we mandated the forward > element was to build the path from the EE cert up because you'd at a minimum have the signer's > certificate (or a pointer to it). You'd then verify down the chain you built. > > Sean - are you suggesting mandating the reverse element instead of the forward element or in > addition to it? In addition. Making it optional doesn't help much for those clients that need or want to build paths in the reverse direction. --Sean > > spt > > David Chadwick wrote: > > > Date sent: Wed, 12 Jul 2000 19:40:47 +0100 > > From: Sean Mullan <sean.mullan@sun.com> > > To: d.w.chadwick@salford.ac.uk, ietf-pkix@imc.org, ietf-ldapext@netscape.com > > Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt > > > > Sean > > this thread should be opened up to the whole PKIX list. I am happy > > to put this into the LDAPv3 schema if that is what is wanted, but > > there must have been some earlier discussion as to why it is > > optional and not mandatory. > > David > > > > > Building certification paths in a 'reverse' > > > direction (from trust anchor to EE) is a valid way to build > > > certification paths. However, RFC 2587 (PKIX LDAPv2 schema) specifies > > > that the storage of cross certificates in the reverse component of the > > > crossCertificatePair is optional. It is not possible to efficiently > > > build a certification path in a 'reverse' direction unless the > > > certificates are populated in the reverse component of the > > > crossCertificatePair attribute. Specifying that this feature is > > > optional makes it difficult to build paths in a reverse direction in a > > > trust model where lots of cross certificates and multiple directories > > > are involved and you don't know if the CAs support the optional > > > storage. > > > > > > I would like to suggest that RFC 2587 be amended/updated > > > to make storage of cross certificates in the reverse component of the > > > crossCertificatePair attribute mandatory. > > > > > > Thanks, > > > Sean > > > > > > > *************************************************** > > > > David Chadwick > > IS Institute, University of Salford, Salford M5 4WT > > Tel +44 161 295 5351 Fax +44 161 745 8169 > > Mobile +44 790 167 0359 > > Email D.W.Chadwick@salford.ac.uk > > Home Page http://www.salford.ac.uk/its024/chadwick.htm > > Understanding X.500 http://www.salford.ac.uk/its024/X500.htm > > X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm > > Entrust key validation string MLJ9-DU5T-HV8J > > > > *************************************************** -- ************************************************************ Sean Mullan Java Security & Networking http://java.sun.com/security Sun Microsystems tel: +353 1 819 9176 East Point Business Park fax: +353 1 819 9262 Dublin 3 mailto:sean.mullan@sun.com Ireland ************************************************************ Received: from popmail.inbox.se (popmail.inbox.se [193.12.72.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA10834 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 02:18:52 -0700 (PDT) Received: from santesson.accurata.se ([212.28.208.198]) by popmail.inbox.se (8.9.3/8.9.3) with ESMTP id LAA24528; Fri, 14 Jul 2000 11:20:46 +0200 Message-Id: <4.3.2.7.2.20000714104945.00c4d660@mail.accurata.se> X-Sender: mb517@mail.accurata.se X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 14 Jul 2000 11:22:03 +0200 To: "Anders Rundgren" <anders.rundgren@telia.com>, "Magnus (RSA)" <magnus@rsasecurity.com>, "IETF-PXIX" <ietf-pkix@imc.org>, "Denis" <Denis.Pinkas@bull.net> From: Stefan Santesson <stefan@accurata.se> Subject: Re: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt In-Reply-To: <002f01bfed6f$5ab4bbd0$0201a8c0@mega.vincent.se> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Anders, At 10:41 2000-07-14 +0200, Anders Rundgren wrote: >Denis, > ><snip> > > >In section 4.1.2.6 Subject, RFC 2459 states: "The DN MUST be unique for > each subject entity > >certified by the one CA as defined by the issuer name field." > > > >In order to make the text unambiguous it is important to say that: "The > DN MUST be unique for > >each subject entity certified by the one CA as defined by the issuer > name field during the whole > >life time of the CA, i.e. two different living human beings cannot have > the same DN." > > >That is definitely a Quality that QCs should have! I have already asked >about that zillions >of times with no comments so I guess the authors do not agree.... I agree that this is a good practice. There are however limitations on how far you can make requirements on practice in a technical profile. I think your requirement is more suitable in the applicable policy and in the national legislation within the country under which a CA is eastblished. ><snip> > > > >Section 4, Security considerations. The current text is as follows: > > >"Comparing two qualified certificates to determine if they represent > >the same physical entity may provide misleading results and should be > >performed with care." > > > >This sentence does not help. Replace by: > > > >"Comparing two qualified certificates, that contain different DNs, to > determine if they represent > > > >the same physical entity cannot be made." Well, this is not true. Comparison can certainly be made in many cases within a known context. What the current text implies is that you muste be careful and not compare names in contexts where comaprisons don't give the desired result. The definition of context is outside the scope of the technical standards work, causing this maby "odd" wording. If the wording is bad, then I suggest that you come up with some better wording. I'm sure that we can then uppgrade the process with this. At least on the way to draft standard. >This is of course correct but the interesting case is when DNs are >equal. But I assume >that you mean that you can ALWAYS count on the equality case due to the >guarantee that >a QC CA must never reissue a DN. Again. There are som contexts where comparison is both possible and useful. You just have to be careful (at least when creating the application comparing certificates) that you compare withing a working context. >Again, I really like this (and have myself requested this several times) >but this is also departs quite a bit from QC-4! > >IMO, the two issues mentioned are genuine MARKET REQUIREMENTS rather than >just "technicalities". > >Anders /Stefan Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA07833 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 00:40:45 -0700 (PDT) Received: from mega (t5o69p47.telia.com [213.64.110.47]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id JAA01592; Fri, 14 Jul 2000 09:42:38 +0200 (CEST) Message-ID: <002f01bfed6f$5ab4bbd0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Magnus (RSA)" <magnus@rsasecurity.com>, "Stefan Santesson" <stefan@accurata.se>, "IETF-PXIX" <ietf-pkix@imc.org>, "Denis" <Denis.Pinkas@bull.net> Subject: QC DN "qualities". Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 14 Jul 2000 10:41:46 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id AAA07834 Denis, <snip> >In section 4.1.2.6 Subject, RFC 2459 states: "The DN MUST be unique for each subject entity >certified by the one CA as defined by the issuer name field." > >In order to make the text unambiguous it is important to say that: "The DN MUST be unique for >each subject entity certified by the one CA as defined by the issuer name field during the whole >life time of the CA, i.e. two different living human beings cannot have the same DN." That is definitely a Quality that QCs should have! I have already asked about that zillions of times with no comments so I guess the authors do not agree.... <snip> >Section 4, Security considerations. The current text is as follows: >"Comparing two qualified certificates to determine if they represent >the same physical entity may provide misleading results and should be >performed with care." >This sentence does not help. Replace by: > >"Comparing two qualified certificates, that contain different DNs, to determine if they represent > >the same physical entity cannot be made." This is of course correct but the interesting case is when DNs are equal. But I assume that you mean that you can ALWAYS count on the equality case due to the guarantee that a QC CA must never reissue a DN. Again, I really like this (and have myself requested this several times) but this is also departs quite a bit from QC-4! IMO, the two issues mentioned are genuine MARKET REQUIREMENTS rather than just "technicalities". Anders Received: from janus.hosting4u.net (janus.hosting4u.net [209.15.2.37]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id AAA07219 for <ietf-pkix@imc.org>; Fri, 14 Jul 2000 00:16:36 -0700 (PDT) Received: (qmail 11278 invoked from network); 14 Jul 2000 07:18:30 -0000 Received: from taurus.hosting4u.net (209.15.2.33) by mail-gate.hosting4u.net with SMTP; 14 Jul 2000 07:18:30 -0000 Received: from nma.com ([63.204.17.82]) by taurus.hosting4u.net ; Fri, 14 Jul 2000 02:18:15 -0500 Message-ID: <396EBEB9.F8E7939A@nma.com> Date: Fri, 14 Jul 2000 00:18:17 -0700 From: Ed Gerck <egerck@nma.com> X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: denis.bider@denisbider.com CC: ietf-pkix@imc.org, Bob Jueneman <bjueneman@novell.com> Subject: indeed, was Re: Current signature formats insufficient References: <000001bfeb13$d25fe870$0201010a@intergalactic> Content-Type: multipart/alternative; boundary="------------7C245A30570FD376592A4B45" --------------7C245A30570FD376592A4B45 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit denis bider wrote: > It is my opinion that the following efforts need to be made: > - The current signature formats need to be extended so as to include > information about the extent to which the data being signed was verified by > the signer - or simply whether the signature can be interpreted as binding > or not. Indeed. Around September 1999 I made the same call in this WG, when PKIX was discussing non-repudiation concepts. To motivate a simple but already useful scenario, I suggested a second-order model for validity in four mutually-exclusive but mutually-neighboring levels. I also pointed out that we don't need new things for this -- we just to need to encode the already existing DS and NR bits in keyUsage somewhat more cleverly. This would easily provide space to encode four different levels of validity, in the four possible states of the DS (digital signature) and NR (nonrepudiation) bits in keyUsage. Let me extend and exemplify this approach, now that the need to define more signature attributtes begins to be felt more acutely. These four levels can be so summarized for the benefit of discussions here, as I posted to PKIX then (but now with the new two-letter acronyms UP/NP/RP/IP instead of what I used then: SYN/DS/POA/NR) in terms of a 4-level encoding using the DS and NR bits in keyUsage: Application DS NR Result ----------- ----- ----------------------------------------- signed object: 0 0 UP -- unknown presumption when signing 1 0 NP -- no presumption when signing 0 1 RP -- rebuttable presumption when signing 1 1 IP -- irrebuttable presumption when signing authenticated connection: 0 x no presumption of authentication 1 x rebuttable presumption of authentication Based on conversations I've had on and off of this list, including the DIGSIG list, it would be useful to examine these correspondences also to *induce* four levels of liability (as Bob Jueneman suggested, for example). And they can also be used to induce four levels of power, four levels of rights and four levels of duties. The cornerstone in this approach is the four levels of validity, as the basic yardstick which organizes the other decision spaces of liability, power, rights and duties. The whole discussion becomes more interesting when the third-order theory is used with 4^3 = 64 levels of validity, because then we can distinguish between the validity of the tangible object (called entity), the validity of the text (called reference) and the validity of the meaning (called sense), each one with four levels. But, for now, 4 levels suffice -- thus describing the object's validity as a whole. In this case, describing the signature's validity. It may be interesting to note also that these four levels are able to explain the hypothesis predicated in the null-theory model used in relational databases, which deals with *incomplete information* -- i.e., when the validity of information is not known with certainty (a very real-world problem). The idea followed in database theory was to use special values called "null values" as placeholders for information that is incomplete. And, lo and behold, they were found already in 1979 by E. F. Codd (the father of relational database theory) -- in three different types of null values, with the complete information itself being the fourth type in our classification of validity. Thus, based also on other examples from other areas, I consider these four validity types (as identification types) to be basic types in our grading and understanding of *information* -- and, therefore, a recurring theme in our use of information and incomplete information. The relationship between the four types considered in the null-theory approach in database theory, the four types of identification considered in the second-order theory (I-2) summarized here, the legal-based description of signature validity, and the two-letter certificate/signature validity label is: I-2 identification null-theory legal validity cert/sig D- Distinguished complete irrebuttable presumption IP A- Ambiguous one of many rebuttable presumption RP O- Obscure no specification no presumption NP F- Formless no-information unknown presumption UP To exemplify, using a text-book database case: 1. the first line corresponds to the middle name of "Franklin Delano Roosevelt", as he signed the Yalta Agreement -- it has 'complete information', the middle name is "Delano". The validity is Distinguished (i.e., unique and singular), there is 'irrebuttable presumption' of the validity of that middle name, and the the cert/sig label would be IP for that middle name in a signed message. 2. The second line corresponds to the middle name of "Winston Churchill", as he signed the Yalta Agreement without his middle name -- it has 'one of many' information because we know that Churchill was from a titled English family, so he most probably had a middle name. We just do not know which, out of the many possible and common in the UK. The validity is Ambiguous, there is 'rebuttable presumption' if we assume any middle name in a balance of probabilities, and the cert/sign label would be RP if any particular middle name is assumed in a signed message. 3. The third line corresponds to "Charles DeGaulle", as he signed the Yalta Agreement -- it has 'no specification' information because DeGaulle was French and would not use a middle name. So, we most probably expect DeGaulle not to have a middle name, which means that there would not exist a specifiable value for it. The validity is Obscure because the middle name is not specified as non-existent with certainty, even though we do not expect it to exist. There is 'no presumption' in a balance of probabilities if we assume any middle name, since a middle name is supposed not to exist. The cert/sign label would be NP if any particular middle name is assumed in a signed message. 4. The fourth line corresponds to "Joseph Stalin", as he signed the Yalta Agreement -- it has 'no-information' because nothing can be inferred for that middle name. Stalin was Georgian, so he probably had a patronymic as a middle name but might have abandoned it together with his original last name (Dzhugashvili). The validity is Formless because we do not know if the middle name exists but we cannot see it, or if it does not exist at all. There is 'unknown presumption' because it is unknown in a balance of probabilities whether a middle name exists or not. The cert/sign label would be UP if any particular middle name is assumed in a signed message. Other examples can be built, illustrating the concept. The grade of a student in a course, for example. If we know the grade, it corresponds to the first line D; if we know that the student took the exam but we do not know the grade yet, then we have the second line A; if we know that the student recently registered at the course, then we have the third line O; if we know that the course ended but we do not know whether the student stayed in the course until the exam, then we have the fourth line F. BTW, if keyUsage is (0,0,0,0,0,0,0,0) then this can be unambiguously assigned to UP, as it seems natural. Since UP is actually a neutral case (neither affirmative nor denial), the case for CA or CRL bits in keyUsage can be handled well with DS=NR=0 and can have the usual meanings. So, there seems to be a practical way to encode four different levels of validity for signatures, without breaking PKIX's current framework. We just need to break some new ground -- digital signatures are not simply binding or not. There are degrees of binding as well. And four seems to be a convenient number to start. Cheers, Ed Gerck --------------7C245A30570FD376592A4B45 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit <!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html> <tt></tt> <tt></tt> <p><tt>denis bider wrote:</tt> <blockquote TYPE=CITE><tt>It is my opinion that the following efforts need to be made:</tt> <br><tt> - The current signature formats need to be extended so as to include</tt> <br><tt>information about the extent to which the data being signed was verified by</tt> <br><tt>the signer - or simply whether the signature can be interpreted as binding</tt> <br><tt>or not.</tt></blockquote> <tt>Indeed.</tt><tt></tt> <p><tt>Around September 1999 I made the same call in this WG, when PKIX was</tt> <br><tt>discussing non-repudiation concepts. To motivate a simple but already</tt> <br><tt>useful scenario, I suggested a second-order model for validity in four</tt> <br><tt>mutually-exclusive but mutually-neighboring levels.</tt><tt></tt> <p><tt>I also pointed out that we don't need new things for this -- we just to</tt> <br><tt>need to encode the already existing DS and NR bits in keyUsage somewhat</tt> <br><tt>more cleverly. This would easily provide space to encode four different</tt> <br><tt>levels of validity, in the four possible states of the DS (digital</tt> <br><tt>signature) and NR (nonrepudiation) bits in keyUsage.</tt><tt></tt> <p><tt>Let me extend and exemplify this approach, now that the need to define</tt> <br><tt>more signature attributtes begins to be felt more acutely. These four</tt> <br><tt>levels can be so summarized for the benefit of discussions here, as I</tt> <br><tt>posted to PKIX then (but now with the new two-letter acronyms UP/NP/RP/IP</tt> <br><tt>instead of what I used then: SYN/DS/POA/NR) in terms of a 4-level encoding</tt> <br><tt>using the DS and NR bits in keyUsage:</tt><tt></tt> <p><tt>Application DS NR Result</tt> <br><tt>----------- ----- -----------------------------------------</tt> <br><tt>signed object: 0 0 UP -- unknown presumption when signing</tt> <br><tt> 1 0 NP -- no presumption when signing</tt> <br><tt> 0 1 RP -- rebuttable presumption when signing</tt> <br><tt> 1 1 IP -- irrebuttable presumption when signing</tt> <br><tt>authenticated</tt> <br><tt>connection: 0 x no presumption of authentication</tt> <br><tt> 1 x rebuttable presumption of authentication</tt> <br><tt></tt> <tt></tt> <p><tt>Based on conversations I've had on and off of this list, including the</tt> <br><tt>DIGSIG list, it would be useful to examine these correspondences also</tt> <br><tt>to *induce* four levels of liability (as Bob Jueneman suggested, for</tt> <br><tt>example). And they can also be used to induce four levels of power, four</tt> <br><tt>levels of rights and four levels of duties.</tt><tt></tt> <p><tt>The cornerstone in this approach is the four levels of validity, as the</tt> <br><tt>basic yardstick which organizes the other decision spaces of liability,</tt> <br><tt>power, rights and duties.</tt><tt></tt> <p><tt>The whole discussion becomes more interesting when the third-order theory</tt> <br><tt>is used with 4^3 = 64 levels of validity, because then we can distinguish</tt> <br><tt>between the validity of the tangible object (called entity), the validity</tt> <br><tt>of the text (called reference) and the validity of the meaning (called</tt> <br><tt>sense), each one with four levels. But, for now, 4 levels suffice -- thus</tt> <br><tt>describing the object's validity as a whole. In this case, describing</tt> <br><tt>the signature's validity.</tt><tt></tt> <p><tt>It may be interesting to note also that these four levels are able to</tt> <br><tt>explain the hypothesis predicated in the null-theory model used in</tt> <br><tt>relational databases, which deals with *incomplete information* --</tt> <br><tt>i.e., when the validity of information is not known with certainty</tt> <br><tt>(a very real-world problem). The idea followed in database theory was</tt> <br><tt>to use special values called "null values" as placeholders for information</tt> <br><tt>that is incomplete. And, lo and behold, they were found already in 1979</tt> <br><tt>by E. F. Codd (the father of relational database theory) -- in three</tt> <br><tt>different types of null values, with the complete information itself</tt> <br><tt>being the fourth type in our classification of validity. Thus, based</tt> <br><tt>also on other examples from other areas, I consider these four validity</tt> <br><tt>types (as identification types) to be basic types in our grading and</tt> <br><tt>understanding of *information* -- and, therefore, a recurring theme</tt> <br><tt>in our use of information and incomplete information.</tt><tt></tt> <p><tt>The relationship between the four types considered in the null-theory</tt> <br><tt>approach in database theory, the four types of identification considered</tt> <br><tt>in the second-order theory (I-2) summarized here, the legal-based</tt> <br><tt>description of signature validity, and the two-letter</tt> <br><tt>certificate/signature validity label is:</tt><tt></tt> <p><tt>I-2 identification null-theory legal validity cert/sig</tt><tt></tt> <p><tt>D- Distinguished complete irrebuttable presumption IP</tt> <br><tt>A- Ambiguous one of many rebuttable presumption RP</tt> <br><tt>O- Obscure no specification no presumption NP</tt> <br><tt>F- Formless no-information unknown presumption UP</tt><tt></tt> <p><tt>To exemplify, using a text-book database case:</tt><tt></tt> <p><tt>1. the first line corresponds to the middle name of "Franklin Delano</tt> <br><tt>Roosevelt", as he signed the Yalta Agreement -- it has 'complete</tt> <br><tt>information', the middle name is "Delano". The validity is</tt> <br><tt>Distinguished (i.e., unique and singular), there is 'irrebuttable</tt> <br><tt>presumption' of the validity of that middle name, and the the</tt> <br><tt>cert/sig label would be IP for that middle name in a signed message.</tt><tt></tt> <p><tt>2. The second line corresponds to the middle name of "Winston</tt> <br><tt>Churchill", as he signed the Yalta Agreement without his middle</tt> <br><tt>name -- it has 'one of many' information because we know that</tt> <br><tt>Churchill was from a titled English family, so he most probably had</tt> <br><tt>a middle name. We just do not know which, out of the many possible</tt> <br><tt>and common in the UK. The validity is Ambiguous, there is 'rebuttable</tt> <br><tt>presumption' if we assume any middle name in a balance of probabilities,</tt> <br><tt>and the cert/sign label would be RP if any particular middle name is</tt> <br><tt>assumed in a signed message.</tt><tt></tt> <p><tt>3. The third line corresponds to "Charles DeGaulle", as he</tt> <br><tt>signed the Yalta Agreement -- it has 'no specification'</tt> <br><tt>information because DeGaulle was French and would not use a</tt> <br><tt>middle name. So, we most probably expect DeGaulle not to have</tt> <br><tt>a middle name, which means that there would not exist a specifiable</tt> <br><tt>value for it. The validity is Obscure because the middle name is</tt> <br><tt>not specified as non-existent with certainty, even though we</tt> <br><tt>do not expect it to exist. There is 'no presumption' in a balance</tt> <br><tt>of probabilities if we assume any middle name, since a middle</tt> <br><tt>name is supposed not to exist. The cert/sign label would be NP</tt> <br><tt>if any particular middle name is assumed in a signed message.</tt><tt></tt> <p><tt>4. The fourth line corresponds to "Joseph Stalin", as he</tt> <br><tt>signed the Yalta Agreement -- it has 'no-information'</tt> <br><tt>because nothing can be inferred for that middle name. Stalin</tt> <br><tt>was Georgian, so he probably had a patronymic as a middle</tt> <br><tt>name but might have abandoned it together with his original</tt> <br><tt>last name (Dzhugashvili). The validity is Formless because</tt> <br><tt>we do not know if the middle name exists but we cannot see</tt> <br><tt>it, or if it does not exist at all. There is 'unknown presumption'</tt> <br><tt>because it is unknown in a balance of probabilities whether</tt> <br><tt>a middle name exists or not. The cert/sign label would be</tt> <br><tt>UP if any particular middle name is assumed in a signed</tt> <br><tt>message.</tt><tt></tt> <p><tt>Other examples can be built, illustrating the concept. The grade</tt> <br><tt>of a student in a course, for example. If we know the grade, it</tt> <br><tt>corresponds to the first line D; if we know that the student took the</tt> <br><tt>exam but we do not know the grade yet, then we have the second line A;</tt> <br><tt>if we know that the student recently registered at the course, then</tt> <br><tt>we have the third line O; if we know that the course ended but we do</tt> <br><tt>not know whether the student stayed in the course until the exam,</tt> <br><tt>then we have the fourth line F.</tt><tt></tt> <p><tt>BTW, if keyUsage is (0,0,0,0,0,0,0,0) then this can be unambiguously</tt> <br><tt>assigned to UP, as it seems natural. Since UP is actually a neutral case</tt> <br><tt>(neither affirmative nor denial), the case for CA or CRL bits in</tt> <br><tt>keyUsage can be handled well with DS=NR=0 and can have the usual meanings.</tt><tt></tt> <p><tt>So, there seems to be a practical way to encode four different levels of</tt> <br><tt>validity for signatures, without breaking PKIX's current framework. We</tt> <br><tt>just need to break some new ground -- digital signatures are not simply</tt> <br><tt>binding or not. There are degrees of binding as well. And four seems to</tt> <br><tt>be a convenient number to start.</tt><tt></tt> <p><tt>Cheers,</tt><tt></tt> <p><tt>Ed Gerck</tt></html> --------------7C245A30570FD376592A4B45-- Received: from smtp-out1.bellatlantic.net (smtp-out1.bellatlantic.net [199.45.39.156]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA10849 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 15:44:13 -0700 (PDT) Received: from ieca.com (adsl-151-200-26-46.bellatlantic.net [151.200.26.46]) by smtp-out1.bellatlantic.net (8.9.1/8.9.1) with ESMTP id SAA11392; Thu, 13 Jul 2000 18:46:00 -0400 (EDT) Message-ID: <396E4635.25C26806@ieca.com> Date: Thu, 13 Jul 2000 18:44:05 -0400 From: Sean Turner <turners@ieca.com> Organization: IECA, Inc. X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: d.w.chadwick@salford.ac.uk, Sean Mullan <sean.mullan@sun.com> CC: ietf-pkix@imc.org Subject: Re: Reverse paths References: <396DDFA7.1132.8780334@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Reverse path is building is a valid option, but I think the premise when we mandated the forward element was to build the path from the EE cert up because you'd at a minimum have the signer's certificate (or a pointer to it). You'd then verify down the chain you built. Sean - are you suggesting mandating the reverse element instead of the forward element or in addition to it? spt David Chadwick wrote: > Date sent: Wed, 12 Jul 2000 19:40:47 +0100 > From: Sean Mullan <sean.mullan@sun.com> > To: d.w.chadwick@salford.ac.uk, ietf-pkix@imc.org, ietf-ldapext@netscape.com > Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt > > Sean > this thread should be opened up to the whole PKIX list. I am happy > to put this into the LDAPv3 schema if that is what is wanted, but > there must have been some earlier discussion as to why it is > optional and not mandatory. > David > > > Building certification paths in a 'reverse' > > direction (from trust anchor to EE) is a valid way to build > > certification paths. However, RFC 2587 (PKIX LDAPv2 schema) specifies > > that the storage of cross certificates in the reverse component of the > > crossCertificatePair is optional. It is not possible to efficiently > > build a certification path in a 'reverse' direction unless the > > certificates are populated in the reverse component of the > > crossCertificatePair attribute. Specifying that this feature is > > optional makes it difficult to build paths in a reverse direction in a > > trust model where lots of cross certificates and multiple directories > > are involved and you don't know if the CAs support the optional > > storage. > > > > I would like to suggest that RFC 2587 be amended/updated > > to make storage of cross certificates in the reverse component of the > > crossCertificatePair attribute mandatory. > > > > Thanks, > > Sean > > > > *************************************************** > > David Chadwick > IS Institute, University of Salford, Salford M5 4WT > Tel +44 161 295 5351 Fax +44 161 745 8169 > Mobile +44 790 167 0359 > Email D.W.Chadwick@salford.ac.uk > Home Page http://www.salford.ac.uk/its024/chadwick.htm > Understanding X.500 http://www.salford.ac.uk/its024/X500.htm > X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm > Entrust key validation string MLJ9-DU5T-HV8J > > *************************************************** Received: from smtp03.mrf.mail.rcn.net (smtp03.mrf.mail.rcn.net [207.172.4.62]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA06870 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 12:02:50 -0700 (PDT) Received: from 208-58-194-27.s535.tnt9.lnhva.md.dialup.rcn.com ([208.58.194.27] helo=rankney) by smtp03.mrf.mail.rcn.net with smtp (Exim 3.15 #2) id 13CoHw-00061x-00; Thu, 13 Jul 2000 15:04:48 -0400 Message-ID: <001d01bfecff$fe9bc420$1bc23ad0@rankney> From: "Rich Ankney" <rankney@erols.com> To: <tgindin@us.ibm.com>, "Michael Zolotarev" <mzolotarev@baltimore.com> Cc: "Adrian McCullagh" <AMcCullagh@exchange.gadens.com.au>, "'Simon McMahon'" <simon@onthenet.com.au>, "Tony Bartoletti" <azb@llnl.gov>, "P.J. Ponder" <ponder@freenet.tlh.fl.us>, "Paul Koning" <pkoning@xedia.com>, <ietf-pkix@imc.org>, <denis.bider@denisbider.com> Subject: Re: Current signature formats insufficient Date: Thu, 13 Jul 2000 15:24:38 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3155.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 I agree. This is similar to the "commitment type" in the ETSI electronic signature work, the "signature purpose" in ANSI X9.45 and ASTM E-2084, and the "business purpose of assurance" in X12. / Rich -----Original Message----- From: tgindin@us.ibm.com <tgindin@us.ibm.com> To: Michael Zolotarev <mzolotarev@baltimore.com> Cc: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au>; 'Simon McMahon' <simon@onthenet.com.au>; Tony Bartoletti <azb@llnl.gov>; P.J. Ponder <ponder@freenet.tlh.fl.us>; Paul Koning <pkoning@xedia.com>; ietf-pkix@imc.org <ietf-pkix@imc.org>; denis.bider@denisbider.com <denis.bider@denisbider.com> Date: Thursday, July 13, 2000 11:30 AM Subject: RE: Current signature formats insufficient > Qualification of a signature to say a) I saw this, but I am not >agreeing with it; b) I agree with this; c) I promise to do this (or other >similar qualifications) strikes me as a good use of PKCS #7 Authenticated >Attributes, CMS Signed Attributes or XML Signature Properties. I thought >that Denis' original proposal was intended to allow a smart card itself to >incorporate some very simple assertions about signature conditions into the >signature. If the smart card is restricted to a single format, it might be >able to place such an assertion into that format. If it's like one of >today's smart cards, it's not very format aware which is why placing the >assertion into the signature itself was attractive. > > Tom Gindin > >Michael Zolotarev <mzolotarev@baltimore.com> on 07/13/2000 12:45:09 AM > >To: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au>, "'Simon > McMahon'" <simon@onthenet.com.au>, Michael Zolotarev > <mzolotarev@baltimore.com>, Tony Bartoletti <azb@llnl.gov>, "P.J. > Ponder" <ponder@freenet.tlh.fl.us> >cc: Paul Koning <pkoning@xedia.com>, ietf-pkix@imc.org, > denis.bider@denisbider.com >Subject: RE: Current signature formats insufficient > > > >Adrian, > >God, do you guys ever come to understand Russian sense of humor? > >I was just trying to show that introducing a special key usage bit is not >going to solve the problem. Which is, of course, to indicate whether a >signer agrees or not with the content of the message. > >I was saying that you can do it only by having a statement (AGREE or DO NOT >AGREE) INSIDE the content, and signing that content with your key. Exactly >as you do it on the paper: "Solemnly agree:_______". > >Following the 'key usage bit' approach you'd have to have two different >keys >- one for 'agree with the content', and another for 'do not agree with >content'. > >My 'agree with doubts' list was an [unsuccessful] attempt to demonstrate >what kind of absurd you can get into with using the key usage flags. > >Best regards >Michael > >PS Are you in Sydney, BTW? > > > >> -----Original Message----- >> From: Adrian McCullagh [mailto:AMcCullagh@exchange.gadens.com.au] >> Sent: Thursday, July 13, 2000 2:29 PM >> To: 'Simon McMahon'; Michael Zolotarev; Tony Bartoletti; P.J. Ponder >> Cc: Paul Koning; ietf-pkix@imc.org; denis.bider@denisbider.com >> Subject: RE: Current signature formats insufficient >> >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Michael & Simon; >> >> I do not agree with your position. >> >> You either agree or you do not agree. The positions are mutually >> exclusive. The issue of qualification if put forward only complicates >> the situation. If you want to qualify then you must in my opinion >> fall within the "do not agree" position. >> >> Why complicate the situation with: >> >> > 1. Strongly agree >> > 2. Agree >> > 3. Agree with reservations >> > 4. Agree with a certain doubt >> >> What is the difference between agree and strongly agree. It does not >> add anything by qualifying the agreed position. A certainly doubt >> that a Court would take notice of varying positions of agreement. You >> either agree or do not agree. >> >> >> >> - -----Original Message----- >> From: Simon McMahon [mailto:simon@onthenet.com.au] >> Sent: Thursday, July 13, 2000 2:09 PM >> To: Michael Zolotarev; Tony Bartoletti; P.J. Ponder >> Cc: Paul Koning; ietf-pkix@imc.org; denis.bider@denisbider.com >> Subject: Re: Current signature formats insufficient >> >> >> Michael wrote : >> > Using a special key usage bit to specify your agreement is not very >> > practical. Why? You'd have to define the following set: >> > >> > 1. Strongly agree >> > 2. Agree >> > 3. Agree with reservations >> > 4. Agree with a certain doubt >> > >> >> Thats right - the content contains all the details about what and how >> much >> committment is being made. The signature format is irrelevant accept >> that it >> has to be validatable. >> >> Simon. >> >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Personal Edition 6.0.2 >> >> iQA/AwUBOWy4RZWt1NGjt4vzEQL3iQCg6potAez5JhLSDtdGF26UaeG2ziUAoOmy >> sdwXFWc2hVsvm4P00KfXJz21 >> =H1pM >> -----END PGP SIGNATURE----- >> > > > Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA05778 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 11:11:28 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id LAA14572; Thu, 13 Jul 2000 11:07:39 -0700 (PDT) Message-Id: <4.2.2.20000713110611.00ad2bb0@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 13 Jul 2000 11:14:54 -0700 To: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au>, "'Simon McMahon'" <simon@onthenet.com.au>, "'Ben Laurie'" <ben@algroup.co.uk>, Frank Balluffi <frankb@valicert.com> From: Tony Bartoletti <azb@llnl.gov> Subject: RE: Current signature formats insufficient Cc: denis.bider@denisbider.com, ietf-pkix@imc.org In-Reply-To: <C7006C79F23FD411AFCC00E018C353B40258F1@exchange.gadens.com .au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 03:03 PM 7/13/00 +1000, Adrian McCullagh wrote: >The first paper provides an argument that the concept of witnessing is >inappropriate for the electronic commerce environment. A new position >legally should be the concept of verifying. At law a witness must have an >uninterrupted view of the signer actually affixing the mark that will bind >the signer to the contents of the document. Now a witness can not actually >see such an affixation in the digital environment. All a witness can do is >see the person pressing some keys. The program could be doing anything. So >in my scenario the verifier will first verify that there does exist, >attached to the document, a digital signature that has been affixed using >the alleged signers private key. Once verified the verifier will affix >their digital signature that will clearly note the second signer as a >verifier and not as the person who is to be bound by the contents of the >document. My paper expands this concept somewhat. Not being a lawyer myself ... In the paper tradition, I assume (based in part on the Almedio case you described earlier) that the witness has at least some implied obligation to reasonably ensure that the signer, beyond simply affixing their signature, understands what is being signed. (In the case you describe, is seemed plain that it should have been obvious to the witnesses that the signers likely could not understand the terms sufficiently.) Does this quality of "witnessing" carry over into the digital realm? (Another multiple-choice test protocol, perhaps? :) ____tony____ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA05240 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 10:53:56 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id KAA03010; Thu, 13 Jul 2000 10:49:32 -0700 (PDT) Message-Id: <4.2.2.20000713104918.00b2d8e0@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 13 Jul 2000 10:56:48 -0700 To: "Simon McMahon" <simon@onthenet.com.au>, "Adrian McCullagh" <AMcCullagh@exchange.gadens.com.au>, "'Ben Laurie'" <ben@algroup.co.uk>, "Frank Balluffi" <frankb@valicert.com> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: Current signature formats insufficient Cc: <denis.bider@denisbider.com>, <ietf-pkix@imc.org> In-Reply-To: <013a01bfec84$ae7ed890$8802a8c0@eracom.com.au> References: <C7006C79F23FD411AFCC00E018C353B40258EE@exchange.gadens.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 02:41 PM 7/13/00 +1000, Simon McMahon wrote: >My point is that witnessing is the right way to boost non-repudiation (that >failed in this case) to a level where big dollars are involved. Non >witnessed signatures, standard or digital, must therefore be more vulnerable >to repudiation claims. A digital witness would need to assure that the >witnessed signature was made with a trustworthy signing device and that the >signer understood what was being signed. I agree. >I can concieve of a trustworthy signing device, not at home but at a bank >branch or kiosk, that accepts a smart card with my private key on it. >Authenticates me and makes me say 'Y' to "do you understand and wish to sign >what you have read above ?" (wherever "above" happens to be) and then >applies my signature. It then counter signs my signature with its private >key which the RP can recognise as that of a trusted device. The RP may not >know for sure that I actually understood what I was supposed to have read, >only a human witness, in my opinion could do that, but the RP has high >assurance that the signature is not the result of a hacked PC with an SC >reader. Now, I'm thinking of a protocol where (again from a trusted installation such as a kiosk) once you supposedly have read the "terms of agreement", the process walks you through several, randomly generated multiple choice questions regarding these terms, presented in random order. Failure to get 100% on this "quiz" takes you back to the screens to review the terms. Success on this quiz is digitally certified and accompanies the signed agreement. This (though a bit awkward) would make it considerably harder to claim "I didn't understand what I was signing." ___tony___ >Simon McMahon > > Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from e4.ny.us.ibm.com (e4.ny.us.ibm.com [32.97.182.104]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA27695 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 08:31:14 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e4.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id LAA136566; Thu, 13 Jul 2000 11:33:17 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id LAA35560; Thu, 13 Jul 2000 11:33:14 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 8525691B.00556E52 ; Thu, 13 Jul 2000 11:33:08 -0400 X-Lotus-FromDomain: IBMUS To: "Simon McMahon" <simon@onthenet.com.au> cc: "Adrian McCullagh" <AMcCullagh@exchange.gadens.com.au>, "'Tony Bartoletti'" <azb@llnl.gov>, "'Ben Laurie'" <ben@algroup.co.uk>, "Frank Balluffi" <frankb@valicert.com>, denis.bider@denisbider.com, ietf-pkix@imc.org Message-ID: <8525691B.00556C5A.00@D51MTA04.pok.ibm.com> Date: Thu, 13 Jul 2000 11:33:02 -0400 Subject: Re: Current signature formats insufficient Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline I think the witness is also usually witnessing the signer's identity, that the signer is physically present and is not obviously being coerced. In fact, he's a lot better at witnessing these things than that the signer read the document in full, far less than that he understood it. A biometric device might be a valid witness to some of these things, but not all, and the other devices involved are witnesses to much less. The smart card itself is witnessing only that certain procedures involving it directly have (or have not) been carried out, and that it was sent the data it is signing. Tom Gindin "Simon McMahon" <simon@onthenet.com.au> on 07/13/2000 02:26:48 AM To: "Adrian McCullagh" <AMcCullagh@exchange.gadens.com.au>, "'Tony Bartoletti'" <azb@llnl.gov>, "'Ben Laurie'" <ben@algroup.co.uk>, "Frank Balluffi" <frankb@valicert.com> cc: <denis.bider@denisbider.com>, <ietf-pkix@imc.org> Subject: Re: Current signature formats insufficient Adrian, > If you would like I have 2 academic papers that deal with the issues raised > here from a legal perspective. Both papers have been published by > universities but I am not sure whether they are on the internet. > I'm sure they will be tough reading but, yes, please post the URLs if they exist or post binaries direct to me (I think mailing list policy is not to post binary attachments). I understand that a human withness to a digital signature is at a disadvantage for the reason you stated, but couldn't the law recognise a certified "device" operating under its normal operating conditions as a witness to the affixation of a digital signature to some content ? It is after all the device doing it. A human witness could still be involved but would be witnessing something else, e.g. that the signer understood the content. German law obviously already recognises certified signing devices as relevant to legally binding signatures. It looks to me like the concept of a witness is overloaded because humans are naturally pretty versatile. Breaking down what a witness does, or is, might make it easier to digitize their functions. Maybe that is what your paper's "verifier" is. What happened to "Current signature formats insufficient" ? Better post me those papers quick ! Thanks, Simon McMahon Received: from e3.ny.us.ibm.com (e3.ny.us.ibm.com [32.97.182.103]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA27079 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 08:24:54 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e3.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id LAA95430; Thu, 13 Jul 2000 11:26:51 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id LAA180544; Thu, 13 Jul 2000 11:26:47 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 8525691B.0054D824 ; Thu, 13 Jul 2000 11:26:43 -0400 X-Lotus-FromDomain: IBMUS To: Michael Zolotarev <mzolotarev@baltimore.com> cc: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au>, "'Simon McMahon'" <simon@onthenet.com.au>, Tony Bartoletti <azb@llnl.gov>, "P.J. Ponder" <ponder@freenet.tlh.fl.us>, Paul Koning <pkoning@xedia.com>, ietf-pkix@imc.org, denis.bider@denisbider.com Message-ID: <8525691B.0054D5B6.00@D51MTA04.pok.ibm.com> Date: Thu, 13 Jul 2000 11:26:32 -0400 Subject: RE: Current signature formats insufficient Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Qualification of a signature to say a) I saw this, but I am not agreeing with it; b) I agree with this; c) I promise to do this (or other similar qualifications) strikes me as a good use of PKCS #7 Authenticated Attributes, CMS Signed Attributes or XML Signature Properties. I thought that Denis' original proposal was intended to allow a smart card itself to incorporate some very simple assertions about signature conditions into the signature. If the smart card is restricted to a single format, it might be able to place such an assertion into that format. If it's like one of today's smart cards, it's not very format aware which is why placing the assertion into the signature itself was attractive. Tom Gindin Michael Zolotarev <mzolotarev@baltimore.com> on 07/13/2000 12:45:09 AM To: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au>, "'Simon McMahon'" <simon@onthenet.com.au>, Michael Zolotarev <mzolotarev@baltimore.com>, Tony Bartoletti <azb@llnl.gov>, "P.J. Ponder" <ponder@freenet.tlh.fl.us> cc: Paul Koning <pkoning@xedia.com>, ietf-pkix@imc.org, denis.bider@denisbider.com Subject: RE: Current signature formats insufficient Adrian, God, do you guys ever come to understand Russian sense of humor? I was just trying to show that introducing a special key usage bit is not going to solve the problem. Which is, of course, to indicate whether a signer agrees or not with the content of the message. I was saying that you can do it only by having a statement (AGREE or DO NOT AGREE) INSIDE the content, and signing that content with your key. Exactly as you do it on the paper: "Solemnly agree:_______". Following the 'key usage bit' approach you'd have to have two different keys - one for 'agree with the content', and another for 'do not agree with content'. My 'agree with doubts' list was an [unsuccessful] attempt to demonstrate what kind of absurd you can get into with using the key usage flags. Best regards Michael PS Are you in Sydney, BTW? > -----Original Message----- > From: Adrian McCullagh [mailto:AMcCullagh@exchange.gadens.com.au] > Sent: Thursday, July 13, 2000 2:29 PM > To: 'Simon McMahon'; Michael Zolotarev; Tony Bartoletti; P.J. Ponder > Cc: Paul Koning; ietf-pkix@imc.org; denis.bider@denisbider.com > Subject: RE: Current signature formats insufficient > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Michael & Simon; > > I do not agree with your position. > > You either agree or you do not agree. The positions are mutually > exclusive. The issue of qualification if put forward only complicates > the situation. If you want to qualify then you must in my opinion > fall within the "do not agree" position. > > Why complicate the situation with: > > > 1. Strongly agree > > 2. Agree > > 3. Agree with reservations > > 4. Agree with a certain doubt > > What is the difference between agree and strongly agree. It does not > add anything by qualifying the agreed position. A certainly doubt > that a Court would take notice of varying positions of agreement. You > either agree or do not agree. > > > > - -----Original Message----- > From: Simon McMahon [mailto:simon@onthenet.com.au] > Sent: Thursday, July 13, 2000 2:09 PM > To: Michael Zolotarev; Tony Bartoletti; P.J. Ponder > Cc: Paul Koning; ietf-pkix@imc.org; denis.bider@denisbider.com > Subject: Re: Current signature formats insufficient > > > Michael wrote : > > Using a special key usage bit to specify your agreement is not very > > practical. Why? You'd have to define the following set: > > > > 1. Strongly agree > > 2. Agree > > 3. Agree with reservations > > 4. Agree with a certain doubt > > > > Thats right - the content contains all the details about what and how > much > committment is being made. The signature format is irrelevant accept > that it > has to be validatable. > > Simon. > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Personal Edition 6.0.2 > > iQA/AwUBOWy4RZWt1NGjt4vzEQL3iQCg6potAez5JhLSDtdGF26UaeG2ziUAoOmy > sdwXFWc2hVsvm4P00KfXJz21 > =H1pM > -----END PGP SIGNATURE----- > Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA25513 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 07:32:14 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.2/8.9.1) with ESMTP id QAA19750 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 16:33:31 +0200 Received: from bull.net (fradint93.bull.fr [129.181.85.93]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id QAA23776 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 16:33:30 +0200 Message-ID: <396DD2DA.E722CADE@bull.net> Date: Thu, 13 Jul 2000 16:31:54 +0200 From: Denis <Denis.Pinkas@bull.net> X-Mailer: Mozilla 4.5 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: IETF-PXIX <ietf-pkix@imc.org> Subject: Re: I-D ACTION:draft-ietf-pkix-qc-04.txt References: <200007071120.HAA20875@ietf.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Comments on QC-04 (draft-ietf-pkix-qc-04.txt) A major improvement has been done with the publication of QC-4, since the notion of "unmistakable identity" has now disappeared . However, the new text still does not solve the issues that have been raised on that topic. COMMENT 1 The most important section is section 2.4. (Uniqueness of names) where the word "unique" is not used anywhere, except in the title). This section says: In section 4.1.2.6 Subject, RFC 2459 states: "The DN MUST be unique for each subject entity certified by the one CA as defined by the issuer name field." In order to make the text unambiguous it is important to say that: "The DN MUST be unique for each subject entity certified by the one CA as defined by the issuer name field during the whole life time of the CA, i.e. two different living human beings cannot have the same DN." The current text, copied below, does not bring anything really useful for the topic, and could advantageously be deleted. In the context of qualified certificates, a distinguished name denotes a set of attribute values [X.501] which forms a name that is unambiguous within a certain domain that forms either a real or a virtual DIT (Directory Information Tree)[X.501]. In the case of subject names the domain is assumed to be at least the issuing domain of the CA. COMMENT 2 Section 3.1.1. Issuer states: "The issuer field SHALL identify the organization responsible for issuing the certificate, and SHALL include a registered name of the organization". The basic question is what is the meaning of a "registered" name. Who should be the registration authority ? Do we have such an authority for registered names in the IETF ? Is this authority adequate for such a usage ? Instead of trying to answer the question, it makes more sense to omit the second part of the sentence which leads to the following sentence: "The issuer field SHALL identify the organization responsible for issuing the certificate". COMMENT 3 Section 3.1.1. Issuer states: "The legal jurisdiction for the issuing CA SHOULD be consistent with the issuer name.". However the abstract says: " The goal of this document is to define a general syntax independent of local legal requirements." and also " It is important to note that the profile does not define any legal requirements for Qualified Certificates.". This is contradictory. From the discussions that recently took place in Stockholm, the agreement was to mandate the inclusion of the country where from the CA is operating. In this way, by indirection, the country where the CA is established may implement a supervision scheme, if required. The text should be modified to reflect this. It should be noticed that taking this into consideration, the first element of a DN for an issuer must then be a country name. This should be reflected in the text. Full text proposal replacement for 3.1.1: 3.1.1 Issuer The issuer field SHALL identify the organization responsible for issuing the certificate. The identity of the issuer SHALL be specified using an appropriate subset of the following attributes: domainComponent; countryName; stateOrProvinceName; organizationName; localityName; and serialNumber. Additional attributes MAY be present but they SHOULD NOT be necessary to identify the issuing organization. The first element of the DN shall be the country where the CA is operating from. COMMENT 4 The text is not consistent when talking about certificate policies and public statements. In section 2.2. Statement of Purpose, the text says: "For a certificate to serve the purpose of being a Qualified Certificate, this profile assumes that the CA will have to include in the certificate a public statement that explicitly defines this intent." In section 3.2.2.Certificate Policies, the text says: " A statement by the issuer stating the purpose of the certificate as discussed in Section 2.2 SHOULD be evident through indicated policies." The later statement is not that "evident" at all, in particular since from section 2.2. any certificate policy may be used, provided that it is consistent with the policy for a QC. The basic question is the following: How is it possible to know that a certificate is a QC ? There are two possible answers: a) use a QC statement to tell it (and this "costs" a new extension), b) use some pre-defined Certificate Policy OID to tell it (and this costs no new extension). The text from section 2.2. mandates the inclusion of a QC statement. However, all current software is able to test for the presence of any Certificate Policy OID in a certificate and thus the current software could easily check for the presence of pre-defined Certificate Policy OIDs for QCs. The QC statement mandates the use of a new extension, that no one has yet implemented, both for the construction of the certificate and the checking of a certification path. Should we really mandate the presence of the QC statement (as being the only way to indicate that a certificate is a QC) or should we also allow the use of pre-defined Certificate Policy OID (making the QC statement non mandatory) ? I think both options should be mentioned as possible Note: I must recognise that the following text belonging to section 3.2.2 is not understandable to me: " In order to enhance path validation based on policy object identifiers any statement related to Qualified Certificates, as defined in 3.2.5, SHOULD also be defined by included certificate policies." COMMENT 5 Section 3.2.5. Qualified Certificate Statements, defines an extension for inclusion of defined statements related to Qualified Certificates. However, there is a major problem with the way the extension is built. It is constructed as: QCStatements ::= SEQUENCE OF QCStatement Since nothing is said in the text about the criticality this extension is, by implication, non critical. This means that any individual QCStatement is not mandatory to understand. So unless an application specifically looks for some pre-defined statement, it will miss the others and is not required to "understand them. Also remember that only ONE such extension may be present. In a profile of this document (not a PKIX document) this extension is being used to specify the maximum amount of money which is permissible for one transaction, this is what is referred in QC-04 as "a maximum reliance limit for the certificate indicating restrictions on CA's liability". The basic question is whether we should have a separate extension for a maximum reliance from a CA. If the maximum reliance limit statement is part of the new extension, there is no guarantee that it will ever be seen or recognized. In principle any QCStatement in a non critical extension may be ignored by the application. If the maximum reliance limit statement is in a separate extension marked critical, no application could miss it, if it is present. The requirement comes from an annex of the European Directive. The definition of a maximum reliance limit is optional and it makes sense to have a dedicated extension to support it. I would thus propose to suppress the following sentence from 3.2.5: "As an example this MAY include a maximum reliance limit for the certificate indicating restrictions on CA's liability." Instead I would propose to define a separate extension to support a maximum reliance limit. COMMENT 6 Section 4, Security considerations. This section has major problems. It uses some arguments to provide wrong conclusions. The current text is as follows: " Since the public keys are for public use with legal implications for involved parties, certain conditions should exist before CAs issues certificates as Qualified Certificates. The associated private keys must be unique for the subject, and must be maintained under the subject's sole control. That is, a CA should not issue a qualified certificate if the private key is shared among entities, or the means to use the private key is not protected against unintended usage. This implies that the CA must perform proof-of-possession of the private key. In addition, it implies that the CA have some knowledge about the subject's cryptographic module." The text says that a "CA should not issue a qualified certificate if the private key is shared among entities". This is fine, but the CA has no way to know whether the private key has been given to someone else. Proof-of-possession of the private key does not solve the issue as well, since everyone who has been given the private key could provide proof-of-possession. What is transparent from the text, but not said correctly, is that if a physical device is used, then it becomes "more difficult" to share the private key. Proposed text full replacement for the text above: "The private keys must be maintained under the subject's sole control. That is, a CA should not issue a qualified certificate if the means to use the private key is not protected against unintended usage. It implies that the CA should have some knowledge about the subject's cryptographic module." It should be realized also that proof-of-possession is NOT needed at all what using good cryptography practice. As soon as the identifier of the certificate being used is protected by the digital signature, then proof-of-possession becomes unnecessary. Why not say it ? COMMENT 7 Section 4, Security considerations. The current text is as follows: "Comparing two qualified certificates to determine if they represent the same physical entity may provide misleading results and should be performed with care." This sentence does not help. Replace by: "Comparing two qualified certificates, that contain different DNs, to determine if they represent the same physical entity cannot be made." Denis Received: from mta03-svc.ntlworld.com (mta03-svc.ntlworld.com [62.253.162.43]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA25242 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 07:25:35 -0700 (PDT) Received: from dwc-acer ([62.252.104.255]) by mta03-svc.ntlworld.com (InterMail vM.4.01.02.27 201-229-119-110) with ESMTP id <20000713142736.UOVS16423.mta03-svc.ntlworld.com@dwc-acer>; Thu, 13 Jul 2000 15:27:36 +0100 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: ietf-pkix@imc.org, Sean Mullan <sean.mullan@sun.com> Date: Thu, 13 Jul 2000 15:26:31 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Reverse paths Reply-to: d.w.chadwick@salford.ac.uk Message-ID: <396DDFA7.1132.8780334@localhost> Priority: normal In-reply-to: <396CBBAF.39D848B6@sun.com> X-mailer: Pegasus Mail for Win32 (v3.12c) Date sent: Wed, 12 Jul 2000 19:40:47 +0100 From: Sean Mullan <sean.mullan@sun.com> To: d.w.chadwick@salford.ac.uk, ietf-pkix@imc.org, ietf-ldapext@netscape.com Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt Sean this thread should be opened up to the whole PKIX list. I am happy to put this into the LDAPv3 schema if that is what is wanted, but there must have been some earlier discussion as to why it is optional and not mandatory. David > Building certification paths in a 'reverse' > direction (from trust anchor to EE) is a valid way to build > certification paths. However, RFC 2587 (PKIX LDAPv2 schema) specifies > that the storage of cross certificates in the reverse component of the > crossCertificatePair is optional. It is not possible to efficiently > build a certification path in a 'reverse' direction unless the > certificates are populated in the reverse component of the > crossCertificatePair attribute. Specifying that this feature is > optional makes it difficult to build paths in a reverse direction in a > trust model where lots of cross certificates and multiple directories > are involved and you don't know if the CAs support the optional > storage. > > I would like to suggest that RFC 2587 be amended/updated > to make storage of cross certificates in the reverse component of the > crossCertificatePair attribute mandatory. > > Thanks, > Sean > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from mta01-svc.ntlworld.com (mta01-svc.ntlworld.com [62.253.162.41]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA24800 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 07:02:02 -0700 (PDT) Received: from dwc-acer ([62.252.104.255]) by mta01-svc.ntlworld.com (InterMail vM.4.01.02.27 201-229-119-110) with ESMTP id <20000713140401.PWPE26680.mta01-svc.ntlworld.com@dwc-acer>; Thu, 13 Jul 2000 15:04:01 +0100 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: Sean Mullan <sean.mullan@sun.com>, ietf-pkix@imc.org, ietf-ldapext@netscape.com Date: Thu, 13 Jul 2000 15:02:42 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt Reply-to: d.w.chadwick@salford.ac.uk CC: Boeyen@entrust.com Message-ID: <396DDA12.874.862330B@localhost> Priority: normal In-reply-to: <396CB983.81DC54B3@sun.com> X-mailer: Pegasus Mail for Win32 (v3.12c) Date sent: Wed, 12 Jul 2000 19:31:31 +0100 From: Sean Mullan <sean.mullan@sun.com> To: d.w.chadwick@salford.ac.uk Copies to: ietf-pkix@imc.org, ietf-ldapext@netscape.com Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt > Hi David, > > Some comments on the draft below. Sean, replies intersperced below > Section 3.2 Certificate Match > > I think the X.509 certificate matching rules are missing some > essential and important fields in the certificateAssertion structure > for filtering on certificates. We may want to consider defining a > superset. I submitted these comments to the X.509 editors but > apparently it was too late to integrate them into the 2000 update. > > * you should be able to match on more than one pathToName and on > non-X500 > name types. This is inconsistent with name constraints which allow > you to constrain to more than one name and different name types. > I agree that alternative name types should be allowed. But maybe it is not necessary to have multiple names, since you can do several Searches providing one name for each search (remember that the name presented should be allowed to have a cert path created to it) How do we want to handle this: i) issue a defect on X.509 (Sharon can you comment on this) ii) let the LDAP matching rule be a superset of the X.509 one? I would favour the former route myself. > * you should be able to match on more than the subject alt name > type. Agreed. This is a lack of clarity in the ID. It is intended that the whole name can be presented along with the type. The text is ambiguous in this respect and I will fix it. It will also be clearer when version 1 is published that contains BNF for each of the fields. Steven Legg has been doing this for me. > You > should also be able to match on the subject alt name itself, and > specify more than one subject alt name as certificates can contain > more than one. > Concerning multiple names, I think this can be solved by performing multiple searches with a single name in each search. > * you should be able to match on the subject public key as well as > the subject public > key algorithm OID. > you can match on the subject key identifier (3rd component) > * you should be able to match on the basic constraints extension, > especially the > maxPathLen value. This is useful for finding potential > certificates when building certification paths from the target to > the most-trusted CA. For ex, if a partial path has been built, any > candidate certificate must have a maxPathLen value greater than or > equal to the number of certificates in the partial path. > Interestingly this has been defined for attribute certificates and not pk certs. I actually think that the way matching for ACs has been handled is far superior than for PKcerts. ie. a separate matching rule for each extension, rather than one long complex rule for pk certs. However, there would be nothing to stop an implementation dynamically attaching the basicAttConstraintsMatch to public key certs. In fact this matching rule could be renamed the basicConstraintsMatch anyway as the syntax is the same for both ACs and PKCs. This is my preferred approach. > I think it is very important to include the Certificate pair matching > rules, as these are very useful when building certification paths and > trying to discover which of many cross certificates satisfy various > validation constraints, and eliminating those that do not. > OK, this can be done. It is just time consuming and I wanted to know if there was a demand first. > Other comments: > > * What RFC format are you using for the encoding of DNs - 1779? This > should be referenced. It should be 2253 for LDAPv3. > > Section 4.2 Certificate List Match > > There is an error in the CertificateListAssertion definition in X.509 > 2000. The authorityKeyIdentifier component should be marked OPTIONAL. > This probably doesn't affect your definition, but I just wanted to > make you aware of it. Agreed, Sharon, can you make a note of this defect David p.s. what do you think about Bruce's assertion that none of this is needed and instead we should have a bunch of simple attributes in the LDAP entry David > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from mail.inka.de (mail@quechua.inka.de [212.227.14.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA04628 for <ietf-pkix@imc.org>; Thu, 13 Jul 2000 00:07:23 -0700 (PDT) Received: from localhost (ccciii.yapay.inka.de [212.227.15.177]) by mail.inka.de with esmtp id 13Cd7V-0000xB-00; Thu, 13 Jul 2000 09:09:18 +0200 Received: from stroeder.com (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 2821B2FC7A; Thu, 13 Jul 2000 09:09:17 +0200 (CEST) Sender: michael@ms.inka.de Message-ID: <396D6B1C.CB5807DB@stroeder.com> Date: Thu, 13 Jul 2000 09:09:16 +0200 From: Michael =?iso-8859-1?Q?Str=F6der?= <michael@stroeder.com> Organization: stroeder.com X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16 i686) X-Accept-Language: de-DE, de, en MIME-Version: 1.0 To: Simon McMahon <simon@onthenet.com.au> Cc: ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <C7006C79F23FD411AFCC00E018C353B40258F1@exchange.gadens.com.au> <019e01bfec93$66dfe4c0$8802a8c0@eracom.com.au> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Simon McMahon wrote: > > German law obviously already recognises certified signing devices as > relevant to legally binding signatures. Maybe there's a misunderstanding here (or maybe it's because I came into this discussion lately): The german "Signaturgesetz" only describes how strong a certification service has to be to be accepted for legally binding signatures eventually being implemented in a law in the future. But at the moment no electronic signature is accepted as a legally binding signature at all. Ciao, Michael. Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA02603 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 23:18:38 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id QAA75679; Thu, 13 Jul 2000 16:18:30 +1000 (EST) Message-ID: <019e01bfec93$66dfe4c0$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Adrian McCullagh" <AMcCullagh@exchange.gadens.com.au>, "'Tony Bartoletti'" <azb@llnl.gov>, "'Ben Laurie'" <ben@algroup.co.uk>, "Frank Balluffi" <frankb@valicert.com> Cc: <denis.bider@denisbider.com>, <ietf-pkix@imc.org> References: <C7006C79F23FD411AFCC00E018C353B40258F1@exchange.gadens.com.au> Subject: Re: Current signature formats insufficient Date: Thu, 13 Jul 2000 16:26:48 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Adrian, > If you would like I have 2 academic papers that deal with the issues raised > here from a legal perspective. Both papers have been published by > universities but I am not sure whether they are on the internet. > I'm sure they will be tough reading but, yes, please post the URLs if they exist or post binaries direct to me (I think mailing list policy is not to post binary attachments). I understand that a human withness to a digital signature is at a disadvantage for the reason you stated, but couldn't the law recognise a certified "device" operating under its normal operating conditions as a witness to the affixation of a digital signature to some content ? It is after all the device doing it. A human witness could still be involved but would be witnessing something else, e.g. that the signer understood the content. German law obviously already recognises certified signing devices as relevant to legally binding signatures. It looks to me like the concept of a witness is overloaded because humans are naturally pretty versatile. Breaking down what a witness does, or is, might make it easier to digitize their functions. Maybe that is what your paper's "verifier" is. What happened to "Current signature formats insufficient" ? Better post me those papers quick ! Thanks, Simon McMahon Received: from aspams52.cai.com (aspams52.cai.com [155.35.248.76]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA00155 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 22:30:06 -0700 (PDT) Received: by aspams52.cai.com with Internet Mail Service (5.5.2650.21) id <3X7A0F3R>; Thu, 13 Jul 2000 14:36:28 +1000 Message-ID: <11981F9F5649D411BC92009027D0D18C57705E@aspams01.cai.com> From: "Ramsay, Ron" <Ron.Ramsay@ca.com> To: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au>, "'Simon McMahon'" <simon@onthenet.com.au>, Michael Zolotarev <mzolotarev@baltimore.com>, Tony Bartoletti <azb@llnl.gov>, "P.J. Ponder" <ponder@freenet.tlh.fl.us> Cc: Paul Koning <pkoning@xedia.com>, ietf-pkix@imc.org, denis.bider@denisbider.com Subject: RE: Current signature formats insufficient Date: Thu, 13 Jul 2000 14:36:29 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Adrian, You appear to be agreeing with Michael, and I do, too. The signature means "I signed this document (blob)". If I have to agree with the contents of the document, the document (blob) should contain a place for this. Ron. -----Original Message----- From: Adrian McCullagh [mailto:AMcCullagh@exchange.gadens.com.au] Sent: Thursday, 13 July 2000 14:29 To: 'Simon McMahon'; Michael Zolotarev; Tony Bartoletti; P.J. Ponder Cc: Paul Koning; ietf-pkix@imc.org; denis.bider@denisbider.com Subject: RE: Current signature formats insufficient -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael & Simon; I do not agree with your position. You either agree or you do not agree. The positions are mutually exclusive. The issue of qualification if put forward only complicates the situation. If you want to qualify then you must in my opinion fall within the "do not agree" position. Why complicate the situation with: > 1. Strongly agree > 2. Agree > 3. Agree with reservations > 4. Agree with a certain doubt What is the difference between agree and strongly agree. It does not add anything by qualifying the agreed position. A certainly doubt that a Court would take notice of varying positions of agreement. You either agree or do not agree. - -----Original Message----- From: Simon McMahon [mailto:simon@onthenet.com.au] Sent: Thursday, July 13, 2000 2:09 PM To: Michael Zolotarev; Tony Bartoletti; P.J. Ponder Cc: Paul Koning; ietf-pkix@imc.org; denis.bider@denisbider.com Subject: Re: Current signature formats insufficient Michael wrote : > Using a special key usage bit to specify your agreement is not very > practical. Why? You'd have to define the following set: > > 1. Strongly agree > 2. Agree > 3. Agree with reservations > 4. Agree with a certain doubt > Thats right - the content contains all the details about what and how much committment is being made. The signature format is irrelevant accept that it has to be validatable. Simon. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Edition 6.0.2 iQA/AwUBOWy4RZWt1NGjt4vzEQL3iQCg6potAez5JhLSDtdGF26UaeG2ziUAoOmy sdwXFWc2hVsvm4P00KfXJz21 =H1pM -----END PGP SIGNATURE----- Received: from stargate.zergo.com.au (IDENT:root@stargate.zergo.com.au [203.2.208.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA28147 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 22:13:42 -0700 (PDT) Received: from sydneymail1.baltimore.com.au (sydneymail1.jp.zergo.com.au [192.168.71.5]) by stargate.zergo.com.au (8.9.1/8.8.7) with ESMTP id OAA00607; Thu, 13 Jul 2000 14:53:07 +1000 Received: by sydneymail1.jp.zergo.com.au with Internet Mail Service (5.5.2650.21) id <35GGB22B>; Thu, 13 Jul 2000 14:46:10 +1000 Message-ID: <D44EACB40164D311BEF00090274EDCCA88340D@sydneymail1.jp.zergo.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com> To: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au>, "'Simon McMahon'" <simon@onthenet.com.au>, Michael Zolotarev <mzolotarev@baltimore.com>, Tony Bartoletti <azb@llnl.gov>, "P.J. Ponder" <ponder@freenet.tlh.fl.us> Cc: Paul Koning <pkoning@xedia.com>, ietf-pkix@imc.org, denis.bider@denisbider.com Subject: RE: Current signature formats insufficient Date: Thu, 13 Jul 2000 14:45:09 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Adrian, God, do you guys ever come to understand Russian sense of humor? I was just trying to show that introducing a special key usage bit is not going to solve the problem. Which is, of course, to indicate whether a signer agrees or not with the content of the message. I was saying that you can do it only by having a statement (AGREE or DO NOT AGREE) INSIDE the content, and signing that content with your key. Exactly as you do it on the paper: "Solemnly agree:_______". Following the 'key usage bit' approach you'd have to have two different keys - one for 'agree with the content', and another for 'do not agree with content'. My 'agree with doubts' list was an [unsuccessful] attempt to demonstrate what kind of absurd you can get into with using the key usage flags. Best regards Michael PS Are you in Sydney, BTW? > -----Original Message----- > From: Adrian McCullagh [mailto:AMcCullagh@exchange.gadens.com.au] > Sent: Thursday, July 13, 2000 2:29 PM > To: 'Simon McMahon'; Michael Zolotarev; Tony Bartoletti; P.J. Ponder > Cc: Paul Koning; ietf-pkix@imc.org; denis.bider@denisbider.com > Subject: RE: Current signature formats insufficient > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Michael & Simon; > > I do not agree with your position. > > You either agree or you do not agree. The positions are mutually > exclusive. The issue of qualification if put forward only complicates > the situation. If you want to qualify then you must in my opinion > fall within the "do not agree" position. > > Why complicate the situation with: > > > 1. Strongly agree > > 2. Agree > > 3. Agree with reservations > > 4. Agree with a certain doubt > > What is the difference between agree and strongly agree. It does not > add anything by qualifying the agreed position. A certainly doubt > that a Court would take notice of varying positions of agreement. You > either agree or do not agree. > > > > - -----Original Message----- > From: Simon McMahon [mailto:simon@onthenet.com.au] > Sent: Thursday, July 13, 2000 2:09 PM > To: Michael Zolotarev; Tony Bartoletti; P.J. Ponder > Cc: Paul Koning; ietf-pkix@imc.org; denis.bider@denisbider.com > Subject: Re: Current signature formats insufficient > > > Michael wrote : > > Using a special key usage bit to specify your agreement is not very > > practical. Why? You'd have to define the following set: > > > > 1. Strongly agree > > 2. Agree > > 3. Agree with reservations > > 4. Agree with a certain doubt > > > > Thats right - the content contains all the details about what and how > much > committment is being made. The signature format is irrelevant accept > that it > has to be validatable. > > Simon. > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Personal Edition 6.0.2 > > iQA/AwUBOWy4RZWt1NGjt4vzEQL3iQCg6potAez5JhLSDtdGF26UaeG2ziUAoOmy > sdwXFWc2hVsvm4P00KfXJz21 > =H1pM > -----END PGP SIGNATURE----- > Received: from hamster.gadens.com.au (root@dns.gadens.com.au [203.32.220.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA27395 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 21:59:23 -0700 (PDT) Received: from exchange.gadens.com.au ([10.1.8.3]) by hamster.gadens.com.au (8.9.3/8.9.3) with ESMTP id PAA82770; Thu, 13 Jul 2000 15:00:07 +1000 (EST) (envelope-from AMcCullagh@exchange.gadens.com.au) Received: by exchange.gadens.com.au with Internet Mail Service (5.5.2650.21) id <3YWS61XM>; Thu, 13 Jul 2000 15:03:31 +1000 Message-ID: <C7006C79F23FD411AFCC00E018C353B40258F1@exchange.gadens.com.au> From: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> To: "'Simon McMahon'" <simon@onthenet.com.au>, "'Tony Bartoletti'" <azb@llnl.gov>, "'Ben Laurie'" <ben@algroup.co.uk>, Frank Balluffi <frankb@valicert.com> Cc: denis.bider@denisbider.com, ietf-pkix@imc.org Subject: RE: Current signature formats insufficient Date: Thu, 13 Jul 2000 15:03:29 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Simon, I agree that there is a cost involved but the cost of not taking this approach will in my opinion be greater to society in the long run. There will be an increase in identity fraud cases, an increase in the cost of collecting admissible evidence, and the increase of other crimes such as unauthorised access that could otherwise be reduced (as opposed to eliminated). If you would like I have 2 academic papers that deal with the issues raised here from a legal perspective. Both papers have been published by universities but I am not sure whether they are on the internet. The first paper is entitled "Electronic signatures : Understand the past to develop the future" The second paper is entitled "Non-repudiation in the Electronic Commerce Environment" The first paper provides an argument that the concept of witnessing is inappropriate for the electronic commerce environment. A new position legally should be the concept of verifying. At law a witness must have an uninterrupted view of the signer actually affixing the mark that will bind the signer to the contents of the document. Now a witness can not actually see such an affixation in the digital environment. All a witness can do is see the person pressing some keys. The program could be doing anything. So in my scenario the verifier will first verify that there does exist, attached to the document, a digital signature that has been affixed using the alleged signers private key. Once verified the verifier will affix their digital signature that will clearly note the second signer as a verifier and not as the person who is to be bound by the contents of the document. My paper expands this concept somewhat. I am completing a paper the analyses trusted systems and digital signature regimes and establishes that most jurisdictions have ignored the trusted mechanism that was established for some 600 years in the paper based environment and have misdirected there attention upon the verification process. Adrian McCullagh Director of Electronic Commerce Gadens Lawyers Tel: 617 3231 1522 Fax: 617 3229 5850 level 39 Central Plaza 1 345 Queen Street Brisbane Australia 4000 -----Original Message----- From: Simon McMahon [mailto:simon@onthenet.com.au] Sent: Thursday, July 13, 2000 2:41 PM To: Adrian McCullagh; 'Tony Bartoletti'; 'Ben Laurie'; Frank Balluffi Cc: denis.bider@denisbider.com; ietf-pkix@imc.org Subject: Re: Current signature formats insufficient Adrian wrote : [snip] > The issue that I am raising in legal terms is called "Non Est Factum" - "not > my act". [snip] A great argument for certified signing devices but they cost a lot to create, or at least now they do because volumes aren't high enough. There will still be demand for low cost signing devices (hackable PCs with uncertified software and SCs). I dont see what this has to do with signature formats however, although I agree its an interesting and important issue. Surely in the case you cited the Alememdios' signatures would have been witnessed by representatives of the bank and they should have made sure the Alemedios understood what they signed by supplying their own translator. I guess thats why the Alemedios won. My point is that witnessing is the right way to boost non-repudiation (that failed in this case) to a level where big dollars are involved. Non witnessed signatures, standard or digital, must therefore be more vulnerable to repudiation claims. A digital witness would need to assure that the witnessed signature was made with a trustworthy signing device and that the signer understood what was being signed. I can concieve of a trustworthy signing device, not at home but at a bank branch or kiosk, that accepts a smart card with my private key on it. Authenticates me and makes me say 'Y' to "do you understand and wish to sign what you have read above ?" (wherever "above" happens to be) and then applies my signature. It then counter signs my signature with its private key which the RP can recognise as that of a trusted device. The RP may not know for sure that I actually understood what I was supposed to have read, only a human witness, in my opinion could do that, but the RP has high assurance that the signature is not the result of a hacked PC with an SC reader. Simon McMahon Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA26984 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 21:38:57 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id OAA57051; Thu, 13 Jul 2000 14:38:31 +1000 (EST) Message-ID: <014401bfec85$6e637300$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Adrian McCullagh" <AMcCullagh@exchange.gadens.com.au>, "Michael Zolotarev" <mzolotarev@baltimore.com>, "Tony Bartoletti" <azb@llnl.gov>, "P.J. Ponder" <ponder@freenet.tlh.fl.us> Cc: "Paul Koning" <pkoning@xedia.com>, <ietf-pkix@imc.org>, <denis.bider@denisbider.com> References: <C7006C79F23FD411AFCC00E018C353B40258F0@exchange.gadens.com.au> Subject: Re: Current signature formats insufficient Date: Thu, 13 Jul 2000 14:46:49 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 > You either agree or you do not agree. The positions are mutually > exclusive. The issue of qualification if put forward only complicates > the situation. If you want to qualify then you must in my opinion > fall within the "do not agree" position. > I think that is the idea - to weaken the level of comittment regarding the signed content to the point where I am not legally liable for it. So you are right that there should only be "agree" and "not-agree" - 1 bit. But that point should be made in the content or by using a non-NR key not in the signature encoding. Simon. Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA26686 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 21:33:44 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id OAA56060; Thu, 13 Jul 2000 14:32:59 +1000 (EST) Message-ID: <013a01bfec84$ae7ed890$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Adrian McCullagh" <AMcCullagh@exchange.gadens.com.au>, "'Tony Bartoletti'" <azb@llnl.gov>, "'Ben Laurie'" <ben@algroup.co.uk>, "Frank Balluffi" <frankb@valicert.com> Cc: <denis.bider@denisbider.com>, <ietf-pkix@imc.org> References: <C7006C79F23FD411AFCC00E018C353B40258EE@exchange.gadens.com.au> Subject: Re: Current signature formats insufficient Date: Thu, 13 Jul 2000 14:41:15 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Adrian wrote : [snip] > The issue that I am raising in legal terms is called "Non Est Factum" - "not > my act". [snip] A great argument for certified signing devices but they cost a lot to create, or at least now they do because volumes aren't high enough. There will still be demand for low cost signing devices (hackable PCs with uncertified software and SCs). I dont see what this has to do with signature formats however, although I agree its an interesting and important issue. Surely in the case you cited the Alememdios' signatures would have been witnessed by representatives of the bank and they should have made sure the Alemedios understood what they signed by supplying their own translator. I guess thats why the Alemedios won. My point is that witnessing is the right way to boost non-repudiation (that failed in this case) to a level where big dollars are involved. Non witnessed signatures, standard or digital, must therefore be more vulnerable to repudiation claims. A digital witness would need to assure that the witnessed signature was made with a trustworthy signing device and that the signer understood what was being signed. I can concieve of a trustworthy signing device, not at home but at a bank branch or kiosk, that accepts a smart card with my private key on it. Authenticates me and makes me say 'Y' to "do you understand and wish to sign what you have read above ?" (wherever "above" happens to be) and then applies my signature. It then counter signs my signature with its private key which the RP can recognise as that of a trusted device. The RP may not know for sure that I actually understood what I was supposed to have read, only a human witness, in my opinion could do that, but the RP has high assurance that the signature is not the result of a hacked PC with an SC reader. Simon McMahon Received: from hamster.gadens.com.au (root@dns.gadens.com.au [203.32.220.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA26140 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 21:26:35 -0700 (PDT) Received: from exchange.gadens.com.au ([10.1.8.3]) by hamster.gadens.com.au (8.9.3/8.9.3) with ESMTP id OAA81186; Thu, 13 Jul 2000 14:25:50 +1000 (EST) (envelope-from AMcCullagh@exchange.gadens.com.au) Received: by exchange.gadens.com.au with Internet Mail Service (5.5.2650.21) id <3YWS61S7>; Thu, 13 Jul 2000 14:29:13 +1000 Message-ID: <C7006C79F23FD411AFCC00E018C353B40258F0@exchange.gadens.com.au> From: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> To: "'Simon McMahon'" <simon@onthenet.com.au>, Michael Zolotarev <mzolotarev@baltimore.com>, Tony Bartoletti <azb@llnl.gov>, "P.J. Ponder" <ponder@freenet.tlh.fl.us> Cc: Paul Koning <pkoning@xedia.com>, ietf-pkix@imc.org, denis.bider@denisbider.com Subject: RE: Current signature formats insufficient Date: Thu, 13 Jul 2000 14:29:12 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael & Simon; I do not agree with your position. You either agree or you do not agree. The positions are mutually exclusive. The issue of qualification if put forward only complicates the situation. If you want to qualify then you must in my opinion fall within the "do not agree" position. Why complicate the situation with: > 1. Strongly agree > 2. Agree > 3. Agree with reservations > 4. Agree with a certain doubt What is the difference between agree and strongly agree. It does not add anything by qualifying the agreed position. A certainly doubt that a Court would take notice of varying positions of agreement. You either agree or do not agree. - -----Original Message----- From: Simon McMahon [mailto:simon@onthenet.com.au] Sent: Thursday, July 13, 2000 2:09 PM To: Michael Zolotarev; Tony Bartoletti; P.J. Ponder Cc: Paul Koning; ietf-pkix@imc.org; denis.bider@denisbider.com Subject: Re: Current signature formats insufficient Michael wrote : > Using a special key usage bit to specify your agreement is not very > practical. Why? You'd have to define the following set: > > 1. Strongly agree > 2. Agree > 3. Agree with reservations > 4. Agree with a certain doubt > Thats right - the content contains all the details about what and how much committment is being made. The signature format is irrelevant accept that it has to be validatable. Simon. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Edition 6.0.2 iQA/AwUBOWy4RZWt1NGjt4vzEQL3iQCg6potAez5JhLSDtdGF26UaeG2ziUAoOmy sdwXFWc2hVsvm4P00KfXJz21 =H1pM -----END PGP SIGNATURE----- Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA24956 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 21:00:02 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id OAA50347; Thu, 13 Jul 2000 14:00:53 +1000 (EST) Message-ID: <012001bfec80$2bf94a30$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Michael Zolotarev" <mzolotarev@baltimore.com>, "Tony Bartoletti" <azb@llnl.gov>, "P.J. Ponder" <ponder@freenet.tlh.fl.us> Cc: "Paul Koning" <pkoning@xedia.com>, <ietf-pkix@imc.org>, <denis.bider@denisbider.com> References: <D44EACB40164D311BEF00090274EDCCA883396@sydneymail1.jp.zergo.com.au> Subject: Re: Current signature formats insufficient Date: Thu, 13 Jul 2000 14:09:11 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Michael wrote : > Using a special key usage bit to specify your agreement is not very > practical. Why? You'd have to define the following set: > > 1. Strongly agree > 2. Agree > 3. Agree with reservations > 4. Agree with a certain doubt > Thats right - the content contains all the details about what and how much committment is being made. The signature format is irrelevant accept that it has to be validatable. Simon. Received: from stargate.zergo.com.au (IDENT:root@stargate.zergo.com.au [203.2.208.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA24285 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 20:53:25 -0700 (PDT) Received: from sydneymail1.baltimore.com.au (sydneymail1.jp.zergo.com.au [192.168.71.5]) by stargate.zergo.com.au (8.9.1/8.8.7) with ESMTP id OAA00313; Thu, 13 Jul 2000 14:01:13 +1000 Received: by sydneymail1.jp.zergo.com.au with Internet Mail Service (5.5.2650.21) id <3Z6RSJ4Q>; Thu, 13 Jul 2000 13:53:26 +1000 Message-ID: <D44EACB40164D311BEF00090274EDCCA8833AD@sydneymail1.jp.zergo.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com> To: Simon McMahon <simon@onthenet.com.au> Cc: ietf-pkix@imc.org Subject: RE: Current signature formats insufficient Date: Thu, 13 Jul 2000 13:53:25 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" > > So, what are we left with? Do I hear "Can we make a signature to > communicate > > extra attributes"? > > > > Yes, we can. > > But should we ? I think signatures are fine the way they are. > That's what I meant by saying 'we can'. I should've made myself clearer. Received: from stargate.zergo.com.au (IDENT:root@stargate.zergo.com.au [203.2.208.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA22467 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 20:33:39 -0700 (PDT) Received: from sydneymail1.baltimore.com.au (sydneymail1.jp.zergo.com.au [192.168.71.5]) by stargate.zergo.com.au (8.9.1/8.8.7) with ESMTP id NAA06045; Thu, 13 Jul 2000 13:40:37 +1000 Received: by sydneymail1.jp.zergo.com.au with Internet Mail Service (5.5.2650.21) id <3Z6RSJ4C>; Thu, 13 Jul 2000 13:33:45 +1000 Message-ID: <D44EACB40164D311BEF00090274EDCCA883396@sydneymail1.jp.zergo.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com> To: Tony Bartoletti <azb@llnl.gov>, "P.J. Ponder" <ponder@freenet.tlh.fl.us>, Michael Zolotarev <mzolotarev@baltimore.com> Cc: Paul Koning <pkoning@xedia.com>, simon@onthenet.com.au, ietf-pkix@imc.org, denis.bider@denisbider.com Subject: RE: Current signature formats insufficient Date: Thu, 13 Jul 2000 13:33:45 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Tony, A signature on the message serves two purposes: A. to ensure the origin and integrity of the message - that the message came from me, and it was not modified en-route. B. to indicate that a signer was AWARE (!) of the content of the message. The critical point is that my AWARENESS(!) of the content does NOT imply that I agree or disagree with the message. This is a common mistake people do. If I wanted to stress out that I agree with what the message says, I'd need to do the following: Put a claim into the message, like "I, Michael Zolotarev, strongly agree with that statement". That'd be enough, provided that the origin and integrity of the message is ensured by MY signature. Using a special key usage bit to specify your agreement is not very practical. Why? You'd have to define the following set: 1. Strongly agree 2. Agree 3. Agree with reservations 4. Agree with a certain doubt And so on. It is less a joke that you might think, really. regards M Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA16547 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 19:16:06 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id MAA31221; Thu, 13 Jul 2000 12:17:48 +1000 (EST) Message-ID: <00df01bfec71$c566a000$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Michael Zolotarev" <mzolotarev@baltimore.com> Cc: <ietf-pkix@imc.org> References: <D44EACB40164D311BEF00090274EDCCA8832CF@sydneymail1.jp.zergo.com.au> Subject: Re: Current signature formats insufficient Date: Thu, 13 Jul 2000 12:23:58 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Tom wrote : > Actually, the assurance indicator is put on by the smart card under > conditions which the home PC cannot hack. The more severe limitation would > naturally be on NR signatures without the indicator. > But the RP could only rely on the assurance indicator if the CA says so which implies (to me) that the CA checked that signing equipment is reliable. Only a CA can tell a RP what to trust and it does this with a certificate. P.S. Sorry but my last post didn't go to the list but Tom quoted it in his reply. Michael wrote : > << Simon, in case you need somebody to say something nice to you :) - I'm > fully agree with you. If you read my previous mail, you'll see that our > opinions are identical.>> Gee thanks ;) > [snip] > So, what are we left with? Do I hear "Can we make a signature to communicate > extra attributes"? > > Yes, we can. But should we ? I think signatures are fine the way they are. You know, this sounds alot like the TSA signing key debate where the TSA private key was being overloaded to sign time stamps and self-signed certs. Its all about to overload keys or not to overload them. I guess this might make a nice precedent. IMO to allow a key intended for NR signatures to make non-NR signatures creates an ambiguity that undermines the NR-ness of the NR signatures. Thats bad ! Use a differnent key for your non-NR signatures. Non repudiation is critical to PKI and too easy to break, or at least undermine to the point where its too hard to enforce legally. Simon. Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA16529 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 19:16:02 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id MAA31215; Thu, 13 Jul 2000 12:17:48 +1000 (EST) Message-ID: <00de01bfec71$c4eae050$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: "Paul Koning" <pkoning@xedia.com> Cc: <ietf-pkix@imc.org> References: <000901bfeb64$38642f50$0201010a@intergalactic><013901bfeba8$419218f0$8802a8c0@eracom.com.au> <14700.33504.767573.577814@xedia.com> Subject: Re: Current signature formats insufficient Date: Thu, 13 Jul 2000 12:23:05 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Paul wrote : > > With classic signatures, the norm is that you see what you sign. (One > exception is the standard story about the overworked executive who's > handed a stack of 50 memos to sign, with little yellow tabs marking > "here's the spot" and someone slips in a ringer. Don't know how > common that is outside novels.) > Thats right but people make classic signatures with less care when they take into account their environment. If you are in a reputable establishment, or your workplace, where accountablility for fraud is higher you are more likely to forego the formality of reading every word of what you are signing. The risk is their but people (reasonably) tend to limit their effort with respect to their perception of that risk. > With digital signatures, the norm is that you have no idea. As Denis > mentioned, current smartcards have no way of showing you what you're > signing. If you use an application that signs things (like a mailer) > the binding is a little better. There you still have to trust that > the text you entered is in fact what's being signed -- in other words, > that the program is trustworthy, correct, and unsubverted by trojan > horses. One good reason for using PGP, because you can check this, > unlike closed source mailers. > The smart card is not "the signing device" the PC with all its software is. It is, fortunately, able to show you everything before it uses your card to sign what you saw. It is also, unfortunately, hackable if exposed to a hostile environment. Most PCs hanging off the Internet or using uncertified software fall into this category. The fix is to make more secure (more expensive) signing devices or reduce the liability resulting from a hack on a less secure (cheaper) one. I dont see how any of this is an argument to change signature formats. Its an argument to use NR keys in more secure devices and non-NR keys in PCs. I still think there is a case for limited liability NR keys in hackable (cheap) PCs because thats what people will want to do. Buy and sell stuff (not their house) over the Internet from their home PC. Simon. Received: from hamster.gadens.com.au (root@dns.gadens.com.au [203.32.220.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA15653 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 19:01:53 -0700 (PDT) Received: from exchange.gadens.com.au ([10.1.8.3]) by hamster.gadens.com.au (8.9.3/8.9.3) with ESMTP id MAA74707; Thu, 13 Jul 2000 12:02:37 +1000 (EST) (envelope-from AMcCullagh@exchange.gadens.com.au) Received: by exchange.gadens.com.au with Internet Mail Service (5.5.2650.21) id <3YWS6112>; Thu, 13 Jul 2000 12:06:00 +1000 Message-ID: <C7006C79F23FD411AFCC00E018C353B40258EE@exchange.gadens.com.au> From: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> To: "'Tony Bartoletti'" <azb@llnl.gov>, "'Ben Laurie'" <ben@algroup.co.uk>, Frank Balluffi <frankb@valicert.com> Cc: "'denis.bider@denisbider.com'" <denis.bider@denisbider.com>, ietf-pkix@imc.org Subject: RE: Current signature formats insufficient Date: Thu, 13 Jul 2000 12:05:59 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Tony I apologise to everyone for the length of this response. The objective test that I mentioned is in fact the position of a reasonable person. That is what is reasonable in the circumstances. Only the facts in the case will determine this. The real problem as I see it is that a person who has been attributed as having digitally signing a digital document could claim that the digital signature is theirs and was affixed by them but it was not their act. This is different to a forgery case as in such cases the digital signature may have been generated by a key that corresponds to their private key but was generated through the act of a third party. That is, the third party has acquired through some means a copy of the private key of the alleged signer. Hence a forged digital signature. The issue that I am raising in legal terms is called "Non Est Factum" - "not my act". The legal case books have numerous examples of cases involving the issue of Non est Factum. The best way to describe it is by drawing upon a real case that occurred in Australia. I understand that the law in this case corresponds to US, Canadian and UK legal principles. The Facts: ========== Mr & Mrs Almedio were 2 elderly Italians that lived in Sydney. Their son was a business man whose business was having difficulties and as such his Bank was pressing for more collateral security. The son who grew up in Australia was fluent in Italian and in English. His parent could only speak a little English and could not read English at all. (You wonder how they survived for over 20 years in a predominately English speaking country). Now the son was asked by the Bank to get his parents to guaranty an extension to his current loan facility. The son went to his parents and presented to them the guaranty document. The guaranty was to cover the full amount of the loan and not just the extension. His parents could not read the document and were advised by the son that the document was to secure the extension of $50,000. The full extent of the loan facility was in excess of $500,000. In effect the parents were signing a document without understanding what they were signing and had no way of understanding as they could not read the document. They were relying on and trusting their son as regards to the contents of the document. Obviously, the son's business went into liquidation and the Bank tried to rely on the guaranty that had been signed by the parents. There was no dispute as to the authenticity of the signatures. The parents relied on the lack of intention to sign the document as regards to it true effect. In effect, they argued successfully that it was not their act. They lacked the necessary intention. Now the evidence to support such a case is extensive. It is not an easy case to prove. End Case ======== By analogy, this is what could happen when signing a digital document. The actual signing mechanism is a black box and hopefully what is actually being signed in memory corresponds with the human readable display on the screen. Now the next issue is what evidence will the signer need to successfully support a claim of non est factum. I have not analysed this thoroughly but it is an issue that needs to be addressed. The answer may be in the security classification of software where there may exist a trusted path between the memory where the document resides and the display screen and the key board. This is highly unlikely to occur as it would, I think, require a re-engineering of the current versions of the popular commercial Operating Systems. Without a trusted path the signer will not be in a position to adequately know what is being signed. I think what needs to be done is for the digital signing of document be mapped out so that the necessary evidential issues are addressed. This will permit a court to have confidence in the technology and thus be in a better position when it comes to a dispute. Also the current digital signature legislation apart from Germany totally ignores the trust required in the signing mechanism. In Germany the signing component must be classified to at least ITSEC E4 (Common Criteria EAL 4) but ITSEC as has been identified previously on this list does not address the crypto module. So Fips 140-1 should be used. The UTAH Dig Sig Act deals with trustworthy systems at the CA level. Now the CA has nothing to do with the signing of documents. The CA at best will store public keys that are used for the verification of signatures not the affixing of signatures. Really a post event analysis. A further complication is that in many cases the onus of proof concerning the authenticity of the digital signature will reside with the relying party. But that is another issue. Adrian McCullagh Director of Electronic Commerce Tel: 617 3231 1522 Gadens Lawyers Fax: 617 3229 5850 level 39 Central Plaza 1 345 Queen Street Brisbane Australia 4000 Ph. D. Candidate Thesis "The Incorporation of Trust Strategies in Digital Signature Regimes for Elec. Comm." Information Security Research Centre Queensland University of Technology ---intentionally deleted material--- There are limits to the courts reliance on a purely objective view. The courts tend to consider what must also be "reasonable." If I were a pizza delivery person, and I'd crafted an ordinary-looking receipt, whose fine print on the back reads "I hereby transfer title to my house ...", I doubt that your signature on that receipt will enable me to take your house from you. Most of the "real" legal questions with digital signatures and our new "cyber" environment will pivot upon the evolving problem of deciding what are "reasonable expectations", given the technology and other, less objective considerations. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA15027 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 18:54:27 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id SAA26011; Wed, 12 Jul 2000 18:54:24 -0700 (PDT) Message-Id: <4.2.2.20000712184349.00ad3700@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 12 Jul 2000 19:01:40 -0700 To: "P.J. Ponder" <ponder@freenet.tlh.fl.us>, Michael Zolotarev <mzolotarev@baltimore.com> From: Tony Bartoletti <azb@llnl.gov> Subject: RE: Current signature formats insufficient Cc: Paul Koning <pkoning@xedia.com>, simon@onthenet.com.au, ietf-pkix@imc.org, denis.bider@denisbider.com In-Reply-To: <Pine.OSF.4.21.0007122138500.25388-100000@fn3.freenet.tlh.f l.us> References: <D44EACB40164D311BEF00090274EDCCA8832CF@sydneymail1.jp.zergo.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 09:48 PM 7/12/00 -0400, P.J. Ponder wrote: >The idea of a non-binding signature seems implausible to me - why sign, >except to attest to something? If you don't want to be bound, just don't >sign. When communicating over a channel, there may be cases where your "signature" key is employed in serving to tamperproof, or authenticate the data transmitted. Although, strictly speaking, you are "attesting" that "you indeed sent that piece of data (authentication)" or at very least attesting "my key came into contact with that data", you may well want it understood that you may not agree with what the content might imply, when interpreted semantically. You might write me, saying "What was that statement you disagreed with so strongly", and so I send it to you, signed so that you know I was the one who sent it. Can you turn around and now claim I agree with that statement? How does one convey the "level of attestation" intended by a signature? It would be one matter if signatures were restricted to whole-documents formed of complete sentences. One could qualify a submission with "I don't agree with this part". But in protocols, signatures are often formed over oddly-constructed pieces of data that (some fear) might easily be taken out of context. The "key-usage" bits are/were intended to help manage this situation. (Or so I thought.) ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from fn3.freenet.tlh.fl.us (fn3.tfn.net [150.176.31.250]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA11238 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 18:23:12 -0700 (PDT) Received: from localhost (ponder@localhost) by fn3.freenet.tlh.fl.us (8.8.8/8.6.9) with ESMTP id VAA31034; Wed, 12 Jul 2000 21:48:13 -0400 (EDT) Date: Wed, 12 Jul 2000 21:48:13 -0400 (EDT) From: "P.J. Ponder" <ponder@freenet.tlh.fl.us> To: Michael Zolotarev <mzolotarev@baltimore.com> cc: Paul Koning <pkoning@xedia.com>, simon@onthenet.com.au, ietf-pkix@imc.org, denis.bider@denisbider.com Subject: RE: Current signature formats insufficient In-Reply-To: <D44EACB40164D311BEF00090274EDCCA8832CF@sydneymail1.jp.zergo.com.au> Message-ID: <Pine.OSF.4.21.0007122138500.25388-100000@fn3.freenet.tlh.fl.us> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII On Thu, 13 Jul 2000, Michael Zolotarev wrote: < . . . . > > Issue 4: > Existing legal framework, and its ability to accept a notion of > 'non-binding' signature. < . . . . > > Issue 4. > It is more a legal problem, then PKIX. And I'd better shut up on this one. > Hey, any lawyers out there? Tell us what you think, and please restrain > yourself from using harsh language. If you don't want to be bound, don't sign. If you can't see what you're signing, you're a fool to sign it. I've eaten many a pizza delivered to the door, and never signed for one. Signing for a package acknowledges that you have received the package, not that the contents are what you ordered, or the right size or color or pin configuration - just that the delivery person gave it to you and you received it - sort of like a 'chain of custody' thing. And that is binding - you have attested to the fact that you received the package. The idea of a non-binding signature seems implausible to me - why sign, except to attest to something? If you don't want to be bound, just don't sign. Received: from stargate.zergo.com.au (IDENT:root@stargate.zergo.com.au [203.2.208.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA07352 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 17:48:32 -0700 (PDT) Received: from sydneymail1.baltimore.com.au (sydneymail1.jp.zergo.com.au [192.168.71.5]) by stargate.zergo.com.au (8.9.1/8.8.7) with ESMTP id KAA04190; Thu, 13 Jul 2000 10:56:11 +1000 Received: by sydneymail1.jp.zergo.com.au with Internet Mail Service (5.5.2650.21) id <3YQ0JPT2>; Thu, 13 Jul 2000 10:49:10 +1000 Message-ID: <D44EACB40164D311BEF00090274EDCCA8832CF@sydneymail1.jp.zergo.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com> To: Paul Koning <pkoning@xedia.com>, simon@onthenet.com.au Cc: ietf-pkix@imc.org, denis.bider@denisbider.com Subject: RE: Current signature formats insufficient Date: Thu, 13 Jul 2000 10:49:08 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" << Simon, in case you need somebody to say something nice to you :) - I'm fully agree with you. If you read my previous mail, you'll see that our opinions are identical.>> Now, back to the subject: The discussion is trying to address a lot of different issues at the same time, and it's becoming a mess. Let me filter it out a bit. Issue 1: Existing 'typical' signing environment (i.e. OS, communication h/w, etc) and its vulnerability in case of a hacker attack. Issue 2: A concern that a user does not always see what he/she signs. Issue 3: Potential use of biometrics to make signing more convenient and secure for the end user. Issue 4: Existing legal framework, and its ability to accept a notion of 'non-binding' signature. Issue 5: Existing signature-associated structure and protocols, with regards to the ability to express different attributes of signing environment. Now, if you look at it calmly, you'll see that: Issue 1 has got nothing to do with PKIX. We can talk about how easy it is to hack WinNT, and for how much - but why on this list? Issue 2 Has nothing to do with PKIX. The user does not always see what he signs? - fine, come up with a device that shows (do not forget to implement 'do not show' tick box, ticked by default). Issue 3 has very little to do with PKIX. It is of common interest, I believe, but it is rather technological, then anything else. We had a discussion about biometrics already, in lengths, in the qualified certs thread. Issue 4. It is more a legal problem, then PKIX. And I'd better shut up on this one. Hey, any lawyers out there? Tell us what you think, and please restrain yourself from using harsh language. Issue 5. The formats of the signature, algorithms, and protocols must be considered with NO RELATIONS at all to the environment. We MUST abstract aspects of signing from the details of platforms, UI and whatever else. We should assume that the environment is solid, and that the only thing that we have to protect is the signature itself. So, what are we left with? Do I hear "Can we make a signature to communicate extra attributes"? Yes, we can. M > -----Original Message----- > From: Paul Koning [mailto:pkoning@xedia.com] > Sent: Thursday, July 13, 2000 12:38 AM > To: simon@onthenet.com.au > Cc: ietf-pkix@imc.org; denis.bider@denisbider.com > Subject: Re: Current signature formats insufficient > > > >>>>> "Simon" == Simon McMahon <simon@onthenet.com.au> writes: > > Simon> Hi all, My 2c worth. > > Simon> You should look to the analog-signature as an analogy. It's > Simon> the content of what you sign that includes the terms and > Simon> therefore the extent to which the signer is bound. Carelessly > Simon> given signatures should be legally binding, otherwise > Simon> ignorance will be used as a defense for repudiation, and only > Simon> fraudulently or forcefully obtained signatues should be able > Simon> to be sucessfully repudiated by recourse to the law and > Simon> courts. > > I think that's a fine analogy, and it also serves to illustrate the > issue that Denis is concerned about. > > With classic signatures, the norm is that you see what you sign. (One > exception is the standard story about the overworked executive who's > handed a stack of 50 memos to sign, with little yellow tabs marking > "here's the spot" and someone slips in a ringer. Don't know how > common that is outside novels.) > > With digital signatures, the norm is that you have no idea. As Denis > mentioned, current smartcards have no way of showing you what you're > signing. If you use an application that signs things (like a mailer) > the binding is a little better. There you still have to trust that > the text you entered is in fact what's being signed -- in other words, > that the program is trustworthy, correct, and unsubverted by trojan > horses. One good reason for using PGP, because you can check this, > unlike closed source mailers. > > The new (USA) digital signature law scares me, because it makes no > sense so long as digital signature mechanisms continue to provide no > meaningful way for the user to know what is being signed. > > paul > Received: from e2.ny.us.ibm.com (e2.ny.us.ibm.com [32.97.182.102]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA05307 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 15:25:50 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e2.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id SAA79246; Wed, 12 Jul 2000 18:27:20 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id SAA16394; Wed, 12 Jul 2000 18:27:16 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 8525691A.007B581D ; Wed, 12 Jul 2000 18:27:14 -0400 X-Lotus-FromDomain: IBMUS To: Aram Perez <aram@pacbell.net> cc: PKIX <ietf-pkix@imc.org> Message-ID: <8525691A.007B55D9.00@D51MTA04.pok.ibm.com> Date: Wed, 12 Jul 2000 18:27:07 -0400 Subject: Re: Signing what you don't understand: a practical example Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Responses below. Do we need a standard abbreviation similar to AFAIK for wording which contains an escape clause (like one of my answers below), and if so, what should it be? Tom Gindin Aram Perez <aram@pacbell.net> on 07/12/2000 12:28:44 PM To: PKIX <ietf-pkix@imc.org> cc: Subject: Re: Signing what you don't understand: a practical example Hi Tom, > [Tom Gindin] The same problem exists with current smart cards, but some > people are putting indicators that a key is on a smart card into their > certificates already. Either the CA generates the key on and delivers the > smart card, or the user shows up with card in hand. Hopefully, a BCSC > would not allow signature key backup. When you say "some people are putting indicators that a key is on a smart card into their certificates already", does the CA check that fact? Who's liable if the indicator is positive when in fact I have no smart card? If the CA generates the key, how do I know the CA doesn't keep a copy? [Tom Gindin] 1) The CA is certainly supposed to check that a key is on a smart card before including a CertificatePolicy or ExtendedKeyUsage which implies that the key is on one; 2) The CA is approximately as liable (warning: weasel wording ahead!) for certifying this fact properly as for certifying the contents of SubjectAltName properly; 3) As far as key generation goes, this is just a higher value smart card - if the CA can be trusted for generation today he can probably be trusted for it on these. Regards, Aram Perez Received: from slack.lne.com (gw.lne.com [209.157.136.81]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA03203 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 13:17:26 -0700 (PDT) Received: (from ericm@localhost) by slack.lne.com (8.9.3/8.9.3) id NAA26748; Wed, 12 Jul 2000 13:19:03 -0700 Date: Wed, 12 Jul 2000 13:19:03 -0700 From: Eric Murray <ericm@lne.com> To: Jean-Marc Desperrier <jean-marc.desperrier@certplus.com> Cc: ietf-pkix@imc.org Subject: Re: Current signature formats insufficient Message-ID: <20000712131903.L23134@slack.lne.com> References: <000001bfeb13$d25fe870$0201010a@intergalactic> <396C9695.FA8478BA@itsec-debis.de> <396CAC51.AB17E261@certplus.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre3us In-Reply-To: <396CAC51.AB17E261@certplus.com> On Wed, Jul 12, 2000 at 07:35:13PM +0200, Jean-Marc Desperrier wrote: > Jan Holger Schmidt wrote: > > > Hopefully there will be soon secure/trustworthy devices, where you can use your > > 'binding' key with a lower risk of signing something you couldn't see. However, > > to build them for many document formats will be a challange. > > The best for now is to recommend to insert the smart card just before signing a > legally binding document, and remove it just after. > Which does not prove the document you sign is the one you read, but still lowers the > risks a lot. I'll agree that leaving a smartcard in the slot (and unlocked) wil soon be Really Dumb.. but only inserting it when it's needed doesn't add much to your security. PC/SC, the most common host-side smart-card-reader API, can wake up a process that's waiting for a smartcard insertion event. That process could be the one that's signing your document or it could be rogue code that's going to have your smartcard sign something bad, and/or start a keyboard sniffer that'll capture the smartcard PIN. So I don't think that it lowers the risk very much. -- Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5 Security consulting: security models, reviews, protocols, crypto. Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA01544 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 11:38:54 -0700 (PDT) Received: from ireserver.Ireland.Sun.COM ([129.156.220.7]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id LAA25686; Wed, 12 Jul 2000 11:40:49 -0700 (PDT) Received: from sun.com (boston [129.156.220.153]) by ireserver.Ireland.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.9) with ESMTP id TAA16963; Wed, 12 Jul 2000 19:40:47 +0100 (BST) Sender: Sean.Mullan@ireland.sun.com Message-ID: <396CBBAF.39D848B6@sun.com> Date: Wed, 12 Jul 2000 19:40:47 +0100 From: Sean Mullan <sean.mullan@sun.com> X-Mailer: Mozilla 4.51 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: d.w.chadwick@salford.ac.uk, ietf-pkix@imc.org, ietf-ldapext@netscape.com Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt References: <200007121032.GAA15215@ietf.org> <396CB983.81DC54B3@sun.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit One other comment - I have mentioned this previously when commenting on RFC 2587, but as of yet no changes have been made. Building certification paths in a 'reverse' direction (from trust anchor to EE) is a valid way to build certification paths. However, RFC 2587 (PKIX LDAPv2 schema) specifies that the storage of cross certificates in the reverse component of the crossCertificatePair is optional. It is not possible to efficiently build a certification path in a 'reverse' direction unless the certificates are populated in the reverse component of the crossCertificatePair attribute. Specifying that this feature is optional makes it difficult to build paths in a reverse direction in a trust model where lots of cross certificates and multiple directories are involved and you don't know if the CAs support the optional storage. I would like to suggest that RFC 2587 be amended/updated to make storage of cross certificates in the reverse component of the crossCertificatePair attribute mandatory. Thanks, Sean Sean Mullan wrote: > > Hi David, > > Some comments on the draft below. > > Internet-Drafts@ietf.org wrote: > > > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > > This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. > > > > Title : Internet X.509 Public Key Infrastructure Additional > > LDAP Schema for PKIs and PMIs > > Author(s) : D. Chadwick > > Filename : draft-ietf-pkix-ldap-schema-00.txt > > Pages : 11 > > Date : 11-Jul-00 > > Section 3.2 Certificate Match > > I think the X.509 certificate matching rules are missing some essential and > important fields in the certificateAssertion structure for filtering on > certificates. We may want to consider defining a superset. I submitted these > comments to the X.509 editors but apparently it was too late to integrate them > into the 2000 update. > > * you should be able to match on more than one pathToName and on non-X500 > name types. This is inconsistent with name constraints which allow you > to constrain to more than one name and different name types. > > * you should be able to match on more than the subject alt name type. You > should also be able to match on the subject alt name itself, and specify more than > one subject alt name as certificates can contain more than one. > > * you should be able to match on the subject public key as well as the subject public > key algorithm OID. > > * you should be able to match on the basic constraints extension, especially the > maxPathLen value. This is useful for finding potential certificates when > building certification paths from the target to the most-trusted CA. For ex, > if a partial path has been built, any candidate certificate must have a > maxPathLen value greater than or equal to the number of certificates in the > partial path. > > I think it is very important to include the Certificate pair matching rules, as > these are very useful when building certification paths and trying to discover > which of many cross certificates satisfy various validation constraints, and eliminating > those that do not. > > Other comments: > > * What RFC format are you using for the encoding of DNs - 1779? This should be referenced. > > Section 4.2 Certificate List Match > > There is an error in the CertificateListAssertion definition in X.509 2000. The > authorityKeyIdentifier component should be marked OPTIONAL. This probably doesn't > affect your definition, but I just wanted to make you aware of it. > > --Sean Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA01220 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 11:29:40 -0700 (PDT) Received: from ireserver.Ireland.Sun.COM ([129.156.220.7]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id LAA20798; Wed, 12 Jul 2000 11:31:33 -0700 (PDT) Received: from sun.com (boston [129.156.220.153]) by ireserver.Ireland.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v1.9) with ESMTP id TAA15831; Wed, 12 Jul 2000 19:31:31 +0100 (BST) Sender: Sean.Mullan@ireland.sun.com Message-ID: <396CB983.81DC54B3@sun.com> Date: Wed, 12 Jul 2000 19:31:31 +0100 From: Sean Mullan <sean.mullan@sun.com> X-Mailer: Mozilla 4.51 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: d.w.chadwick@salford.ac.uk CC: ietf-pkix@imc.org, ietf-ldapext@netscape.com Subject: Re: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt References: <200007121032.GAA15215@ietf.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi David, Some comments on the draft below. Internet-Drafts@ietf.org wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. > > Title : Internet X.509 Public Key Infrastructure Additional > LDAP Schema for PKIs and PMIs > Author(s) : D. Chadwick > Filename : draft-ietf-pkix-ldap-schema-00.txt > Pages : 11 > Date : 11-Jul-00 Section 3.2 Certificate Match I think the X.509 certificate matching rules are missing some essential and important fields in the certificateAssertion structure for filtering on certificates. We may want to consider defining a superset. I submitted these comments to the X.509 editors but apparently it was too late to integrate them into the 2000 update. * you should be able to match on more than one pathToName and on non-X500 name types. This is inconsistent with name constraints which allow you to constrain to more than one name and different name types. * you should be able to match on more than the subject alt name type. You should also be able to match on the subject alt name itself, and specify more than one subject alt name as certificates can contain more than one. * you should be able to match on the subject public key as well as the subject public key algorithm OID. * you should be able to match on the basic constraints extension, especially the maxPathLen value. This is useful for finding potential certificates when building certification paths from the target to the most-trusted CA. For ex, if a partial path has been built, any candidate certificate must have a maxPathLen value greater than or equal to the number of certificates in the partial path. I think it is very important to include the Certificate pair matching rules, as these are very useful when building certification paths and trying to discover which of many cross certificates satisfy various validation constraints, and eliminating those that do not. Other comments: * What RFC format are you using for the encoding of DNs - 1779? This should be referenced. Section 4.2 Certificate List Match There is an error in the CertificateListAssertion definition in X.509 2000. The authorityKeyIdentifier component should be marked OPTIONAL. This probably doesn't affect your definition, but I just wanted to make you aware of it. --Sean Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA00865 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 11:19:47 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id LAA11796; Wed, 12 Jul 2000 11:21:04 -0700 (PDT) Message-Id: <4.2.2.20000712112651.00ac7100@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 12 Jul 2000 11:28:21 -0700 To: Aram Perez <aram@pacbell.net>, ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: Re: Current signature formats insufficient In-Reply-To: <B59201C4.13C1%aram@pacbell.net> References: <396CAC51.AB17E261@certplus.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 11:06 AM 7/12/00 -0700, Aram Perez wrote: >Jean-Marc Desperrier wrote: > >[snip] > > > > And use a software key, with authentification only key usage, for ssl > > authenfication > > and the like. > >If by "authentication only key usage" you mean the DS bit, what happens when >a key has both the DS and NR bits set? Use the CA's CP/CPS for guidance? ;) ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA00524 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 11:07:35 -0700 (PDT) Received: from [192.168.1.57] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FXL002MXJM9XY@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Wed, 12 Jul 2000 11:06:10 -0700 (PDT) Date: Wed, 12 Jul 2000 11:06:45 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: Current signature formats insufficient In-reply-to: <396CAC51.AB17E261@certplus.com> To: ietf-pkix@imc.org Message-id: <B59201C4.13C1%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Jean-Marc Desperrier wrote: [snip] > > And use a software key, with authentification only key usage, for ssl > authenfication > and the like. If by "authentication only key usage" you mean the DS bit, what happens when a key has both the DS and NR bits set? Regards, Aram Perez Received: from poptop.llnl.gov (poptop.llnl.gov [128.115.41.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA00101 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 10:52:31 -0700 (PDT) Received: from catalyst (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id KAA17010; Wed, 12 Jul 2000 10:45:20 -0700 (PDT) Message-Id: <4.2.2.20000712104349.00b12910@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 12 Jul 2000 10:52:37 -0700 To: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au>, "'Ben Laurie'" <ben@algroup.co.uk>, Frank Balluffi <frankb@valicert.com> From: Tony Bartoletti <azb@llnl.gov> Subject: RE: Current signature formats insufficient Cc: "'denis.bider@denisbider.com'" <denis.bider@denisbider.com>, ietf-pkix@imc.org In-Reply-To: <C7006C79F23FD411AFCC00E018C353B40258E1@exchange.gadens.com .au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 06:16 AM 7/12/00 +1000, Adrian McCullagh wrote: >Ben; > >The law does not see it that way. In the UK if you sign a document as >a receipt and there are terms on the receipt then you are deemed to >have read the terms and agreed to be bound by them. (see the case of >L'Strange v. Graucob). The law will not take your subjective view >into account. The law will look upon the action from an objective >view. This is only a simplified version and yes there are exceptions >but the general rule is that if a man comes to your door with a >package and asks you to sign the acknowledgement of receipt you will >be bound by the terms on the back of the document. The same position >also applies in the USA and in Australia. There are limits to the courts reliance on a purely objective view. The courts tend to consider what must also be "reasonable." If I were a pizza delivery person, and I'd crafted an ordinary-looking receipt, whose fine print on the back reads "I hereby transfer title to my house ...", I doubt that your signature on that receipt will enable me to take your house from you. Most of the "real" legal questions with digital signatures and our new "cyber" environment will pivot upon the evolving problem of deciding what are "reasonable expectations", given the technology and other, less objective considerations. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from certplus.com ([195.101.88.81]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA29486 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 10:34:04 -0700 (PDT) Received: from certplus.com (nt4_jmd.certplus.com [192.168.1.17]) by certplus.com (8.8.7/8.8.7) with ESMTP id SAA32065 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 18:05:11 +0200 Message-ID: <396CAC51.AB17E261@certplus.com> Date: Wed, 12 Jul 2000 19:35:13 +0200 From: Jean-Marc Desperrier <jean-marc.desperrier@certplus.com> Organization: Certplus X-Mailer: Mozilla 4.72 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <000001bfeb13$d25fe870$0201010a@intergalactic> <396C9695.FA8478BA@itsec-debis.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Jan Holger Schmidt wrote: > Hopefully there will be soon secure/trustworthy devices, where you can use your > 'binding' key with a lower risk of signing something you couldn't see. However, > to build them for many document formats will be a challange. The best for now is to recommend to insert the smart card just before signing a legally binding document, and remove it just after. Which does not prove the document you sign is the one you read, but still lowers the risks a lot. And use a software key, with authentification only key usage, for ssl authenfication and the like. Received: from smtp.scotland.net (unixpark3.scotland.net [148.176.231.3]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA28305 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 09:42:15 -0700 (PDT) Received: from e1h3p178.scotland.net ([148.176.235.179] helo=jrwork) by smtp.scotland.net with smtp (Exim 3.13 #2) id 13CPc2-0004Gs-00; Wed, 12 Jul 2000 17:43:54 +0100 Message-ID: <004c01bfec20$0e8af6c0$0400000a@jrwork> From: "John Ross" <ross@secstan.com> To: <denis.bider@denisbider.com>, <tgindin@us.ibm.com> Cc: <ietf-pkix@imc.org> Subject: Re: Signing what you don't understand: a practical example Date: Wed, 12 Jul 2000 17:41:39 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Please have a look at the following internet draft: "Electronic Signature Formats for long term electronic signature" at http://www.ietf.org/html.charters/smime-charter.html I believe it proposes solutions to the problems being raised here. Regards John Ross -----Original Message----- From: "denis bider" <denis.bider@globera.com> To: <tgindin@us.ibm.com> Cc: <ietf-pkix@imc.org> Date: 12 July 2000 16:10 Subject: RE: Signing what you don't understand: a practical example >Hello Tom, > >I don't quite understand why such an indicator within a certificate would be >needed for this technique to have any real use. > >The current possible outcomes of a standard signature verification process >are: >- valid, and >- invalid. > >What I am proposing is, essentially, that the possible range of returns be >widened to at least: >- valid (== technically and semantically valid) >- valid but not binding (== technically valid, semantically invalid) >- invalid (== technically and semantically invalid) > >The security device I was mentioning was only intended to show a practical >situation where the widened range of possible returns, as outlined above, >WILL be needed sooner or later. Ie, it is just *a* usage scenario; it is not >an attempt to encompass all possible usage scenarios. > >Regards, > >denis > > >-----Original Message----- >From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com] >Sent: 12. julij 2000 03:11 >To: Aram Perez >Cc: ietf-pkix@imc.org >Subject: Re: Signing what you don't understand: a practical example > > > For Denis' technique to have any real use, there would also need to be >an indicator somewhere in the certificate that "the private key of this >pair is held in a Bider-compliant smart card". Doing that (and it could go >into any of several extensions, or a new one could be defined), is >considerably easier than changing the signature format. > For PKCS 1.5, of course, he could change that format just by defining >a hash function parameter value (if PKCS #1 would agree), or a new OID for >SHA-1 (SHA1OnBiderCard ??). Getting verifiers to understand either of >these might be interesting, though. > > Tom Gindin > >Aram Perez <aram@pacbell.net> on 07/11/2000 08:44:48 PM > >To: ietf-pkix@imc.org >cc: >Subject: Re: Signing what you don't understand: a practical example > > > >Hi Denis, > >[snip] >> 2. Encode the algorithm ID for the hash function and the hash value into >an >> ASN.1 value of type DigestInfo (see Section 11) with the Distinguished >> Encoding Rules (DER), where the type DigestInfo has the syntax >> >> DigestInfo ::= SEQUENCE { >> digestAlgorithm AlgorithmIdentifier, >> digest OCTET STRING, >> flags BIT STRING OPTIONAL >> } >> >> Meaning of 'flags' bits: >> first bit: content-not-understood >> subsequent bits: not defined at this time >> >> In case the value of the first bit of 'flags' is 0, the 'flags' field may >> be omitted for purposes of backward compatibility. However, this is not >> recommended. If omitted, the interpretation of the 'flags' field is >> application-dependent. >> >> The first field identifies the hash function and the second contains the >> hash value. Let T be the DER encoding. >> >> 3. If emLen is less than ||T|| + 10 then output "intended encoded message >> length too short". >> >> 4. Generate an octet string PS consisting of emLen-||T||-2 octets with >value >> FF (hexadecimal). The length of PS will be at least 8 octets. >> >> 5. Concatenate PS, the DER encoding T, and other padding to form the >encoded >> message EM as >> >> EM = 01 || PS || 00 || T >> >> 6. Output EM. > >[Warning: Long sentence ahead.] If you received a signed message from me, >formatted per your instructions and with the flags parameter, how would you >know that I was using the security device you have described, that the >message was displayed on that device and that I really understood what I >signed? I can easily create an identical message on my insecure PC with >today's smartcards or just with the right software. > >Regards, >Aram Perez > > > Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA27649 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 09:33:50 -0700 (PDT) Received: from [192.168.1.57] ([208.233.228.110]) by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FXL00K6XF317V@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Wed, 12 Jul 2000 09:28:14 -0700 (PDT) Date: Wed, 12 Jul 2000 09:28:44 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: Signing what you don't understand: a practical example In-reply-to: <8525691A.005897F9.00@D51MTA04.pok.ibm.com> To: PKIX <ietf-pkix@imc.org> Message-id: <B591EACB.13AF%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Tom, > [Tom Gindin] The same problem exists with current smart cards, but some > people are putting indicators that a key is on a smart card into their > certificates already. Either the CA generates the key on and delivers the > smart card, or the user shows up with card in hand. Hopefully, a BCSC > would not allow signature key backup. When you say "some people are putting indicators that a key is on a smart card into their certificates already", does the CA check that fact? Who's liable if the indicator is positive when in fact I have no smart card? If the CA generates the key, how do I know the CA doesn't keep a copy? Regards, Aram Perez Received: from e4.ny.us.ibm.com (e4.ny.us.ibm.com [32.97.182.104]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA24228 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 09:06:01 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e4.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id MAA101274; Wed, 12 Jul 2000 12:07:59 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id MAA138446; Wed, 12 Jul 2000 12:07:55 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 8525691A.00589A8B ; Wed, 12 Jul 2000 12:07:47 -0400 X-Lotus-FromDomain: IBMUS To: Aram Perez <aram@pacbell.net> cc: PKIX <ietf-pkix@imc.org> Message-ID: <8525691A.005897F9.00@D51MTA04.pok.ibm.com> Date: Wed, 12 Jul 2000 12:07:39 -0400 Subject: Re: Signing what you don't understand: a practical example Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Hi Aram: Response below. Tom Aram Perez <aram@pacbell.net> on 07/11/2000 09:35:54 PM To: PKIX <ietf-pkix@imc.org> cc: Subject: Re: Signing what you don't understand: a practical example Hi Tom, > For Denis' technique to have any real use, there would also need to be > an indicator somewhere in the certificate that "the private key of this > pair is held in a Bider-compliant smart card". Doing that (and it could go > into any of several extensions, or a new one could be defined), is > considerably easier than changing the signature format. But how does the CA know that I'm using a "Bider-compliant smart card" (BCSC)? Do I have to physically show up somewhere with my BCSC to prove that I have one? Since the BCSC isn't fully specified, I don't know if it allows me to keep a backup copy of my signature key. If it does, then I might/probably could feed the backup into a software only system. [Tom Gindin] The same problem exists with current smart cards, but some people are putting indicators that a key is on a smart card into their certificates already. Either the CA generates the key on and delivers the smart card, or the user shows up with card in hand. Hopefully, a BCSC would not allow signature key backup. Regards, Aram Perez [snip] Received: from ra.bpsi.net (ra.bpsi.net [199.199.134.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA23456 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 08:55:31 -0700 (PDT) Received: from bpsi.net (port402.bpsi.net [209.54.245.202]) by ra.bpsi.net (8.9.0/8.9.0) with ESMTP id KAA04606; Wed, 12 Jul 2000 10:57:17 -0500 (CDT) Message-ID: <396C94FE.97A3949C@bpsi.net> Date: Wed, 12 Jul 2000 10:55:42 -0500 From: Dale Gustafson <dale.gustafson@bpsi.net> X-Mailer: Mozilla 4.73 [en]C-CCK-MCD NSCPCD47 (Win95; U) X-Accept-Language: en,pdf MIME-Version: 1.0 To: denis.bider@denisbider.com CC: ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <000201bfeb5f$79a796f0$0201010a@intergalactic> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Denis, denis bider wrote: [snip] > However, I think that we have to admit that the solution you identified as > "all singing / all dancing" is, in fact, the bare minimum that needs to be > implemented before we can move into a true, paperless electronic era. Did not intend to imply any limits on how sophisticated and elegant security products might become -- just noting the ever present tradeoff between security and useability/functionality. There will no doubt be many significant developments over the next few years. Getting back to your main point. Clearly, the signer must have authoritative control over the electronic document signing process. For example, if one signs a (paper) legal document today, it is not unusual for the one or both parties to "edit" the document via hand-written changes which are initialed by both parties, etc. (prior to signing/dating) and become part of the written agreement. I'm not aware of a similar capability in the digital world yet. Perhaps others could comment on whether this is a significant and immediate requirement that is not being addressed today and, if yes, whether the PKIX can help at this time. Perhaps there are other presentation layer standardization efforts that are also applicable. Apparently there are -- messages from Antonio and Malte arrive as I edit this (timing is everything :-) A limitation of putting such control information in the signature block (or in the x.509 certificate) is that much has to be anticipated well in advance of a signing event. Logically, additions and / or changes should be included in the electronic document before it is signed and the format of those adds / modifies likely need to be document-specific. Best Regards, Dale Gustafson Received: from gatekeeper.itsec-debis.de (gatekeeper.itsec-debis.de [195.227.50.6]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA23217 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 08:54:12 -0700 (PDT) Received: from gatekeeper (gatekeeper [192.168.2.1] (may be forged)) by gatekeeper.itsec-debis.de (8.8.8+Sun/8.8.8) with SMTP id RAA14898; Wed, 12 Jul 2000 17:53:46 +0200 (MET DST) Received: by itsec-debis.de id SAA02017; Wed, 12 Jul 2000 18:07:26 +0200 Message-ID: <396C9695.FA8478BA@itsec-debis.de> Date: Wed, 12 Jul 2000 18:02:29 +0200 From: Jan Holger Schmidt <jh-schmidt@itsec-debis.de> Reply-To: jh-schmidt@itsec-debis.de Organization: Debis IT Security Services X-Mailer: Mozilla 4.51 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: denis.bider@denisbider.com CC: ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <000001bfeb13$d25fe870$0201010a@intergalactic> Content-Type: multipart/mixed; boundary="------------565DA3E73CA116F553BF61C4" This is a multi-part message in MIME format. --------------565DA3E73CA116F553BF61C4 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Denis, to change the signature format would not solve your problem. As you say, you can not be aware of what you sign. So how do you know, that the signature is in the right format and the bit for "non-binding" isn't set in the right way? As already adressed by others you should do this with different keys having different certificates (e.g. one for non repudiation ('binding') and one for authentication ('non binding'). When you don't trust your PC to select the right key from the card, you could either protect the different keys with different PINs or you cold store the keys on different cards. Hopefully there will be soon secure/trustworthy devices, where you can use your 'binding' key with a lower risk of signing something you couldn't see. However, to build them for many document formats will be a challange. Best regards Jan --------------565DA3E73CA116F553BF61C4 Content-Type: text/x-vcard; charset=us-ascii; name="jh-schmidt.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Jan Holger Schmidt Content-Disposition: attachment; filename="jh-schmidt.vcf" begin:vcard n:Schmidt;Jan Holger tel;fax:+49 - 228 - 9841-60 tel;work:+49 - 228 - 9841-520 x-mozilla-html:FALSE org:debis IT Security Services adr:;;Rabinstr. 8;Bonn;;;Germany version:2.1 email;internet:jh.schmidt@debis.com fn:Jan Holger Schmidt end:vcard --------------565DA3E73CA116F553BF61C4-- Received: from slack.lne.com ([209.157.136.81]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA22809 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 08:51:47 -0700 (PDT) Received: (from ericm@localhost) by slack.lne.com (8.9.3/8.9.3) id IAA25860; Wed, 12 Jul 2000 08:53:06 -0700 Date: Wed, 12 Jul 2000 08:53:06 -0700 From: Eric Murray <ericm@lne.com> To: Paul Koning <pkoning@xedia.com> Cc: ietf-pkix@imc.org Subject: Re: Current signature formats insufficient Message-ID: <20000712085306.E23134@slack.lne.com> References: <000901bfeb64$38642f50$0201010a@intergalactic> <013901bfeba8$419218f0$8802a8c0@eracom.com.au> <14700.33504.767573.577814@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre3us In-Reply-To: <14700.33504.767573.577814@xedia.com> On Wed, Jul 12, 2000 at 10:38:24AM -0400, Paul Koning wrote: > >>>>> "Simon" == Simon McMahon <simon@onthenet.com.au> writes: > > Simon> Hi all, My 2c worth. > > Simon> You should look to the analog-signature as an analogy. It's > Simon> the content of what you sign that includes the terms and > Simon> therefore the extent to which the signer is bound. Carelessly > Simon> given signatures should be legally binding, otherwise > Simon> ignorance will be used as a defense for repudiation, and only > Simon> fraudulently or forcefully obtained signatues should be able > Simon> to be sucessfully repudiated by recourse to the law and > Simon> courts. > > I think that's a fine analogy, and it also serves to illustrate the > issue that Denis is concerned about. > > With classic signatures, the norm is that you see what you sign. (One > exception is the standard story about the overworked executive who's > handed a stack of 50 memos to sign, with little yellow tabs marking > "here's the spot" and someone slips in a ringer. Don't know how > common that is outside novels.) I don't know how often ringers are slipped in, but normal people are expected/encouraged to sign things without reading them fully all the time. A good example is when buying a house. I have bought two houses (both in California), and at the final document signing meeting for each, signed between 20 and 40 documents. Both I and my girlfriend who I bought the houses with read fast and have negotiated many contracts so we're somewhat practiced in reading contractese. We split up the docs to read and skimmed them rather than reading in depth. It took us twice as long as the escrow agents had allotted to do the signatures. People who read slower and aren't familiar with contractese would take all day to read every document carefully. It's obvious that they don't expect most people to read the documents, and certainly not to read them carefully. > With digital signatures, the norm is that you have no idea. As Denis > mentioned, current smartcards have no way of showing you what you're > signing. If you use an application that signs things (like a mailer) > the binding is a little better. There you still have to trust that > the text you entered is in fact what's being signed -- in other words, > that the program is trustworthy, correct, and unsubverted by trojan > horses. One good reason for using PGP, because you can check this, > unlike closed source mailers. With PGP you can check the source of the mailer/encryption program. Being able to do so doesn't help your checking for trojans in the OS and it's there that it's easy to attack the smartcard or mailer signing program- just substitute the hash of the Bad Document for the hash of the Good Document before it's signed. > The new (USA) digital signature law scares me, because it makes no > sense so long as digital signature mechanisms continue to provide no > meaningful way for the user to know what is being signed. Everyone is pretending that the OS is secure because no one wants to have to fix it. -- Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5 Security consulting: security models, reviews, protocols, crypto. Received: from e4.ny.us.ibm.com (e4.ny.us.ibm.com [32.97.182.104]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA22725 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 08:51:06 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e4.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id LAA46204; Wed, 12 Jul 2000 11:53:04 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id LAA178132; Wed, 12 Jul 2000 11:53:01 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 8525691A.00573C21 ; Wed, 12 Jul 2000 11:52:50 -0400 X-Lotus-FromDomain: IBMUS To: denis.bider@denisbider.com cc: ietf-pkix@imc.org Message-ID: <8525691A.005739EC.00@D51MTA04.pok.ibm.com> Date: Wed, 12 Jul 2000 11:52:42 -0400 Subject: RE: Signing what you don't understand: a practical example Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline An RP will trust the presence of such a high-assurance indicator above the value of an ordinary digital signature only if he is credibly assured that the indicator's presence actually proves something. The natural way to do this is to indicate the presence of a high-assurance device in the certificate. If no such indication is present, the RP has no reason to believe that the attack Aram describes is very difficult - so he won't trust a signature with the indicator any more than one without it. Tom Gindin "denis bider" <denis.bider@globera.com> on 07/12/2000 11:08:21 AM Please respond to <denis.bider@denisbider.com> To: Tom Gindin/Watson/IBM@IBMUS cc: <ietf-pkix@imc.org> Subject: RE: Signing what you don't understand: a practical example Hello Tom, I don't quite understand why such an indicator within a certificate would be needed for this technique to have any real use. The current possible outcomes of a standard signature verification process are: - valid, and - invalid. What I am proposing is, essentially, that the possible range of returns be widened to at least: - valid (== technically and semantically valid) - valid but not binding (== technically valid, semantically invalid) - invalid (== technically and semantically invalid) The security device I was mentioning was only intended to show a practical situation where the widened range of possible returns, as outlined above, WILL be needed sooner or later. Ie, it is just *a* usage scenario; it is not an attempt to encompass all possible usage scenarios. Regards, denis -----Original Message----- From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com] Sent: 12. julij 2000 03:11 To: Aram Perez Cc: ietf-pkix@imc.org Subject: Re: Signing what you don't understand: a practical example For Denis' technique to have any real use, there would also need to be an indicator somewhere in the certificate that "the private key of this pair is held in a Bider-compliant smart card". Doing that (and it could go into any of several extensions, or a new one could be defined), is considerably easier than changing the signature format. For PKCS 1.5, of course, he could change that format just by defining a hash function parameter value (if PKCS #1 would agree), or a new OID for SHA-1 (SHA1OnBiderCard ??). Getting verifiers to understand either of these might be interesting, though. Tom Gindin Aram Perez <aram@pacbell.net> on 07/11/2000 08:44:48 PM To: ietf-pkix@imc.org cc: Subject: Re: Signing what you don't understand: a practical example Hi Denis, [snip] > 2. Encode the algorithm ID for the hash function and the hash value into an > ASN.1 value of type DigestInfo (see Section 11) with the Distinguished > Encoding Rules (DER), where the type DigestInfo has the syntax > > DigestInfo ::= SEQUENCE { > digestAlgorithm AlgorithmIdentifier, > digest OCTET STRING, > flags BIT STRING OPTIONAL > } > > Meaning of 'flags' bits: > first bit: content-not-understood > subsequent bits: not defined at this time > > In case the value of the first bit of 'flags' is 0, the 'flags' field may > be omitted for purposes of backward compatibility. However, this is not > recommended. If omitted, the interpretation of the 'flags' field is > application-dependent. > > The first field identifies the hash function and the second contains the > hash value. Let T be the DER encoding. > > 3. If emLen is less than ||T|| + 10 then output "intended encoded message > length too short". > > 4. Generate an octet string PS consisting of emLen-||T||-2 octets with value > FF (hexadecimal). The length of PS will be at least 8 octets. > > 5. Concatenate PS, the DER encoding T, and other padding to form the encoded > message EM as > > EM = 01 || PS || 00 || T > > 6. Output EM. [Warning: Long sentence ahead.] If you received a signed message from me, formatted per your instructions and with the flags parameter, how would you know that I was using the security device you have described, that the message was displayed on that device and that I really understood what I signed? I can easily create an identical message on my insecure PC with today's smartcards or just with the right software. Regards, Aram Perez Received: from mail.brokat.de ([212.9.175.131]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA21916 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 08:39:43 -0700 (PDT) Received: by mail.brokat.de (Smail3.2.0.111/mail.brokat.de) via LF.net GmbH Internet Services via remoteip 172.17.6.61 via remotehost brokat.com with esmtp for mail.imc.org id m13COfM-005lMGC; Wed, 12 Jul 2000 17:43:16 +0200 (CEST) Message-ID: <396C91DF.9DB8A6C1@brokat.com> Date: Wed, 12 Jul 2000 17:42:23 +0200 From: Malte Borcherding <Malte.Borcherding@brokat.com> Organization: BROKAT Infosystems AG X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en,de MIME-Version: 1.0 To: denis.bider@denisbider.com CC: ietf-pkix@imc.org Subject: Re: Signing what you don't understand: a practical example References: <000b01bfec13$0546e810$0201010a@intergalactic> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Denis, as pointed out by others in previous mails, the key usage extension in a certificate is currently the usual place to carry the information you require. In case this is not enough (say, because you want to use the same key pair for different purposes), you might want to include a signature policy into your signature. Such a concept is described in the ETSI Standard ES 201733, available at http://www.etsi.org/SEC/el-sign.htm , or as Internet-Draft at http://www.ietf.org/internet-drafts/draft-ietf-smime-esformats-00.txt . Such a policy can carry information about the commitment type and the signature environment. Apart from that, it can also contain information on how the signature has to be verified in order to be regarded as valid. Furthermore, this standard also binds the certificate cryptographically to the signature, such that it is clear which certificate is meant to be used for verification. As for the question of a secure signature apparatus including a secure viewer, this has been (and still is) subject to heavy debate in the various standards related to legally binding digital signatures. Bottom line: There is currently no practical solution for a highly secure display component which at the same time can be used for many different document formats and has any chance of widespread use. Some mobile devices come close to the required security, as they are generally less subject to malicious attacks. Lack of technical security has to be met by processes, like educating users on how to keep theit PCs free of viruses. Malte denis bider wrote: > > Hello Tom, > > I don't quite understand why such an indicator within a certificate would be > needed for this technique to have any real use. > > The current possible outcomes of a standard signature verification process > are: > - valid, and > - invalid. > > What I am proposing is, essentially, that the possible range of returns be > widened to at least: > - valid (== technically and semantically valid) > - valid but not binding (== technically valid, semantically invalid) > - invalid (== technically and semantically invalid) > > The security device I was mentioning was only intended to show a practical > situation where the widened range of possible returns, as outlined above, > WILL be needed sooner or later. Ie, it is just *a* usage scenario; it is not > an attempt to encompass all possible usage scenarios. > > Regards, > > denis > > -----Original Message----- > From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com] > Sent: 12. julij 2000 03:11 > To: Aram Perez > Cc: ietf-pkix@imc.org > Subject: Re: Signing what you don't understand: a practical example > > For Denis' technique to have any real use, there would also need to be > an indicator somewhere in the certificate that "the private key of this > pair is held in a Bider-compliant smart card". Doing that (and it could go > into any of several extensions, or a new one could be defined), is > considerably easier than changing the signature format. > For PKCS 1.5, of course, he could change that format just by defining > a hash function parameter value (if PKCS #1 would agree), or a new OID for > SHA-1 (SHA1OnBiderCard ??). Getting verifiers to understand either of > these might be interesting, though. > > Tom Gindin > > Aram Perez <aram@pacbell.net> on 07/11/2000 08:44:48 PM > > To: ietf-pkix@imc.org > cc: > Subject: Re: Signing what you don't understand: a practical example > > Hi Denis, > > [snip] > > 2. Encode the algorithm ID for the hash function and the hash value into > an > > ASN.1 value of type DigestInfo (see Section 11) with the Distinguished > > Encoding Rules (DER), where the type DigestInfo has the syntax > > > > DigestInfo ::= SEQUENCE { > > digestAlgorithm AlgorithmIdentifier, > > digest OCTET STRING, > > flags BIT STRING OPTIONAL > > } > > > > Meaning of 'flags' bits: > > first bit: content-not-understood > > subsequent bits: not defined at this time > > > > In case the value of the first bit of 'flags' is 0, the 'flags' field may > > be omitted for purposes of backward compatibility. However, this is not > > recommended. If omitted, the interpretation of the 'flags' field is > > application-dependent. > > > > The first field identifies the hash function and the second contains the > > hash value. Let T be the DER encoding. > > > > 3. If emLen is less than ||T|| + 10 then output "intended encoded message > > length too short". > > > > 4. Generate an octet string PS consisting of emLen-||T||-2 octets with > value > > FF (hexadecimal). The length of PS will be at least 8 octets. > > > > 5. Concatenate PS, the DER encoding T, and other padding to form the > encoded > > message EM as > > > > EM = 01 || PS || 00 || T > > > > 6. Output EM. > > [Warning: Long sentence ahead.] If you received a signed message from me, > formatted per your instructions and with the flags parameter, how would you > know that I was using the security device you have described, that the > message was displayed on that device and that I really understood what I > signed? I can easily create an identical message on my insecure PC with > today's smartcards or just with the right software. > > Regards, > Aram Perez Received: from taurus.polito.it (taurus.polito.it [130.192.3.60]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA21030 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 08:26:41 -0700 (PDT) Received: (qmail 21257 invoked from network); 12 Jul 2000 15:25:35 -0000 Received: from lioy.polito.it (HELO polito.it) (130.192.3.33) by taurus.polito.it with SMTP; 12 Jul 2000 15:25:35 -0000 Message-ID: <396C8E41.7EF920E@polito.it> Date: Wed, 12 Jul 2000 17:26:57 +0200 From: Antonio Lioy <lioy@polito.it> Organization: Politecnico di Torino X-Mailer: Mozilla 4.6 [en] (Win95; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Signing what you don't understand: a practical example References: <000b01bfec13$0546e810$0201010a@intergalactic> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msDE0460E7166015EA2C8A0161" This is a cryptographically signed message in MIME format. --------------msDE0460E7166015EA2C8A0161 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit I think that what is being discussed in this thread is all about the meaning (i.e. semantics) of a technically valid digital signature. This could be easily achived by the "signature policy" extension that is requested by the ETSI draft for European electronic documents: http://www.etsi.org/technicalactiv/ElectronicSignatures.htm As e-documents will require much more extensions than just the semantics of the signature (e.g. also the timestamping, the role of the signer, the location) it is better to define all of them in a general framework (such as the one above) rather than to insert bit and pieces in various formats that are then hard to mix up and reconcile. I would therefore prefer to have a plain signature format (i.e. just the data and its signature = public-key encrypted digest) and then build on top of that to get more services (such as the signature semantics that somebody is advocating here). Just my 2c, Antonio Lioy --------------msDE0460E7166015EA2C8A0161 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIP9gYJKoZIhvcNAQcCoIIP5zCCD+MCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC DjIwggT5MIID4aADAgECAgEBMA0GCSqGSIb3DQEBBAUAMGUxCzAJBgNVBAYTAklUMR4wHAYD VQQKExVQb2xpdGVjbmljbyBkaSBUb3Jpbm8xNjA0BgNVBAMTLVBvbGl0ZWNuaWNvIGRpIFRv cmlubyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMDAxMTgxMjAwMDBaFw0wMDEyMzEx MjAwMDBaMHcxCzAJBgNVBAYTAklUMR4wHAYDVQQKExVQb2xpdGVjbmljbyBkaSBUb3Jpbm8x MTAvBgNVBAsTKERpcGFydGltZW50byBkaSBBdXRvbWF0aWNhIGUgSW5mb3JtYXRpY2ExFTAT BgNVBAMTDEFudG9uaW8gTGlveTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyISyZRZK mGqFfcdjcKJ7NegAKLDiLdlO9UK1pN4vJzGmrBtUqV6bKkfslCPCfRsULdpr4NgPwanqTxJn WGS9TR/zV9fHv4cxDTLq/n49UnXI3nP0eTpHOi+y4D1VkTjI+1t6d0qggUIapxxXmfBpqP7R /uxk2x4q07YxTBSjIoUCAwEAAaOCAiQwggIgMB8GA1UdIwQYMBaAFEbcLc3EM3GcgWtDoYzB 7HR2zgt7MB0GA1UdDgQWBBTHkFr7ivGI44U5A3zluh0EQ6nOLTAOBgNVHQ8BAf8EBAMCBPAw gdoGA1UdIASB0jCBzzBDBgorBgEEAakHAQEBMDUwMwYIKwYBBQUHAgEWJ2h0dHA6Ly93d3cu ZXVyb3BraS5vcmcvY2Evcm9vdC9jcHMvMS4xLzBBBgorBgEEAakHAgEBMDMwMQYIKwYBBQUH AgEWJWh0dHA6Ly93d3cuZXVyb3BraS5vcmcvY2EvaXQvY3BzLzEuMS8wRQYKKwYBBAGVYgEC ATA3MDUGCCsGAQUFBwIBFilodHRwOi8vd3d3LmV1cm9wa2kub3JnL2NhL3BvbGl0by9jcHMv MS4xLzAZBgNVHREEEjAQgQ5saW95QHBvbGl0by5pdDAMBgNVHRMBAf8EAjAAMDAGA1UdHwQp MCcwJaAjoCGGH2h0dHA6Ly9jYS5wb2xpdG8uaXQvY3JsL2NybC5kZXIwgZUGCWCGSAGG+EIB DQSBhxaBhElzc3VlZCB1bmRlciBwb2xpY2llczoKIGh0dHA6Ly93d3cuZXVyb3BraS5vcmcv Y2Evcm9vdC9jcHMvMS4xLwogaHR0cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9pdC9jcHMvMS4x LwogaHR0cDovL2NhLnBvbGl0by5pdC9jcHMvMi4xLzANBgkqhkiG9w0BAQQFAAOCAQEAGi5A GJb2EoR6BpTSunNG/dPkEJ94RSzXiBXwomvdXtWZHQFeCUEsV07j+Imoqtrsm96Ub9Uhv+/A 2CBGvrsk2NhPXUQlcAvFs6KCYjXZK6B/2EyLKkm+6sW1sG2rmkQZmypQHodgwsY2/sHkLqPf nDxokzsBj4uurnS26yEfQT+8EbcNOEyLeDdsQhgMFoTGFJON6zT6wBHflA7mOWzUQ1PJF8/Z M2zDuq5AklIGcvF0gMaBJMQNSvQf9RMchxIoFVCGYqbmIOorADjXytE2qDtv9hPa/uq6IuU4 d/qcdPTgrGnzgnAlvE6uHnqo18EOA8koAKsrs5R23Jn7JGw4vDCCBN4wggPGoAMCAQICAQEw DQYJKoZIhvcNAQEEBQAwUTELMAkGA1UEBhMCSVQxEDAOBgNVBAoTB0V1cm9QS0kxMDAuBgNV BAMTJ0V1cm9QS0kgSXRhbGlhbiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAcFw0wMDAxMTUx MzUzMzdaFwswMTEyMzEwMDAwWjBlMQswCQYDVQQGEwJJVDEeMBwGA1UEChMVUG9saXRlY25p Y28gZGkgVG9yaW5vMTYwNAYDVQQDEy1Qb2xpdGVjbmljbyBkaSBUb3Jpbm8gQ2VydGlmaWNh dGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD+kQn+Hxvh SJQs/5y7IdbpVg6+1yXgJ4l6Nguz7InoYZEcG2KBGPhunjalAmQ/DX8xovdQ8lx6nv49M5Xm toMPoYsqe9ZoJhKc3sBiOTFpSp4noP8uzc+muM/95i5VMRtRSjUQB1rhmJ91y4sDenlMhZmd Yb9Qtg57ggseOU5vDK39bSY4VcMg4Ang8jsOZnApVdmPsuS78Up1PsT4dWvqaRDE+CKXCpyr 9lKIot0kw3Tjc0wrixAV0TGH4IeCKeeUp6kk7sTbLvjMN7NPufwZgJUqcGvjtY2A4nWXJ94v F6cK8zs39wBBVesa8saaeCIlTbjCjYXF0fazakgWY92hAgMBAAGjggGtMIIBqTAfBgNVHSME GDAWgBSSQLydgXtL7H3j5uZ042HNGjYHqTAdBgNVHQ4EFgQURtwtzcQzcZyBa0OhjMHsdHbO C3swDgYDVR0PAQH/BAQDAgH+MIGTBgNVHSAEgYswgYgwQwYKKwYBBAGpBwEBATA1MDMGCCsG AQUFBwIBFidodHRwOi8vd3d3LmV1cm9wa2kub3JnL2NhL3Jvb3QvY3BzLzEuMS8wQQYKKwYB BAGpBwIBATAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3LmV1cm9wa2kub3JnL2NhL2l0L2Nw cy8xLjEvMA8GA1UdEwEB/wQFMAMBAf8wOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL3d3dy5l dXJvcGtpLm9yZy9jYS9pdC9jcmwvY3JsLmRlcjB1BglghkgBhvhCAQ0EaBZmSXNzdWVkIHVu ZGVyIHBvbGljaWVzOgogaHR0cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9yb290L2Nwcy8xLjEv CiBodHRwOi8vd3d3LmV1cm9wa2kub3JnL2NhL2l0L2Nwcy8xLjEvMA0GCSqGSIb3DQEBBAUA A4IBAQCdIU0f6e4lWV8FHDj9Cdv/7YUqSx0JgcGXR22lnDkC+ouJMJ1lAsouuqxawA6pf+M9 KEUwOC6oEaF0K9GTY+BIddZbBKMfsUy5IiV9DOC7qwTfhm30cXLGjdPqx9bSxRnx/oz4lo33 FRQQd7OpsAL94fK+M23g6RRF49DxFb5L9bX2ube9ss6jyCWTxj/nwnNaadZRZzTRPawA9bKZ XkhzLTs/iC+Rvfy6sp5n4t1Gq5paD2j6GIIIKQK6Iwwy3FemaxLxzFmU3Xa3wBddwGEP6EUP v6y7kceldQP9sqfaKHz8mpzOycBi1PGLUgJVjbU7ubNpg9ZFRLYGbHbc6GKrMIIETzCCAzeg AwIBAgIBAzANBgkqhkiG9w0BAQQFADBBMRAwDgYDVQQKEwdFdXJvUEtJMS0wKwYDVQQDEyRF dXJvUEtJIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDAwMTExMTgzNjI5WhcN MDExMjMxMTIwMDAwWjBRMQswCQYDVQQGEwJJVDEQMA4GA1UEChMHRXVyb1BLSTEwMC4GA1UE AxMnRXVyb1BLSSBJdGFsaWFuIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/7PzUFrMRRgJVYlUIyv7OfnEeq+arRzi/69G+6w8kuJz e3/5LSuQ/OFdOYt5lagbv1f4neINDG2k2Mgt+h5UpEXLg1OXxgPP4JBo4iZYpi8KS7DEkd8n 428E3Pl7QjvVx/LeFi0zDlzUSuGRwzqOah/Hp9q6xjIdnG4xeCDcgmmEW1dzeUa56X8UNAy/ qNgBeN0+aJsD5LbLzsJEMNnIX4YZzv+7Fhb5mgNn/M3MKoNNAGY3la5eYy7P6Pedo/vCeyYd pfhcEDlYBNdnEMKnsC7AayCjNaJLxaIQntRXbFEj3oSwH/a0X9yNzCE97KnlX+m+C5OamlvR gkiRLBzLXwIDAQABo4IBQDCCATwwHwYDVR0jBBgwFoAUjNyLsaVKkOdOiHMYPJ3VXn7kss0w HQYDVR0OBBYEFJJAvJ2Be0vsfePm5nTjYc0aNgepMA4GA1UdDwEB/wQEAwIBxjBOBgNVHSAE RzBFMEMGCisGAQQBqQcBAQEwNTAzBggrBgEFBQcCARYnaHR0cDovL3d3dy5ldXJvcGtpLm9y Zy9jYS9yb290L2Nwcy8xLjEvMA8GA1UdEwEB/wQFMAMBAf8wOwYDVR0fBDQwMjAwoC6gLIYq aHR0cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9yb290L2NybC9jcmwuZGVyMEwGCWCGSAGG+EIB DQQ/Fj1Jc3N1ZWQgdW5kZXIgcG9saWN5OgogaHR0cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9y b290L2Nwcy8xLjEvMA0GCSqGSIb3DQEBBAUAA4IBAQBR6o4zIMOxhKXGFYxDTbu+Jxmh/i/p EH25kahS5SfFDtclgm/6dfqH6UQEKH7V1yfrhNNGOogVHe3b5m8FsrEf8Oyzr1+vlUVzC0m8 VpEzvyN6PqbwMSsaMP77xlSRe+6zB3iD2h3szHe95ATbML3pz2BDatPVh5ubGUh0LTEwOQkp 2rTn4/K7lUvlMw61X8+lpUtd2tLTGLLEUgcLMrGgZwG+csZ58TdFGGD6pNXyE/lgpWdqFlqH vqtXoRey1JIj1pZ4xzsqWlUTNFXncSOBJElotbo8aFd3hT8IjdSaiwCqiyQ33V8EMVsQXIpw NcOFQY7B49bCxpaY7onrGacoMYIBjDCCAYgCAQEwajBlMQswCQYDVQQGEwJJVDEeMBwGA1UE ChMVUG9saXRlY25pY28gZGkgVG9yaW5vMTYwNAYDVQQDEy1Qb2xpdGVjbmljbyBkaSBUb3Jp bm8gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCAQEwCQYFKw4DAhoFAKB6MBgGCSqGSIb3DQEJ AzELBgkqhkiG9w0BBwEwGwYJKoZIhvcNAQkPMQ4wDDAKBggqhkiG9w0DBzAcBgkqhkiG9w0B CQUxDxcNMDAwNzEyMTUyNjU3WjAjBgkqhkiG9w0BCQQxFgQUzc02Dq6iWjwfQhKZmpHnu32Z mTcwDQYJKoZIhvcNAQEBBQAEgYBF1x1tjRzgqeG7H8nchHdaLcewo+x1D7d6KziQZqg9fFAc KuWQsoJQB+BLmaLDuaAXwjWqJin2cmWsPtI6Q9tACjyvKWh6wa2HW0gZXxun2x3sQ9NE5KoL ASnujrkUbs9hwkWnJN84Gto/+diAxAfZ6MoBoQdUtxQuFEFqJ/pxUw== --------------msDE0460E7166015EA2C8A0161-- Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA20308 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 08:06:19 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id QAA22860; Wed, 12 Jul 2000 16:54:22 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> To: <tgindin@us.ibm.com> Cc: <ietf-pkix@imc.org> Subject: RE: Signing what you don't understand: a practical example Date: Wed, 12 Jul 2000 17:08:21 +0200 Message-ID: <000b01bfec13$0546e810$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <8525691A.00067B02.00@D51MTA04.pok.ibm.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Hello Tom, I don't quite understand why such an indicator within a certificate would be needed for this technique to have any real use. The current possible outcomes of a standard signature verification process are: - valid, and - invalid. What I am proposing is, essentially, that the possible range of returns be widened to at least: - valid (== technically and semantically valid) - valid but not binding (== technically valid, semantically invalid) - invalid (== technically and semantically invalid) The security device I was mentioning was only intended to show a practical situation where the widened range of possible returns, as outlined above, WILL be needed sooner or later. Ie, it is just *a* usage scenario; it is not an attempt to encompass all possible usage scenarios. Regards, denis -----Original Message----- From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com] Sent: 12. julij 2000 03:11 To: Aram Perez Cc: ietf-pkix@imc.org Subject: Re: Signing what you don't understand: a practical example For Denis' technique to have any real use, there would also need to be an indicator somewhere in the certificate that "the private key of this pair is held in a Bider-compliant smart card". Doing that (and it could go into any of several extensions, or a new one could be defined), is considerably easier than changing the signature format. For PKCS 1.5, of course, he could change that format just by defining a hash function parameter value (if PKCS #1 would agree), or a new OID for SHA-1 (SHA1OnBiderCard ??). Getting verifiers to understand either of these might be interesting, though. Tom Gindin Aram Perez <aram@pacbell.net> on 07/11/2000 08:44:48 PM To: ietf-pkix@imc.org cc: Subject: Re: Signing what you don't understand: a practical example Hi Denis, [snip] > 2. Encode the algorithm ID for the hash function and the hash value into an > ASN.1 value of type DigestInfo (see Section 11) with the Distinguished > Encoding Rules (DER), where the type DigestInfo has the syntax > > DigestInfo ::= SEQUENCE { > digestAlgorithm AlgorithmIdentifier, > digest OCTET STRING, > flags BIT STRING OPTIONAL > } > > Meaning of 'flags' bits: > first bit: content-not-understood > subsequent bits: not defined at this time > > In case the value of the first bit of 'flags' is 0, the 'flags' field may > be omitted for purposes of backward compatibility. However, this is not > recommended. If omitted, the interpretation of the 'flags' field is > application-dependent. > > The first field identifies the hash function and the second contains the > hash value. Let T be the DER encoding. > > 3. If emLen is less than ||T|| + 10 then output "intended encoded message > length too short". > > 4. Generate an octet string PS consisting of emLen-||T||-2 octets with value > FF (hexadecimal). The length of PS will be at least 8 octets. > > 5. Concatenate PS, the DER encoding T, and other padding to form the encoded > message EM as > > EM = 01 || PS || 00 || T > > 6. Output EM. [Warning: Long sentence ahead.] If you received a signed message from me, formatted per your instructions and with the flags parameter, how would you know that I was using the security device you have described, that the message was displayed on that device and that I really understood what I signed? I can easily create an identical message on my insecure PC with today's smartcards or just with the right software. Regards, Aram Perez Received: from dfw7-1.relay.mail.uu.net (dfw7-1.relay.mail.uu.net [199.171.54.106]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA19697 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 07:36:42 -0700 (PDT) Received: from xedia.com by dfw7sosrv11.alter.net with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQixnm04800; Wed, 12 Jul 2000 14:38:27 GMT Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA27555; Wed, 12 Jul 00 10:34:35 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id KAA01703; Wed, 12 Jul 2000 10:38:25 -0400 From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <14700.33504.767573.577814@xedia.com> Date: Wed, 12 Jul 2000 10:38:24 -0400 (EDT) To: simon@onthenet.com.au Cc: ietf-pkix@imc.org, denis.bider@denisbider.com Subject: Re: Current signature formats insufficient References: <000901bfeb64$38642f50$0201010a@intergalactic> <013901bfeba8$419218f0$8802a8c0@eracom.com.au> X-Mailer: VM 6.72 under 21.1 (patch 9) "Canyonlands" XEmacs Lucid >>>>> "Simon" == Simon McMahon <simon@onthenet.com.au> writes: Simon> Hi all, My 2c worth. Simon> You should look to the analog-signature as an analogy. It's Simon> the content of what you sign that includes the terms and Simon> therefore the extent to which the signer is bound. Carelessly Simon> given signatures should be legally binding, otherwise Simon> ignorance will be used as a defense for repudiation, and only Simon> fraudulently or forcefully obtained signatues should be able Simon> to be sucessfully repudiated by recourse to the law and Simon> courts. I think that's a fine analogy, and it also serves to illustrate the issue that Denis is concerned about. With classic signatures, the norm is that you see what you sign. (One exception is the standard story about the overworked executive who's handed a stack of 50 memos to sign, with little yellow tabs marking "here's the spot" and someone slips in a ringer. Don't know how common that is outside novels.) With digital signatures, the norm is that you have no idea. As Denis mentioned, current smartcards have no way of showing you what you're signing. If you use an application that signs things (like a mailer) the binding is a little better. There you still have to trust that the text you entered is in fact what's being signed -- in other words, that the program is trustworthy, correct, and unsubverted by trojan horses. One good reason for using PGP, because you can check this, unlike closed source mailers. The new (USA) digital signature law scares me, because it makes no sense so long as digital signature mechanisms continue to provide no meaningful way for the user to know what is being signed. paul Received: from hal9000.vguard.com (vguard.com [192.117.162.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA18117 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 06:24:39 -0700 (PDT) Message-Id: <200007121324.GAA18117@ns.secondary.com> Received: from MGM (DEMONA [192.117.162.76]) by hal9000.vguard.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 3Y346R17; Wed, 12 Jul 2000 16:27:13 +0200 X-MG-RegisteredMail: ReturnReceipt From: Raviv Karnieli<raviv@vguard.com> To: "'denis.bider@denisbider.com'"<denis.bider@denisbider.com> Cc: ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Wed, 12 JUL 2000 14:22:00 -0000 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="<<-- MailGuardian RTF boundary -->>" This is a multi-part message in MIME format. --<<-- MailGuardian RTF boundary -->> Content-Type: text/plain; charset="ISO-8859-8" Content-Transfer-Encoding: base64 RGVuaXMsDQoNCkkgYWdyZWUgd2l0aCB3aGF0IHlvdSB3cm90ZSBhbmQgd2FudCB0byBhZGQg YW5vdGhlciBhc3BlY3Qgb2YgdGhlIHNhbWUgaXNzdWUuDQpTaWduYXR1cmVzIG1heSBiZSBh cHBsaWVkIGF1dG9tYXRpY2FsbHkgKGkuZS4gd2hlbiBJIHNpZ24gbXkgb3V0Z29pbmcgZS1t YWlsLCB3aGVuIEkgbG9nIGludG8gYSB3ZWIgc2l0ZSBvciB3aGVuIG15IG1haWxlciBzZW5k cyByZXR1cm4gcmVjZWlwdHMpLiBJIHN1cmUgd2FudCB0byBiZSBub3RpZmllZCBpbiBhZHZh bmNlIChhbmQgcmVhZCB2ZXJ5IGNhcmVmdWxseSB3aGF0IEkgc2lnbikgd2hlbiBJIHNpZ24g YSBjb250cmFjdCBvciBhIGJ1c2luZXNzIHRyYW5zYWN0aW9uLg0KVGh1cywgaXQgaXMgbm90 IGVub3VnaCBmb3IgdGhlIHNpZ25hdHVyZSB0byBpbmNsdWRlIHRoZSBiaW5kaW5nIGxldmVs LCBpdCBzaG91bGQgYWxzbyBiZSBzdXBwb3J0ZWQgYnkgdGhlIHZhcmlvdXMgcHJvdG9jb2xz LCB0byBub3RpZnkgbXkgYXBwbGljYXRpb25zIHdoYXQgbGV2ZWwgb2YgYmluZGluZyBteSBz aWduYXR1cmUgY2F1c2UuDQoNClJhdml2IEthcm5pZWxpIC0gQ1RPDQpWYW5ndWFyZCBTZWN1 cml0eSBUZWNobm9sb2dpZXMgTHRkLg0KVGVsLiArOTcyLTQtOTg5LTEzMTEgICAgICAgRmF4 ICs5NzItNC05ODktMTMyMg0Kd3d3LnZndWFyZC5jb20gICAgICAgICAgICAgcmF2aXZAdmd1 YXJkLmNvbQ0KDQpUaGlzIG1lc3NhZ2UgbGVmdCBteSBjb21wdXRlciBzZWN1cmVkIHNpbmNl IEmSbSB1c2luZyANCk1BSUxndWFyZGlhbiBFbnRlcnByaXNlIHRoZSBmaXJzdCB0cnVlIGVu ZCB0byBlbmQgZW50ZXJwcmlzZSBlLW1haWwgc2VjdXJpdHkgc29sdXRpb24gdGhhdCBpcyBw b2xpY3kgYmFzZWQsIGNlbnRyYWxseSBtYW5hZ2VkIGFuZCB0b3RhbGx5IHRyYW5zcGFyZW50 IHRvIHRoZSBlbmQgdXNlcnMuDQoNCllvdSBjYW4gZ2V0IHlvdXIgb3duIGZyZWUgZXZhbHVh dGlvbiBjb3B5IG9mIE1BSUxndWFyZGlhbiANCmF0IGh0dHA6Ly93d3cudmd1YXJkLmNvbS9w cm9kLmFzcA0KDQoNCg0KLS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS0NCkZyb206IGRlbmlz IGJpZGVyIFttYWlsdG86ZGVuaXMuYmlkZXJAZ2xvYmVyYS5jb21dDQpTZW50OiBUdWVzZGF5 LCBKdWx5IDExLCAyMDAwIDc6NDYgUE0NClRvOiBpZXRmLXBraXhAaW1jLm9yZw0KU3ViamVj dDogU2lnbmluZyB3aGF0IHlvdSBkb24ndCB1bmRlcnN0YW5kDQoNCg0KVGhlIG1vc3QgaW1w b3J0YW50IHBvaW50IG9mIG15IHByZXZpb3VzIG1lc3NhZ2Ugd2FzIGJ1cmllZCB1bmRlciBh IHBpbGUgb2YNCm90aGVyIHN0dWZmLCBzbyBJIGFtIHJlcGVhdGluZyBpdCBoZXJlOg0KDQoN Ckl0IGlzIG15IHByb3Bvc2FsIHRoYXQgYSBzaWduYXR1cmUgZm9ybWF0IGlzIGRlc2lnbmVk IHdoaWNoIHdpbGwgYWxsb3cgYW4NCmVudGl0eSB0byBzYXk6ICJJIHNpZ25lZCB0aGlzIGRh dGEsIGJ1dCBJIGRpZG4ndCB1bmRlcnN0YW5kIHdoYXQgSSBzaW duZWQuDQpZb3UgYXJlIGZy ZWUgdG8gdXNlIHRoaXMgc2lnbmF0dXJlIGFzIHByb29mIHRoYXQgSSBwb3NzZXNzIGEgY2Vy dGFpbiBwcml2YXRlDQprZXksIGJ1dCB0aGlzIGlzIGFsc28gdGhlIG9ubHkgcHVycG9zZSBm b3Igd2hpY2ggdGhpcyBzaWduYXR1cmUgY2FuIGJlDQp1c2VkLiINCg0KQ3VycmVudGx5LCBJ IGFtIG5vdCBhd2FyZSBvZiBhIHNpZ25hdHVyZSBmb3JtYXQgdGhhdCBhbGxvd3MgYW4gZW50 aXR5IHRvIGRvDQp0aGF0LiBBbmQgYmVjYXVzZSB0aGVyZSBpcyBubyBzdWNoIHNpZ25hdHVy ZSBmb3JtYXQsIHBlb3BsZSBhcmUgY29uc3RhbnRseQ0KZ29pbmcgYWhlYWQgYW5kIHNpZ25p bmcgZGF0YSB0aGV5IGRvbid0IHVuZGVyc3RhbmQgYW55d2F5ISBTbWFydCBjYXJkcywgYXMN CmN1cnJlbnRseSB1c2VkLCBhcmUgYSBwZXJmZWN0IGV4YW1wbGUgb2YgdGhpcyBiZWhhdmlv cigqKS4NCg0KSSBhbSBjb252aW5jZWQgdGhhdCBhIHNpZ25hdHVyZSBmb3JtYXQgaXMgbmVl ZGVkIHRoYXQgd2lsbCBhbGxvdyBhbiBlbnRpdHkNCnRvIHNhZmVseSBzaWduIGluZm9ybWF0 aW9uIHRoYXQgaXQgZG9lcyBub3QgdW5kZXJzdGFuZC4gT3RoZXJ3aXNlLCBwZW9wbGUNCndp bGwgY29udGludWUgdG8gc2lnbiBzdWNoIGluZm9ybWF0aW9uIHdpdGggYSBwcm90b2NvbCB0 aGF0IEJJTkRTIHRoZW0gdG8NCndoYXQgdGhleSBoYXZlIHNpZ25lZCwgcmVnYXJkbGVzcyBv ZiB0aGUgZmFjdCB0aGF0IHRoZXkgYXJlIG5vdCBzdXJlIGFib3V0DQp3aGF0IHRoZXkgYXJl IHNpZ25pbmcuDQoNCg0KKCopOiBZb3UgbWF5IHRoaW5rIHlvdSBrbm93IHdoYXQgeW91J3Jl IHNpZ25pbmcsIGJ1dCB0cnVzdCBtZSwgeW91IGRvbid0LiBJdA0KaXMgcHJlcG9zdGVyb3Vz bHkgZWFzeSB0byB3cml0ZSBhIHZpcnVzIHRoYXQgd2lsbCBjaXJjdW12ZW50IGFueSBzbWFy dA0KY2FyZCdzIHNlY3VyaXR5IHdpdGhvdXQgYmVpbmcgbm90aWNlZC4gSSB3aWxsIGRvIGl0 IGZvciAkMjUsMDAwOyBhIGNvbGxlZ2UNCnN0dWRlbnQgbmV4dCBkb29yIHdpbGwgZG8gaXQg Zm9yIGZyZWUu --<<-- MailGuardian RTF boundary -->> Content-Type: application/X-MAILguardian-rtf; charset="ISO-8859-8" Content-Transfer-Encoding: base64 DQp7XHJ0ZjFcYW5zaVxhbnNpY3BnMTI1Mlxmcm9tdGV4dCBcZGVmZjB7XGZv bnR0YmwNCntcZjBcZnN3aXNzXGZjaGFyc2V0MCBBcmlhbDt9DQp7XGYxXGZtb2Rlcm4gQ291 cmllciBOZXc7fQ0Ke1xmMlxmbmlsXGZjaGFyc2V0MiBTeW1ib2w7fQ0Ke1xmM1xmbW9kZXJu XGZjaGFyc2V0MCBDb3VyaWVyIE5ldzt9fQ0Ke1xjb2xvcnRibFxyZWQwXGdyZWVuMFxibHVl MDtccmVkMFxncmVlbjBcYmx1ZTI1NTt9DQpcdWMxXHBhcmRccGxhaW5cZGVmdGFiMzYwIFxm MFxmczIwIERlbmlzLFxwYXINClxwYXINCkkgYWdyZWUgd2l0aCB3aGF0IHlvdSB3cm90ZSBh bmQgd2FudCB0byBhZGQgYW5vdGhlciBhc3BlY3Qgb2YgdGhlIHNhbWUgaXNzdWUuXHBhcg0K U2lnbmF0dXJlcyBtYXkgYmUgYXBwbGllZCBhdXRvbWF0aWNhbGx5IChpLmUuIHdoZW4gSSBz aWduIG15IG91dGdvaW5nIGUtbWFpbCwgd2hlbiBJIGxvZyBpbnRvIGEgd2ViIHNpdGUgb3Ig d2hlbiBteSBtYWlsZXIgc2VuZHMgcmV0dXJuIHJlY2VpcHRzKS4gSSBzdXJlIHdhbnQgdG8g YmUgbm90aWZpZWQgaW4gYWR2YW5jZSAoYW5kIHJlYWQgdmVyeSBjYXJlZnVsbHkgd2hhdCBJ IHNpZ24pIHdoZW4gSSBzaWduIGEgY29udHJhY3Qgb3IgYSBidXNpbmVzcyB0cmFuc2FjdGlv bi5ccGFyDQpUaHVzLCBpdCBpcyBub3QgZW5vdWdoIGZvciB0aGUgc2lnbmF0dXJlIHRvIGlu Y2x1ZGUgdGhlIGJpbmRpbmcgbGV2ZWwsIGl0IHNob3VsZCBhbHNvIGJlIHN1cHBvcnRlZCBi eSB0aGUgdmFyaW91cyBwcm90b2NvbHMsIHRvIG5vdGlmeSBteSBhcHBsaWNhdGlvbnMgd2hh dCBsZXZlbCBvZiBiaW5kaW5nIG15IHNpZ25hdHVyZSBjYXVzZS5ccGFyDQpccGFyDQpSYXZp diBLYXJuaWVsaSAtIENUT1xwYXINClZhbmd1YXJkIFNlY3VyaXR5IFRlY2hub2xvZ2llcyBM dGQuXHBhcg0KVGVsLiArOTcyLTQtOTg5LTEzMTEgICAgICAgRmF4ICs5NzItNC05ODktMTMy MlxwYXINCnd3dy52Z3VhcmQuY29tICAgICAgICAgICAgIHJhdml2QHZndWFyZC5jb21ccGFy DQpccGFyDQpUaGlzIG1lc3NhZ2UgbGVmdCBteSBjb21wdXRlciBzZWN1cmVkIHNpbmNlIElc JzkybSB1c2luZyBccGFyDQpNQUlMZ3VhcmRpYW4gRW50ZXJwcmlzZSB0aGUgZmlyc3QgdHJ1 ZSBlbmQgdG8gZW5kIGVudGVycHJpc2UgZS1tYWlsIHNlY3VyaXR5IHNvbHV0aW9uIHRoYXQg aXMgcG9saWN5IGJhc2VkLCBjZW50cmFsbHkgbWFuYWdlZCBhbmQgdG90YWxseSB0cmFuc3Bh cmVudCB0byB0aGUgZW5kIHVzZXJzLlxwYXINClxwYXINCllvdSBjYW4gZ2V0IHlvdXIgb3du IGZyZWUgZXZhbHVhdGlvbiBjb3B5IG9mIE1BSUxndWFyZGlhbiBccGFyDQphdCBodHRwOi8v d3d3LnZndWFyZC5jb20vcHJvZC5hc3BccGFyDQpccGFyDQpccGFyDQpccGFyDQotLS0tLU9y aWdpbmFsIE1lc3NhZ2UtLS0tLVxwYXINCkZyb206IGRlbmlzIGJpZGVyIFttYWlsdG86ZGVu aXMuYmlkZXJAZ2xvYmVyYS5jb21dXHBhcg0KU2VudDogVHVlc2RheSwgSnVseSAxMSwgMjAw MCA3OjQ2IFBNXHBhcg0KVG86IGlldGYtcGtpeEBpbWMub3JnXHBhcg0KU3ViamVjdDogU2ln bmluZyB3aGF0IHlvdSBkb24ndCB1bmRlcnN0YW5kXHBhcg0KXHBhcg0KXHBhcg0KVGhlIG1v c3QgaW1wb3J0YW50IHBvaW50IG9mIG15IHByZXZpb3VzIG1lc3NhZ2Ugd2FzIGJ1cmllZCB1 bmRlciBhIHBpbGUgb2ZccGFyDQpvdGhlciBzdHVmZiwgc28gSSBhbSByZXBlYXRpbmcgaXQg aGVyZTpccGFyDQpccGFyDQpccGFyDQpJdCBpcyBteSBwcm9wb3NhbCB0aGF0IGEgc2lnbmF0 dXJlIGZvcm1hdCBpcyBkZXNpZ25lZCB3aGljaCB3aWxsIGFsbG93IGFuXHBhcg0KZW50aXR5 IHRvIHNheTogIkkgc2lnbmVkIHRoaXMgZGF0YSwgYnV0IEkgZGlkbid0IHVuZGVyc3RhbmQg d2hhdCBJIHNpZ25lZC5ccGFyDQpZb3UgYXJlIGZyZWUgdG8gdXNlIHRoaXMgc2lnbmF0dXJl IGFzIHByb29mIHRoYXQgSSBwb3NzZXNzIGEgY2VydGFpbiBwcml2YXRlXHBhcg0Ka2V5LCBi dXQgdGhpcyBpcyBhbHNvIHRoZSBvbmx5IHB1cnBvc2UgZm9yIHdoaWNoIHRoaXMgc2lnbmF0 dXJlIGNhbiBiZVxwYXINCnVzZWQuIlxwYXINClxwYXINCkN1cnJlbnRseSwgSSBhbSBub3Qg YXdhcmUgb2YgYSBzaWduYXR1cmUgZm9ybWF0IHRoYXQgYWxsb3dzIGFuIGVudGl0eSB0byBk b1xwYXINCnRoYXQuIEFuZCBiZWNhdXNlIHRoZXJlIGlzIG5vIHN1Y2ggc2lnbmF0dXJlIGZv cm1hdCwgcGVvcGxlIGFyZSBjb25zdGFudGx5XHBhcg0KZ29pbmcgYWhlYWQgYW5kIHNpZ25p bmcgZGF0YSB0aGV5IGRvbid0IHVuZGVyc3RhbmQgYW55d2F5ISBTbWFydCBjYXJkcywgYXNc cGFyDQpjdXJyZW50bHkgdXNlZCwgYXJlIGEgcGVyZmVjdCBleGFtcGxlIG9mIHRoaXMgYmVo YXZpb3IoKikuXHBhcg0KXHBhcg0KSSBhbSBjb252aW5jZWQgdGhhdCBhIHNpZ25hdHVyZSBm b3JtYXQgaXMgbmVlZGVkIHRoYXQgd2lsbCBhbGxvdyBhbiBlbnRpdHlccGFyDQp0byBzYWZl bHkgc2lnbiBpbmZvcm1hdGlvbiB0aGF0IGl0IGRvZXMgbm90IHVuZGVyc3RhbmQuIE90aGVy d2lzZSwgcGVvcGxlXHBhcg0Kd2lsbCBjb250aW51ZSB0byBzaWduIHN1Y2ggaW5mb3JtYXRp b24gd2l0aCBhIHByb3RvY29sIHRoYXQgQklORFMgdGhlbSB0b1xwYXINCndoYXQgdGhleSBo YXZlIHNpZ25lZCwgcmVnYXJkbGVzcyBvZiB0aGUgZmFjdCB0aGF0IHRoZXkgYXJlIG5vdCBz dXJlIGFib3V0XHBhcg0Kd2hhdCB0aGV5IGFyZSBzaWduaW5nLlxwYXINClxwYXINClxwYXIN CigqKTogWW91IG1heSB0aGluayB5b3Uga25vdyB3aGF0IHlvdSdyZSBzaWduaW5nLCBidXQg dHJ1c3QgbWUsIHlvdSBkb24ndC4gSXRccGFyDQppcyBwcmVwb3N0ZXJvdXNseSBlYXN5IHRv IHdyaXRlIGEgdmlydXMgdGhhdCB3aWxsIGNpcmN1bXZlbnQgYW55IHNtYXJ0XHBhcg0KY2Fy ZCdzIHNlY3VyaXR5IHdpdGhvdXQgYmVpbmcgbm90aWNlZC4gSSB3aWxsIGRvIGl0IGZvciAk MjUsMDAwOyBhIGNvbGxlZ2VccGFyDQpzdHVkZW50IG5leHQgZG9vciB3aWxsIGRvIGl0IGZv ciBmcmVlLlxwYXINCn0N --<<-- MailGuardian RTF boundary -->>-- Received: from mta02-svc.ntlworld.com (mta02-svc.ntlworld.com [62.253.162.42]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA15541 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 05:42:41 -0700 (PDT) Received: from darxstar ([62.252.197.94]) by mta02-svc.ntlworld.com (InterMail vM.4.01.02.27 201-229-119-110) with SMTP id <20000712134357.CBNE3760.mta02-svc.ntlworld.com@darxstar> for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 13:43:57 +0000 Message-ID: <005001bfebff$27b64df0$cac8fc3e@darxstar> From: "Christopher Williams" <ccwilliams@ntlworld.com> To: <ietf-pkix@imc.org> Subject: unsubscribe Date: Wed, 12 Jul 2000 13:45:22 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 unsubscribe Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA08870 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 03:30:17 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA15215; Wed, 12 Jul 2000 06:32:11 -0400 (EDT) Message-Id: <200007121032.GAA15215@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org, ietf-ldapext@netscape.com From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-ldap-schema-00.txt Date: Wed, 12 Jul 2000 06:32:11 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Additional LDAP Schema for PKIs and PMIs Author(s) : D. Chadwick Filename : draft-ietf-pkix-ldap-schema-00.txt Pages : 11 Date : 11-Jul-00 This document describes LDAP schema features in addition to RFC 2587 that are needed to support a Privilege Management Infrastructure and a Public Key Infrastructure. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-ldap-schema-00.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-ldap-schema-00.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-ldap-schema-00.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000711135117.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-ldap-schema-00.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-ldap-schema-00.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000711135117.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from mail.mtgnet.de (www.mtgnet.de [62.144.85.193]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA28009 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 00:25:37 -0700 (PDT) Received: from mtgultra.mtgnet.de (mtgultra [199.99.99.3]) by mail.mtgnet.de (8.9.3/8.9.3) with ESMTP id JAA02711 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 09:31:09 +0200 Received: from punisher (punisher [199.99.99.27]) by mtgultra.mtgnet.de (8.9.3/8.9.3) with SMTP id JAA18893 for <ietf-pkix@imc.org>; Wed, 12 Jul 2000 09:27:00 +0200 (MET DST) Message-ID: <000a01bfebd2$b28e6840$1b6363c7@mtgnet.de> From: "Thomas Hermann" <thermann@mtgnet.de> To: <ietf-pkix@imc.org> Subject: subscribe Date: Wed, 12 Jul 2000 09:27:55 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2014.211 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211 Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA24418 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 22:37:15 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id PAA74171; Wed, 12 Jul 2000 15:38:58 +1000 (EST) Message-ID: <003c01bfebc4$b8fc67d0$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: <ietf-pkix@imc.org> Cc: <denis.bider@denisbider.com> References: <000201bfeb5f$79a796f0$0201010a@intergalactic> Subject: Re: Current signature formats insufficient Date: Wed, 12 Jul 2000 15:47:17 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Hi all, My 2c worth - You should look to handwritten (analog ?) signatures as an analogy for what you are trying to solve here with digital signatures. The technology makes it easy to mess with the format of signature encodings but laws for handwritten signatures will migrate easier to digital signatures if the differences between them are minimised. Hand written signatures do not vary (colour / size etc.) to imply more or less intention regarding the content of what was signed. The only way I know of to boost the non-repudiation value of a signature is to have it witnessed by some competent authority (a JP). The content of what is signed is what binds the signer to whatever the contract is about. Carelessly given signatures, digital or otherwise, should still be binding otherwise ignorance becomes a defense for repudiating a signature. Only fraudulently or forcefully obtained signatures should be able to be repudiated by recourse to the law and the courts. In my opinion there is no difference between adding some signing intention indicator into the signature encoding or to the content before it is signed. Effectively you are marking the content as "void" before signing it so that its contents become irrelevant. The way content should be marked as legally "void" may vary according to local laws so there may not be much point trying to standardise it (yet). Frank Ballufi's suggestion - > In the case of an authentication protocol, you could include an OBJECT > IDENTIFIER or string in the data to be signed to constrain the use of the > signature. For example: > > AuthenticationInfo ::= SEQUENCE { > disclaimer UTF8String, > nonce OCTET STRING > } > > Another technique would be to use PKCS #7 authenticated attributes. This seems to be a good enough way to get the effect you want using current practise and encodings. I.e no new signature formats are needed. Dennis wrote : > Assuming that I have proven sufficiently that such a device is needed and > that its widespread availability is required, because otherwise we will > never be able to rid ourselves of the acute need for paper, I now put forth > the following theory: > - Sometimes the device will be used to sign data for authentication; at > other times, it will be used to sign documents which the user has to > understand thoroughly before signing. I'm sure there is no doubt that such a device is required however I dont think you should be trying to find ways to use private keys that are intended for non-repudiation for ephemeral signatures anyway. It seems like a dangerous and unnecessary overloading of these type of keys. You are trying to solve two problems, non-repudiation and authentication, with one private key. Any ambiguity in the use of this device will undermine its non-repudiation value. Another device or at least another key should be used for the ephemeral type signatures. I also think private keys should have their own usage attributes and implementations shouldn't look for usage attributes for the private key in a public key certificate since the certifcate and private key do not need to be stored on the same device and the association between them is not trivial to check. Usage attributes on private keys can be implementation dependant since private keys typically stay where they were generated. Simon McMahon ERACOM Pty. Ltd. Received: from prithvi.psi.soft.net (prithvi.psi.soft.net [164.164.48.3]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id VAA20622 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 21:11:26 -0700 (PDT) Received: from psi.soft.net ([164.164.48.70]) by prithvi.psi.soft.net (8.9.0/8.9.0) with ESMTP id JAA55510; Wed, 12 Jul 2000 09:36:11 +0500 Message-ID: <396BF0AB.1762A954@psi.soft.net> Date: Wed, 12 Jul 2000 09:44:35 +0530 From: Venkateshwara Reddy A <avenkat@psi.soft.net> X-Mailer: Mozilla 4.7 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: denis.bider@denisbider.com, ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <000d01bfeb3d$113b3ad0$0201010a@intergalactic> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit denis bider wrote: > If you sign a cryptographic challenge intended for authentication, that is a > non-binding signature. That is called `commitment` Regards Venkateswara Reddy Security Consultant, PSI, India Received: from diablo.OntheNet.com.au (diablo.OntheNet.com.au [203.10.89.2]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA12123 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 19:13:35 -0700 (PDT) Received: from msimon (pc3.eracom.com.au [203.144.16.147]) by diablo.OntheNet.com.au (8.9.3/8.9.3) with SMTP id MAA35001; Wed, 12 Jul 2000 12:15:15 +1000 (EST) Message-ID: <013901bfeba8$419218f0$8802a8c0@eracom.com.au> From: "Simon McMahon" <simon@onthenet.com.au> To: <ietf-pkix@imc.org> Cc: <denis.bider@denisbider.com> References: <000901bfeb64$38642f50$0201010a@intergalactic> Subject: Re: Current signature formats insufficient Date: Wed, 12 Jul 2000 12:23:27 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Hi all, My 2c worth. You should look to the analog-signature as an analogy. It's the content of what you sign that includes the terms and therefore the extent to which the signer is bound. Carelessly given signatures should be legally binding, otherwise ignorance will be used as a defense for repudiation, and only fraudulently or forcefully obtained signatues should be able to be sucessfully repudiated by recourse to the law and courts. You never modify the nature of a handwritten signature to indicate your intention, e.g different coloured pens or pressing harder, writing bigger / smaller than normal makes no difference if the handwritten signature can be shown to be yours or you say it is yours. Its what you sign that binds you. Having a signature witnessed by a competent authority (a JP) is the only way I know of to boost non-repudiation of a standard signature. A non-witnessed signature is presumably easier, but by no means trival to repudiate. Just because its easier (relatively) to mess with digital signature formats than handwritten ones dosen't mean that you should since laws for handwritten signatures will migrate easier to digital ones if the analogy is kept closer. I dont agree with either digital alternative for indicating the signers intention in a legally binding way, i.e. boosting or removing non-repudiation. Firstly that the certificate's usage attributes should dictate anything about the private key since they may not both be stored on the same device and the association is not trivial to check, or, secondly, that the signature format should indicate my intention when I signed. All of my intentions should be indicated in the content of what I signed. Any "intention" indicator added to the signature encoding could just as easily be encoded into the content before signing. It is effectively modifying the contract before signing it. For "ephemeral" signatures you effectively stamp the content "void", then sign it. Frank's suggestions : > In the case of an authentication protocol, you could include an OBJECT > IDENTIFIER or string in the data to be signed to constrain the use of the > signature. For example: > > AuthenticationInfo ::= SEQUENCE { > disclaimer UTF8String, > nonce OCTET STRING > } > > Another technique would be to use PKCS #7 authenticated attributes. These look like good mechanisms for this purpose and use current practise and encodings. No need for yet-another-encoding :-). I dont believe that private keys for non-repudiation signatures should ever be used for ephemeral signatures. It just seems like a dangerous and unecessary overloading of an important object - the private key. The private key should be stored with its own usage attributes to avoid looking up the certificate to see if it is such a key. The device doing the signing should do whatever the law requires it to do with these keys, regarding authentication and secure containment, to make non-repudiation enforcable. Simon McMahon ERACOM Pty. Ltd. Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA08740 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 18:37:49 -0700 (PDT) Received: from [192.168.1.57] ([208.233.228.110]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FXK00JOR9S7KV@mta6.snfc21.pbi.net> for ietf-pkix@imc.org; Tue, 11 Jul 2000 18:36:08 -0700 (PDT) Date: Tue, 11 Jul 2000 18:35:54 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: Signing what you don't understand: a practical example In-reply-to: <8525691A.00067B02.00@D51MTA04.pok.ibm.com> To: PKIX <ietf-pkix@imc.org> Message-id: <B591198A.1380%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Tom, > For Denis' technique to have any real use, there would also need to be > an indicator somewhere in the certificate that "the private key of this > pair is held in a Bider-compliant smart card". Doing that (and it could go > into any of several extensions, or a new one could be defined), is > considerably easier than changing the signature format. But how does the CA know that I'm using a "Bider-compliant smart card" (BCSC)? Do I have to physically show up somewhere with my BCSC to prove that I have one? Since the BCSC isn't fully specified, I don't know if it allows me to keep a backup copy of my signature key. If it does, then I might/probably could feed the backup into a software only system. Regards, Aram Perez [snip] Received: from e4.ny.us.ibm.com (e4.ny.us.ibm.com [32.97.182.104]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA05300 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 18:09:09 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e4.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id VAA39250; Tue, 11 Jul 2000 21:11:04 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.92) with SMTP id VAA91202; Tue, 11 Jul 2000 21:10:59 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 8525691A.00067C28 ; Tue, 11 Jul 2000 21:10:50 -0400 X-Lotus-FromDomain: IBMUS To: Aram Perez <aram@pacbell.net> cc: ietf-pkix@imc.org Message-ID: <8525691A.00067B02.00@D51MTA04.pok.ibm.com> Date: Tue, 11 Jul 2000 21:10:45 -0400 Subject: Re: Signing what you don't understand: a practical example Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline For Denis' technique to have any real use, there would also need to be an indicator somewhere in the certificate that "the private key of this pair is held in a Bider-compliant smart card". Doing that (and it could go into any of several extensions, or a new one could be defined), is considerably easier than changing the signature format. For PKCS 1.5, of course, he could change that format just by defining a hash function parameter value (if PKCS #1 would agree), or a new OID for SHA-1 (SHA1OnBiderCard ??). Getting verifiers to understand either of these might be interesting, though. Tom Gindin Aram Perez <aram@pacbell.net> on 07/11/2000 08:44:48 PM To: ietf-pkix@imc.org cc: Subject: Re: Signing what you don't understand: a practical example Hi Denis, [snip] > 2. Encode the algorithm ID for the hash function and the hash value into an > ASN.1 value of type DigestInfo (see Section 11) with the Distinguished > Encoding Rules (DER), where the type DigestInfo has the syntax > > DigestInfo ::= SEQUENCE { > digestAlgorithm AlgorithmIdentifier, > digest OCTET STRING, > flags BIT STRING OPTIONAL > } > > Meaning of 'flags' bits: > first bit: content-not-understood > subsequent bits: not defined at this time > > In case the value of the first bit of 'flags' is 0, the 'flags' field may > be omitted for purposes of backward compatibility. However, this is not > recommended. If omitted, the interpretation of the 'flags' field is > application-dependent. > > The first field identifies the hash function and the second contains the > hash value. Let T be the DER encoding. > > 3. If emLen is less than ||T|| + 10 then output "intended encoded message > length too short". > > 4. Generate an octet string PS consisting of emLen-||T||-2 octets with value > FF (hexadecimal). The length of PS will be at least 8 octets. > > 5. Concatenate PS, the DER encoding T, and other padding to form the encoded > message EM as > > EM = 01 || PS || 00 || T > > 6. Output EM. [Warning: Long sentence ahead.] If you received a signed message from me, formatted per your instructions and with the flags parameter, how would you know that I was using the security device you have described, that the message was displayed on that device and that I really understood what I signed? I can easily create an identical message on my insecure PC with today's smartcards or just with the right software. Regards, Aram Perez Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA03515 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 17:45:08 -0700 (PDT) Received: from [192.168.1.57] ([208.233.228.110]) by mta6.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0FXK00H0D7ESA6@mta6.snfc21.pbi.net> for ietf-pkix@imc.org; Tue, 11 Jul 2000 17:44:53 -0700 (PDT) Date: Tue, 11 Jul 2000 17:44:48 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: Signing what you don't understand: a practical example In-reply-to: <000d01bfeb6b$d2e75ff0$0201010a@intergalactic> To: ietf-pkix@imc.org Message-id: <B5910D90.1378%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Hi Denis, [snip] > 2. Encode the algorithm ID for the hash function and the hash value into an > ASN.1 value of type DigestInfo (see Section 11) with the Distinguished > Encoding Rules (DER), where the type DigestInfo has the syntax > > DigestInfo ::= SEQUENCE { > digestAlgorithm AlgorithmIdentifier, > digest OCTET STRING, > flags BIT STRING OPTIONAL > } > > Meaning of 'flags' bits: > first bit: content-not-understood > subsequent bits: not defined at this time > > In case the value of the first bit of 'flags' is 0, the 'flags' field may > be omitted for purposes of backward compatibility. However, this is not > recommended. If omitted, the interpretation of the 'flags' field is > application-dependent. > > The first field identifies the hash function and the second contains the > hash value. Let T be the DER encoding. > > 3. If emLen is less than ||T|| + 10 then output "intended encoded message > length too short". > > 4. Generate an octet string PS consisting of emLen-||T||-2 octets with value > FF (hexadecimal). The length of PS will be at least 8 octets. > > 5. Concatenate PS, the DER encoding T, and other padding to form the encoded > message EM as > > EM = 01 || PS || 00 || T > > 6. Output EM. [Warning: Long sentence ahead.] If you received a signed message from me, formatted per your instructions and with the flags parameter, how would you know that I was using the security device you have described, that the message was displayed on that device and that I really understood what I signed? I can easily create an identical message on my insecure PC with today's smartcards or just with the right software. Regards, Aram Perez Received: from stargate.zergo.com.au (IDENT:root@stargate.zergo.com.au [203.2.208.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id RAA03023 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 17:31:48 -0700 (PDT) Received: from sydneymail1.baltimore.com.au (sydneymail1.jp.zergo.com.au [192.168.71.5]) by stargate.zergo.com.au (8.9.1/8.8.7) with ESMTP id KAA02487; Wed, 12 Jul 2000 10:39:41 +1000 Received: by sydneymail1.jp.zergo.com.au with Internet Mail Service (5.5.2448.0) id <34DM0MPH>; Wed, 12 Jul 2000 10:32:48 +1000 Message-ID: <D44EACB40164D311BEF00090274EDCCA8497C8@sydneymail1.jp.zergo.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com> To: denis.bider@denisbider.com, ietf-pkix@imc.org Subject: RE: Signing what you don't understand Date: Wed, 12 Jul 2000 10:32:47 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Denis, > > It is my proposal that a signature format is designed which > will allow an > entity to say: "I signed this data, but I didn't understand > what I signed. > You are free to use this signature as proof that I possess a > certain private > key, but this is also the only purpose for which this signature can be > used." > > Currently, I am not aware of a signature format that allows > an entity to do > that. And because there is no such signature format, people > are constantly > going ahead and signing data they don't understand anyway! > Smart cards, as > currently used, are a perfect example of this behavior(*). > I really fail to see how a potential security vulnerability of signing environment is linked to a person's ability to say 'I sign it blindly, and my signature bears no legal obligations'. Those are completely different and unrelated things, IMHO. Are you trying to say that because a system can be easily compromised for 25.000 (is it USD?), a person will be better off by using 'non-binding' signature? This does not make much sense to me. Why not to simply say "Do not sign anything at all, unless you are 100% sure that this world is free of hackers"? Forget about the technology for a moment. Think about legal implications of it. Not a single court on earth would buy your argument about 'non-binding' signatures. If you sign something, you are legally bound. When you are drunk and sign a slip produced by a pizza-delivery boy - that's it, mate. You are legally bound. Try telling to the court that your 'inner-security' could've been compromised (not by a virus, but by alcohol), and therefore your signature is 'non-binding'. Following this logic, we'd better start from global revision of the legal system. Regards Michael Received: from stargate.zergo.com.au (IDENT:root@stargate.zergo.com.au [203.2.208.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA01816 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 16:39:55 -0700 (PDT) Received: from sydneymail1.baltimore.com.au (sydneymail1.jp.zergo.com.au [192.168.71.5]) by stargate.zergo.com.au (8.9.1/8.8.7) with ESMTP id JAA02195; Wed, 12 Jul 2000 09:47:45 +1000 Received: by sydneymail1.jp.zergo.com.au with Internet Mail Service (5.5.2448.0) id <34DM0MN8>; Wed, 12 Jul 2000 09:40:52 +1000 Message-ID: <D44EACB40164D311BEF00090274EDCCA849771@sydneymail1.jp.zergo.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com> To: denis.bider@denisbider.com Cc: ietf-pkix@imc.org Subject: RE: Current signature formats insufficient Date: Wed, 12 Jul 2000 09:40:51 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Denis, It was a joke, really. Probably a bad one. In Australia we have a phrase 'give me a finger' - similar to what they do in Italy when driving around like crazy and sticking a hand with one finger up from the car's window. So I was reading through your message (it was over 10pm, I was still at work, tired, etc) and I was imagining how you'd be dealing with that wonder-box. A message on its screen like 'stick your finger', or something like that. I was just bitching, really. Sorry for confusion and possible misunderstanding. Best regards Michael > -----Original Message----- > From: denis bider [mailto:denis.bider@globera.com] > Sent: Tuesday, July 11, 2000 11:20 PM > To: 'Michael Zolotarev'; ietf-pkix@imc.org > Subject: RE: Current signature formats insufficient > > > Hello Michael, > > I'm not sure I understand you correctly. > > To attempt an explanation: I used the 'fingerprint' example > because I like > this particular technology, because I believe it to be more > practical than, > say, a retina scan, and because it is my perception that it is readily > accessible for widespread use. > > I am not, however, involved with the production of any secure > device such as > the one I described in the original message. There is no commercial > background to my proposal - at least none that I am aware of > at this time. > > Regards, > > denis > > > -----Original Message----- > From: Michael Zolotarev [mailto:mzolotarev@baltimore.com] > Sent: 11. julij 2000 13:39 > To: denis.bider@denisbider.com; ietf-pkix@imc.org > Subject: RE: Current signature formats insufficient > > > Don't you find that there is a little bit too much of a > 'finger' stuff in > there... What would be a name for the box? > > :) > > > > -----Original Message----- > > From: denis bider [mailto:denis.bider@globera.com] > > Sent: Tuesday, July 11, 2000 6:42 PM > > To: ietf-pkix@imc.org > > Subject: Current signature formats insufficient > > > > > > Hello folks, > > > > we probably agree that smart cards, as well as a variety of > > other similar > > cryptographic tokens, are insecure. Their primary insecurity > > lies not within > > the tokens themselves, but rather in the way they are most > > commonly used. > > Most frequently, a cryptographic token is attached to a PC, > > and it does > > whatever cryptographic operation the PC tells it to do. > > > > This concept is obviously insecure, since: > > - PCs are insecure. Every average hacker down the street can > > break into > > anyone's Windoze PC, and it is trivial to write an exploit > > that will capture > > a smart card's PIN, wait for the smart card to be inserted > > and then perform > > a signature operation. > > - Even if the user is as security conscious as to use a > > secure PIN entry > > device, or a fingerprint scanner for that matter, it is still > > the PC that > > decides exactly what information the smart card is going to > > sign. It is > > again trivial to write an exploit that will make the smart card sign > > something that the owner did not mean to sign. > > > > With the advent of digital signature laws which make digital signing > > commonplace, it is time to remove these security holes before > > hackers and > > newspaper articles start popping up. (How would any of you > smart card > > manufacturers like to see your company's name placed > > conveniently next to > > "FRAUD!!" in TIME Magazine?) > > > > The ultimate solution, of course, would be for everyone to > > have a secure > > device, containing the private key, with the following > > characteristics: > > - In order to sign anything, the user must put their finger on the > > fingerprint scanner. (Or other biometrics...) > > - In case the signature is binding (ie, contract as opposed to > > authentication), the user must check the contents being > > signed on the screen > > of the secure device. > > - In case the signature is binding, the user must enter a signature > > passphrase (PIN) as well. > > > > Now, since users do not want to enter passphrases every time > > something needs > > to be signed, and since that would be dangerous in the first place > > (increased risk of passphrase exposure), there is a practical > > need for the > > secure device to be able to distinguish between a binding > > signature and a > > non-binding signature. > > > > In the case of a non-binding signature (eg, proof of > > identity), the behavior > > of the secure device could simply match the behavior of all the > > cryptographic tokens currently out there. Ie, the device > > would sign anything > > that it receives - most commonly a hash of something - > > provided that the > > user confirms the signature operation by putting their finger on the > > fingerpring scanner. However, in contrast to the > cryptographic tokens > > currently being used, any such signature would be explicitly > > marked that it > > cannot be considered binding. > > > > In the case of a binding signature (eg, a contract), the > > secure device would > > insist on receiving the entire content that is being signed, > > formatted in a > > well-known and secure format, so that the content can be > > shown to the user > > before anything can be signed. The user would also need to > > authenticate > > themselves in a more secure manner before a binding signature > > is made; and > > when it is made, the signature would be explicitly marked > > that it CAN be > > considered binding. > > > > It is my opinion that the following efforts need to be made: > > - The current signature formats need to be extended so as > to include > > information about the extent to which the data being signed > > was verified by > > the signer - or simply whether the signature can be > > interpreted as binding > > or not. > > - A format for binding content needs to be selected or > > defined. (RTF, ASCII > > text, anything?) - this is the format in which any binding > > content is sent > > to the secure device so that it can be shown to the user, > who in turn > > decides whether to sign it or not. > > - The current APIs for communication with cryptographic > > tokens need to be > > modified to support this. Eg, in PKCS#11, the following modes > > of signature > > could be introduced: > > - sign this hash and mark the signature as non-binding > > - here is the 34kB file containing the binding > > content to be signed, > > show it to the signer, sign it and mark it as binding > > - here is a hash of the binding content to be signed, > > sign it and > > mark it as binding (deprecated, but must be included since it > > is not yet > > possible to transmit 34kB of data to every kind of > > cryptographic token) > > > > I feel that the above issues are important and that somebody > > needs to take > > them on. I cannot decide whether or not this workgroup should > > do it; but > > somebody has to. (Or else...) > > > > Comments are welcome. Also, does anyone have information > whether these > > issues have been addressed by the xmldsig workgroup, or is > > their format as > > clueless as the ASN.1 signature format? > > > > Regards, > > > > denis bider > > > > // > > // denis bider, denis.bider@globera.com > > // [alternative: anything@denisbider.com] > > // globera d.o.o., Ljubljana, Slovenia > > http://www.globera.com > > +386 1 510 7740 > > > > > > > Received: from ns.celocom.se (firewall-user@ns.celocom.se [212.209.40.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA28839 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 13:58:00 -0700 (PDT) Received: by ns.celocom.se; id WAA23897; Tue, 11 Jul 2000 22:59:52 +0200 (CEST) Received: from zap.celocom.se(10.10.10.1) by ns.celocom.se via smap (4.1) id xma023891; Tue, 11 Jul 00 22:59:28 +0200 Received: from celocom.com (root@localhost [127.0.0.1]) by zap.celocom.se (8.8.7/8.8.7) with ESMTP id WAA14873; Tue, 11 Jul 2000 22:59:24 +0200 Message-ID: <396B8BBC.EA6CE5D9@celocom.com> Date: Tue, 11 Jul 2000 23:03:56 +0200 From: Oscar Jacobsson <oscar.jacobsson@celocom.com> Organization: Celo Communications X-Mailer: Mozilla 4.72 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: "Luo, Feng (Exchange)" <fengluo@bear.com> CC: "'Richard Levitte'" <richard.levitte@celocom.se>, "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: Re: p12 and cer, der,crt References: <991708270E97D211998300A0C99B2376012B6FE8@whmsx19.is.bear.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms85A48475EB5BCF0BF9B1F0F2" This is a cryptographically signed message in MIME format. --------------ms85A48475EB5BCF0BF9B1F0F2 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit "Luo, Feng (Exchange)" wrote: > What I like to do is, when you export the certificate from netscape, it's > with P12 extension, I want to convert it to der, cer or crt extension, which > allows the user to excute it and install certificate on the webpage. OK, fair enough. Then you would need a two-step process: 1. Extract the Certificate from the PFX, which is easily done using the OpenSSL command line tools as Richard mentioned, and save it to disk using -outform DER. 2. Associate whatever extension you gave to the file containing your Certificate with the appropriate MIME-type for the "installation" you want in your webserver configuration: application/x-x509-user-cert: meaning that the cert is meant for the user of the browser, who should have the corresponding private key. application/x-x509-ca-cert: meaning that the cert is meant to be added as a trusted certification authority. application/x-x509-email-cert: meaning that the cert belongs to another user and is to be used to encrypt e-mail to them. More info on the MIME types is available from http://www.netscape.com/eng/security/comm4-cert-download.html Cheers! //oscar --------------ms85A48475EB5BCF0BF9B1F0F2 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIH/gYJKoZIhvcNAQcCoIIH7zCCB+sCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC Bc8wggKzMIICHKADAgECAgMCjYUwDQYJKoZIhvcNAQEEBQAwgZQxCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxFDASBgNVBAcTC0R1cmJhbnZpbGxlMQ8wDQYDVQQKEwZU aGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25h bCBGcmVlbWFpbCBSU0EgMTk5OS45LjE2MB4XDTAwMDUxMzAwMDEzOVoXDTAxMDUxMzAwMDEz OVowTTEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEqMCgGCSqGSIb3DQEJARYb b3NjYXIuamFjb2Jzc29uQGNlbG9jb20uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB gQCZB2URw+NGaMMV/cSk9JoOb4OGMunL44lk/ioXoBR5brSVUcVaB+s+8UmcqOmi9RAAc+Uy wY69hjPn/LWS3HzN4N4KW6jTEiDm0jPE1aVyxMg7un4rjRSGe9htdPL0ut8QoKXLCjafLKIo v/pyudWgC1PxSglWECgKyKVVMl13KwIDAQABo1kwVzAmBgNVHREEHzAdgRtvc2Nhci5qYWNv YnNzb25AY2Vsb2NvbS5jb20wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSIq/Fgg2ZV9ORY x0YdwGG9I9fDjDANBgkqhkiG9w0BAQQFAAOBgQB8NkKsoEJaIAfecEv+NJp6bBs3xM+ynX5F qJ/ave0p7v2eBBO/fovRoMsmFjF0jHf4RFJqxm9NrpoZWlhehM5nOdS0AyPwFIMEWl7PdSxO pKkxGS8wgEsVammWQc8MAwULu4qy8SdL9LnszsvEKtrsJFG+bILsOf1qBkC6UuSR4DCCAxQw ggJ9oAMCAQICAQswDQYJKoZIhvcNAQEEBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxX ZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1 bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNV BAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29u YWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw05OTA5MTYxNDAxNDBaFw0wMTA5MTUxNDAxNDBa MIGUMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJi YW52aWxsZTEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNl czEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDE5OTkuOS4xNjCBnzANBgkqhkiG 9w0BAQEFAAOBjQAwgYkCgYEAs2lal9TQFgt6tcVd6SGcI3LNEkxL937Px/vKciT0QlKsV5Xj e2F6F4Tn/XI5OJS06u1lp5IGXr3gZfYZu5R5dkw+uWhwdYQc9BF0ALwFLE8JAxcxzPRB1HLG pl3iiESwiy7ETfHw1oU+bPOVlHiRfkDpnNGNFVeOwnPlMN5G9U8CAwEAAaM3MDUwEgYDVR0T AQH/BAgwBgEB/wIBADAfBgNVHSMEGDAWgBRyScJzNMZV9At2coF+d/SH58ayDjANBgkqhkiG 9w0BAQQFAAOBgQBrxlnpMfrptuyxA9jfcnL+kWBI6sZV3XvwZ47GYXDnbcKlN9idtxcoVgWL 3Vx1b8aRkMZsZnET0BB8a5FvhuAhNi3B1+qyCa3PLW3Gg1Kb+7v+nIed/LfpdJLkXJeu/H6s yg1vcnpnLGtz9Yb5nfUAbvQdB86dnoJjKe+TCX5V3jGCAfcwggHzAgEBMIGcMIGUMQswCQYD VQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJiYW52aWxsZTEP MA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UE AxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDE5OTkuOS4xNgIDAo2FMAkGBSsOAwIaBQCggbEw GAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDAwNzExMjEwMzU3 WjAjBgkqhkiG9w0BCQQxFgQUZA2uBiqLgSo6Vq+A5QqJEfqHbwUwUgYJKoZIhvcNAQkPMUUw QzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICAUAw DQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYAySeFJ2q3Wl1JhF6rNO99Hle8Ip+5z +3gvv2Hu94H5NrlHEkWzE1kN6N/t7oYzcz7BBeLnZCJCjiHyLrMjyAMpGuxXYUxcowNvFrK2 vnkGpQ4ybw+YZWLMtoLy/TNOUuKn5dqunJzHBOZXLunnsziOpG3/qqekYyOAiJvSiw64UQ== --------------ms85A48475EB5BCF0BF9B1F0F2-- Received: from hamster.gadens.com.au (root@dns.gadens.com.au [203.32.220.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA28036 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 13:12:36 -0700 (PDT) Received: from exchange.gadens.com.au ([10.1.8.3]) by hamster.gadens.com.au (8.9.3/8.9.3) with ESMTP id GAA30864; Wed, 12 Jul 2000 06:13:39 +1000 (EST) (envelope-from AMcCullagh@exchange.gadens.com.au) Received: by exchange.gadens.com.au with Internet Mail Service (5.5.2650.21) id <3JMMK5RL>; Wed, 12 Jul 2000 06:16:59 +1000 Message-ID: <C7006C79F23FD411AFCC00E018C353B40258E1@exchange.gadens.com.au> From: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> To: "'Ben Laurie'" <ben@algroup.co.uk>, Frank Balluffi <frankb@valicert.com> Cc: "'denis.bider@denisbider.com'" <denis.bider@denisbider.com>, ietf-pkix@imc.org Subject: RE: Current signature formats insufficient Date: Wed, 12 Jul 2000 06:16:47 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ben; The law does not see it that way. In the UK if you sign a document as a receipt and there are terms on the receipt then you are deemed to have read the terms and agreed to be bound by them. (see the case of L'Strange v. Graucob). The law will not take your subjective view into account. The law will look upon the action from an objective view. This is only a simplified version and yes there are exceptions but the general rule is that if a man comes to your door with a package and asks you to sign the acknowledgement of receipt you will be bound by the terms on the back of the document. The same position also applies in the USA and in Australia. - -----Original Message----- From: Ben Laurie [mailto:ben@algroup.co.uk] Sent: Wednesday, July 12, 2000 1:04 AM To: Frank Balluffi Cc: 'denis.bider@denisbider.com'; ietf-pkix@imc.org Subject: Re: Current signature formats insufficient Frank Balluffi wrote: > > Denis, > > You refer to non-binding signatures. Why would I bother signing something if > it were non-binding? When a man comes to the door with a package, I sign it because he asks for a signature. I do not consider that signature to be binding in any sense I understand the word. Cheers, Ben. - -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ -----BEGIN PGP SIGNATURE----- Version: PGP Personal Edition 6.0.2 iQA/AwUBOWrzQZWt1NGjt4vzEQIqmACgiMWxbIa1/oM3xxluKDhlItOs3RIAoO9X htrjUpQWRUId9sa3BWxpns2p =g/r1 -----END PGP SIGNATURE----- Received: from smtp-out1.bellatlantic.net (smtp-out1.bellatlantic.net [199.45.39.156]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA27437 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 12:45:05 -0700 (PDT) Received: from ieca.com (adsl-151-200-26-46.bellatlantic.net [151.200.26.46]) by smtp-out1.bellatlantic.net (8.9.1/8.9.1) with ESMTP id PAA13046; Tue, 11 Jul 2000 15:46:40 -0400 (EDT) Message-ID: <396B7934.8F24561D@ieca.com> Date: Tue, 11 Jul 2000 15:44:52 -0400 From: Sean Turner <turners@ieca.com> Organization: IECA, Inc. X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: d.w.chadwick@salford.ac.uk CC: PKIX <ietf-pkix@imc.org>, Boeyen@entrust.com Subject: Re: Comments on draft-ietf-pkix-ldap-v3-01.txt References: <3964DF22.9858.AF326B8@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David, Comments in line. David Chadwick wrote: > Date sent: Sat, 30 Oct 1999 14:51:32 -0400 > From: Sean Turner <turners@ieca.com> > Organization: IECA, Inc. > To: PKIX <ietf-pkix@imc.org> > Subject: Comments on draft-ietf-pkix-ldap-v3-01.txt > > > > > After thinking about the draft a bit I'd like to suggest a few > > modifications (mostly organizational). > > > > The draft includes both the protocol and schema issues to deal with > > LDAPv3 servers. I think we should split the two topics as the draft > > is called "operational protocols". I think the draft should just talk > > about the protocol issues and not the schema. > > After some thought and discussion with other LDAP folk I agree > with you. One of the reasons is that the LDAPExt group will be > updating the base LDAPv3 docs in due course and the schema stuff > should go in there. (But this will be over a longer time frame than is > needed to publish the protocol part). I am currently doing the > changes now in time for Pittsburg. > Great - I think this will make it a lot clearer. > > > My suggestion is to > > update RFC 2587 (Internet X.509 Public Key Infrastructure LDAPv2 > > Schema) to include the attribute and object classes required to > > support attribute certificate users. Then the LDAPv2 schema could > > support storing the attribute certificate related information. > > Another draft should be spawned to include specific LDAPv3 schema > > issues such support for matching rules, etc. > > I will talk to Sharon B about this, as to whether she wants to update > the v2 schema doc or not, or put the whole lot in a new schema doc > leaving the existing RFC as is. (After all, we are not aware of any > defects in that doc, are we?). I would favour just one new schema > doc, which preferrably should be published by the LDAPExt group > as these are core schema requirments in my opinion. However, I > will produce the first draft of this. > > > > > There is support for the pmiUser but where are the attribute > > authority's certificates stored? Should we define an pmiAA (name to > > be determined) object class to support storing of the attribute > > certificate for the AA? > > this is now in X509 > That's where I got the idea from ;) I was just wondering if you were going to put in some text to say use the attribute defined in X.509 to store the AA's certs. All I'm looking for is implementation guidance. > > > > > Also, which revocation list includes the revoked attribute > > certificates? I assumed it would be stored in a separate attribute > > certificate revocation list, but the draft is silent on the issue (so > > is draft-ietf-pkix-ac509prof-01.txt). > > X.509 defines attributeCertificateRevocationList and > attributeAuthorityRevocationList. I dont believe PKIX needs to do > anything more. > Same as with the AA's certificate. I was just hoping to see some text that says use attributes X and Y to store the ACRL and AARCL objects. Cheers, spt > > David > > > > > Thanks, > > > > spt > > > > > > > > > > *************************************************** > > David Chadwick > IS Institute, University of Salford, Salford M5 4WT > Tel +44 161 295 5351 Fax +44 161 745 8169 > Mobile +44 790 167 0359 > Email D.W.Chadwick@salford.ac.uk > Home Page http://www.salford.ac.uk/its024/chadwick.htm > Understanding X.500 http://www.salford.ac.uk/its024/X500.htm > X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm > Entrust key validation string MLJ9-DU5T-HV8J > > *************************************************** Received: from cadtt0470.ca.deloitte.com (dac.deloitte.ca [207.164.165.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA26967 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 12:16:52 -0700 (PDT) Received: by CADTT0470 with Internet Mail Service (5.5.2650.21) id <NL3KDNK1>; Tue, 11 Jul 2000 15:15:11 -0400 Message-ID: <171F723A9D3DD311B11C00508B0CC1DA02D2DDE2@cadtt0404.deloitte.com> From: "Dunnigan, Patrick (CA -Toronto)" <pdunnigan@deloitte.ca> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: unsubscribe Date: Tue, 11 Jul 2000 15:15:10 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA26596 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 12:09:05 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id UAA20649 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 20:57:32 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> To: <ietf-pkix@imc.org> Subject: Signing what you don't understand: a practical example Date: Tue, 11 Jul 2000 21:11:30 +0200 Message-ID: <000d01bfeb6b$d2e75ff0$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Hello folks, to make my idea clearer, this is how I imagine an improved signature format would look like. (The following is an excerpt from PKCS#1 v2. My proposed changes are marked in blue.) 9.2.1 EMSA-PKCS1-v1_5 This encoding method only has an encoding operation. EMSA-PKCS1-v1_5-ENCODE (M, emLen, content-not-understood) Option: Hash - hash function (hLen denotes the length in octets of the hash function output) Input: M - message to be encoded emLen - intended length in octets of the encoded message, at least ||T|| + 10, where T is the DER encoding of a certain value computed during the encoding operation content-not-understood - boolean; false if the semantic meaning of the content being signed is understood by the logical entity which is performing the signing operation, true otherwise Output: EM - encoded message, an octet string of length emLen; or "message too long" or "intended encoded message length too short" Steps: 1. Apply the hash function to the message M to produce a hash value H: H = Hash(M). If the hash function outputs "message too long", then output "message too long". 2. Encode the algorithm ID for the hash function and the hash value into an ASN.1 value of type DigestInfo (see Section 11) with the Distinguished Encoding Rules (DER), where the type DigestInfo has the syntax DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING, flags BIT STRING OPTIONAL } Meaning of 'flags' bits: first bit: content-not-understood subsequent bits: not defined at this time In case the value of the first bit of 'flags' is 0, the 'flags' field may be omitted for purposes of backward compatibility. However, this is not recommended. If omitted, the interpretation of the 'flags' field is application-dependent. The first field identifies the hash function and the second contains the hash value. Let T be the DER encoding. 3. If emLen is less than ||T|| + 10 then output "intended encoded message length too short". 4. Generate an octet string PS consisting of emLen-||T||-2 octets with value FF (hexadecimal). The length of PS will be at least 8 octets. 5. Concatenate PS, the DER encoding T, and other padding to form the encoded message EM as EM = 01 || PS || 00 || T 6. Output EM. // // denis bider, denis.bider@globera.com // [alternative: anything@denisbider.com] // globera d.o.o., Ljubljana, Slovenia http://www.globera.com +386 1 510 7740 Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA25248 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 11:17:15 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id UAA20551 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 20:05:44 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> To: <ietf-pkix@imc.org> Subject: RE: Current signature formats insufficient Date: Tue, 11 Jul 2000 20:19:37 +0200 Message-ID: <000a01bfeb64$933f0120$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-reply-to: <396B2FE3.9DE42AF3@certplus.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Hello Jean-Marc, I'm not sure that using multiple certificates is the proper solution. Rather, I think it is an attempt to patch the problem rather than to resolve the issue at its roots. The core problem is that there is no standardized signature format that allows a person to say: "I am signing this, but I don't understand what I have signed." One example why using multiple certificates is a context-specific patch rather than a general solution: Suppose you have an e-banking service. The e-banking service uses private key authentication to login, and it also uses digital signatures to confirm payments. With the "multiple certificates" solution, it is up to the designer AND the administrator of the e-banking service to provide support for multiple certificates - one for authentication, and one for confirming payments. Thus, if the service designer and/or administrator are not security-conscious enough to take care of this issue, the user has no way of protecting themselves against trojan attack. Keep in mind, again, that what we are trying to protect the user from is a trojan attack, where the user's PC is compromised and the user is tricked into allowing an authentication-only signature take place, where in fact the authentication-only data has been replaced by a trojan horse with data that, when signed, binds the user to an agreement or contract that they have never seen. If, in contrast, a signature format existed with which it was possible to sign data safely without knowing its semantics, this danger would cease to exist. Btw - a real-world example: a few years ago, an old lady in Austria lost her apartment to a very similar trick. Someone rang her bell and explained to her that some simple formality needs to be signed so that something or other will be taken care of. She couldn't read very well, so she signed the paper without knowing what it said. However, the paper was actually an agreement that she is giving the apartment to a third party she had never heard of. The judge enforced the validity of the agreement and she lost the apartment. Again, thousands of people with PCs and smart cards are unnecessarily signing electronic documents like this every day - just because there is no digital signature format which would allow a person to safely sign data which they can't understand. denis -----Original Message----- From: Jean-Marc Desperrier [mailto:jean-marc.desperrier@certplus.com] Sent: 11. julij 2000 16:32 To: ietf-pkix@imc.org Subject: Re: Current signature formats insufficient denis bider wrote: > Examples: if you sign a contract, that is a binding signature. If you sign a > purchase order, that is a binding signature. If you sign a cryptographic > challenge intended for authentication, that is a non-binding signature. This is what certificates are for. To do that, you use several different private keys, each being associated with a certificate that has different usage extensions. It is already a recommended usage to use a different key for SSL authentification and to sign a document. What you are saying is not linked to the format of certificates, but to the way they are used and the policies that should be enforced for legally binding signatures. Nothing in the RFC says, or will or even could say, how a private key has to be used to be legally binding. Therefore this is quite out of suject here. Could you shorten your quoting please ? Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA25163 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 11:16:50 -0700 (PDT) Received: from mega (t5o69p50.telia.com [213.64.110.50]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id UAA26813; Tue, 11 Jul 2000 20:18:40 +0200 (CEST) Message-ID: <001c01bfeb6c$b45ecbd0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "PKIX-List" <ietf-pkix@imc.org>, "Stefan Santesson" <stefan@accurata.se>, <kent@bbn.com>, "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: Cert compare. Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Tue, 11 Jul 2000 21:17:48 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id LAA25166 >What we say is that determination of whether the same name in two >certificates relates to the same entity is outside the scope of the standard. Aha! There is a PKIX-equivalent to "outside the scope of the standard" called "handled with care"! >May I also draw your attension to the fact that the term "unmistakable >identity" is no longer part of the document. Uhum, a QC CA does not even have to create unmistakable identities anymore? Anders Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA24961 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 11:14:50 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id UAA20547 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 20:03:06 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> To: <ietf-pkix@imc.org> Subject: RE: Current signature formats insufficient Date: Tue, 11 Jul 2000 20:17:05 +0200 Message-ID: <000901bfeb64$38642f50$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-reply-to: <14699.14906.5585.962549@xedia.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Paul, you are right - the definition of a 'binding signature' depends very much on the definition of what "binding" actually means. The 'non-binding signature' that I referred to was, in fact, meant to be a "signature of data that the signer does not understand" - hence, a signature which implies no more than the subject's willingness to participate in a third party's effort to validate the subject's identity. An 'ephemeral signature' therefore, by Hal Lockhart's definition. Regards, denis -----Original Message----- From: Paul Koning [mailto:pkoning@xedia.com] Sent: 11. julij 2000 17:16 To: ben@algroup.co.uk Cc: frankb@valicert.com; denis.bider@denisbider.com; ietf-pkix@imc.org Subject: Re: Current signature formats insufficient >>>>> "Ben" == Ben Laurie <ben@algroup.co.uk> writes: Ben> Frank Balluffi wrote: >> Denis, >> >> You refer to non-binding signatures. Why would I bother signing >> something if it were non-binding? Ben> When a man comes to the door with a package, I sign it because Ben> he asks for a signature. I do not consider that signature to be Ben> binding in any sense I understand the word. I don't understand the notion of a non-binding signature. To put it differently, the purpose of a signature is to bind your identity to some assertion. The only question is what that assertion is. It could be "I (insert name) agree to buy 100k shares of FOO Corporation". That would be a "binding" signature in the sense it has been discussed. But in the example you give, the assertion is "I have received package xyz (and consequently agree not to press insurance claims for non-delivery of that package". Is that any less "binding"? The amount of money at stake may be less, so there's a difference in degree, but I don't see a difference in essence. Similarly the example of authentication for a web banking application. Even if you're only looking at information, you're making an assertion that you're authorized to do the looking (or in other words, that accesses so authenticated will not later be challenged as violations of privacy). Again, the amount of money at stake changes, but... paul Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA24631 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 11:07:12 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id TAA20520; Tue, 11 Jul 2000 19:55:25 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> To: "'Hal Lockhart'" <hal.lockhart@entegrity.com>, <ietf-pkix@imc.org> Subject: RE: Current signature formats insufficient Date: Tue, 11 Jul 2000 20:09:25 +0200 Message-ID: <000801bfeb63$2585d240$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-reply-to: <899128A30EEDD1118FC900A0C9C74A34844CF5@bigbird.gradient.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Hal, thanks for this note. Will try to reuse this term when referring to this kind of signature. Does anyone have an idea for a shorthand term for "a digital signature which allows someone to safely sign data which they do not understand"? Regards, denis -----Original Message----- From: Hal Lockhart [mailto:hal.lockhart@entegrity.com] Sent: 11. julij 2000 17:10 To: 'denis.bider@denisbider.com'; 'Frank Balluffi'; ietf-pkix@imc.org Subject: RE: Current signature formats insufficient > in the context of my original message, a "non-binding > signature" would be a > signature for the purposes of, say, authentication. In past discussions (about the key usage field) on this mailing list, this has been referred to as an "ephemeral signature". Hal ======================================================= Harold W. Lockhart Entegrity Solutions 2 Mount Royal Avenue Marlborough, MA 01752 USA V: 1-508-624-9600 x 260 hal.lockhart@entegrity.com F: 1-508-229-0338 www.entegrity.com ======================================================= Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA23544 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 10:43:45 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id TAA20480 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 19:32:12 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> To: <ietf-pkix@imc.org> Subject: Signing what you don't understand Date: Tue, 11 Jul 2000 19:46:10 +0200 Message-ID: <000301bfeb5f$e6cf77c0$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 The most important point of my previous message was buried under a pile of other stuff, so I am repeating it here: It is my proposal that a signature format is designed which will allow an entity to say: "I signed this data, but I didn't understand what I signed. You are free to use this signature as proof that I possess a certain private key, but this is also the only purpose for which this signature can be used." Currently, I am not aware of a signature format that allows an entity to do that. And because there is no such signature format, people are constantly going ahead and signing data they don't understand anyway! Smart cards, as currently used, are a perfect example of this behavior(*). I am convinced that a signature format is needed that will allow an entity to safely sign information that it does not understand. Otherwise, people will continue to sign such information with a protocol that BINDS them to what they have signed, regardless of the fact that they are not sure about what they are signing. (*): You may think you know what you're signing, but trust me, you don't. It is preposterously easy to write a virus that will circumvent any smart card's security without being noticed. I will do it for $25,000; a college student next door will do it for free. Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA23109 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 10:41:04 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id TAA20455; Tue, 11 Jul 2000 19:29:09 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> To: "'Dale Gustafson'" <dale.gustafson@bpsi.net>, <ietf-pkix@imc.org> Subject: RE: Current signature formats insufficient Date: Tue, 11 Jul 2000 19:43:07 +0200 Message-ID: <000201bfeb5f$79a796f0$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-reply-to: <396B289D.ABE4239D@bpsi.net> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Hello Dale, yes, I agree - a proper security device would indeed be more complex than smart cards currently are. In fact, I expect that either mobile phones or PDAs will take on the role of security devices in place of smart cards. Both types of devices already provide more than sufficient functionality to host, eg, a secure document viewer that the consumer can use to view a document before signing it. However, I think that we have to admit that the solution you identified as "all singing / all dancing" is, in fact, the bare minimum that needs to be implemented before we can move into a true, paperless electronic era. The fact I wanted to expose is that, without the kind of additional token functionality that I described, the current system is much too flawed for widespread use. A PC with a smart card is too easy to crack, and that's it. It's too damn easy to crack. Sooner or later, we will need a secure device which will be able to: - show the document being signed to the user so they can proof-read it; - before signing, verify the user's identity with, say, a fingerprint scanner. Assuming that I have proven sufficiently that such a device is needed and that its widespread availability is required, because otherwise we will never be able to rid ourselves of the acute need for paper, I now put forth the following theory: - Sometimes the device will be used to sign data for authentication; at other times, it will be used to sign documents which the user has to understand thoroughly before signing. - The device will receive data that it is supposed to sign from untrusted sources, such as from a PC (signing an email, or logging into a website); or from a cash register in a supermarket (signing to pay for stuff); or from a door (authentication to enter a house, or an apartment). - This device will not always be able to influence the protocol in which its cryptographic services are required. Hence, the device will not always be able to control the format of data that needs to be signed. Only if the format of data can be understood by the device, only then can the device perform a signature on this data that somehow binds its user. Otherwise, if the format of data is not understood by the device, we have two options: * The device must not perform any signature operation. * The device performs a signature operation where it explicitly states "I do not understand this data, hence this signature cannot be considered binding to my owner." It is my proposal that a signature format is designed which will allow an entity to say exactly this: "I signed this data, but I didn't understand what I signed. You are free to use this signature as proof that I possess a certain private key, but this is also the only purpose for which this signature can be used." Currently, I am not aware of a signature format that allows an entity to do that. And because there is no such signature format, people are constantly going ahead and signing data they don't understand anyway! Smart cards, as currently used, are a perfect example of this behavior. (You may think you know what you're signing, but trust me, you don't. It is preposterously easy to write a virus that will circumvent any smart card's security without being noticed. I will do it for $25,000; a college student next door will do it for free.) I am convinced that a signature format is needed that will allow an entity to safely sign information that it does not understand. Otherwise, people will continue to sign such information with a protocol that BINDS them to what they have signed, regardless of the fact that they are not sure about what they are signing. This is dangerous. Regards, denis -----Original Message----- From: Dale Gustafson [mailto:dale.gustafson@bpsi.net] Sent: 11. julij 2000 16:01 To: denis.bider@denisbider.com Cc: ietf-pkix@imc.org Subject: Re: Current signature formats insufficient Denis, Take a closer look at the "Signing Key with Secondary Authentication PIN" capabilities added to PKCS#11 v2.10. Works with optional Secure PINPad readers such that the PIN values are not known to PC software. This feature can be used to provide the "user must enter a special PIN for each and every signature created" functionality you describe. An application could create a key that is used only for signing binding / contract documents, etc. thus providing one clear indication that a "non-repudiation" service is being provided. This approach is different than adding bits to a signature block but provides a similar effect. I agree that the secure application should be specifically requesting a distinct signature service (signalled to relying parties by use of a dedicated signing key and certificate). Cryptographic tokens typically provide 2-factor authentication -- something you have (the physical card) and something you know (the User PIN / Passphrase). This is clearly more secure and portable than storing your security information on your PC hard drive. Nevertheless, any scenario that defeats both factors eliminates the additional security provided by the token. For example; if someone threatens you, takes your token away, and makes you tell her your PINs then your smart token and any private keys stored within can no longer be considered secure. The problem with any all singing / all dancing technical solution is that in order to make the smart token really nifty you have to provide much of the functionality of your Windows PC (e.g. so you can see the web page or movie clip you're signing). You can go to three-factor authentication (something you have, something you know, something you are) and beyond but there's invariably a point of diminishing returns for any real network, user community, and applications. Best Regards, Dale Gustafson denis bider wrote: > Hello folks, > > we probably agree that smart cards, as well as a variety of other similar > cryptographic tokens, are insecure. Their primary insecurity lies not within > the tokens themselves, but rather in the way they are most commonly used. > Most frequently, a cryptographic token is attached to a PC, and it does > whatever cryptographic operation the PC tells it to do. > > This concept is obviously insecure, since: > - PCs are insecure. Every average hacker down the street can break into > anyone's Windoze PC, and it is trivial to write an exploit that will capture > a smart card's PIN, wait for the smart card to be inserted and then perform > a signature operation. > - Even if the user is as security conscious as to use a secure PIN entry > device, or a fingerprint scanner for that matter, it is still the PC that > decides exactly what information the smart card is going to sign. It is > again trivial to write an exploit that will make the smart card sign > something that the owner did not mean to sign. > > With the advent of digital signature laws which make digital signing > commonplace, it is time to remove these security holes before hackers and > newspaper articles start popping up. (How would any of you smart card > manufacturers like to see your company's name placed conveniently next to > "FRAUD!!" in TIME Magazine?) > > The ultimate solution, of course, would be for everyone to have a secure > device, containing the private key, with the following characteristics: > - In order to sign anything, the user must put their finger on the > fingerprint scanner. (Or other biometrics...) > - In case the signature is binding (ie, contract as opposed to > authentication), the user must check the contents being signed on the screen > of the secure device. > - In case the signature is binding, the user must enter a signature > passphrase (PIN) as well. > > Now, since users do not want to enter passphrases every time something needs > to be signed, and since that would be dangerous in the first place > (increased risk of passphrase exposure), there is a practical need for the > secure device to be able to distinguish between a binding signature and a > non-binding signature. > > In the case of a non-binding signature (eg, proof of identity), the behavior > of the secure device could simply match the behavior of all the > cryptographic tokens currently out there. Ie, the device would sign anything > that it receives - most commonly a hash of something - provided that the > user confirms the signature operation by putting their finger on the > fingerpring scanner. However, in contrast to the cryptographic tokens > currently being used, any such signature would be explicitly marked that it > cannot be considered binding. > > In the case of a binding signature (eg, a contract), the secure device would > insist on receiving the entire content that is being signed, formatted in a > well-known and secure format, so that the content can be shown to the user > before anything can be signed. The user would also need to authenticate > themselves in a more secure manner before a binding signature is made; and > when it is made, the signature would be explicitly marked that it CAN be > considered binding. > > It is my opinion that the following efforts need to be made: > - The current signature formats need to be extended so as to include > information about the extent to which the data being signed was verified by > the signer - or simply whether the signature can be interpreted as binding > or not. > - A format for binding content needs to be selected or defined. (RTF, ASCII > text, anything?) - this is the format in which any binding content is sent > to the secure device so that it can be shown to the user, who in turn > decides whether to sign it or not. > - The current APIs for communication with cryptographic tokens need to be > modified to support this. Eg, in PKCS#11, the following modes of signature > could be introduced: > - sign this hash and mark the signature as non-binding > - here is the 34kB file containing the binding content to be signed, > show it to the signer, sign it and mark it as binding > - here is a hash of the binding content to be signed, sign it and > mark it as binding (deprecated, but must be included since it is not yet > possible to transmit 34kB of data to every kind of cryptographic token) > > I feel that the above issues are important and that somebody needs to take > them on. I cannot decide whether or not this workgroup should do it; but > somebody has to. (Or else...) > > Comments are welcome. Also, does anyone have information whether these > issues have been addressed by the xmldsig workgroup, or is their format as > clueless as the ASN.1 signature format? > > Regards, > > denis bider > > // > // denis bider, denis.bider@globera.com > // [alternative: anything@denisbider.com] > // globera d.o.o., Ljubljana, Slovenia > http://www.globera.com > +386 1 510 7740 Received: from wafw.bear.com (wafw.bear.com [207.162.228.3]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA23043 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 10:40:36 -0700 (PDT) Received: from bear.com (localhost [127.0.0.1]) by wafw.bear.com (8.9.3/8.9.2) with SMTP id NAA29497; Tue, 11 Jul 2000 13:42:27 -0400 (EDT) Received: from 147.107.87.19 by whmsxvs2.is.bear.com (InterScan E-Mail VirusWall NT); Tue, 11 Jul 2000 13:40:50 -0400 (Eastern Daylight Time) Received: by whmsx2.is.bear.com with Internet Mail Service (5.5.2448.0) id <33MD3CTB>; Tue, 11 Jul 2000 13:42:26 -0400 Message-ID: <991708270E97D211998300A0C99B2376012B6FE8@whmsx19.is.bear.com> From: "Luo, Feng (Exchange)" <fengluo@bear.com> To: "'Richard Levitte'" <richard.levitte@celocom.se> Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: RE: p12 and cer, der,crt Date: Tue, 11 Jul 2000 13:42:24 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain What I like to do is, when you export the certificate from netscape, it's with P12 extension, I want to convert it to der, cer or crt extension, which allows the user to excute it and install certificate on the webpage. -feng > -----Original Message----- > From: Richard Levitte [SMTP:richard.levitte@celocom.se] > Sent: Tuesday, July 11, 2000 1:33 PM > To: Luo, Feng (Exchange) > Cc: 'ietf-pkix@imc.org' > Subject: Re: p12 and cer, der,crt > > << File: SMIME.txt >> *********************************************************************** Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. *********************************************************************** Received: from ns.celocom.se (firewall-user@ns.celocom.se [212.209.40.66]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA22646 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 10:32:04 -0700 (PDT) Received: by ns.celocom.se; id TAA22450; Tue, 11 Jul 2000 19:33:51 +0200 (CEST) Received: from zap.celocom.se(10.10.10.1) by ns.celocom.se via smap (4.1) id xma022446; Tue, 11 Jul 00 19:33:38 +0200 Received: from celocom.se (dhcp013.celocom.se [10.10.10.193]) by zap.celocom.se (8.8.7/8.8.7) with ESMTP id TAA13611; Tue, 11 Jul 2000 19:33:38 +0200 Message-ID: <396B5A4D.5A7A12E@celocom.se> Date: Tue, 11 Jul 2000 19:33:01 +0200 From: Richard Levitte <richard.levitte@celocom.se> Organization: Celo Communications, Ltd. X-Mailer: Mozilla 4.73 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: "Luo, Feng (Exchange)" <fengluo@bear.com> CC: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: Re: p12 and cer, der,crt References: <991708270E97D211998300A0C99B2376012B6FE7@whmsx19.is.bear.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msCFD62E24BD356C92D0910154" This is a cryptographically signed message in MIME format. --------------msCFD62E24BD356C92D0910154 Content-Type: multipart/mixed; boundary="------------B3D6BB4109DFA66AA5CCD3BC" This is a multi-part message in MIME format. --------------B3D6BB4109DFA66AA5CCD3BC Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit "Luo, Feng (Exchange)" wrote: > Is there a way to convert p12 to cer, der, crt? That a user can install a > certificate himeself on the webpage. Uhmm, a PKCS12-type file is most probably DER-coded already. I assume that what you really want is to extract certificates from a PKCS12-type file. May I suggest OpenSSL, found in http://www.openssl.org/ ? -- Richard Levitte !!! New cell phone number !!! richard.levitte@celocom.se /* You might enjoy viewing the complete vCard */ --------------B3D6BB4109DFA66AA5CCD3BC Content-Type: text/x-vcard; charset=us-ascii; name="richard.levitte.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Richard Levitte Content-Disposition: attachment; filename="richard.levitte.vcf" begin:vcard n:Levitte;Richard tel;cell:+46-733-72 8811 tel;work:+46-8-58 72 8811 x-mozilla-html:FALSE org:<A HREF="http://www.celocom.com">Celo Communications</A> version:2.1 email;internet:richard.levitte@celocom.se title:Software Artist adr;quoted-printable:;;Sveav=E4gen 145, 5tr=0D=0AStockholm;;;;SWEDEN note;quoted-printable:<br>=0D=0A<table border=3D0>=0D=0A<tr>=0D=0A <td bgcolor=3D"#00ffff">c=EAlo, =E2vi, =E2tum, (latin) 1,v.a.=0D=0A to hide something from one, to keep secret, to conceal.=0D=0A </td>=0D=0A</tr>=0D=0A</table>=0D=0A<br>=0D=0A<table border=3D3>=0D=0A<tr>=0D=0A <td>=0D=0A <table>=0D=0A <tr>=0D=0A <td valign=3Dtop>o/~</td>=0D=0A <td><font size=3D-1>Coding, coding, coding</font><br>=0D=0A Keep'em hackers coding<br>=0D=0A <font size=3D+1>And When They're Done Coding</font><br>=0D=0A <font size=3D7>COMPIIIIIIILE!!</font></td>=0D=0A </tr>=0D=0A </table>=0D=0A </td>=0D=0A</tr>=0D=0A</table> fn:Richard Levitte end:vcard --------------B3D6BB4109DFA66AA5CCD3BC-- --------------msCFD62E24BD356C92D0910154 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIH+gYJKoZIhvcNAQcCoIIH6zCCB+cCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC BfYwggLaMIICQ6ADAgECAgMC0N4wDQYJKoZIhvcNAQEEBQAwgZQxCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxFDASBgNVBAcTC0R1cmJhbnZpbGxlMQ8wDQYDVQQKEwZU aGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25h bCBGcmVlbWFpbCBSU0EgMTk5OS45LjE2MB4XDTAwMDYyODA3NDUyNFoXDTAxMDYyODA3NDUy NFowdTEQMA4GA1UEBBMHTGV2aXR0ZTEWMBQGA1UEKhMNVG9tbXkgUmljaGFyZDEeMBwGA1UE AxMVVG9tbXkgUmljaGFyZCBMZXZpdHRlMSkwJwYJKoZIhvcNAQkBFhpyaWNoYXJkLmxldml0 dGVAY2Vsb2NvbS5zZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwXPKEM87WKqgc1sR 3htfC7RThgvQybuuoEnR3YJEHaO0Bq+GxA5cv19STwnTyts34msx8bnEOowDhXpFMK9SMLxm KTbs7+Tr2MvcndEljhIJOXWhtR1j94Fct6T8TRjLrOrAf9AwXhTzONk+L7JRzqaWMomp80Jb imnGFHF20TECAwEAAaNYMFYwJQYDVR0RBB4wHIEacmljaGFyZC5sZXZpdHRlQGNlbG9jb20u c2UwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSIq/Fgg2ZV9ORYx0YdwGG9I9fDjDANBgkq hkiG9w0BAQQFAAOBgQBlABJMb8zOd6a1Tuia5P/ba5Algr4ts9N5kNRxlrc6xed9B3VwRclE g7U6R2d3Bn+4qD8mMKdjlsnWD305DEKUblO831AnuE1ZRgrt00difbOlBua8+UAyvPfdmrli 6KRDM/A62/ToBX4yYYDlwDMefPRsReNdHbJtlgqw0UN42DCCAxQwggJ9oAMCAQICAQswDQYJ KoZIhvcNAQEEBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQ BgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsT H0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJz b25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhh d3RlLmNvbTAeFw05OTA5MTYxNDAxNDBaFw0wMTA5MTUxNDAxNDBaMIGUMQswCQYDVQQGEwJa QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJiYW52aWxsZTEPMA0GA1UE ChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVy c29uYWwgRnJlZW1haWwgUlNBIDE5OTkuOS4xNjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEAs2lal9TQFgt6tcVd6SGcI3LNEkxL937Px/vKciT0QlKsV5Xje2F6F4Tn/XI5OJS06u1l p5IGXr3gZfYZu5R5dkw+uWhwdYQc9BF0ALwFLE8JAxcxzPRB1HLGpl3iiESwiy7ETfHw1oU+ bPOVlHiRfkDpnNGNFVeOwnPlMN5G9U8CAwEAAaM3MDUwEgYDVR0TAQH/BAgwBgEB/wIBADAf BgNVHSMEGDAWgBRyScJzNMZV9At2coF+d/SH58ayDjANBgkqhkiG9w0BAQQFAAOBgQBrxlnp MfrptuyxA9jfcnL+kWBI6sZV3XvwZ47GYXDnbcKlN9idtxcoVgWL3Vx1b8aRkMZsZnET0BB8 a5FvhuAhNi3B1+qyCa3PLW3Gg1Kb+7v+nIed/LfpdJLkXJeu/H6syg1vcnpnLGtz9Yb5nfUA bvQdB86dnoJjKe+TCX5V3jGCAcwwggHIAgEBMIGcMIGUMQswCQYDVQQGEwJaQTEVMBMGA1UE CBMMV2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJiYW52aWxsZTEPMA0GA1UEChMGVGhhd3Rl MR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJl ZW1haWwgUlNBIDE5OTkuOS4xNgIDAtDeMAkGBSsOAwIaBQCggYYwGAYJKoZIhvcNAQkDMQsG CSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDAwNzExMTczMzAzWjAjBgkqhkiG9w0BCQQx FgQU2hGmdSsFFjyHgkx/4euKHuRzQiowJwYJKoZIhvcNAQkPMRowGDAHBgUrDgMCBzANBggq hkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASBgINRFYPuaU0jc1RHVNpc17y/pMspAx0+aWtO ObPJE8+/jI40y4zpmaliONzAQbbqxplhL2Y85af53hy7rUJ8VOot73G6G30GHHJ4BUALxrsO KFVD5jyrLATbE5qABibEMpEqbR7IDy9VbOXe2snUGiFGeX7ZUqsMuP6w78rmcUd/ --------------msCFD62E24BD356C92D0910154-- Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA22243 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 10:27:15 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FXJ00H01N8J4X@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 11 Jul 2000 10:29:07 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FXJ00G99N8IOM@ext-mail.valicert.com>; Tue, 11 Jul 2000 10:29:06 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <3PTBZZ27>; Tue, 11 Jul 2000 10:21:27 -0700 Content-return: allowed Date: Tue, 11 Jul 2000 10:21:19 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: Current signature formats insufficient To: "'denis.bider@denisbider.com'" <denis.bider@denisbider.com> Cc: ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2E08C16@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Denis, Good point! I am not sure I would consider this a protocol problem. I think this goes back to your original point (which I agree with) that computers used by ordinary people do not boot securely and lack trusted paths to devices. My guess is that over time computers used by ordinary people will gain these features. But who knows? Frank > -----Original Message----- > From: denis bider [mailto:denis.bider@globera.com] > Sent: Tuesday, July 11, 2000 1:05 PM > Cc: ietf-pkix@imc.org > Subject: RE: Current signature formats insufficient > > > [Frank Balluffi in response to Ben Laurie:] > > For the life of me, I can't imagine a protocol that would expect > > a device or person to sign a message that only states "...". > > Oh, but there is such a protocol and it is used every day by > thousands of > people. It's called 'a smart card reader'. > > "..." is exactly what a smart card sees when it performs a signature > operation. Anyone who manages to break the security of the PC > (which is > trivial) can tell the smart card to sign virtually anything. > > This is why I think that we need a more elaborate signature > format - one > which will take the real world, not the ideal world, into account. > > denis > Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA22193 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 10:27:00 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id FAA22466; Wed, 12 Jul 2000 05:28:21 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <96333650129572>; Wed, 12 Jul 2000 05:28:21 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ben@algroup.co.uk, pkoning@xedia.com Subject: Re: Current signature formats insufficient Cc: denis.bider@denisbider.com, frankb@valicert.com, ietf-pkix@imc.org Sender: pgut001@cs.auckland.ac.nz Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Wed, 12 Jul 2000 05:28:21 (NZST) Message-ID: <96333650129572@kahu.cs.auckland.ac.nz> Paul Koning <pkoning@xedia.com> writes: >I don't understand the notion of a non-binding signature. To put it >differently, the purpose of a signature is to bind your identity to some >assertion. The only question is what that assertion is. "I assert through the squiggle I have made on this page that I acknowledge that without making the squiggle they won't give me a 'Visitor' badge and let me in the door". Peter. Received: from wafw.bear.com (wafw.bear.com [207.162.228.3]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA21908 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 10:22:16 -0700 (PDT) Received: from bear.com (localhost [127.0.0.1]) by wafw.bear.com (8.9.3/8.9.2) with SMTP id NAA14991 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 13:24:07 -0400 (EDT) Received: from 147.107.147.19 by whmsxvs1.is.bear.com (InterScan E-Mail VirusWall NT); Tue, 11 Jul 2000 13:19:22 -0400 (Eastern Daylight Time) Received: by whmsx2.is.bear.com with Internet Mail Service (5.5.2448.0) id <33MD3A6Y>; Tue, 11 Jul 2000 13:22:49 -0400 Message-ID: <991708270E97D211998300A0C99B2376012B6FE7@whmsx19.is.bear.com> From: "Luo, Feng (Exchange)" <fengluo@bear.com> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: p12 and cer, der,crt Date: Tue, 11 Jul 2000 13:22:40 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain Is there a way to convert p12 to cer, der, crt? That a user can install a certificate himeself on the webpage. Feng Luo Security Technologies and Implementation *********************************************************************** Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. *********************************************************************** Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA21232 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 10:02:33 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id SAA20398 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 18:50:55 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> Cc: <ietf-pkix@imc.org> Subject: RE: Current signature formats insufficient Date: Tue, 11 Jul 2000 19:04:53 +0200 Message-ID: <000101bfeb5a$229c8410$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) In-reply-to: <27FF4FAEA8CDD211B97E00902745CBE2E08C0F@seine.valicert.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 [Frank Balluffi in response to Ben Laurie:] > For the life of me, I can't imagine a protocol that would expect > a device or person to sign a message that only states "...". Oh, but there is such a protocol and it is used every day by thousands of people. It's called 'a smart card reader'. "..." is exactly what a smart card sees when it performs a signature operation. Anyone who manages to break the security of the PC (which is trivial) can tell the smart card to sign virtually anything. This is why I think that we need a more elaborate signature format - one which will take the real world, not the ideal world, into account. denis Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id JAA16887 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 09:15:42 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id RAA16637; Tue, 11 Jul 2000 17:27:55 +0100 Message-ID: <396B487C.E08E2C9F@algroup.co.uk> Date: Tue, 11 Jul 2000 17:17:00 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Paul Koning <pkoning@xedia.com> CC: frankb@valicert.com, denis.bider@denisbider.com, ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <27FF4FAEA8CDD211B97E00902745CBE2E08C0A@seine.valicert.com> <396B3756.271525A8@algroup.co.uk> <14699.14906.5585.962549@xedia.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Paul Koning wrote: > > >>>>> "Ben" == Ben Laurie <ben@algroup.co.uk> writes: > > Ben> Frank Balluffi wrote: > >> Denis, > >> > >> You refer to non-binding signatures. Why would I bother signing > >> something if it were non-binding? > > Ben> When a man comes to the door with a package, I sign it because > Ben> he asks for a signature. I do not consider that signature to be > Ben> binding in any sense I understand the word. > > I don't understand the notion of a non-binding signature. To put it > differently, the purpose of a signature is to bind your identity to > some assertion. The only question is what that assertion is. > > It could be "I (insert name) agree to buy 100k shares of FOO > Corporation". That would be a "binding" signature in the sense it has > been discussed. > > But in the example you give, the assertion is "I have received package > xyz (and consequently agree not to press insurance claims for > non-delivery of that package". Is that any less "binding"? The > amount of money at stake may be less, so there's a difference in > degree, but I don't see a difference in essence. This is really digressing from the point, but that is not the assertion I am signing - in order for that to be the case, I'd have to see more than a form with my name (or someone else's) and address on it with a box saying "signature" on it. If you insist on there being an assertion linked to the signature, it must be "I am signing in this box like the man on my doorstep asked". What that might bind me to, I can't imagine. Nothing, IMO. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA16846 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 09:15:37 -0700 (PDT) Received: from m235-mp1-cvx1c.hud.ntl.com ([62.252.108.235] helo=dwc-acer) by relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2) id 13C2ZU-0005mN-00; Tue, 11 Jul 2000 17:07:44 +0100 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Date: Tue, 11 Jul 2000 17:14:37 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Operational Protocols - LDAPv3 Reply-to: d.w.chadwick@salford.ac.uk Message-ID: <396B55FD.7884.107AAFC4@localhost> Priority: normal In-reply-to: <200007102125.RAA21716@roadblock.missi.ncsc.mil> X-mailer: Pegasus Mail for Win32 (v3.12c) > Put another way, clients can use nextUpdate (or not use it) however > they see fit in fetching information from a repository. But the only > value that has any security relevance is thisUpdate -- the time after > which revocation events will not be reflected in the CRL. This is surely flawed, for example for e-commerce transactions. thisUpdate can only ever be in the past by definition (it can never be in the future). Thus a RP can never be sure that the current sender of the e-commerce transaction has not been revoked, so who takes the hit if he has been and a CRL has or has not been published that reflects this? I think that nextUpdate is important from a liability perspective. If a client (RP) uses a CRL after nextUpate time has past, thus KNOWING that another one has been issued, and fails to get it, then the RP must take the loss if the current certificate has been revoked. If the RP uses a CRL before nextUpdate, when another CRL has been issued but he did not get it, again he must take the loss as he could have checked if he wanted to. But this is perhaps in the area of worms that Marc referred to in his email, depending upon the exact meaning of nextUpdate (not before, or not after - the standard says not after, which I support. You seem to be saying not before). Finally we have the case of using a CRL before nextUpdate, when no other CRL has been issued, but a certificate revocation notice has been sent to the CA but it is holding it until the next CRL is due to be published. Thus no RP can ever know that the certificate has been revoked (without OCSP that is). I would suggest that the CA takes the loss in this case. Otherwise if you are suggesting that this is still the RPs responsibility it would seem to me that few e- commerce transactions will ever be instant (except in cases of low value transactions) because the RP will wait until it gets a CRL with thisUpdate AFTER the time of the transaction. David > > Regards, > Dave > > > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id JAA16274 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 09:08:05 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id RAA16595; Tue, 11 Jul 2000 17:20:14 +0100 Message-ID: <396B46B0.C5504314@algroup.co.uk> Date: Tue, 11 Jul 2000 17:09:20 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Frank Balluffi <frankb@valicert.com> CC: "'denis.bider@denisbider.com'" <denis.bider@denisbider.com>, ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <27FF4FAEA8CDD211B97E00902745CBE2E08C0F@seine.valicert.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Frank Balluffi wrote: > > Ben, > > You are signing something you understand or have the right to understand > (before you sign it). I only hope that the man does not ask you sign a > message stating, "I agree to pay the man ..." > > I hope that I will never knowingly sign anything I do not understand. I didn't say I didn't understand it. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from dfw7-1.relay.mail.uu.net (dfw7-1.relay.mail.uu.net [199.171.54.106]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA13217 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 08:14:24 -0700 (PDT) Received: from xedia.com by dfw7sosrv11.alter.net with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQixjx09807; Tue, 11 Jul 2000 15:16:11 GMT Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA14429; Tue, 11 Jul 00 11:12:21 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id LAA00137; Tue, 11 Jul 2000 11:16:10 -0400 From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <14699.14906.5585.962549@xedia.com> Date: Tue, 11 Jul 2000 11:16:10 -0400 (EDT) To: ben@algroup.co.uk Cc: frankb@valicert.com, denis.bider@denisbider.com, ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <27FF4FAEA8CDD211B97E00902745CBE2E08C0A@seine.valicert.com> <396B3756.271525A8@algroup.co.uk> X-Mailer: VM 6.72 under 21.1 (patch 9) "Canyonlands" XEmacs Lucid >>>>> "Ben" == Ben Laurie <ben@algroup.co.uk> writes: Ben> Frank Balluffi wrote: >> Denis, >> >> You refer to non-binding signatures. Why would I bother signing >> something if it were non-binding? Ben> When a man comes to the door with a package, I sign it because Ben> he asks for a signature. I do not consider that signature to be Ben> binding in any sense I understand the word. I don't understand the notion of a non-binding signature. To put it differently, the purpose of a signature is to bind your identity to some assertion. The only question is what that assertion is. It could be "I (insert name) agree to buy 100k shares of FOO Corporation". That would be a "binding" signature in the sense it has been discussed. But in the example you give, the assertion is "I have received package xyz (and consequently agree not to press insurance claims for non-delivery of that package". Is that any less "binding"? The amount of money at stake may be less, so there's a difference in degree, but I don't see a difference in essence. Similarly the example of authentication for a web banking application. Even if you're only looking at information, you're making an assertion that you're authorized to do the looking (or in other words, that accesses so authenticated will not later be challenged as violations of privacy). Again, the amount of money at stake changes, but... paul Received: from indy.gradient.com (root@indy.gradient.com [192.92.110.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA13142 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 08:14:07 -0700 (PDT) Received: from bigbird.gradient.com (bigbird.gradient.com [192.92.110.50]) by indy.gradient.com (8.9.1a/8.9.1) with ESMTP id LAA14845; Tue, 11 Jul 2000 11:15:51 -0400 (EDT) Received: by bigbird.gradient.com with Internet Mail Service (5.5.2448.0) id <3VPQNBRA>; Tue, 11 Jul 2000 11:10:30 -0400 Message-ID: <899128A30EEDD1118FC900A0C9C74A34844CF5@bigbird.gradient.com> From: Hal Lockhart <hal.lockhart@entegrity.com> To: "'denis.bider@denisbider.com'" <denis.bider@denisbider.com>, "'Frank Balluffi'" <frankb@valicert.com>, ietf-pkix@imc.org Subject: RE: Current signature formats insufficient Date: Tue, 11 Jul 2000 11:10:29 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" > in the context of my original message, a "non-binding > signature" would be a > signature for the purposes of, say, authentication. In past discussions (about the key usage field) on this mailing list, this has been referred to as an "ephemeral signature". Hal ======================================================= Harold W. Lockhart Entegrity Solutions 2 Mount Royal Avenue Marlborough, MA 01752 USA V: 1-508-624-9600 x 260 hal.lockhart@entegrity.com F: 1-508-229-0338 www.entegrity.com ======================================================= Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA12986 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 08:11:37 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FXJ00G01GYGAB@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 11 Jul 2000 08:13:29 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FXJ00FDPGYGRF@ext-mail.valicert.com>; Tue, 11 Jul 2000 08:13:28 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <3PTBZY4T>; Tue, 11 Jul 2000 08:05:49 -0700 Content-return: allowed Date: Tue, 11 Jul 2000 08:05:44 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: Current signature formats insufficient To: "'Ben Laurie'" <ben@algroup.co.uk>, Frank Balluffi <frankb@valicert.com> Cc: "'denis.bider@denisbider.com'" <denis.bider@denisbider.com>, ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2E08C0F@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Ben, You are signing something you understand or have the right to understand (before you sign it). I only hope that the man does not ask you sign a message stating, "I agree to pay the man ..." I hope that I will never knowingly sign anything I do not understand. For example, there is a tremendous difference between signing "..." and "I received [or forwarded] a message whose SHA-1 digest is ...". I would only sign something that is bound to one or more verbs that I understand. For the life of me, I can't imagine a protocol that would expect a device or person to sign a message that only states "...". Frank > -----Original Message----- > From: Ben Laurie [mailto:ben@algroup.co.uk] > Sent: Tuesday, July 11, 2000 11:04 AM > To: Frank Balluffi > Cc: 'denis.bider@denisbider.com'; ietf-pkix@imc.org > Subject: Re: Current signature formats insufficient > > > Frank Balluffi wrote: > > > > Denis, > > > > You refer to non-binding signatures. Why would I bother > signing something if > > it were non-binding? > > When a man comes to the door with a package, I sign it because he asks > for a signature. I do not consider that signature to be binding in any > sense I understand the word. > > Cheers, > > Ben. > > -- > http://www.apache-ssl.org/ben.html > > Coming to ApacheCon Europe 2000? http://apachecon.com/ > Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id IAA12582 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 08:03:45 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id QAA15950; Tue, 11 Jul 2000 16:14:43 +0100 Message-ID: <396B3756.271525A8@algroup.co.uk> Date: Tue, 11 Jul 2000 16:03:50 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Frank Balluffi <frankb@valicert.com> CC: "'denis.bider@denisbider.com'" <denis.bider@denisbider.com>, ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <27FF4FAEA8CDD211B97E00902745CBE2E08C0A@seine.valicert.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Frank Balluffi wrote: > > Denis, > > You refer to non-binding signatures. Why would I bother signing something if > it were non-binding? When a man comes to the door with a package, I sign it because he asks for a signature. I do not consider that signature to be binding in any sense I understand the word. Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from certplus.com (facteur.certplus.com [195.101.88.81]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA11070 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 07:30:43 -0700 (PDT) Received: from certplus.com (nt4_jmd.certplus.com [192.168.1.17]) by certplus.com (8.8.7/8.8.7) with ESMTP id PAA19630 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 15:02:06 +0200 Message-ID: <396B2FE3.9DE42AF3@certplus.com> Date: Tue, 11 Jul 2000 16:32:03 +0200 From: Jean-Marc Desperrier <jean-marc.desperrier@certplus.com> Organization: Certplus X-Mailer: Mozilla 4.72 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <000d01bfeb3d$113b3ad0$0201010a@intergalactic> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit denis bider wrote: > Examples: if you sign a contract, that is a binding signature. If you sign a > purchase order, that is a binding signature. If you sign a cryptographic > challenge intended for authentication, that is a non-binding signature. This is what certificates are for. To do that, you use several different private keys, each being associated with a certificate that has different usage extensions. It is already a recommended usage to use a different key for SSL authentification and to sign a document. What you are saying is not linked to the format of certificates, but to the way they are used and the policies that should be enforced for legally binding signatures. Nothing in the RFC says, or will or even could say, how a private key has to be used to be legally binding. Therefore this is quite out of suject here. Could you shorten your quoting please ? Received: from mail-fwd.verio-web.com ([161.58.16.59]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA09693 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 07:12:26 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11b.verio-web.com (RS ver 1.0.57s) with SMTP id 02109397; Tue, 11 Jul 2000 10:14:09 -0400 (EDT) Sender: rsalz Message-ID: <396B2BEE.73EBA7B6@caveosystems.com> Date: Tue, 11 Jul 2000 10:15:10 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> CC: ietf-pkix@imc.org Subject: Re: Operational Protocols - LDAPv3 References: <200007102125.RAA21716@roadblock.missi.ncsc.mil> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 > Put another way, clients can use nextUpdate (or not use it) however > they see fit in fetching information from a repository. But the only > value that has any security relevance is thisUpdate -- the time after > which revocation events will not be reflected in the CRL. I agree with this. I also believe that, if the connection to the repository is authenticated, then a client can detect "old data" attacks. It is worth noting this in the RFC. Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA08814 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 07:01:55 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FXJ00F01DQAXF@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 11 Jul 2000 07:03:46 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FXJ00F42DQARF@ext-mail.valicert.com>; Tue, 11 Jul 2000 07:03:46 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <3PTBZYNN>; Tue, 11 Jul 2000 06:56:07 -0700 Content-return: allowed Date: Tue, 11 Jul 2000 06:56:03 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: Current signature formats insufficient To: "'denis.bider@denisbider.com'" <denis.bider@denisbider.com>, Frank Balluffi <frankb@valicert.com>, ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2E08C0E@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Denis, By convention, many standards (e.g., protocols) represent a signature with a SEQUENCE containing an AlgorithmIdentifier and a BIT STRING. If your use of current signature formats refers to the above convention, I am not convinced that the problem is with the signature format. Perhaps the problem is with what you sign. In the case of an authentication protocol, you could include an OBJECT IDENTIFIER or string in the data to be signed to constrain the use of the signature. For example: AuthenticationInfo ::= SEQUENCE { disclaimer UTF8String, nonce OCTET STRING } Another technique would be to use PKCS #7 authenticated attributes. Could these be used to solve your problem? I'm still a little confused about what problem you are trying to solve. Frank > -----Original Message----- > From: denis bider [mailto:denis.bider@globera.com] > Sent: Tuesday, July 11, 2000 9:37 AM > To: 'Frank Balluffi'; ietf-pkix@imc.org > Subject: RE: Current signature formats insufficient > > > Hello Frank, > > in the context of my original message, a "non-binding > signature" would be a > signature for the purposes of, say, authentication. > > Suppose you are connecting to a secure website - say, an e-banking > application - that requires private key authentication. For > the purposes of > authentication, your equipment will have to sign a challenge > that is sent to > you from the server. Now, since this signing process is > intended only for > authentication, you want the resulting signature to reflect > this fact. You > don't want to find yourself in a situation where you signed > something that > you thought was intended only for authentication, only to > find later that it > was in fact the hash of a contract that you have never seen before. > > To sum up: for the scope of this discussion, we could vaguely > define that a > signature is "binding" if it can be used as a legal tool to > force the signer > to do something or not to do something. Otherwise, a signature is > "non-binding". > > Examples: if you sign a contract, that is a binding > signature. If you sign a > purchase order, that is a binding signature. If you sign a > cryptographic > challenge intended for authentication, that is a non-binding > signature. > > Regards, > > denis > > > -----Original Message----- > From: Frank Balluffi [mailto:frankb@valicert.com] > Sent: 11. julij 2000 14:49 > To: 'denis.bider@denisbider.com'; ietf-pkix@imc.org > Subject: RE: Current signature formats insufficient > > > Denis, > > You refer to non-binding signatures. Why would I bother > signing something if > it were non-binding? > > Frank > > > -----Original Message----- > > From: denis bider [mailto:denis.bider@globera.com] > > Sent: Tuesday, July 11, 2000 4:42 AM > > To: ietf-pkix@imc.org > > Subject: Current signature formats insufficient > > > > > > Hello folks, > > > > we probably agree that smart cards, as well as a variety of > > other similar > > cryptographic tokens, are insecure. Their primary insecurity > > lies not within > > the tokens themselves, but rather in the way they are most > > commonly used. > > Most frequently, a cryptographic token is attached to a PC, > > and it does > > whatever cryptographic operation the PC tells it to do. > > > > This concept is obviously insecure, since: > > - PCs are insecure. Every average hacker down the street can > > break into > > anyone's Windoze PC, and it is trivial to write an exploit > > that will capture > > a smart card's PIN, wait for the smart card to be inserted > > and then perform > > a signature operation. > > - Even if the user is as security conscious as to use a > > secure PIN entry > > device, or a fingerprint scanner for that matter, it is still > > the PC that > > decides exactly what information the smart card is going to > > sign. It is > > again trivial to write an exploit that will make the smart card sign > > something that the owner did not mean to sign. > > > > With the advent of digital signature laws which make digital signing > > commonplace, it is time to remove these security holes before > > hackers and > > newspaper articles start popping up. (How would any of you > smart card > > manufacturers like to see your company's name placed > > conveniently next to > > "FRAUD!!" in TIME Magazine?) > > > > The ultimate solution, of course, would be for everyone to > > have a secure > > device, containing the private key, with the following > > characteristics: > > - In order to sign anything, the user must put their finger on the > > fingerprint scanner. (Or other biometrics...) > > - In case the signature is binding (ie, contract as opposed to > > authentication), the user must check the contents being > > signed on the screen > > of the secure device. > > - In case the signature is binding, the user must enter a signature > > passphrase (PIN) as well. > > > > Now, since users do not want to enter passphrases every time > > something needs > > to be signed, and since that would be dangerous in the first place > > (increased risk of passphrase exposure), there is a practical > > need for the > > secure device to be able to distinguish between a binding > > signature and a > > non-binding signature. > > > > In the case of a non-binding signature (eg, proof of > > identity), the behavior > > of the secure device could simply match the behavior of all the > > cryptographic tokens currently out there. Ie, the device > > would sign anything > > that it receives - most commonly a hash of something - > > provided that the > > user confirms the signature operation by putting their finger on the > > fingerpring scanner. However, in contrast to the > cryptographic tokens > > currently being used, any such signature would be explicitly > > marked that it > > cannot be considered binding. > > > > In the case of a binding signature (eg, a contract), the > > secure device would > > insist on receiving the entire content that is being signed, > > formatted in a > > well-known and secure format, so that the content can be > > shown to the user > > before anything can be signed. The user would also need to > > authenticate > > themselves in a more secure manner before a binding signature > > is made; and > > when it is made, the signature would be explicitly marked > > that it CAN be > > considered binding. > > > > It is my opinion that the following efforts need to be made: > > - The current signature formats need to be extended so as > to include > > information about the extent to which the data being signed > > was verified by > > the signer - or simply whether the signature can be > > interpreted as binding > > or not. > > - A format for binding content needs to be selected or > > defined. (RTF, ASCII > > text, anything?) - this is the format in which any binding > > content is sent > > to the secure device so that it can be shown to the user, > who in turn > > decides whether to sign it or not. > > - The current APIs for communication with cryptographic > > tokens need to be > > modified to support this. Eg, in PKCS#11, the following modes > > of signature > > could be introduced: > > - sign this hash and mark the signature as non-binding > > - here is the 34kB file containing the binding > > content to be signed, > > show it to the signer, sign it and mark it as binding > > - here is a hash of the binding content to be signed, > > sign it and > > mark it as binding (deprecated, but must be included since it > > is not yet > > possible to transmit 34kB of data to every kind of > > cryptographic token) > > > > I feel that the above issues are important and that somebody > > needs to take > > them on. I cannot decide whether or not this workgroup should > > do it; but > > somebody has to. (Or else...) > > > > Comments are welcome. Also, does anyone have information > whether these > > issues have been addressed by the xmldsig workgroup, or is > > their format as > > clueless as the ASN.1 signature format? > > > > Regards, > > > > denis bider > > > > // > > // denis bider, denis.bider@globera.com > > // [alternative: anything@denisbider.com] > > // globera d.o.o., Ljubljana, Slovenia > > http://www.globera.com > > +386 1 510 7740 > > > > > > > Received: from ra.bpsi.net (ra.bpsi.net [199.199.134.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA08736 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 07:00:53 -0700 (PDT) Received: from bpsi.net (port422.bpsi.net [209.54.245.222]) by ra.bpsi.net (8.9.0/8.9.0) with ESMTP id JAA25646; Tue, 11 Jul 2000 09:02:38 -0500 (CDT) Message-ID: <396B289D.ABE4239D@bpsi.net> Date: Tue, 11 Jul 2000 09:01:01 -0500 From: Dale Gustafson <dale.gustafson@bpsi.net> X-Mailer: Mozilla 4.73 [en]C-CCK-MCD NSCPCD47 (Win95; U) X-Accept-Language: en,pdf MIME-Version: 1.0 To: denis.bider@denisbider.com CC: ietf-pkix@imc.org Subject: Re: Current signature formats insufficient References: <000001bfeb13$d25fe870$0201010a@intergalactic> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Denis, Take a closer look at the "Signing Key with Secondary Authentication PIN" capabilities added to PKCS#11 v2.10. Works with optional Secure PINPad readers such that the PIN values are not known to PC software. This feature can be used to provide the "user must enter a special PIN for each and every signature created" functionality you describe. An application could create a key that is used only for signing binding / contract documents, etc. thus providing one clear indication that a "non-repudiation" service is being provided. This approach is different than adding bits to a signature block but provides a similar effect. I agree that the secure application should be specifically requesting a distinct signature service (signalled to relying parties by use of a dedicated signing key and certificate). Cryptographic tokens typically provide 2-factor authentication -- something you have (the physical card) and something you know (the User PIN / Passphrase). This is clearly more secure and portable than storing your security information on your PC hard drive. Nevertheless, any scenario that defeats both factors eliminates the additional security provided by the token. For example; if someone threatens you, takes your token away, and makes you tell her your PINs then your smart token and any private keys stored within can no longer be considered secure. The problem with any all singing / all dancing technical solution is that in order to make the smart token really nifty you have to provide much of the functionality of your Windows PC (e.g. so you can see the web page or movie clip you're signing). You can go to three-factor authentication (something you have, something you know, something you are) and beyond but there's invariably a point of diminishing returns for any real network, user community, and applications. Best Regards, Dale Gustafson denis bider wrote: > Hello folks, > > we probably agree that smart cards, as well as a variety of other similar > cryptographic tokens, are insecure. Their primary insecurity lies not within > the tokens themselves, but rather in the way they are most commonly used. > Most frequently, a cryptographic token is attached to a PC, and it does > whatever cryptographic operation the PC tells it to do. > > This concept is obviously insecure, since: > - PCs are insecure. Every average hacker down the street can break into > anyone's Windoze PC, and it is trivial to write an exploit that will capture > a smart card's PIN, wait for the smart card to be inserted and then perform > a signature operation. > - Even if the user is as security conscious as to use a secure PIN entry > device, or a fingerprint scanner for that matter, it is still the PC that > decides exactly what information the smart card is going to sign. It is > again trivial to write an exploit that will make the smart card sign > something that the owner did not mean to sign. > > With the advent of digital signature laws which make digital signing > commonplace, it is time to remove these security holes before hackers and > newspaper articles start popping up. (How would any of you smart card > manufacturers like to see your company's name placed conveniently next to > "FRAUD!!" in TIME Magazine?) > > The ultimate solution, of course, would be for everyone to have a secure > device, containing the private key, with the following characteristics: > - In order to sign anything, the user must put their finger on the > fingerprint scanner. (Or other biometrics...) > - In case the signature is binding (ie, contract as opposed to > authentication), the user must check the contents being signed on the screen > of the secure device. > - In case the signature is binding, the user must enter a signature > passphrase (PIN) as well. > > Now, since users do not want to enter passphrases every time something needs > to be signed, and since that would be dangerous in the first place > (increased risk of passphrase exposure), there is a practical need for the > secure device to be able to distinguish between a binding signature and a > non-binding signature. > > In the case of a non-binding signature (eg, proof of identity), the behavior > of the secure device could simply match the behavior of all the > cryptographic tokens currently out there. Ie, the device would sign anything > that it receives - most commonly a hash of something - provided that the > user confirms the signature operation by putting their finger on the > fingerpring scanner. However, in contrast to the cryptographic tokens > currently being used, any such signature would be explicitly marked that it > cannot be considered binding. > > In the case of a binding signature (eg, a contract), the secure device would > insist on receiving the entire content that is being signed, formatted in a > well-known and secure format, so that the content can be shown to the user > before anything can be signed. The user would also need to authenticate > themselves in a more secure manner before a binding signature is made; and > when it is made, the signature would be explicitly marked that it CAN be > considered binding. > > It is my opinion that the following efforts need to be made: > - The current signature formats need to be extended so as to include > information about the extent to which the data being signed was verified by > the signer - or simply whether the signature can be interpreted as binding > or not. > - A format for binding content needs to be selected or defined. (RTF, ASCII > text, anything?) - this is the format in which any binding content is sent > to the secure device so that it can be shown to the user, who in turn > decides whether to sign it or not. > - The current APIs for communication with cryptographic tokens need to be > modified to support this. Eg, in PKCS#11, the following modes of signature > could be introduced: > - sign this hash and mark the signature as non-binding > - here is the 34kB file containing the binding content to be signed, > show it to the signer, sign it and mark it as binding > - here is a hash of the binding content to be signed, sign it and > mark it as binding (deprecated, but must be included since it is not yet > possible to transmit 34kB of data to every kind of cryptographic token) > > I feel that the above issues are important and that somebody needs to take > them on. I cannot decide whether or not this workgroup should do it; but > somebody has to. (Or else...) > > Comments are welcome. Also, does anyone have information whether these > issues have been addressed by the xmldsig workgroup, or is their format as > clueless as the ASN.1 signature format? > > Regards, > > denis bider > > // > // denis bider, denis.bider@globera.com > // [alternative: anything@denisbider.com] > // globera d.o.o., Ljubljana, Slovenia > http://www.globera.com > +386 1 510 7740 Received: from spdl139-tr0.dexia.be (mail.dexia.be [193.91.97.4]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA08668 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 06:59:28 -0700 (PDT) Date: 11 Jul 2000 15:57:44 +0200 From: Thierry Van Doninck <Thierry.VanDoninck@dexia.be> To: "denis.bider" <denis.bider@globera.com> Subject: RE: Current signature formats insufficient Message-Id: <056E4396B27D804B*/c=be/admd=publilink/prmd=gkbccb/o=notes/s=SY064/@MHS> Hi, Another example of a non-binding signature : the signature could just be used to assure the integrety of a message. Thierry denis.bider%globera.com@Internet 11/07/2000 15:34 To: frankb%valicert.com@Internet, ietf-pkix%imc.org@Internet cc: (bcc: Thierry Van Doninck/GKBCCB) Subject: RE: Current signature formats insufficient Hello Frank, in the context of my original message, a "non-binding signature" would be a signature for the purposes of, say, authentication. Suppose you are connecting to a secure website - say, an e-banking application - that requires private key authentication. For the purposes of authentication, your equipment will have to sign a challenge that is sent to you from the server. Now, since this signing process is intended only for authentication, you want the resulting signature to reflect this fact. You don't want to find yourself in a situation where you signed something that you thought was intended only for authentication, only to find later that it was in fact the hash of a contract that you have never seen before. To sum up: for the scope of this discussion, we could vaguely define that a signature is "binding" if it can be used as a legal tool to force the signer to do something or not to do something. Otherwise, a signature is "non-binding". Examples: if you sign a contract, that is a binding signature. If you sign a purchase order, that is a binding signature. If you sign a cryptographic challenge intended for authentication, that is a non-binding signature. Regards, denis -----Original Message----- From: Frank Balluffi [mailto:frankb@valicert.com] Sent: 11. julij 2000 14:49 To: 'denis.bider@denisbider.com'; ietf-pkix@imc.org Subject: RE: Current signature formats insufficient Denis, You refer to non-binding signatures. Why would I bother signing something if it were non-binding? Frank > -----Original Message----- > From: denis bider [mailto:denis.bider@globera.com] > Sent: Tuesday, July 11, 2000 4:42 AM > To: ietf-pkix@imc.org > Subject: Current signature formats insufficient > > > Hello folks, > > we probably agree that smart cards, as well as a variety of > other similar > cryptographic tokens, are insecure. Their primary insecurity > lies not within > the tokens themselves, but rather in the way they are most > commonly used. > Most frequently, a cryptographic token is attached to a PC, > and it does > whatever cryptographic operation the PC tells it to do. > > This concept is obviously insecure, since: > - PCs are insecure. Every average hacker down the street can > break into > anyone's Windoze PC, and it is trivial to write an exploit > that will capture > a smart card's PIN, wait for the smart card to be inserted > and then perform > a signature operation. > - Even if the user is as security conscious as to use a > secure PIN entry > device, or a fingerprint scanner for that matter, it is still > the PC that > decides exactly what information the smart card is going to > sign. It is > again trivial to write an exploit that will make the smart card sign > something that the owner did not mean to sign. > > With the advent of digital signature laws which make digital signing > commonplace, it is time to remove these security holes before > hackers and > newspaper articles start popping up. (How would any of you smart card > manufacturers like to see your company's name placed > conveniently next to > "FRAUD!!" in TIME Magazine?) > > The ultimate solution, of course, would be for everyone to > have a secure > device, containing the private key, with the following > characteristics: > - In order to sign anything, the user must put their finger on the > fingerprint scanner. (Or other biometrics...) > - In case the signature is binding (ie, contract as opposed to > authentication), the user must check the contents being > signed on the screen > of the secure device. > - In case the signature is binding, the user must enter a signature > passphrase (PIN) as well. > > Now, since users do not want to enter passphrases every time > something needs > to be signed, and since that would be dangerous in the first place > (increased risk of passphrase exposure), there is a practical > need for the > secure device to be able to distinguish between a binding > signature and a > non-binding signature. > > In the case of a non-binding signature (eg, proof of > identity), the behavior > of the secure device could simply match the behavior of all the > cryptographic tokens currently out there. Ie, the device > would sign anything > that it receives - most commonly a hash of something - > provided that the > user confirms the signature operation by putting their finger on the > fingerpring scanner. However, in contrast to the cryptographic tokens > currently being used, any such signature would be explicitly > marked that it > cannot be considered binding. > > In the case of a binding signature (eg, a contract), the > secure device would > insist on receiving the entire content that is being signed, > formatted in a > well-known and secure format, so that the content can be > shown to the user > before anything can be signed. The user would also need to > authenticate > themselves in a more secure manner before a binding signature > is made; and > when it is made, the signature would be explicitly marked > that it CAN be > considered binding. > > It is my opinion that the following efforts need to be made: > - The current signature formats need to be extended so as to include > information about the extent to which the data being signed > was verified by > the signer - or simply whether the signature can be > interpreted as binding > or not. > - A format for binding content needs to be selected or > defined. (RTF, ASCII > text, anything?) - this is the format in which any binding > content is sent > to the secure device so that it can be shown to the user, who in turn > decides whether to sign it or not. > - The current APIs for communication with cryptographic > tokens need to be > modified to support this. Eg, in PKCS#11, the following modes > of signature > could be introduced: > - sign this hash and mark the signature as non-binding > - here is the 34kB file containing the binding > content to be signed, > show it to the signer, sign it and mark it as binding > - here is a hash of the binding content to be signed, > sign it and > mark it as binding (deprecated, but must be included since it > is not yet > possible to transmit 34kB of data to every kind of > cryptographic token) > > I feel that the above issues are important and that somebody > needs to take > them on. I cannot decide whether or not this workgroup should > do it; but > somebody has to. (Or else...) > > Comments are welcome. Also, does anyone have information whether these > issues have been addressed by the xmldsig workgroup, or is > their format as > clueless as the ASN.1 signature format? > > Regards, > > denis bider > > // > // denis bider, denis.bider@globera.com > // [alternative: anything@denisbider.com] > // globera d.o.o., Ljubljana, Slovenia > http://www.globera.com > +386 1 510 7740 > > > Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA07561 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 06:34:33 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id PAA20004; Tue, 11 Jul 2000 15:22:52 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> To: "'Frank Balluffi'" <frankb@valicert.com>, <ietf-pkix@imc.org> Subject: RE: Current signature formats insufficient Date: Tue, 11 Jul 2000 15:36:49 +0200 Message-ID: <000d01bfeb3d$113b3ad0$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 In-reply-to: <27FF4FAEA8CDD211B97E00902745CBE2E08C0A@seine.valicert.com> Hello Frank, in the context of my original message, a "non-binding signature" would be a signature for the purposes of, say, authentication. Suppose you are connecting to a secure website - say, an e-banking application - that requires private key authentication. For the purposes of authentication, your equipment will have to sign a challenge that is sent to you from the server. Now, since this signing process is intended only for authentication, you want the resulting signature to reflect this fact. You don't want to find yourself in a situation where you signed something that you thought was intended only for authentication, only to find later that it was in fact the hash of a contract that you have never seen before. To sum up: for the scope of this discussion, we could vaguely define that a signature is "binding" if it can be used as a legal tool to force the signer to do something or not to do something. Otherwise, a signature is "non-binding". Examples: if you sign a contract, that is a binding signature. If you sign a purchase order, that is a binding signature. If you sign a cryptographic challenge intended for authentication, that is a non-binding signature. Regards, denis -----Original Message----- From: Frank Balluffi [mailto:frankb@valicert.com] Sent: 11. julij 2000 14:49 To: 'denis.bider@denisbider.com'; ietf-pkix@imc.org Subject: RE: Current signature formats insufficient Denis, You refer to non-binding signatures. Why would I bother signing something if it were non-binding? Frank > -----Original Message----- > From: denis bider [mailto:denis.bider@globera.com] > Sent: Tuesday, July 11, 2000 4:42 AM > To: ietf-pkix@imc.org > Subject: Current signature formats insufficient > > > Hello folks, > > we probably agree that smart cards, as well as a variety of > other similar > cryptographic tokens, are insecure. Their primary insecurity > lies not within > the tokens themselves, but rather in the way they are most > commonly used. > Most frequently, a cryptographic token is attached to a PC, > and it does > whatever cryptographic operation the PC tells it to do. > > This concept is obviously insecure, since: > - PCs are insecure. Every average hacker down the street can > break into > anyone's Windoze PC, and it is trivial to write an exploit > that will capture > a smart card's PIN, wait for the smart card to be inserted > and then perform > a signature operation. > - Even if the user is as security conscious as to use a > secure PIN entry > device, or a fingerprint scanner for that matter, it is still > the PC that > decides exactly what information the smart card is going to > sign. It is > again trivial to write an exploit that will make the smart card sign > something that the owner did not mean to sign. > > With the advent of digital signature laws which make digital signing > commonplace, it is time to remove these security holes before > hackers and > newspaper articles start popping up. (How would any of you smart card > manufacturers like to see your company's name placed > conveniently next to > "FRAUD!!" in TIME Magazine?) > > The ultimate solution, of course, would be for everyone to > have a secure > device, containing the private key, with the following > characteristics: > - In order to sign anything, the user must put their finger on the > fingerprint scanner. (Or other biometrics...) > - In case the signature is binding (ie, contract as opposed to > authentication), the user must check the contents being > signed on the screen > of the secure device. > - In case the signature is binding, the user must enter a signature > passphrase (PIN) as well. > > Now, since users do not want to enter passphrases every time > something needs > to be signed, and since that would be dangerous in the first place > (increased risk of passphrase exposure), there is a practical > need for the > secure device to be able to distinguish between a binding > signature and a > non-binding signature. > > In the case of a non-binding signature (eg, proof of > identity), the behavior > of the secure device could simply match the behavior of all the > cryptographic tokens currently out there. Ie, the device > would sign anything > that it receives - most commonly a hash of something - > provided that the > user confirms the signature operation by putting their finger on the > fingerpring scanner. However, in contrast to the cryptographic tokens > currently being used, any such signature would be explicitly > marked that it > cannot be considered binding. > > In the case of a binding signature (eg, a contract), the > secure device would > insist on receiving the entire content that is being signed, > formatted in a > well-known and secure format, so that the content can be > shown to the user > before anything can be signed. The user would also need to > authenticate > themselves in a more secure manner before a binding signature > is made; and > when it is made, the signature would be explicitly marked > that it CAN be > considered binding. > > It is my opinion that the following efforts need to be made: > - The current signature formats need to be extended so as to include > information about the extent to which the data being signed > was verified by > the signer - or simply whether the signature can be > interpreted as binding > or not. > - A format for binding content needs to be selected or > defined. (RTF, ASCII > text, anything?) - this is the format in which any binding > content is sent > to the secure device so that it can be shown to the user, who in turn > decides whether to sign it or not. > - The current APIs for communication with cryptographic > tokens need to be > modified to support this. Eg, in PKCS#11, the following modes > of signature > could be introduced: > - sign this hash and mark the signature as non-binding > - here is the 34kB file containing the binding > content to be signed, > show it to the signer, sign it and mark it as binding > - here is a hash of the binding content to be signed, > sign it and > mark it as binding (deprecated, but must be included since it > is not yet > possible to transmit 34kB of data to every kind of > cryptographic token) > > I feel that the above issues are important and that somebody > needs to take > them on. I cannot decide whether or not this workgroup should > do it; but > somebody has to. (Or else...) > > Comments are welcome. Also, does anyone have information whether these > issues have been addressed by the xmldsig workgroup, or is > their format as > clueless as the ASN.1 signature format? > > Regards, > > denis bider > > // > // denis bider, denis.bider@globera.com > // [alternative: anything@denisbider.com] > // globera d.o.o., Ljubljana, Slovenia > http://www.globera.com > +386 1 510 7740 > > > Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA06558 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 06:17:29 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id PAA19957; Tue, 11 Jul 2000 15:05:47 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> To: "'Michael Zolotarev'" <mzolotarev@baltimore.com>, <ietf-pkix@imc.org> Subject: RE: Current signature formats insufficient Date: Tue, 11 Jul 2000 15:19:44 +0200 Message-ID: <000c01bfeb3a$ae4e2290$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 In-reply-to: <D44EACB40164D311BEF00090274EDCCA84970E@sydneymail1.jp.zergo.com.au> Hello Michael, I'm not sure I understand you correctly. To attempt an explanation: I used the 'fingerprint' example because I like this particular technology, because I believe it to be more practical than, say, a retina scan, and because it is my perception that it is readily accessible for widespread use. I am not, however, involved with the production of any secure device such as the one I described in the original message. There is no commercial background to my proposal - at least none that I am aware of at this time. Regards, denis -----Original Message----- From: Michael Zolotarev [mailto:mzolotarev@baltimore.com] Sent: 11. julij 2000 13:39 To: denis.bider@denisbider.com; ietf-pkix@imc.org Subject: RE: Current signature formats insufficient Don't you find that there is a little bit too much of a 'finger' stuff in there... What would be a name for the box? :) > -----Original Message----- > From: denis bider [mailto:denis.bider@globera.com] > Sent: Tuesday, July 11, 2000 6:42 PM > To: ietf-pkix@imc.org > Subject: Current signature formats insufficient > > > Hello folks, > > we probably agree that smart cards, as well as a variety of > other similar > cryptographic tokens, are insecure. Their primary insecurity > lies not within > the tokens themselves, but rather in the way they are most > commonly used. > Most frequently, a cryptographic token is attached to a PC, > and it does > whatever cryptographic operation the PC tells it to do. > > This concept is obviously insecure, since: > - PCs are insecure. Every average hacker down the street can > break into > anyone's Windoze PC, and it is trivial to write an exploit > that will capture > a smart card's PIN, wait for the smart card to be inserted > and then perform > a signature operation. > - Even if the user is as security conscious as to use a > secure PIN entry > device, or a fingerprint scanner for that matter, it is still > the PC that > decides exactly what information the smart card is going to > sign. It is > again trivial to write an exploit that will make the smart card sign > something that the owner did not mean to sign. > > With the advent of digital signature laws which make digital signing > commonplace, it is time to remove these security holes before > hackers and > newspaper articles start popping up. (How would any of you smart card > manufacturers like to see your company's name placed > conveniently next to > "FRAUD!!" in TIME Magazine?) > > The ultimate solution, of course, would be for everyone to > have a secure > device, containing the private key, with the following > characteristics: > - In order to sign anything, the user must put their finger on the > fingerprint scanner. (Or other biometrics...) > - In case the signature is binding (ie, contract as opposed to > authentication), the user must check the contents being > signed on the screen > of the secure device. > - In case the signature is binding, the user must enter a signature > passphrase (PIN) as well. > > Now, since users do not want to enter passphrases every time > something needs > to be signed, and since that would be dangerous in the first place > (increased risk of passphrase exposure), there is a practical > need for the > secure device to be able to distinguish between a binding > signature and a > non-binding signature. > > In the case of a non-binding signature (eg, proof of > identity), the behavior > of the secure device could simply match the behavior of all the > cryptographic tokens currently out there. Ie, the device > would sign anything > that it receives - most commonly a hash of something - > provided that the > user confirms the signature operation by putting their finger on the > fingerpring scanner. However, in contrast to the cryptographic tokens > currently being used, any such signature would be explicitly > marked that it > cannot be considered binding. > > In the case of a binding signature (eg, a contract), the > secure device would > insist on receiving the entire content that is being signed, > formatted in a > well-known and secure format, so that the content can be > shown to the user > before anything can be signed. The user would also need to > authenticate > themselves in a more secure manner before a binding signature > is made; and > when it is made, the signature would be explicitly marked > that it CAN be > considered binding. > > It is my opinion that the following efforts need to be made: > - The current signature formats need to be extended so as to include > information about the extent to which the data being signed > was verified by > the signer - or simply whether the signature can be > interpreted as binding > or not. > - A format for binding content needs to be selected or > defined. (RTF, ASCII > text, anything?) - this is the format in which any binding > content is sent > to the secure device so that it can be shown to the user, who in turn > decides whether to sign it or not. > - The current APIs for communication with cryptographic > tokens need to be > modified to support this. Eg, in PKCS#11, the following modes > of signature > could be introduced: > - sign this hash and mark the signature as non-binding > - here is the 34kB file containing the binding > content to be signed, > show it to the signer, sign it and mark it as binding > - here is a hash of the binding content to be signed, > sign it and > mark it as binding (deprecated, but must be included since it > is not yet > possible to transmit 34kB of data to every kind of > cryptographic token) > > I feel that the above issues are important and that somebody > needs to take > them on. I cannot decide whether or not this workgroup should > do it; but > somebody has to. (Or else...) > > Comments are welcome. Also, does anyone have information whether these > issues have been addressed by the xmldsig workgroup, or is > their format as > clueless as the ASN.1 signature format? > > Regards, > > denis bider > > // > // denis bider, denis.bider@globera.com > // [alternative: anything@denisbider.com] > // globera d.o.o., Ljubljana, Slovenia > http://www.globera.com > +386 1 510 7740 > > > Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id FAA05462 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 05:54:34 -0700 (PDT) Received: from CONVERSION-DAEMON.ext-mail.valicert.com by ext-mail.valicert.com (PMDF V6.0-24 #46243) id <0FXJ00F01ALWOG@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 11 Jul 2000 05:56:20 -0700 (PDT) Received: from seine.valicert.com ([192.168.2.23]) by ext-mail.valicert.com (PMDF V6.0-24 #46243) with ESMTP id <0FXJ00F5XALWHB@ext-mail.valicert.com>; Tue, 11 Jul 2000 05:56:20 -0700 (PDT) Received: by seine.valicert.com with Internet Mail Service (5.5.2650.21) id <3PTBZY22>; Tue, 11 Jul 2000 05:48:41 -0700 Content-return: allowed Date: Tue, 11 Jul 2000 05:48:37 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: Current signature formats insufficient To: "'denis.bider@denisbider.com'" <denis.bider@denisbider.com>, ietf-pkix@imc.org Message-id: <27FF4FAEA8CDD211B97E00902745CBE2E08C0A@seine.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Denis, You refer to non-binding signatures. Why would I bother signing something if it were non-binding? Frank > -----Original Message----- > From: denis bider [mailto:denis.bider@globera.com] > Sent: Tuesday, July 11, 2000 4:42 AM > To: ietf-pkix@imc.org > Subject: Current signature formats insufficient > > > Hello folks, > > we probably agree that smart cards, as well as a variety of > other similar > cryptographic tokens, are insecure. Their primary insecurity > lies not within > the tokens themselves, but rather in the way they are most > commonly used. > Most frequently, a cryptographic token is attached to a PC, > and it does > whatever cryptographic operation the PC tells it to do. > > This concept is obviously insecure, since: > - PCs are insecure. Every average hacker down the street can > break into > anyone's Windoze PC, and it is trivial to write an exploit > that will capture > a smart card's PIN, wait for the smart card to be inserted > and then perform > a signature operation. > - Even if the user is as security conscious as to use a > secure PIN entry > device, or a fingerprint scanner for that matter, it is still > the PC that > decides exactly what information the smart card is going to > sign. It is > again trivial to write an exploit that will make the smart card sign > something that the owner did not mean to sign. > > With the advent of digital signature laws which make digital signing > commonplace, it is time to remove these security holes before > hackers and > newspaper articles start popping up. (How would any of you smart card > manufacturers like to see your company's name placed > conveniently next to > "FRAUD!!" in TIME Magazine?) > > The ultimate solution, of course, would be for everyone to > have a secure > device, containing the private key, with the following > characteristics: > - In order to sign anything, the user must put their finger on the > fingerprint scanner. (Or other biometrics...) > - In case the signature is binding (ie, contract as opposed to > authentication), the user must check the contents being > signed on the screen > of the secure device. > - In case the signature is binding, the user must enter a signature > passphrase (PIN) as well. > > Now, since users do not want to enter passphrases every time > something needs > to be signed, and since that would be dangerous in the first place > (increased risk of passphrase exposure), there is a practical > need for the > secure device to be able to distinguish between a binding > signature and a > non-binding signature. > > In the case of a non-binding signature (eg, proof of > identity), the behavior > of the secure device could simply match the behavior of all the > cryptographic tokens currently out there. Ie, the device > would sign anything > that it receives - most commonly a hash of something - > provided that the > user confirms the signature operation by putting their finger on the > fingerpring scanner. However, in contrast to the cryptographic tokens > currently being used, any such signature would be explicitly > marked that it > cannot be considered binding. > > In the case of a binding signature (eg, a contract), the > secure device would > insist on receiving the entire content that is being signed, > formatted in a > well-known and secure format, so that the content can be > shown to the user > before anything can be signed. The user would also need to > authenticate > themselves in a more secure manner before a binding signature > is made; and > when it is made, the signature would be explicitly marked > that it CAN be > considered binding. > > It is my opinion that the following efforts need to be made: > - The current signature formats need to be extended so as to include > information about the extent to which the data being signed > was verified by > the signer - or simply whether the signature can be > interpreted as binding > or not. > - A format for binding content needs to be selected or > defined. (RTF, ASCII > text, anything?) - this is the format in which any binding > content is sent > to the secure device so that it can be shown to the user, who in turn > decides whether to sign it or not. > - The current APIs for communication with cryptographic > tokens need to be > modified to support this. Eg, in PKCS#11, the following modes > of signature > could be introduced: > - sign this hash and mark the signature as non-binding > - here is the 34kB file containing the binding > content to be signed, > show it to the signer, sign it and mark it as binding > - here is a hash of the binding content to be signed, > sign it and > mark it as binding (deprecated, but must be included since it > is not yet > possible to transmit 34kB of data to every kind of > cryptographic token) > > I feel that the above issues are important and that somebody > needs to take > them on. I cannot decide whether or not this workgroup should > do it; but > somebody has to. (Or else...) > > Comments are welcome. Also, does anyone have information whether these > issues have been addressed by the xmldsig workgroup, or is > their format as > clueless as the ASN.1 signature format? > > Regards, > > denis bider > > // > // denis bider, denis.bider@globera.com > // [alternative: anything@denisbider.com] > // globera d.o.o., Ljubljana, Slovenia > http://www.globera.com > +386 1 510 7740 > > > Received: from stargate.zergo.com.au (IDENT:root@stargate.zergo.com.au [203.2.208.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA01381 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 04:38:01 -0700 (PDT) Received: from sydneymail1.baltimore.com.au (sydneymail1.jp.zergo.com.au [192.168.71.5]) by stargate.zergo.com.au (8.9.1/8.8.7) with ESMTP id VAA00786; Tue, 11 Jul 2000 21:45:27 +1000 Received: by sydneymail1.jp.zergo.com.au with Internet Mail Service (5.5.2448.0) id <34DM0MHB>; Tue, 11 Jul 2000 21:38:31 +1000 Message-ID: <D44EACB40164D311BEF00090274EDCCA84970E@sydneymail1.jp.zergo.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com> To: denis.bider@denisbider.com, ietf-pkix@imc.org Subject: RE: Current signature formats insufficient Date: Tue, 11 Jul 2000 21:38:31 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Don't you find that there is a little bit too much of a 'finger' stuff in there... What would be a name for the box? :) > -----Original Message----- > From: denis bider [mailto:denis.bider@globera.com] > Sent: Tuesday, July 11, 2000 6:42 PM > To: ietf-pkix@imc.org > Subject: Current signature formats insufficient > > > Hello folks, > > we probably agree that smart cards, as well as a variety of > other similar > cryptographic tokens, are insecure. Their primary insecurity > lies not within > the tokens themselves, but rather in the way they are most > commonly used. > Most frequently, a cryptographic token is attached to a PC, > and it does > whatever cryptographic operation the PC tells it to do. > > This concept is obviously insecure, since: > - PCs are insecure. Every average hacker down the street can > break into > anyone's Windoze PC, and it is trivial to write an exploit > that will capture > a smart card's PIN, wait for the smart card to be inserted > and then perform > a signature operation. > - Even if the user is as security conscious as to use a > secure PIN entry > device, or a fingerprint scanner for that matter, it is still > the PC that > decides exactly what information the smart card is going to > sign. It is > again trivial to write an exploit that will make the smart card sign > something that the owner did not mean to sign. > > With the advent of digital signature laws which make digital signing > commonplace, it is time to remove these security holes before > hackers and > newspaper articles start popping up. (How would any of you smart card > manufacturers like to see your company's name placed > conveniently next to > "FRAUD!!" in TIME Magazine?) > > The ultimate solution, of course, would be for everyone to > have a secure > device, containing the private key, with the following > characteristics: > - In order to sign anything, the user must put their finger on the > fingerprint scanner. (Or other biometrics...) > - In case the signature is binding (ie, contract as opposed to > authentication), the user must check the contents being > signed on the screen > of the secure device. > - In case the signature is binding, the user must enter a signature > passphrase (PIN) as well. > > Now, since users do not want to enter passphrases every time > something needs > to be signed, and since that would be dangerous in the first place > (increased risk of passphrase exposure), there is a practical > need for the > secure device to be able to distinguish between a binding > signature and a > non-binding signature. > > In the case of a non-binding signature (eg, proof of > identity), the behavior > of the secure device could simply match the behavior of all the > cryptographic tokens currently out there. Ie, the device > would sign anything > that it receives - most commonly a hash of something - > provided that the > user confirms the signature operation by putting their finger on the > fingerpring scanner. However, in contrast to the cryptographic tokens > currently being used, any such signature would be explicitly > marked that it > cannot be considered binding. > > In the case of a binding signature (eg, a contract), the > secure device would > insist on receiving the entire content that is being signed, > formatted in a > well-known and secure format, so that the content can be > shown to the user > before anything can be signed. The user would also need to > authenticate > themselves in a more secure manner before a binding signature > is made; and > when it is made, the signature would be explicitly marked > that it CAN be > considered binding. > > It is my opinion that the following efforts need to be made: > - The current signature formats need to be extended so as to include > information about the extent to which the data being signed > was verified by > the signer - or simply whether the signature can be > interpreted as binding > or not. > - A format for binding content needs to be selected or > defined. (RTF, ASCII > text, anything?) - this is the format in which any binding > content is sent > to the secure device so that it can be shown to the user, who in turn > decides whether to sign it or not. > - The current APIs for communication with cryptographic > tokens need to be > modified to support this. Eg, in PKCS#11, the following modes > of signature > could be introduced: > - sign this hash and mark the signature as non-binding > - here is the 34kB file containing the binding > content to be signed, > show it to the signer, sign it and mark it as binding > - here is a hash of the binding content to be signed, > sign it and > mark it as binding (deprecated, but must be included since it > is not yet > possible to transmit 34kB of data to every kind of > cryptographic token) > > I feel that the above issues are important and that somebody > needs to take > them on. I cannot decide whether or not this workgroup should > do it; but > somebody has to. (Or else...) > > Comments are welcome. Also, does anyone have information whether these > issues have been addressed by the xmldsig workgroup, or is > their format as > clueless as the ASN.1 signature format? > > Regards, > > denis bider > > // > // denis bider, denis.bider@globera.com > // [alternative: anything@denisbider.com] > // globera d.o.o., Ljubljana, Slovenia > http://www.globera.com > +386 1 510 7740 > > > Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA20749 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 01:39:16 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id KAA19442 for <ietf-pkix@imc.org>; Tue, 11 Jul 2000 10:27:38 +0200 Reply-To: <denis.bider@denisbider.com> From: "denis bider" <denis.bider@globera.com> To: <ietf-pkix@imc.org> Subject: Current signature formats insufficient Date: Tue, 11 Jul 2000 10:41:34 +0200 Message-ID: <000001bfeb13$d25fe870$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Hello folks, we probably agree that smart cards, as well as a variety of other similar cryptographic tokens, are insecure. Their primary insecurity lies not within the tokens themselves, but rather in the way they are most commonly used. Most frequently, a cryptographic token is attached to a PC, and it does whatever cryptographic operation the PC tells it to do. This concept is obviously insecure, since: - PCs are insecure. Every average hacker down the street can break into anyone's Windoze PC, and it is trivial to write an exploit that will capture a smart card's PIN, wait for the smart card to be inserted and then perform a signature operation. - Even if the user is as security conscious as to use a secure PIN entry device, or a fingerprint scanner for that matter, it is still the PC that decides exactly what information the smart card is going to sign. It is again trivial to write an exploit that will make the smart card sign something that the owner did not mean to sign. With the advent of digital signature laws which make digital signing commonplace, it is time to remove these security holes before hackers and newspaper articles start popping up. (How would any of you smart card manufacturers like to see your company's name placed conveniently next to "FRAUD!!" in TIME Magazine?) The ultimate solution, of course, would be for everyone to have a secure device, containing the private key, with the following characteristics: - In order to sign anything, the user must put their finger on the fingerprint scanner. (Or other biometrics...) - In case the signature is binding (ie, contract as opposed to authentication), the user must check the contents being signed on the screen of the secure device. - In case the signature is binding, the user must enter a signature passphrase (PIN) as well. Now, since users do not want to enter passphrases every time something needs to be signed, and since that would be dangerous in the first place (increased risk of passphrase exposure), there is a practical need for the secure device to be able to distinguish between a binding signature and a non-binding signature. In the case of a non-binding signature (eg, proof of identity), the behavior of the secure device could simply match the behavior of all the cryptographic tokens currently out there. Ie, the device would sign anything that it receives - most commonly a hash of something - provided that the user confirms the signature operation by putting their finger on the fingerpring scanner. However, in contrast to the cryptographic tokens currently being used, any such signature would be explicitly marked that it cannot be considered binding. In the case of a binding signature (eg, a contract), the secure device would insist on receiving the entire content that is being signed, formatted in a well-known and secure format, so that the content can be shown to the user before anything can be signed. The user would also need to authenticate themselves in a more secure manner before a binding signature is made; and when it is made, the signature would be explicitly marked that it CAN be considered binding. It is my opinion that the following efforts need to be made: - The current signature formats need to be extended so as to include information about the extent to which the data being signed was verified by the signer - or simply whether the signature can be interpreted as binding or not. - A format for binding content needs to be selected or defined. (RTF, ASCII text, anything?) - this is the format in which any binding content is sent to the secure device so that it can be shown to the user, who in turn decides whether to sign it or not. - The current APIs for communication with cryptographic tokens need to be modified to support this. Eg, in PKCS#11, the following modes of signature could be introduced: - sign this hash and mark the signature as non-binding - here is the 34kB file containing the binding content to be signed, show it to the signer, sign it and mark it as binding - here is a hash of the binding content to be signed, sign it and mark it as binding (deprecated, but must be included since it is not yet possible to transmit 34kB of data to every kind of cryptographic token) I feel that the above issues are important and that somebody needs to take them on. I cannot decide whether or not this workgroup should do it; but somebody has to. (Or else...) Comments are welcome. Also, does anyone have information whether these issues have been addressed by the xmldsig workgroup, or is their format as clueless as the ASN.1 signature format? Regards, denis bider // // denis bider, denis.bider@globera.com // [alternative: anything@denisbider.com] // globera d.o.o., Ljubljana, Slovenia http://www.globera.com +386 1 510 7740 Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA11805 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 14:34:13 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id RAA21720 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 17:25:40 -0400 (EDT) Message-Id: <200007102125.RAA21716@roadblock.missi.ncsc.mil> Date: Mon, 10 Jul 2000 17:32:32 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: Operational Protocols - LDAPv3 To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: zFfNe2n+kDO29NOefYydlQ== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc > From: "David Chadwick" <d.w.chadwick@salford.ac.uk> > > > > Conclusion. The superceded CRL is valid if it contains the > > > certificate we are checking, and is invalid otherwise. > > > > This conclusion depends on some assumptions: all clients have the same > > revocation freshness requirements, those requirements don't depend on > > the value of the information being processed at the time, and the CA > > is the controlling authority for how often clients must check CRLs. > > Sorry David, I disagree with you on the above. They are irrelevant > in my opinion to the statement I made. However, they may be > relevant to the client (who is choosing to ignore the fact that a later > CRL is available, but that is its choice. The fact still stands that the > old CRL is not fully trustworthy (or valid) in an absolute sense. But it > might be good enough for the client.) Assume CA "A" which issues scheduled CRLs every day, but will issue an unscheduled CRL within 3 hours of receiving a revocation-for-compromise request. Assume CA "B" which issues scheduled CRLs every hour and no unscheduled CRLs. Assume a client which fetches a CRL every three hours, regardless of nextUpdate. client client gets com- validates CRL A CRL B CRL promise cert X ----- ----- ---- ------- -------- thisUpdate: t t *** nextUpdate: t + 24h t + 1h thisUpdate: t + 1h nextUpdate: t + 2h thisUpdate: t + 2h t + 2h nextUpdate: t + 3h thisUpdate: t + 3h *** nextUpdate: t + 4h thisUpdate: t + 4h nextUpdate: t + 5h t + 4h thisUpdate: t + 5h t + 5h nextUpdate: t + 24h t + 6h thisUpdate: t + 6h *** nextUpdate: t + 7h . . . thisUpdate: t + 24h t + 24h *** nextUpdate: t + 48h t + 25h What you are saying is that the client which fetches CRL A is always using an up-to-date CRL which is fully trustworthy (valid) in an absolute sense. But the same client which fetches CRL B is two thirds of the time using an old (superceded) CRL which is not fully trustworthy (invalid if the cert it is looking for is not present). I respectfully disagree. CRLs are not "valid" in any absolute sense, they are only "fresh" or "stale" in an absolute sense. CRL B (issued at t+3h) is, despite being superceded, fresher than CRL A at time t+4 hours. Put another way, clients can use nextUpdate (or not use it) however they see fit in fetching information from a repository. But the only value that has any security relevance is thisUpdate -- the time after which revocation events will not be reflected in the CRL. Regards, Dave Received: from rhea.salford.ac.uk (rhea.salford.ac.uk [146.87.255.99]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA07659 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 12:10:31 -0700 (PDT) Received: (qmail 51847 invoked by alias); 10 Jul 2000 19:12:18 -0000 Received: (qmail 51816 invoked from network); 10 Jul 2000 19:12:17 -0000 Received: from unknown (HELO dwc-acer) (146.87.80.54) by rhea.salford.ac.uk with SMTP; 10 Jul 2000 19:12:17 -0000 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: tgindin@us.ibm.com, "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Date: Mon, 10 Jul 2000 20:07:48 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Operational Protocols - LDAPv3 Reply-to: d.w.chadwick@salford.ac.uk CC: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Message-ID: <396A2D14.16548.BF2AF37@localhost> Priority: normal In-reply-to: <85256918.00135BEA.00@D51MTA04.pok.ibm.com> X-mailer: Pegasus Mail for Win32 (v3.12c) > [Tom Gindin] My conclusion is only slightly different: the superseded > CRL is trustworthy if it contains the certificate we are checking and > that certificate does not have either reason "certificateHold" or > reason "removeFromCRL", and is not fully trustworthy otherwise. The > term "valid" here gets into the semantic debate above. > Fair point (but I was omitting the Hold case for simplification reasons) David *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from rhea.salford.ac.uk (rhea.salford.ac.uk [146.87.255.99]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA07656 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 12:10:31 -0700 (PDT) Received: (qmail 51861 invoked by alias); 10 Jul 2000 19:12:18 -0000 Received: (qmail 51819 invoked from network); 10 Jul 2000 19:12:17 -0000 Received: from unknown (HELO dwc-acer) (146.87.80.54) by rhea.salford.ac.uk with SMTP; 10 Jul 2000 19:12:17 -0000 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: ietf-pkix@imc.org, "David P. Kemp" <dpkemp@missi.ncsc.mil> Date: Mon, 10 Jul 2000 20:07:49 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Operational Protocols - LDAPv3 Reply-to: d.w.chadwick@salford.ac.uk Message-ID: <396A2D15.4758.BF2B0C4@localhost> Priority: normal In-reply-to: <200007101525.LAA23993@roadblock.missi.ncsc.mil> X-mailer: Pegasus Mail for Win32 (v3.12c) > > Conclusion. The superceded CRL is valid if it contains the > > certificate we are checking, and is invalid otherwise. > > > This conclusion depends on some assumptions: all clients have the same > revocation freshness requirements, those requirements don't depend on > the value of the information being processed at the time, and the CA > is the controlling authority for how often clients must check CRLs. Sorry David, I disagree with you on the above. They are irrelevant in my opinion to the statement I made. However, they may be relevant to the client (who is choosing to ignore the fact that a later CRL is available, but that is its choice. The fact still stands that the old CRL is not fully trustworthy (or valid) in an absolute sense. But it might be good enough for the client.) David > Putting the CA in control of CRL "validity" turns what would normally > be a pull model into a push model - clients have to take the latest > information that has been generated, or else. In my view, that isn't > the best way to improve security. > > Regards, > Dave > > > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from rhea.salford.ac.uk (rhea.salford.ac.uk [146.87.255.99]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA07657 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 12:10:31 -0700 (PDT) Received: (qmail 51835 invoked by alias); 10 Jul 2000 19:12:18 -0000 Received: (qmail 51816 invoked from network); 10 Jul 2000 19:12:17 -0000 Received: from unknown (HELO dwc-acer) (146.87.80.54) by rhea.salford.ac.uk with SMTP; 10 Jul 2000 19:12:17 -0000 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: tgindin@us.ibm.com, "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Date: Mon, 10 Jul 2000 20:07:48 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Operational Protocols - LDAPv3 Reply-to: d.w.chadwick@salford.ac.uk CC: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Message-ID: <396A2D14.16548.BF2AF37@localhost> Priority: normal In-reply-to: <85256918.00135BEA.00@D51MTA04.pok.ibm.com> X-mailer: Pegasus Mail for Win32 (v3.12c) > [Tom Gindin] My conclusion is only slightly different: the superseded > CRL is trustworthy if it contains the certificate we are checking and > that certificate does not have either reason "certificateHold" or > reason "removeFromCRL", and is not fully trustworthy otherwise. The > term "valid" here gets into the semantic debate above. > Fair point (but I was omitting the Hold case for simplification reasons) David *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from rhea.salford.ac.uk (rhea.salford.ac.uk [146.87.255.99]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA07655 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 12:10:31 -0700 (PDT) Received: (qmail 51898 invoked by alias); 10 Jul 2000 19:12:18 -0000 Received: (qmail 51855 invoked from network); 10 Jul 2000 19:12:18 -0000 Received: from unknown (HELO dwc-acer) (146.87.80.54) by rhea.salford.ac.uk with SMTP; 10 Jul 2000 19:12:18 -0000 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: "Miklos, Sue A." <samiklo@missi.ncsc.mil>, "Kemp David P." <DPKemp@missi.ncsc.mil>, ietf-pkix@imc.org Date: Mon, 10 Jul 2000 20:07:47 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: RE: Operational Protocols - LDAPv3 Reply-to: d.w.chadwick@salford.ac.uk CC: "Kemp David P." <DPKemp@missi.ncsc.mil>, ietf-pkix@imc.org Message-ID: <396A2D13.16967.BF2ABA4@localhost> Priority: normal In-reply-to: <200007101422.KAA07561@roadblock.missi.ncsc.mil> X-mailer: Pegasus Mail for Win32 (v3.12c) From: "Miklos, Sue A." <samiklo@missi.ncsc.mil> To: "'tgindin@us.ibm.com'" <tgindin@us.ibm.com>, d.w.chadwick@salford.ac.uk Copies to: "Kemp David P." <DPKemp@missi.ncsc.mil>, ietf-pkix@imc.org Subject: RE: Operational Protocols - LDAPv3 Date sent: Mon, 10 Jul 2000 10:33:00 -0400 > Forgive what may be an ignorant question, but if the client 'verifies' > the server, does that indicate some form of two-way strong > authentication? > Sandi You know it was not an ignorant question :-) > we ran into issues when trying to require two way strong > authentication. The client required a crl to complete the path > processing on the signed bind response from the server. (this is my > understanding of 'verifying' the server) Clearly there is a bootstrapping problem here. Although verify does not necessarily mean dig sigs, (though it could). It could be hashed passwords. If it is dig sigs, the client could hold off veryifying the bind until the crls had been retrieved, that would be one solution. But I would rather not get into the mire of saying how you verify the server if you dont mind. This note was merely meant as a cautionary one to alert the reader to the possibility of a rare and sophisticated attack that is possible. That's all. > > Subsequently, it was easiest to allow unauthenticated reads to > retrieve CRLs at start up. Ease of use does often conflict with tight security as I mentioned in my previous message. It is always a balancing act David *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from rhea.salford.ac.uk (rhea.salford.ac.uk [146.87.255.99]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA07658 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 12:10:31 -0700 (PDT) Received: (qmail 51897 invoked by alias); 10 Jul 2000 19:12:18 -0000 Received: (qmail 51855 invoked from network); 10 Jul 2000 19:12:18 -0000 Received: from unknown (HELO dwc-acer) (146.87.80.54) by rhea.salford.ac.uk with SMTP; 10 Jul 2000 19:12:18 -0000 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: "Miklos, Sue A." <samiklo@missi.ncsc.mil>, "Kemp David P." <DPKemp@missi.ncsc.mil>, ietf-pkix@imc.org Date: Mon, 10 Jul 2000 20:07:47 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: RE: Operational Protocols - LDAPv3 Reply-to: d.w.chadwick@salford.ac.uk CC: "Kemp David P." <DPKemp@missi.ncsc.mil>, ietf-pkix@imc.org Message-ID: <396A2D13.16967.BF2ABA4@localhost> Priority: normal In-reply-to: <200007101422.KAA07561@roadblock.missi.ncsc.mil> X-mailer: Pegasus Mail for Win32 (v3.12c) From: "Miklos, Sue A." <samiklo@missi.ncsc.mil> To: "'tgindin@us.ibm.com'" <tgindin@us.ibm.com>, d.w.chadwick@salford.ac.uk Copies to: "Kemp David P." <DPKemp@missi.ncsc.mil>, ietf-pkix@imc.org Subject: RE: Operational Protocols - LDAPv3 Date sent: Mon, 10 Jul 2000 10:33:00 -0400 > Forgive what may be an ignorant question, but if the client 'verifies' > the server, does that indicate some form of two-way strong > authentication? > Sandi You know it was not an ignorant question :-) > we ran into issues when trying to require two way strong > authentication. The client required a crl to complete the path > processing on the signed bind response from the server. (this is my > understanding of 'verifying' the server) Clearly there is a bootstrapping problem here. Although verify does not necessarily mean dig sigs, (though it could). It could be hashed passwords. If it is dig sigs, the client could hold off veryifying the bind until the crls had been retrieved, that would be one solution. But I would rather not get into the mire of saying how you verify the server if you dont mind. This note was merely meant as a cautionary one to alert the reader to the possibility of a rare and sophisticated attack that is possible. That's all. > > Subsequently, it was easiest to allow unauthenticated reads to > retrieve CRLs at start up. Ease of use does often conflict with tight security as I mentioned in my previous message. It is always a balancing act David *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from crack.x509.com (root@crack.x509.com [199.175.150.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA04853 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 10:13:12 -0700 (PDT) Received: from xcert.com (saxifrage.x509.com [199.175.148.75]) by crack.x509.com (8.10.0/XCERT) with ESMTP id e6AHEwI25323 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 10:14:58 -0700 (PDT) Sender: marcnarc@crack.x509.com Message-ID: <396A04D3.8ABA8425@xcert.com> Date: Mon, 10 Jul 2000 10:16:03 -0700 From: Marc Branchaud <marcnarc@xcert.com> Organization: Xcert International Inc. X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.10 i686) X-Accept-Language: en, fr MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Operational Protocols - LDAPv3 References: <200007072033.QAA17615@roadblock.missi.ncsc.mil> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit "David P. Kemp" wrote: > > this "CRL Validity" interpretation eliminates the ability of the client > to decide, based on the value of information, how fresh its revocation > information needs to be. An interesting perspective if you consider a couple of points: - The CA gets to decide when a revocation is important enough to issue a pre-emptive CRL. - The relying party typically has no legal relationship with the issuing CA. So the CA is under no obligation to care about the relying party's values. The relying party can demand the latest CRL every 10ms if he wants, but the CA isn't necessarily going to cough up any newer revocation data. Seems like the client never has the ability to decide freshness based on their own values, regardless of how they interpret CRL validity. Sure, the client can decide "I need data fresher than the CRL issuance frequency of this CA, so I'm not going to trust it." Refusing to talk to other people isn't a good way to use a network though. Later, you do put a slightly different spin on things: > I prefer an environment where the CA is > incentivized to improve service - to advertise "status updates every hour", > "every 15 minutes" or "every minute", and fastest would be unequivocably > best. For this to work sensibly, CAs should really ignore the provision of X.509 that says that CRLs can be issued before nextUpdate. Although it may seem wise to take the position that an "important" revocation warrants an early CRL, doing so really throws RPs' trust assumptions out the window: RP: "Gee, your honor, the CA only updates its revocation info every hour, so I didn't see the need to check again since my CRL was only 20 minutes old..." CA: "But your honor, this was an important revocation, so we issued an early update to our revocation data. We're just trying to provide the best possible service, and since we already published the revocation, we can't be held liable for the RP's damages." Lovely can of big, fat wriggly worms that is. More importantly, though, even if the issue were resolved the client is still stuck with whatever regime the CA chooses. If there isn't a CA that meets the client's freshness requirements, the client is SOL. Marc +------------------------------------------------------------------------+ Marc Branchaud \/ Chief PKI Architect /\CERT INTERNATIONAL INC. marcnarc@xcert.com PKI References page: www.xcert.com 604-640-6227 www.xcert.com/~marcnarc/PKI/ +------------------------------------------------------------------------+ Received: from dfw7-1.relay.mail.uu.net (dfw7-1.relay.mail.uu.net [199.171.54.106]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA00908 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 09:09:07 -0700 (PDT) Received: from xedia.com by dfw7sosrv11.alter.net with SMTP (peer crosschecked as: madway.xedia.com [198.202.232.199]) id QQixgi13247; Mon, 10 Jul 2000 16:10:48 GMT Received: from tonga.xedia.com by xedia.com (4.1/SMI-4.1) id AA03180; Mon, 10 Jul 00 12:06:58 EDT Received: by tonga.xedia.com (SMI-8.6/SMI-SVR4) id MAA28622; Mon, 10 Jul 2000 12:10:47 -0400 From: Paul Koning <pkoning@xedia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <14697.62855.86517.298866@xedia.com> Date: Mon, 10 Jul 2000 12:10:47 -0400 (EDT) To: kent@bbn.com Cc: James.H.Manger@team.telstra.com, ietf-pkix@imc.org Subject: RE: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt. HASH References: <73388857A695D31197EF00508B08F2988A3C17@ntmsg0131.corpmail.telstra.com.au> <v0422080bb58299d62029@[171.78.30.107]> X-Mailer: VM 6.72 under 21.1 (patch 9) "Canyonlands" XEmacs Lucid >>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes: Stephen> Jim, I support Denis in his desire to have the TSA check Stephen> everything it can (syntactically) in a request. Not Stephen> checking allows the TSA to sign tokens that are just broken. Stephen> We have seen many examples of broken certs signed by CAs, so Stephen> I think it worthwhile that we put language in RFCs to Stephen> require, where possible, that appropriate consistency checks Stephen> be performed. RFC 2459 has a few statement about Stephen> relationships among extensions, which gets to the same Stephen> concerns. We could put in more, or collect them in one Stephen> place, and make for a better document. Stephen> I may have lost track of the counter argument here. Why Stephen> would one not want to have a TSA do the best possible job Stephen> when it comes to ensuring syntactic consistency re its Stephen> inputs? The Internet protocol design rule is "be strict in what you send, tolerant in what you receive". It has been known for decades that this is the correct rule. (That doesn't keep some other standards bodies from ignoring it, unfortunately. Then again, there are still standards bodies that use two-way connection setup handshakes...) Protocols should check those invariants that have to be valid for correct operation to result, or for interoperability to be possible. Checks beyond that are counterproductive. In particular, the more you check, the more often you have to ECO your specs and your implementation as new extensions are registered. And the more often you have to release bugfixes. paul Received: from roadblock.missi.ncsc.mil ([144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA28410 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 08:33:39 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id LAA23997 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 11:25:06 -0400 (EDT) Message-Id: <200007101525.LAA23993@roadblock.missi.ncsc.mil> Date: Mon, 10 Jul 2000 11:31:58 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: Operational Protocols - LDAPv3 To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: 4SPc+cQwXnDINk2z5pOlsA== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc > From: "David Chadwick" <d.w.chadwick@salford.ac.uk> > > > > [dpk] ... A CRL does not > > become invalid when the next CRL is issued, although some > > applications behave as though it does. > > We are playing with fine semantics here. Is a superceded CRL > invalid or not? No, its not technically invalid, as everything it contains > is good and true, but it is certainly incomplete (in the scenario we > are discussing). Is an incomplete CRL invalid or not? I would say > from a trust perspective yes, given that another CRL has been > issued and therefore one or more other certificates have been > revoked and I dont know which ones they are, therefore I cannot > rely on the superceded CRL, therefore it might as well be invalid. In > other words, for certificate X, where X is not in the list of revoked > certificates in the superceded CRL, using the superceded CRL or > using an invalid CRL give me exactly the same answer, viz: I dont > know if X has been revoked or not. The superceded CRL can only > be regarded as being valid, if X is in the list of revoked certificates. > > Conclusion. The superceded CRL is valid if it contains the certificate > we are checking, and is invalid otherwise. This conclusion depends on some assumptions: all clients have the same revocation freshness requirements, those requirements don't depend on the value of the information being processed at the time, and the CA is the controlling authority for how often clients must check CRLs. In a world where communication is instantaneous, free, and 100% reliable, there would be no reason for a client to ever use anything but the most up-to-date revocation information from a CA, and your conclusion would be correct. But in a world where the cost of communicating must be traded off against the cost of not communicating (relying on a superceded CRL), I believe local administrators are in a better position than a CA to make the tradeoff. Putting the CA in control of CRL "validity" creates a perverse incentive against improving service - the more frequently the CA issues scheduled CRLs, the more the clients are going to complain about the cost of retrieving them. I prefer an environment where the CA is incentivized to improve service - to advertise "status updates every hour", "every 15 minutes" or "every minute", and fastest would be unequivocably best. Putting the CA in control of CRL "validity" turns what would normally be a pull model into a push model - clients have to take the latest information that has been generated, or else. In my view, that isn't the best way to improve security. Regards, Dave Received: from roadblock.missi.ncsc.mil ([144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA26319 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 07:31:06 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id KAA07565 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 10:22:32 -0400 (EDT) Message-Id: <200007101422.KAA07559@roadblock.missi.ncsc.mil> From: "Miklos, Sue A." <samiklo@missi.ncsc.mil> To: "'tgindin@us.ibm.com'" <tgindin@us.ibm.com>, d.w.chadwick@salford.ac.uk Cc: "Kemp David P." <DPKemp@missi.ncsc.mil>, ietf-pkix@imc.org Subject: RE: Operational Protocols - LDAPv3 Date: Mon, 10 Jul 2000 10:33:00 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="ISO-8859-1" Forgive what may be an ignorant question, but if the client 'verifies' the server, does that indicate some form of two-way strong authentication? we ran into issues when trying to require two way strong authentication. The client required a crl to complete the path processing on the signed bind response from the server. (this is my understanding of 'verifying' the server) Subsequently, it was easiest to allow unauthenticated reads to retrieve CRLs at start up. If there's a more effective way to achieve this, please advise. Regards, Sandi Miklos -----Original Message----- From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com] Sent: Sunday, July 09, 2000 11:31 PM To: d.w.chadwick@salford.ac.uk Cc: Kemp David P.; ietf-pkix@imc.org Subject: Re: Operational Protocols - LDAPv3 Comments below: "David Chadwick" <d.w.chadwick@salford.ac.uk> on 07/08/2000 06:40:05 PM Please respond to d.w.chadwick@salford.ac.uk To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org cc: Subject: Re: Operational Protocols - LDAPv3 > Professor Chadwick, David thanks for the complement, but I am not a professor in the UK, just a lecturer [Tom Gindin] I'm sure you would be at least an assistant professor in the USA. > > An observation and an opinion: > > 1. Clients that do verify the server still run the risk of being > sent a "still valid" but superseded CRL. The attacker just > denies the server access to the latest CRL. > Agreed, this can happen, but the sender (particularly if its a CA or part of the CA administration) will then be aware of a fault or an attack and may be able to quickly counteract it. A user on the other hand will be less likely to be aware of the attack. So the risk is greater. > 2. Using the term "still-valid-but-superseded" implies that CRLs > have a validity period. Certificates have a Validity period, > but CRLs have values for thisUpdate and nextUpdate. A CRL does not > become invalid when the next CRL is issued, although some > applications behave as though it does. We are playing with fine semantics here. Is a superseded CRL invalid or not? No, its not technically invalid, as everything it contains is good and true, but it is certainly incomplete (in the scenario we are discussing). Is an incomplete CRL invalid or not? I would say from a trust perspective yes, given that another CRL has been issued and therefore one or more other certificates have been revoked and I dont know which ones they are, therefore I cannot rely on the superceded CRL, therefore it might as well be invalid. In other words, for certificate X, where X is not in the list of revoked certificates in the superseded CRL, using the superseded CRL or using an invalid CRL give me exactly the same answer, viz: I don't know if X has been revoked or not. The superseded CRL can only be regarded as being valid, if X is in the list of revoked certificates. [Tom Gindin] Actually, if X is in the list but its reason is "certificateHold" its status is no more final than if it were not in the list. Of course, the RP will refuse to trust it when he possibly should, which is less of a security flaw than the other way around. Conclusion. The superseded CRL is valid if it contains the certificate we are checking, and is invalid otherwise. [Tom Gindin] My conclusion is only slightly different: the superseded CRL is trustworthy if it contains the certificate we are checking and that certificate does not have either reason "certificateHold" or reason "removeFromCRL", and is not fully trustworthy otherwise. The term "valid" here gets into the semantic debate above. (snip) **************************************************************************** * This confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. **************************************************************************** ** Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA21274 for <ietf-pkix@imc.org>; Mon, 10 Jul 2000 03:31:58 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA02310; Mon, 10 Jul 2000 06:33:43 -0400 (EDT) Message-Id: <200007101033.GAA02310@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-ldap-v3-02.txt Date: Mon, 10 Jul 2000 06:33:42 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv3 Author(s) : D. Chadwick Filename : draft-ietf-pkix-ldap-v3-02.txt Pages : 6 Date : 07-Jul-00 This document describes the features of the Lightweight Directory Access Protocol v3 that are needed in order to support a public key infrastructure based on X.509 certificates and CRLs. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-ldap-v3-02.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-ldap-v3-02.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-ldap-v3-02.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000707143910.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-ldap-v3-02.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-ldap-v3-02.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000707143910.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from e4.ny.us.ibm.com (e4.ny.us.ibm.com [32.97.182.104]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA10641 for <ietf-pkix@imc.org>; Sun, 9 Jul 2000 20:29:55 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e4.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id XAA289648; Sun, 9 Jul 2000 23:29:40 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.9) with SMTP id XAA170560; Sun, 9 Jul 2000 23:31:37 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 85256918.00135CDD ; Sun, 9 Jul 2000 23:31:29 -0400 X-Lotus-FromDomain: IBMUS To: d.w.chadwick@salford.ac.uk cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Message-ID: <85256918.00135BEA.00@D51MTA04.pok.ibm.com> Date: Sun, 9 Jul 2000 23:31:24 -0400 Subject: Re: Operational Protocols - LDAPv3 Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Comments below: "David Chadwick" <d.w.chadwick@salford.ac.uk> on 07/08/2000 06:40:05 PM Please respond to d.w.chadwick@salford.ac.uk To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org cc: Subject: Re: Operational Protocols - LDAPv3 > Professor Chadwick, David thanks for the complement, but I am not a professor in the UK, just a lecturer [Tom Gindin] I'm sure you would be at least an assistant professor in the USA. > > An observation and an opinion: > > 1. Clients that do verify the server still run the risk of being > sent a "still valid" but superseded CRL. The attacker just > denies the server access to the latest CRL. > Agreed, this can happen, but the sender (particularly if its a CA or part of the CA administration) will then be aware of a fault or an attack and may be able to quickly counteract it. A user on the other hand will be less likely to be aware of the attack. So the risk is greater. > 2. Using the term "still-valid-but-superseded" implies that CRLs > have a validity period. Certificates have a Validity period, > but CRLs have values for thisUpdate and nextUpdate. A CRL does not > become invalid when the next CRL is issued, although some > applications behave as though it does. We are playing with fine semantics here. Is a superseded CRL invalid or not? No, its not technically invalid, as everything it contains is good and true, but it is certainly incomplete (in the scenario we are discussing). Is an incomplete CRL invalid or not? I would say from a trust perspective yes, given that another CRL has been issued and therefore one or more other certificates have been revoked and I dont know which ones they are, therefore I cannot rely on the superceded CRL, therefore it might as well be invalid. In other words, for certificate X, where X is not in the list of revoked certificates in the superseded CRL, using the superseded CRL or using an invalid CRL give me exactly the same answer, viz: I don't know if X has been revoked or not. The superseded CRL can only be regarded as being valid, if X is in the list of revoked certificates. [Tom Gindin] Actually, if X is in the list but its reason is "certificateHold" its status is no more final than if it were not in the list. Of course, the RP will refuse to trust it when he possibly should, which is less of a security flaw than the other way around. Conclusion. The superseded CRL is valid if it contains the certificate we are checking, and is invalid otherwise. [Tom Gindin] My conclusion is only slightly different: the superseded CRL is trustworthy if it contains the certificate we are checking and that certificate does not have either reason "certificateHold" or reason "removeFromCRL", and is not fully trustworthy otherwise. The term "valid" here gets into the semantic debate above. (snip) Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA02894 for <ietf-pkix@imc.org>; Sat, 8 Jul 2000 15:39:19 -0700 (PDT) Received: from m83-mp1-cvx1b.hud.ntl.com ([62.252.104.83] helo=dwc-acer) by relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2) id 13B389-0007Cl-00; Sat, 08 Jul 2000 23:31:25 +0100 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Date: Sat, 8 Jul 2000 23:40:05 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Operational Protocols - LDAPv3 Reply-to: d.w.chadwick@salford.ac.uk Message-ID: <3967BBD5.27655.2684AE0@localhost> Priority: normal In-reply-to: <200007072033.QAA17615@roadblock.missi.ncsc.mil> X-mailer: Pegasus Mail for Win32 (v3.12c) > Professor Chadwick, David thanks for the complement, but I am not a professor in the UK, just a lecturer > > An observation and an opinion: > > 1. Clients that do verify the server still run the risk of being > sent a "still valid" but superceded CRL. The attacker just > denies the server access to the latest CRL. > Agreed, this can happen, but the sender (particularly if its a CA or part of the CA administration) will then be aware of a fault or an attack and may be able to quickly counteract it. A user on the other hand will be less likely to be aware of the attack. So the risk is greater. > 2. Using the term "still-valid-but-superceded" implies that CRLs > have a validity period. Certificates have a Validity period, > but CRLs have values for thisUpdate and nextUpdate. A CRL does not > become invalid when the next CRL is issued, although some > applications behave as though it does. We are playing with fine semantics here. Is a superceded CRL invalid or not? No, its not technically invalid, as everything it contains is good and true, but it is certainly incomplete (in the scenario we are discussing). Is an incomplete CRL invalid or not? I would say from a trust perspective yes, given that another CRL has been issued and therefore one or more other certificates have been revoked and I dont know which ones they are, therefore I cannot rely on the superceded CRL, therefore it might as well be invalid. In other words, for certificate X, where X is not in the list of revoked certificates in the superceded CRL, using the superceded CRL or using an invalid CRL give me exactly the same answer, viz: I dont know if X has been revoked or not. The superceded CRL can only be regarded as being valid, if X is in the list of revoked certificates. Conclusion. The superceded CRL is valid if it contains the certificate we are checking, and is invalid otherwise. I dont need to quote the following to you, but here is what X.509 says about nextUpdate: The next revocation list could be issued before the indicated date, but it will *not* be issued any later than the indicated time. Therefore after nextUpdate has passed I know that a later CRL definately exists, and I am open to attack if I dont have it. If I dont have the later one, I should treat the earlier as valid for certificates it contains, and invalid for all others. > In addition to forcing CAs > to populate CRLs with deliberately incorrect values for nextUpdate, By this I assume you mean overly long values. There is a difference between knowing that another CRL has been published and knowing that one has not. In the later case the current CRL is valid for all certificates, in the former case it is not. Thus a CA that has failed to publish before nextUpdate expires, forces the RPs to assume the former when the later is the truth (which is secure but inconvenient to the users) By having an overly long nextUpdate, and publishing before it expires, those users who dont have the latest CRL will believe the latter whilst the former is true (which is insecure for the users but convenient to them.) Thus security dictates a CA should have a shorter nextUpdate whilst user convenience dictates the opposite. This phenomenon often occurs i.e. that user convenience is opposite to security. (You have probably heard about Lotus having a configuration switch to say "use expired certificates" as it was inconvenient to users that they could not check signatures with expired certificates. This is another facet of the same phenomenon) > this "CRL Validity" interpretation eliminates the ability of the > client to decide, based on the value of information, how fresh its > revocation information needs to be. I dont fully agree with you. I think rather that it is actually a user interface issue and an administration issue. If user interfaces had a "get latest CRL now" button, a client could decide before each signature verification, irrespective of update period and validity, whether to refresh now or not. But as we stand now without this button, with a long update period the client believes there is no need to decide, and everything is OK. With a short update period the client may have to make a decision if his current CRL has expired and he does not have the latest one. And this is the administration's decision of how long to make the update period. Do they want to inconvenience the users by having short times and force them to make decisions occasionally, or have long times so that they do not need to bother ever. If you are an administrator, then you are in the fortunate position of being able to make this choice. Enjoy David > If CRLs are issued every hour, > I might demand a CRL less than 3 hours old to authenticate a > purchase. It depends upon the size of the purchase. For a large one you would want the latest. Risk vs Size of Loss is important. For a one dollar purchase you probably would not bother with a CRL at all. > When reading PKIX mail on the road, however, I'd be > quite happy with whatever CRLs were available the last time I was > online, say yesterday or even the day before :-). If a CA issues > CRLs every month, I'd rather be warned that, according to my > application preferences, that CA's certs shouldn't be used for > purchases. I don't want the application to blindly treat them as > just as fresh as certs from CAs who issue CRLs daily or hourly. > > Dave Kemp > > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA23356 for <ietf-pkix@imc.org>; Sat, 8 Jul 2000 10:26:32 -0700 (PDT) Received: from m184-mp1-cvx1c.hud.ntl.com ([62.252.108.184] helo=dwc-acer) by relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2) id 13AyF4-0004hc-00; Sat, 08 Jul 2000 18:18:23 +0100 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: internet-drafts@ietf.org Date: Sat, 8 Jul 2000 18:26:54 +0100 MIME-Version: 1.0 Content-type: Multipart/Mixed; boundary=Message-Boundary-16738 Subject: PKIX ID on LDAPv3 Schema Reply-to: d.w.chadwick@salford.ac.uk CC: ietf-ldapext@netscape.com, ietf-pkix@imc.org Message-ID: <3967726E.23329.1498525@localhost> Priority: normal X-mailer: Pegasus Mail for Win32 (v3.12c) --Message-Boundary-16738 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Dear ID editor could you please publish the enclosed as an Internet Draft. It is work being done under the remit of the PKIX group, but I am copying it to the LDAPExt group as it is of interest to them as well Thankyou David *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** --Message-Boundary-16738 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Text from file 'PKIXSchema-00.txt' Internet-Draft D.W.Chadwick PKIX WG University of Salford Intended Category: Standards Track Expires: 8 January 2001 8 July 2000 Internet X.509 Public Key Infrastructure Additional LDAP Schema for PKIs and PMIs <draft-pkix-ldap-schema-00.txt> STATUS OF THIS MEMO This document is an Internet-Draft and is in full conformance with all the provisions of Section 10 of RFC2026 [1]. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft expires on 6 January 2001. Comments and suggestions on this document are encouraged. Comments on this document should be sent to the PKIX working group discussion list: <ietf-pkix@imc.org> or directly to the author. ABSTRACT This document describes LDAP schema features in addition to RFC 2587 that are needed to support a Privilege Management Infrastructure and a Public Key Infrastructure. 1. Introduction RFC2587 [8] describes some of the subschema applicable to LDAPv2 servers [2], specifically the public key certificate related attribute types and object classes that MUST or MAY be supported. This [document/ID/standard] does not revoke any of the contents of RFC2587, but supplements them. RFC2587 is equally applicable to LDAPv3 [4] servers as to LDAPv2 servers and MUST be supported by LDAPv3 servers. Neither RFC2587 nor the user schema for LDAPv3 (RFC2256 [3]) nor the attribute syntax definitions for LDAPv3 (RFC2252 [7]) describe in detail the matching rules that should be supported by LDAP servers, nor do they describe how attribute value assertions for each matching rule should be encoded in filter items. Finally none of these documents mention attributeCertificates or any schema to support privilege management, since these concepts superseded the publishing of the RFCs. 2. Subschema Publishing LDAPv3 allows the subschema supported by a server to be published in a subschema subentry. Clients following this profile which support the Search operation containing an extensible matching rule SHOULD use the subschemaSubentry attribute in the root DSE to find the subschemaSubentry, and SHOULD use the matchingRule and matchingRuleUse operational attributes in the subschema subentry in order to determine whether the server supports the various matching rules described below. Servers which support extensible matching SHOULD publish the matching rules they support in the matchingRule and matchingRuleUse operational attributes. 3. Public Key Certificate Matching Rules X.509 [9] supports both equality and flexible certificate matching rules by the server, via the certificateExactMatch and certificateMatch MATCHING-RULEs respectively. (For example, a client may flexibly search for certificates with a particular validity time, key usage, policy or other field.) LDAPv3 servers MUST support the certificateExactMatch matching rule. Clients MAY support certificateExactMatch values for equalityMatch filters. LDAPv3 servers SHOULD support the certificateMatch matching rule. If the server does support flexible matching (either via certificateMatch or some other matching rule), then the extensibleMatch filter of the Search request MUST be supported. Clients MAY support the extensibleMatch filter and one or more of the optional elements of certificateMatch. Neither of the above matching rules are mentioned in the LDAPv3 standards [3 or 7], and only the equality matching rule is mentioned in [8], but nowhere is it defined for LDAP servers. It is expected that future revisions of the LDAPv3 documents will include these definitions, which are described below. 3.1 Certificate Exact Match Certificate exact match is defined in 11.3.1 of [9]. The string description of the certificateExactMatch matching rule is: ( 2.5.13.34 NAME 'certificateExactMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.x ) Note. x is still to be allocated The LDAP syntax definition is: ( 1.3.6.1.4.1.1466.115.121.1.x DESC 'Certificate Serial Number and Issuer' ) Values in this syntax are encoded as an integer, a dollar ($) separator and a string encoding of the distinguished name of the issuing CA. 3.2 Certificate Match Certificate match is defined in 11.3.2 of [9]. The string description of the certificateMatch matching rule is: ( 2.5.13.35 NAME 'certificateMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.y ) Note. y is still to be allocated The syntax definition is: ( 1.3.6.1.4.1.1466.115.121.1.y DESC 'Certificate Assertion' ) The ASN.1 for certificateAssertion is defined in 11.3.2 of [9], as are the semantics of each of its component types. The LDAP string encoding of this is: - an optional integer representing the certificate serial number, - followed by a dollar separator ($), - followed by an optional string encoding of the distinguished name of the issuing CA, - followed by a dollar separator, - followed by an optional string encoding of the subject key identifier octet string using hex character encoding, - followed by a dollar separator, - followed by an optional string encoding of the authority key identifier octet string using hex character encoding, (Editor's note. This is a subset of the X.509 allowed values for authority key identifier. Is this the best choice to make?) - followed by a dollar separator, - followed by an optional string representation of the generalised time of the certificate validity (in the format yyyymmddhhmmssZ as specified in RFC 2252), - followed by a dollar separator, - followed by an optional string representation of the generalised time for the private key validity, - followed by a dollar separator - followed by an optional string encoding of the object identifier of the subject public key algorithm, - followed by a dollar separator, - followed by an optional string encoding of the key usage bit string according to RFC 2252 e.g. '0101111101'B. The first (left most) bit represents key usage digital signature (bit 0). Note that if less bits are present than defined in the keyUsage field it is assumed that those right most bits that are not present have the value 0, - followed by a dollar separator, - followed by an optional string encoding of the subjectAltName type using the following keywords "rfc822", "dns", "x400", "ldapdn", "edi", "uri", "ip", "oid", or the string encoding of the object identifier the other name form type being sought if it is none of the above, - followed by a dollar separator, - followed by an optional string encoding of one or more object identifiers of certificate policies each separated by "+" character if there is more than one, - followed by a dollar separator, - followed by an optional string encoding of the distinguished name of the entity to which a certification path cannot be made - followed by a dollar separator, - followed by an optional string encoding of the distinguished name of the subject, - followed by a dollar separator, - followed by an optional string encoding of the name constraints as follows: the string "permitted" followed by a "+" followed by the type of name using one of the keywords "rfc822", "dns", "x400", "ldapdn", "edi", "uri", "ip", "oid", or the string encoding of the object identifier the name type, followed by a "+" followed by a string encoding of the name, followed by "excluded", a "+", the type of name, a "+" and the string encoding of the name of the excluded subtree, Editor's note 1. With proper BNF for this we can miss out either the permitted or excluded components Editor's note 2. This is a subset of the allowed values of name contstraints (minimum and maximum are missing). Do we want to add these? - and finally ending with a dollar separator. Where any optional field is missing this is indicated by the presence of two contiguous dollar separators (or if the certificate serial number is missing a certificate assertion that starts with a dollar separator). Editors Notes. 1. We need to decide whether searching for cross certificates should be supported by this LDAPv3 profile or not. If we decide that this should be supported, then we will need to define the matching rules to be supported and the string encodings for the assertion syntaxes (in fact this is not too difficult since they are similar to certificate matching rules and AVAs). 2. We need to decide if userSMIMECertificates should also be supported as part of this profile or not. 4. Public Key Certificate Revocation List Matching Rules X.509[9] defines both equality and flexible matching rules for CRLs, via the certificateListExactMatch and certificateListMatch MATCHING- RULEs respectively. LDAPv3 servers MUST support the certificateListExactMatch matching rule. Clients MAY support certificateListExactMatch values for equalityMatch filters. LDAPv3 servers MAY support the certificateListMatch matching rule. If the server does support flexible matching (either via certificateListMatch or some other matching rule), then the extensibleMatch filter of the Search request MUST be supported. Clients MAY support the extensibleMatch filter and one or more of the optional elements of certificateListMatch. 4.1 Certificate List Exact Match Certificate List exact match is defined in 11.3.5 of [9]. The string description of the certificateListExactMatch matching rule is: ( 2.5.13.38 NAME 'certificateListExactMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.z ) Note. z is still to be allocated The syntax definition is: ( 1.3.6.1.4.1.1466.115.121.1.z DESC 'Issuer name, time and distribution point name' ) Values in this syntax are encoded as a string encoding of a distinguished name, a dollar ($) separator, a string representation of generalised time, a dollar separator and an optional string encoding of the distinguished name of the distribution point. (Editor's Note. The latter DN encoding for a distribution point name is a subset of the allowed variants, which can be a generalName or an RDN. Should this simplification be allowed?) 4.2 Certificate List Match Certificate List match is defined in 11.3.6 of [9]. The string description of the certificateListMatch matching rule is: ( 2.5.13.39 NAME 'certificateListMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.w ) Note. w is still to be allocated The syntax definition is: ( 1.3.6.1.4.1.1466.115.121.1.w DESC 'Certificate List Assertion' ) The ASN.1 for certificateListAssertion is defined in 11.3.6 of [9]. Values in this syntax are encoded as: - an optional string encoding of the distinguished name of the issuer, - followed by a dollar ($) separator, - followed by an optional string encoding of an integer representing the minimum CRL number, - followed by a dollar separator, - followed by an optional string encoding of an integer representing the maximum CRL number, - followed by a dollar separator, - followed by an optional string encoding of the reason flags bit string according to RFC 2252 e.g. '010111110'B. The first (left most) bit represents unused reason flag (bit 0). Note that if less bits are present than defined in the reason flags field it is assumed that those right most bits that are not present have the value 0, - followed by a dollar separator, - followed by an optional string representation of the generalised time for the CRL validity, - followed by an optional string encoding of the authority key identifier octet string using hex character encoding, (Editor's note. This is a subset of the X.509 allowed values for authority key identifier. Is this the best choice to make?) - and ending with a dollar separator. 5. Privilege Management Schema LDAP servers MAY store any type of attribute with the AttributeCertificate syntax, and LDAP clients MAY request them to be returned by adding them to the Search Request AttributeDescriptionList (either explicitly or implicity via requesting all attributes). LDAP servers that do support the storage of attributes with the AttributeCertificate syntax MUST support searching for entries containing specific attribute certificates, via the attributeCertificateExactMatch matching rule. LDAPv3Servers MAY support flexible matching for any attributes with the AttributeCertificate syntax via the attributeCertificateMatch matching rule or any of the matching rules defined for the certificate extensions. LDAPv3 servers SHOULD publish the matching rules that they do support in the matchingRule and matchingRuleUse operational attributes of the subschema subentry. LDAPv3 clients MAY support the extensibleMatch filter of the Search operation, along one or more of the optional elements of attributeCertificateMatch or any of the certificate extension matching rules. For the convenience of the reader, some of the subchema definitions to support attribute certificates are produced below, but it is anticipated that these will be moved to a subsequent revision of the LDAPv3 standard. 5.1 PMI Attributes The attributeCertificateAttribute holds the privileges of a user. attributeCertificateAttribute ATTRIBUTE ::= { WITH SYNTAX AttributeCertificate EQUALITY MATCHING RULE attributeCertificateExactMatch ID joint-iso-ccitt(2) ds(5) attributeType(4) attributeCertificate(58) } The aAcertificate holds the privileges of an attribute authority aACertificate ATTRIBUTE ::= { WITH SYNTAX AttributeCertificate EQUALITY MATCHING RULE attributeCertificateExactMatch ID joint-iso-ccitt(2) ds(5) attributeType(4) aACertificate(61} The attributeDescriptorCertificate is self signed by a source of authority and holds a description of the privilege and its delegation rules. attributeDescriptorCertificate ATTRIBUTE ::= { WITH SYNTAX AttributeCertificate EQUALITY MATCHING RULE attributeCertificateExactMatch ID joint-iso-ccitt(2) ds(5) attributeType(4) attributeDescriptorCertificate (62) } The attributeCertificateRevocationList holds a list of attribute certificates that have been revoked. attributeCertificateRevocationList ATTRIBUTE ::= { WITH SYNTAX CertificateList EQUALITY MATCHING RULE certificateListExactMatch ID joint-iso-ccitt(2) ds(5) attributeType(4) aCRL(59) } The attributeAuthorityList holds a list of AA certificates that have been revoked. attributeAuthorityRevocationList ATTRIBUTE ::= { WITH SYNTAX CertificateList EQUALITY MATCHING RULE certificateListExactMatch ID joint-iso-ccitt(2) ds(5) attributeType(4) aARL(63) } 5.2 PMI Object Classes pmiUser OBJECT-CLASS ::= { -- a privilege holder SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {attributeCertificateAttribute} ID joint-iso-ccitt(2) ds(5) objectClass(6) pmiUser (24)} pmiAA OBJECT-CLASS ::= { -- an attribute authority SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {aACertificate | attributeCertificateRevocationList | attributeAuthorityRevocationList} ID joint-iso-ccitt(2) ds(5) objectClass(6) pmiAA (25)} pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {attributeCertificateRevocationList | attributeAuthorityRevocationList | attributeDescriptorCertificate} ID joint-iso-ccitt(2) ds(5) objectClass(6) pmiSOA (26)} 5.3 PMI Matching Rules 5.3.1 Attribute Certificate Exact Match The equality matching rule for all types of attribute with AttributeCertificate syntax is the attributeCertificateExactMatch, This is defined in 17.3.1 of [9]. It is reproduced below for the convenience of the reader. attributeCertificateExactMatch MATCHING-RULE ::= { SYNTAX AttributeCertificateExactAssertion ID joint-iso-ccitt(2) ds(5) mr (13) attributeCertificateExactMatch (45) } AttributeCertificateExactAssertion ::= SEQUENCE { serialNumber CertificateSerialNumber, issuer IssuerSerial } CertificateSerialNumber ::= INTEGER IssuerSerial ::= SEQUENCE { issuer GeneralNames, serial CertificateSerialNumber, issuerUID UniqueIdentifier OPTIONAL } UniqueIdentifier ::= BIT STRING The LDAP definition for the above matching rule is: ( 2.5.13.45 NAME 'attributeCertificateExactMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.m ) Note that the value of m is still to be allocated. The syntax definition is: ( 1.3.6.1.4.1.1466.115.121.1.m DESC 'Attribute certificate serial number and public key issuer and serial number' ) Values in this syntax are encoded as a string encoding of an integer (the serial number of the attribute certificate), a dollar ($) separator, a string representation of the distinguished name of the CA of the issuer, a dollar separator, a string encoding of an integer (the serial number of the issuer's public key certificate), a dollar separator and optionally a string encoding of the unique identifier bit string according to RFC 2252 e.g. '010111110'B. Editors note. Issuer DN is a subset of the allowed GeneralNames. Do we wish to allow any type? 5.3.2 Attribute Certificate Match Attribute certificate matching rule is defined in section 17.3.2 of [9]. For the convenience of the reader it is reproduced below: attributeCertificateMatch MATCHING-RULE ::= { SYNTAX AttributeCertificateAssertion ID joint-iso-ccitt(2) ds(5) mr (13) attributeCertificateMatch (42) } AttributeCertificateAssertion ::= SEQUENCE { subject [0] CHOICE { baseCertificateID [0] IssuerSerial, subjectName [1] GeneralNames} OPTIONAL, issuer [1] GeneralNames OPTIONAL, attCertValidity [2] GeneralizedTime OPTIONAL, attType [3] SET OF AttributeType OPTIONAL} --At least one component of the sequence must be present The LDAP definition of the attributeCertificateMatch matching rule is: ( 2.5.13.42 NAME 'attributeCertificateMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.n ) Note that the value of n is still be assigned. The syntax definition is: ( 1.3.6.1.4.1.1466.115.121.1.n DESC 'Attribute Certificate Assertion' ) The LDAP string encoding of this is: - Optionally a string encoding of a distinguished name, optionally followed by a "+" and a string encoding of an integer, Note. If the optional + and integer are missing the distinguished name is the name of the holder of the attribute certificate, whereas if they are present it is the name of the issuer of the certificate and the integer is the serial number of the holder's certificate. Editors note. Distinguished names are a subset of the allowed types in General Name. Is this OK or too restrictive? - followed by a dollar ($) separator, - followed by an optional string encoding of the distinguished name of the issuer, Editor's Note. This is a subset of the allowed General Names. Is it sufficient? - followed by a dollar separator, - followed by an optional string representation of the generalised time of the certificate validity (in the format yyyymmddhhmmssZ as specified in RFC 2252), - followed by a dollar separator, - followed by an optional string encoding of one or more object identifiers of attribute types each separated by "+" character if there is more than one. Editor's Note. X.509 defines the following matching rules for matching on various extensions within an attribute certificate. Before any of them is defined for LDAP, we need to decide how many of them are really useful. 5.3.3 Holder Issuer Match 5.3.4 Delegation Path Match 5.3.5 Authority Attribute Identifier Match 5.3.6 Role Specification Certificate Identifier Match 5.3.7 Basic Attribute Constraints Match 5.3.8 Delegated Name Constraints Match 5.3.9 Time Specification Match 5.3.10 Acceptable Certificate Policies Match 5.3.11 Attribute Descriptor Match 5.3.12 Source of Authority Match Note. This rule has not been defined by X.509, but this is perhaps an omission that should be rectified. It is an easy matching rule to define since it has a null syntax i.e. we will be matching on present or not. 6. Security Considerations This [Internet Draft/Standard] describes the schema for the storage and matching of attribute certificates and revocation lists in an LDAP directory server. It does not address the protocol for the retrieval of this information. LDAP servers SHOULD use access control information to protect the information during its storage. In addition, clients MAY choose to encrypt the attributes in the attribute certificates before storing them in an LDAP server. 7 Copyright Copyright (C) The Internet Society (date). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 8. References [1] Bradner, S. The Internet Standards Process -- Revision 3. RFC 2026 October 1996. [2] Yeong, W., Howes, T., and Kille, S. "Lightweight Directory Access Protocol", RFC 1777, March 1995. [3] M.Wahl. "A Summary of the X.500(96) User Schema for use with LDAPv3" RFC 2256, Dec 1997 [4] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", Dec. 1997, RFC 2251 [5] S.Bradner. "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [6] M. Wahl, S. Kille, T. Howes. "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", RFC2253, December 1997. [7] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, Dec 1997 [8] S.Boeyen, T. Howes, P. Richard "Internet X.509 Public Key Infrastructure, LDAPv2 Schema", RFC 2587, June 1999 [9] ITU-T Rec. X.509(2000) The Directory: Authentication Framework 9 Authors Address David Chadwick IS Institute University of Salford Salford England M5 4WT Email: d.w.chadwick@salford.ac.uk Internet-Draft PKIX Operational Protocols - LDAP Schema 8 July 2000 --Message-Boundary-16738-- Received: from roadblock.missi.ncsc.mil ([144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA29163 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 13:42:25 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id QAA17619 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 16:33:58 -0400 (EDT) Message-Id: <200007072033.QAA17615@roadblock.missi.ncsc.mil> Date: Fri, 7 Jul 2000 16:40:37 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: Operational Protocols - LDAPv3 To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: G1dEu1Vi4nk6oevtaMMxHg== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc > From: "David Chadwick" <d.w.chadwick@salford.ac.uk> > To: Rich Salz <rsalz@caveosystems.com>, ietf-pkix@imc.org > Date: Fri, 7 Jul 2000 20:22:42 +0100 > Subject: Re: Operational Protocols - LDAPv3 > > > > I think it's worth adding a warning that clients who retrieve CRLs > > without some way of verifying the server run the risk of being sent an > > obsolete CRL. > > /r$ > > Good point. Clearly an attacker cannot create a false CRL (without > compromising the CA), but an attacker does have a window of > opportunity to use a compromised key by denying access to the > latest CRL and providing access to a still-valid-but-superceded CRL. > > How does this text sound > > "However, clients that retrieve CRLs > without some way of verifying the server run the risk of > being sent a still valid but superceded CRL." > > David Professor Chadwick, An observation and an opinion: 1. Clients that do verify the server still run the risk of being sent a "still valid" but superceded CRL. The attacker just denies the server access to the latest CRL. 2. Using the term "still-valid-but-superceded" implies that CRLs have a validity period. Certificates have a Validity period, but CRLs have values for thisUpdate and nextUpdate. A CRL does not become invalid when the next CRL is issued, although some applications behave as though it does. In addition to forcing CAs to populate CRLs with deliberately incorrect values for nextUpdate, this "CRL Validity" interpretation eliminates the ability of the client to decide, based on the value of information, how fresh its revocation information needs to be. If CRLs are issued every hour, I might demand a CRL less than 3 hours old to authenticate a purchase. When reading PKIX mail on the road, however, I'd be quite happy with whatever CRLs were available the last time I was online, say yesterday or even the day before :-). If a CA issues CRLs every month, I'd rather be warned that, according to my application preferences, that CA's certs shouldn't be used for purchases. I don't want the application to blindly treat them as just as fresh as certs from CAs who issue CRLs daily or hourly. Dave Kemp Received: from rhea.salford.ac.uk (rhea.salford.ac.uk [146.87.255.99]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id MAA27181 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 12:22:10 -0700 (PDT) Received: (qmail 51260 invoked by alias); 7 Jul 2000 19:23:41 -0000 Received: (qmail 51248 invoked from network); 7 Jul 2000 19:23:41 -0000 Received: from unknown (HELO dwc-acer) (146.87.80.54) by rhea.salford.ac.uk with SMTP; 7 Jul 2000 19:23:41 -0000 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: Rich Salz <rsalz@caveosystems.com>, ietf-pkix@imc.org Date: Fri, 7 Jul 2000 20:22:42 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Operational Protocols - LDAPv3 Reply-to: d.w.chadwick@salford.ac.uk Message-ID: <39663C12.8000.49E0F1E@localhost> Priority: normal In-reply-to: <3965E4A6.1408503C@caveosystems.com> X-mailer: Pegasus Mail for Win32 (v3.12c) > I think it's worth adding a warning that clients who retrieve CRLs > without some way of verifying the server run the risk of being sent an > obsolete CRL. > /r$ Good point. Clearly an attacker cannot create a false CRL (without compromising the CA), but an attacker does have a window of opportunity to use a compromised key by denying access to the latest CRL and providing access to a still-valid-but-superceded CRL. How does this text sound "However, clients that retrieve CRLs without some way of verifying the server run the risk of being sent a still valid but superceded CRL." David > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA27161 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 12:22:06 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id <N7C9RVPY>; Fri, 7 Jul 2000 15:23:07 -0400 Message-ID: <ED026032A3FCD211AEDA00105A9C469601E043B7@sothmxs05.entrust.com> From: Carlisle Adams <carlisle.adams@entrust.com> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: FW: I-D ACTION:draft-adams-cmpaltcert-00.txt Date: Fri, 7 Jul 2000 15:22:08 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01BFE848.A4AB6AD0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01BFE848.A4AB6AD0 Content-Type: text/plain Hi, This may be of moderate interest/relevance to some of the people in PKIX. I submitted it as an independent draft because its whole purpose is to deal with non-X.509 public-key certificates, but it is nevertheless connected to PKIX because it explains how to use CMP (rfc2510bis) for the management of such certificates. In any case, I'd be interested in comments on this proposal (on the list or privately, but keep in mind that this is not technically a PKIX work item). We can, however, discuss on the list whether or not this draft should be brought into the PKIX WG. Carlisle. > ---------- > From: Internet-Drafts@ietf.org[SMTP:Internet-Drafts@ietf.org] > Reply To: Internet-Drafts@ietf.org > Sent: Friday, July 07, 2000 7:04 AM > Subject: I-D ACTION:draft-adams-cmpaltcert-00.txt > > <<...>> > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > > Title : Alternative Certificate Formats for PKIX-CMP > Author(s) : C. Adams > Filename : draft-adams-cmpaltcert-00.txt > Pages : 6 > Date : 06-Jul-00 > > The PKIX Certificate Management Protocols (PKIX-CMP) specification > [1], while primarily focused on X.509v3 public-key certificates, > allows the messages it defines to be used for the management of > alternative certificate formats as well. This document specifies > precisely how such formats may be incorporated into PKIX-CMP and > provides the relevant syntax for some important certificate types. > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-adams-cmpaltcert-00.txt > > Internet-Drafts are also available by anonymous FTP. Login with the > username > "anonymous" and a password of your e-mail address. After logging in, > type "cd internet-drafts" and then > "get draft-adams-cmpaltcert-00.txt". > > A list of Internet-Drafts directories can be found in > http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > Internet-Drafts can also be obtained by e-mail. > > Send a message to: > mailserv@ietf.org. > In the body type: > "FILE /internet-drafts/draft-adams-cmpaltcert-00.txt". > > NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant mail readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > > Below is the data which will enable a MIME compliant mail reader > implementation to automatically retrieve the ASCII version of the > Internet-Draft. > ------_=_NextPart_000_01BFE848.A4AB6AD0 Content-Type: message/rfc822 To: Subject: Date: Fri, 7 Jul 2000 15:23:08 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/mixed; boundary="----_=_NextPart_002_01BFE848.A4AB6AD0" ------_=_NextPart_002_01BFE848.A4AB6AD0 Content-Type: text/plain ------_=_NextPart_002_01BFE848.A4AB6AD0 Content-Type: application/octet-stream; name="ATT12571" Content-Disposition: attachment; filename="ATT12571" Content-type: message/external-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000706151909.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-adams-cmpaltcert-00.txt ------_=_NextPart_002_01BFE848.A4AB6AD0 Content-Type: message/external-body; site="internet-drafts"; dir="draft-adams-cmpaltcert-00.txt"; mode="ftp.ietf.org"; access-type="anon-ftp" ------_=_NextPart_002_01BFE848.A4AB6AD0-- ------_=_NextPart_000_01BFE848.A4AB6AD0-- Received: from mail-fwd.verio-web.com ([161.58.16.59]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id LAA25867 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 11:17:19 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11b.verio-web.com (RS ver 1.0.57s) with SMTP id 01567164; Fri, 7 Jul 2000 14:18:35 -0400 (EDT) Sender: rsalz Message-ID: <39661F14.8DF4E562@caveosystems.com> Date: Fri, 07 Jul 2000 14:19:00 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> CC: ietf-pkix@imc.org Subject: Re: Operational Protocols - LDAPv3 References: <200007071748.NAA06270@roadblock.missi.ncsc.mil> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 > "The same name, in at least one of its name forms, shall be present > in the distributionPoint field of the issuing distribution point > extension of the CRL." > > Thus the signed certificate and the signed CRL are linked together by > a common distribution point name. And if the CRLDP has a name like "pkix-ldap.foo.com", then an adversary need only spoof DNS to get the client to go somewhere else, get valid -- albeit STALE -- data, and will erroneously proceed, no? /r$ Received: from roadblock.missi.ncsc.mil ([144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA25132 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 10:57:24 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id NAA06275 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 13:48:57 -0400 (EDT) Message-Id: <200007071748.NAA06270@roadblock.missi.ncsc.mil> Date: Fri, 7 Jul 2000 13:55:35 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: Operational Protocols - LDAPv3 To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: z9lBK/73X4CwCPTqWI+ILQ== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc > From: Rich Salz <rsalz@caveosystems.com> > > If a cert has a CRLDP that points to a repository, shouldn't the client > policy be to verify that it's got the right repository? Nope. The CRLDP certificate extension says: "The same name, in at least one of its name forms, shall be present in the distributionPoint field of the issuing distribution point extension of the CRL." Thus the signed certificate and the signed CRL are linked together by a common distribution point name. Whether the CRL came from the named repository, a different repository, a cache entry, or a floppy disk doesn't matter. I agree that the fact that CRLDP is used for two unrelated purposes - pointing to a repository and partitioning CRLs - is a subtle point. Received: from mail-fwd.verio-web.com ([161.58.16.59]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id JAA23207 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 09:20:00 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11b.verio-web.com (RS ver 1.0.57s) with SMTP id 01549951; Fri, 7 Jul 2000 12:21:19 -0400 (EDT) Sender: rsalz Message-ID: <39660398.B2F3E52E@caveosystems.com> Date: Fri, 07 Jul 2000 12:21:44 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> CC: ietf-pkix@imc.org Subject: Re: Operational Protocols - LDAPv3 References: <200007071450.KAA00544@roadblock.missi.ncsc.mil> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 > A CRL includes a nextUpdate field which allows a client to know whether > a scheduled replacement has been issued. What benefit is there to > verifying the server? The issue here would be unscheduled. The fact that you wrote something indicates the need for the caveat. :) > That policy > shouldn't have anything to do with the trustworthiness or reliability > of any LDAP servers. If a cert has a CRLDP that points to a repository, shouldn't the client policy be to verify that it's got the right repository? This seems to be a subtle point missed by many, hence my suggested addition. /r$ Received: from indy.gradient.com (indy.gradient.com [192.92.110.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA18139 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 08:33:57 -0700 (PDT) Received: from bigbird.gradient.com (bigbird.gradient.com [192.92.110.50]) by indy.gradient.com (8.9.1a/8.9.1) with ESMTP id LAA15000; Fri, 7 Jul 2000 11:33:22 -0400 (EDT) Received: by bigbird.gradient.com with Internet Mail Service (5.5.2448.0) id <K6XBN082>; Fri, 7 Jul 2000 11:28:07 -0400 Message-ID: <899128A30EEDD1118FC900A0C9C74A34844CEC@bigbird.gradient.com> From: Hal Lockhart <hal.lockhart@entegrity.com> To: "'Paul_Ashley@tivoli.com'" <Paul_Ashley@tivoli.com>, ietf-pkix@imc.org, "'Russ Housley'" <housley@spyrus.com>, "'Stephen Farrell'" <stephen.farrell@baltimore.ie> Subject: RE: Comments: An Intranet Attribute Certificate Profile for Autho rization Date: Fri, 7 Jul 2000 11:26:10 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Since the responses so far have been negative, let me put in a (partially) supportive comment. We are also implementing ACs in an environment where they are passed over a secure channel. We also are supporting audit id. > -----Original Message----- > From: Paul_Ashley@tivoli.com [mailto:Paul_Ashley@tivoli.com] ... > (1) The draft does not adequately support anonymous > operations with audit id. ... > The combination of these two requirements implies that > there MUST be an > attribute other > than the audit id in an AC. This makes fully anonymous > (but auditable) > operations very difficult. I don't really understand this. Anonymous to whom? ACs are no good unless you bind them to an authenticated identity. Section 4.2.2 requires that if the authentication is via PKI, they should be bound to the base certificate. My understanding of RFC 2459 is that there has to be an identity either in subject name or altname. I recall discussion of explicitly pseudonomous identifiers, but this was not adopted. Similiarly, most non-PKI authentication systems use some kind of username or account to base authorization decisions on. It seems to me then that you are trusting the behavior of the process that consumes the AC and generates the audit record to correctly use the audit id rather than some traceable identifier. Given that, it seems harmless to have other crufties (thanks, Peter G.) in the AC. > Making audit IDs extensions rather than attributes complicates > implementation unecessarily > in any case, as (at least from the point of view of > encoding) they must be > handled differently than > other kinds of IDs (access ids, accounting ids, etc...). I don't see this. As far as syntax goes, that's what ASN.1 compilers are for. As far as semantics, each of these is a special case anyway. ... > Note that this mechanism also permits issuers to define audit > IDs without making > their use mandatory, which > we view as a good thing. I see this as harmless, but hardly benificial. In our environment we will always use an audit id for auditing if it is present and not use it for anything else. Authorization is based on subject and other attributes. If the net of this proposed change is that it should be possible to issue an AC with "nothing" but an audit id, I guess that seems reasonable, but it is not part of our requirements. > (2) The draft does not support adequately performant pull-protocol > implementations. ... > The combination of these requirements implies that even in > pull-protocol > configurations in which the certificate acceptor > pulls the AC from a trusted repository over a secure, > authenticated link, the > acceptor must do at least one public-key > verify operation and a hash. In high-volume cases, > especially those employing > very short-lived ACs, this will impose > substantial and perhaps unacceptable overhead. It is worth pointing out that if the ACs are "very short-lived" that are likely to be constructed by and retrieved from an AA, not a trusted repository. > We propose to add another algorithm to the set: > NoHashWithNoEncryption. We have been considering exactly this optimization. However,I am willing to concede Stephen's point that this may be out of scope for the IETF, given there are no IETF defined standards defining a protocol with the specified properties. (LDAP over TLS anyone?) As for Russ's question about why use ACs in such an environment, there are lots of reasons: 1) Well defined format usable with widely available tools 2) Desire to make info available over secure and insecure channels, using standard and non-standard protocols in a single format 3) Intention to comply with future IETF standards as they are enhanced 4) Market value of "standards compliance" (no flames here, we all know this matters whether we like it or not) > Now the minor issue: > > (3) We may be confused here, but when section 4.2.7 requires > that "AC users MUST > be able to handle multiple values > for all attribute types" we see trouble. Do we really want > to REQUIRE support > for multiple values of Access Identity and Charging Identity > attributes? Given that PKIX is full of such undefined constructs, e.g. semantics of multiple values in alt name, why pick on these two in particular? Hal ======================================================= Harold W. Lockhart Entegrity Solutions 2 Mount Royal Avenue Marlborough, MA 01752 USA V: 1-508-624-9600 x 260 hal.lockhart@entegrity.com F: 1-508-229-0338 www.entegrity.com ======================================================= Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA15933 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 08:00:07 -0700 (PDT) Received: from mega (t6o69p76.telia.com [213.64.110.196]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id RAA06641; Fri, 7 Jul 2000 17:01:28 +0200 (CEST) Message-ID: <002401bfe82c$7eee8870$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Stephen Kent" <kent@bbn.com> Cc: <ietf-pkix@imc.org> Subject: Re: Cert compare. Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 7 Jul 2000 18:00:32 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id IAA15936 Steve, <snip> >At 4:49 PM +0200 7/7/00, Anders Rundgren wrote: >> >Comparing two qualified certificates to determine if they represent >> >the same physical entity may provide misleading results and should be >> >performed with care. >> >>Could we then have the Java code for performed with "care" :-) >> >>Sorry for wining but I [still] don't see the point of standards with such > >The correct spelling here is whining. Wining is what you have not >done in this context. Oooops! I did it again... Maybe too much Wine really was the problem :-) :-) On the more serious side: In my (twisted) ears "performed with care" indicates that there is an algorithm or method. And it is??? Implementation-defined OTOH denotes the absense of a described algorithm or method. Maybe "performed with care" is a PKIX-equivalent to implementation-defined? Anders Received: from roadblock.missi.ncsc.mil ([144.51.50.70]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA15863 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 07:59:00 -0700 (PDT) Received: from roadblock.missi.ncsc.mil (root@localhost) by roadblock.missi.ncsc.mil with ESMTP id KAA00554 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 10:50:33 -0400 (EDT) Message-Id: <200007071450.KAA00544@roadblock.missi.ncsc.mil> Date: Fri, 7 Jul 2000 10:57:10 -0400 (EDT) From: "David P. Kemp" <dpkemp@missi.ncsc.mil> Reply-To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Subject: Re: Operational Protocols - LDAPv3 To: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: rfZ+n+P6El8SFIUk15e/qQ== X-Mailer: dtmail 1.3.0 CDE Version 1.3 SunOS 5.7 sun4u sparc > From: Rich Salz <rsalz@caveosystems.com> > > > 6. Security Considerations > > > > The PKI information to be retrieved from LDAPv3 servers (certificates > > and CRLs) is digitally signed and therefore additional integrity > > services are NOT REQUIRED. > > I think it's worth adding a warning that clients who retrieve CRLs > without some way of verifying the server run the risk of being sent > an obsolete CRL. > /r$ A CRL includes a nextUpdate field which allows a client to know whether a scheduled replacement has been issued. What benefit is there to verifying the server? Propogation delays will cause even a "good" server to send out an "obsolete" CRL after a replacement (scheduled or unscheduled) has been issued. Clients should have a security policy that determines, possibly based on transaction value and possibly though not necessarily based on nextUpdate, how long after "thisUpdate" a CRL can be used. That policy shouldn't have anything to do with the trustworthiness or reliability of any LDAP servers. Dave Received: from scrooge.parallelconsulting.com ([212.209.152.4]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA15645 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 07:46:48 -0700 (PDT) Received: from karon ([10.1.2.1]) by scrooge.parallelconsulting.com (Netscape Messaging Server 3.6) with SMTP id AAA2C71 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 16:48:15 +0200 Message-ID: <3965DF8D.ECFB1EEE@parallelconsulting.com> Date: Fri, 07 Jul 2000 15:47:57 +0200 From: "magnus andersson" <magnus.andersson@parallelconsulting.com> X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: (no subject) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit subscribe Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA15022 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 07:27:00 -0700 (PDT) Received: from [171.78.30.107] (fixed030-107.bbn.com [171.78.30.107] (may be forged)) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA24836; Fri, 7 Jul 2000 10:28:22 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <v04220803b58b9844ff5c@[171.78.30.107]> In-Reply-To: <001501bfe822$8da276b0$0201a8c0@mega.vincent.se> References: <001501bfe822$8da276b0$0201a8c0@mega.vincent.se> Date: Fri, 7 Jul 2000 10:23:48 -0400 To: "Anders Rundgren" <anders.rundgren@telia.com> From: Stephen Kent <kent@bbn.com> Subject: Re: Cert compare. Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Cc: <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 4:49 PM +0200 7/7/00, Anders Rundgren wrote: > >Comparing two qualified certificates to determine if they represent > >the same physical entity may provide misleading results and should be > >performed with care. > >Could we then have the Java code for performed with "care" :-) > >Sorry for wining but I [still] don't see the point of standards with such The correct spelling here is whining. Wining is what you have not done in this context. Steve Received: from mail-fwd.verio-web.com ([161.58.16.59]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id HAA14370 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 07:08:03 -0700 (PDT) Received: from 161.58.117.181 (161.58.117.181) by mail11b.verio-web.com (RS ver 1.0.57s) with SMTP id 01530899; Fri, 7 Jul 2000 10:09:19 -0400 (EDT) Sender: rsalz Message-ID: <3965E4A6.1408503C@caveosystems.com> Date: Fri, 07 Jul 2000 10:09:42 -0400 From: Rich Salz <rsalz@caveosystems.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: d.w.chadwick@salford.ac.uk, ietf-pkix@imc.org Subject: Re: Operational Protocols - LDAPv3 References: <396526ED.28085.6373C7@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Loop-Detect: 1 > > 6. Security Considerations > > The PKI information to be retrieved from LDAPv3 servers (certificates > and CRLs) is digitally signed and therefore additional integrity > services are NOT REQUIRED. I think it's worth adding a warning that clients who retrieve CRLs without some way of verifying the server run the risk of being sent an obsolete CRL. /r$ Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA13751 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 06:48:53 -0700 (PDT) Received: from mega (t4o69p73.telia.com [62.20.145.193]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id PAA20653 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 15:50:19 +0200 (CEST) Message-ID: <001501bfe822$8da276b0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: <ietf-pkix@imc.org> Subject: Cert compare. Was: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 7 Jul 2000 16:49:27 +0200 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 Content-Type: text/plain; boundary="NextPart"; charset="iso-8859-1" X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id GAA13752 >Comparing two qualified certificates to determine if they represent >the same physical entity may provide misleading results and should be >performed with care. Could we then have the Java code for performed with "care" :-) Sorry for wining but I [still] don't see the point of standards with such statements. If the algorithms and methods can't be determined it should be stated so. I.e. outside of the scope of standard. Then even a third-class programmer understands that this is implementation-dependent which is what you are really trying to say. I think this is more than playing with words as this feature *will* be supported by the majority of QCs. Anders Received: from mailcity.com (fes-qout.whowhere.com [209.1.236.7]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id FAA11421 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 05:30:45 -0700 (PDT) Received: from Unknown/Local ([?.?.?.?]) by mailcity.com; Fri Jul 7 05:31:32 2000 To: asn1@oss.com Date: Fri, 07 Jul 2000 05:31:32 -0700 From: "chandrasekaran natarajan" <chandrasekaran_n@mailcity.com> Message-ID: <EKMIHLAKOBMMBAAA@mailcity.com> Mime-Version: 1.0 Cc: ietf-pkix@imc.org X-Sent-Mail: off Reply-To: chandrasekaran_n@mailcity.com X-Mailer: MailCity Service Subject: ASN.1 BitString X-Sender-Ip: 202.144.10.93 Organization: MailCity (http://www.mailcity.lycos.com:80) Content-Type: text/plain; charset=us-ascii Content-Language: en Content-Transfer-Encoding: 7bit hello all, I have a doubt on the following text extracted from X.208 Standard 5.3 Example of a production BitStringValue ::= bstring | hstring | {IdentifierList} is a production which associates with the name BitStringValue the following sequences: a) any bstring (an item); and b) any hstring (an item); and c) any sequence associated with IdentifierList, preceded by a { and followed by a } Note { and } are the names of items containing the single characters { and } (see ' 8). In this example, IdentifierList would be defined by a further production, either before or after production defining BitStringValue. ** Can some one help me on knowing what part c) refers to Thanks, chandar Send FREE Greetings for Father's Day--or any day! Click here: http://www.whowhere.lycos.com/redirects/fathers_day.rdct Received: from ietf.org (odin.ietf.org [132.151.1.176]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA08167 for <ietf-pkix@imc.org>; Fri, 7 Jul 2000 04:19:22 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA20875; Fri, 7 Jul 2000 07:20:51 -0400 (EDT) Message-Id: <200007071120.HAA20875@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-qc-04.txt Date: Fri, 07 Jul 2000 07:20:51 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Qualified Certificates Profile Author(s) : S. Santesson, T. Polk, P. Barzin, M. Nystrom Filename : draft-ietf-pkix-qc-04.txt Pages : 33 Date : 06-Jul-00 This document forms a certificate profile for Qualified Certificates, based on RFC 2459, for use in the Internet. The term Qualified Certificate is used to describe a certificate with a certain qualified status within applicable governing law. Further, Qualified Certificates are issued exclusively to physical persons. The goal of this document is to define a general syntax independent of local legal requirements. The profile is however designed to allow further profiling in order to meet specific local needs. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-qc-04.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-qc-04.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-qc-04.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20000706152244.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-qc-04.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-qc-04.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20000706152244.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA03216 for <ietf-pkix@imc.org>; Thu, 6 Jul 2000 16:39:38 -0700 (PDT) Received: from m53-mp1-cvx1c.hud.ntl.com ([62.252.108.53] helo=dwc-acer) by relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2) id 13AL7I-0004w4-00; Fri, 07 Jul 2000 00:31:36 +0100 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: internet-drafts@ietf.org Date: Fri, 7 Jul 2000 00:40:13 +0100 MIME-Version: 1.0 Content-type: Multipart/Mixed; boundary=Message-Boundary-21031 Subject: Operational Protocols - LDAPv3 Reply-to: d.w.chadwick@salford.ac.uk CC: ietf-pkix@imc.org Message-ID: <396526ED.28085.6373C7@localhost> Priority: normal X-mailer: Pegasus Mail for Win32 (v3.12c) --Message-Boundary-21031 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Dear Editor Could you please publish the attached update to the Internet Draft Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv3 <draft-pkix-ldap-v3-02.txt> thankyou David *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** --Message-Boundary-21031 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: Quoted-printable Content-description: Text from file 'LDAPv3PKIXProfile02.txt' Internet-Draft D.W.Chadwick PKIX WG University of Salford Intended Category: Standards Track Expires: 6 January 2001 6 July, 2000 Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv3 <draft-pkix-ldap-v3-02.txt> STATUS OF THIS MEMO This document is an Internet-Draft and is in full conformance with all the provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft expires on 6 January 2001. Comments and suggestions on this document are encouraged. Comments on this document should be sent to the PKIX working group discussion list: <ietf-pkix@imc.org> or directly to the author. ABSTRACT This document describes the features of the Lightweight Directory Access Protocol v3 that are needed in order to support a public key infrastructure based on X.509 certificates and CRLs. 1. Introduction RFC 2559 [1] specifies the subset of LDAPv2 [2] that is necessary to retrieve X.509 [9] certificates and CRLs from LDAP servers. However LDAPv2 has a number of deficiencies that may limit its usefulness in certain circumstances. The most notable of these are: - LDAPv2 distinguished names must be composed from the IA5 character set and cannot contain accented or non-latin characters, - LDAPv2 only has a limited number of supported authentication schemes for binding to the server, in particular the use of hashed passwords or TLS [3] are not supported, - LDAPv2 only supports a single directory server. It is the responsibility of the user to pre-configure his client with the required set of LDAP servers, and to choose the correct one for each certificate and CRL retrieval. It is for these reasons (and others not listed here) that the IETF have stopped the standardisation of the LDAPv2 protocol and have replaced it with the LDAPv3 protocol [4]. However the LDAPv3 protocol is much more complex than the LDAPv2 protocol and many of its features are not essential for simple PKIX use. This document describes the features of LDAPv3 that are essential, or not required, or are optional for servers to support a PKI based on X.509. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [5]. 2. Features Of Ldapv3 That MUST Be Supported Attribute descriptions are a superset of attribute type definitions. They allow attribute subtyping to be specified in the LDAPv3 protocol. The ;binary option is an exception to this. This option allows certificates and CRLs to be asked for and returned as binary values encoded using the Basic Encoding Rules [11]. The mechanism described in RFC2559 (PKIX LDAPv2) [1] is fully compliant with the ;binary option of LDAPv3. The ;binary option of attribute descriptions MUST be supported by all implementations. When a client adds, deletes, retrieves or modifies attribute values that are defined in RFC 2256 [13] to be stored and requested in the binary form, the attribute type name MUST always be specified with the ;binary attribute option. When the server returns such an attribute in a search result, the attribute type name MUST include the ;binary option. Other attribute description options SHOULD NOT be generated by clients. Servers MAY choose to support them at their discretion. Other parameters of the Search operation for "read" or "search" type queries will usually be set as specified in RFC 2559. UTF8 encoding [12] allows the full ISO 10646 character set to be used in the creation of distinguished names. UTF8 encoding of distinguished names MUST be supported as specified in RFC2253 [6]. Multiple attribute value assertions (AVAs) within RDN components of distinguished names MUST be supported and the ordering of the AVAs is non-deterministic. For example cn=3DJohn + serialNumber=3D123 is the same as serialNumber=3D123 + cn=3DJohn. LDAPv3 has the concept of unsolicited notifications that can be sent from the server to the client. This is used to indicate when the server is going down, so that a client can distinguish between a server failure and a network failure. A client MUST be prepared to accept unsolicited notifications defined in RFC 2251 [4]. The altServer attribute is used by servers to point to alternative servers that may be contacted if this server is temporarily unavailable. This attribute MUST be stored in the root DSE of the server and MUST be available to clients for retrieval. (The access controls on this attribute MUST be the same or less than those on certificates and revocation lists.) If no alternative servers exist this attribute MUST point to the current server. Clients MAY make use of this feature but do not need to. Servers MAY store any other operational attributes in the root DSE, but do not need to, except where mandated in this or other profiles. If the Certification Practice Statement (CPS) allows unauthenticated anonymous access to the server, then the server MUST allow a client to perform a Search operation (for a "read" or "search" type request) without issuing a prior Bind operation. The server MUST also allow the client to present a Bind request with the simple authentication choice and a zero-length OCTET STRING. If the CPS allows weak password based authentication for "read" or "search" access to the server, the client and the server MUST support the DIGEST-MD5 mechanism [7] as specified in [8] and [10]. 3. Features Of Ldapv3 That SHOULD Be Supported In a distributed directory with multiple servers, LDAPv3 supports referrals as the mechanism to allow one server that cannot fulfil a client=92s request, to refer the client to another server that might be better able to fulfil the request. Servers SHOULD be able to return referrals to clients. Clients SHOULD be able to receive referrals and process them, although they are not required to automatically process them and support multiple asynchronous outgoing connections. Partial Search results are returned when a server only has a subset of the certificates requested by the client. Referrals to other servers are embedded in the SearchResultReference field. Clients and servers SHOULD be able to handle SearchResultReferences in the same way as they handle referrals. However, the returned referrals SHOULD NOT specify new search filters, attributes to be returned or user credentials. Servers SHOULD only return the hostport, and DN components and MAY return the scope component. 4. Features Of Ldapv3 that are Not Used by this Profile A client following this profile need not send the ModifyDN, Compare and Abandon operations. The server MAY choose to support these operations at its discretion. (Note that a client wishing to abnormally terminate a search request may, instead of issuing an Abandon operation, close the TCP/IP connection.) The LDAPv3 protocol is infinitely extensible via two mechanisms: extended operations and controls on existing operations. The client does not need to generate any LDAPv3 protocol extensions (extended operations or controls), unless flexible searching for certificates is supported (see below). The server SHOULD NOT return any LDAPv3 protocol extensions (extended operations or controls) apart from supported controls which were marked as critical by the user. 5. Features Of Ldapv3 That MAY Be Supported The default behaviour for LDAPv2 and LDAPv3 servers is that a user must retrieve all the attribute values from an attribute, or none of them (subject of course to having access rights to the values). If the user of the LDAPv3 server wishes to retrieve a limited number of userCertificates from a user=92s entry, specifically those that match certain filtering criteria, then this MAY be achieved by using the LDAPv3 valuesReturnFilter control [15] along with the certificateExactMatch or certificateMatch matching rules [17]. If the CPS allows weak password based authentication for "read" or "search" access to the server, the client and the server MAY support a simple password Bind sequence following the negotiation of a TLS ciphersuite to provide connection confidentiality, as specified in [10]. If the CPS requires strong authentication for access to the server then the client and the server SHOULD support certificate based authentication as specified in [10]. 6. Security Considerations The PKI information to be retrieved from LDAPv3 servers (certificates and CRLs) is digitally signed and therefore additional integrity services are NOT REQUIRED. The CPS will specify whether the information should be publicly available or not. If publicly available, privacy services will NOT be REQUIRED for retrieval requests. If not publicly available, privacy services MAY be REQUIRED and these can be provided by a TLS ciphersuite as specified in clause 5. For update of the information by CAs either strong authentication or weaker password based authentication MUST be supported as specified in clause 5. Additional access controls SHOULD be provided. Organizations are NOT REQUIRED to provide external CAs or users with access to their directories. 7. Copyright Copyright (C) The Internet Society (date). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 8. References [1] S.Boeyen, T. Howes, P. Richard "Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2", RFC 2559, April 1999 [2] Yeong, W., Howes, T., and Kille, S. "Lightweight Directory Access Protocol", RFC 1777, March 1995. [3] T. Dierks, C. Allen. "The TLS Protocol Version 1.0", RFC 2246, January 1999. [4] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", Dec. 1997, RFC 2251 [5] S.Bradner. "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [6] M. Wahl, S. Kille, T. Howes. "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", RFC2253, December 1997. [7] R. Rivest, "The MD5 Message-Digest Algorithm", RFC 1321, April 1992 [8] P. Leach, C. Newman, "Using Digest Authentication as a SASL Mechanism", RFC 2831, May 2000. [9] ITU-T Rec. X.509(97) The Directory: Authentication Framework [10] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan. "Authentication Methods for LDAP", RFC 2829, May 2000 [11] ITU-T Rec. X.690, "Specification of ASN.1 encoding rules: Basic, Canonical, and Distinguished Encoding Rules", 1994. [12] F. Yergeau. "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998. [13] M.Wahl. "A Summary of the X.500(96) User Schema for use with LDAPv3" RFC 2256, Dec 1997 [14] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, Dec 1997 [15] D.Chadwick, "Returning Matched Values with LDAPv3", Internet Draft <draft-ldapext-matchedval-02.txt>, July 2000 [16] S.Boeyen, T. Howes, P. Richard "Internet X.509 Public Key Infrastructure, LDAPv2 Schema", RFC 2587, June 1999 [17] D.Chadwick, "Internet X.509 Public Key Infrastructure, Additional LDAP Schema for PKIs and PMIs", <draft-pkix-ldap-schema- 00.txt>, July 2000 9. Authors Address David Chadwick IS Institute University of Salford Salford England M5 4WT Email: d.w.chadwick@salford.ac.uk 10. Changes Made to Version 01 i) Schema removed to a separate document ii) Selecting individual attribute values updated to reflect new LDAP Internet Draft iii) Re-wording of text surrounding the use of ;binary option. 11. Outstanding Issues i) Should we make the Abandon operation optional for the client and mandatory for the server. Comments on this issue are requested. Internet-Draft PKIX Operational Protocols =96 LDAPv3 6 July 2000 5 --Message-Boundary-21031-- Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id NAA29269 for <ietf-pkix@imc.org>; Thu, 6 Jul 2000 13:08:44 -0700 (PDT) Received: from rhousley_laptop ([209.172.119.209]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id NAA23674; Thu, 6 Jul 2000 13:09:02 -0700 (PDT) Message-Id: <4.2.0.58.20000706152512.00953dd0@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 06 Jul 2000 15:45:41 -0400 To: Paul_Ashley@tivoli.com From: Russ Housley <housley@spyrus.com> Subject: Re: Comments: An Intranet Attribute Certificate Profile for Authorization Cc: ietf-pkix@imc.org In-Reply-To: <86256913.0075C804.00@tivmta4.tivoli.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Paul: 1. I am not very happy with your proposal. I would be willing to make the audit identifier an attribute, but I see no utility in the extension that you propose. 2. I see no value in unsigned attribute certificates. If you have a secure means of pulling attributes about a subject from a server, why use attribute certificates at all? Russ At 04:23 PM 07/05/2000 -0500, Paul_Ashley@tivoli.com wrote: >All, > >We have some comments below related to "An Intranet Attribute Certificate >Profile for Authorization" <draft-ietf-pkix-ac509prof-03.txt>. > >Paul. > >--------------------------------------------------------------------------- >--------------------------------------------------------------------------- >-------------- > > >We have two major issues and one minor issue. First, the major issues: >(1) The draft does not adequately support anonymous operations with audit id. > > Section 4.3.1 requires the audit id to be a critical extension > rather than >an attribute > > Section 4.2.7 requires the AC to have at least one attribute > > The combination of these two requirements implies that there MUST be an >attribute other > than the audit id in an AC. This makes fully anonymous (but auditable) >operations very difficult. > > Making audit IDs extensions rather than attributes complicates >implementation unecessarily > in any case, as (at least from the point of view of encoding) they > must be >handled differently than > other kinds of IDs (access ids, accounting ids, etc...). > >We propose the following fix to the problem. The rationale behind making >audit >IDs critical extensions is that >issuers want to constrain implementations which accept their ACs with >audit IDs >in them to treat audit ids properly -- that >is, they want to constrain acceptors of their ACs to put only audit IDs into >audit records. > >Proposal: > >The goal can be accomplished by defining the audit id as an attribute, and >defining a separate a "UseAuditID" extension. >If the "UseAuditID" extension is present, the accepting implementation must >never put any attribute other than the >audit ID into an audit event. > >Note that this mechanism also permits issuers to define audit IDs without >making >their use mandatory, which >we view as a good thing. > >We propose that 4.4 be updated to define audit ID as an attribute, and that >4.3.1 be updated to define the UseAuditID extension >instead of the current Audit Identity extension. > >(2) The draft does not support adequately performant pull-protocol >implementations. > > Section 3 defines support for pull-protocol use of ACs as a requirement > > Section 4.2.4 requires that the AC signature MUST be > md5WithRSAEncryption, >id-dsa-with-sha1, > sha-1WithRSAEncryption, or ecdsa-with-SHA1. > > Section 5 requires that the signature must verify (path and crypto) > or else >be rejected. > >The combination of these requirements implies that even in pull-protocol >configurations in which the certificate acceptor >pulls the AC from a trusted repository over a secure, authenticated link, the >acceptor must do at least one public-key >verify operation and a hash. In high-volume cases, especially those employing >very short-lived ACs, this will impose >substantial and perhaps unacceptable overhead. > >We propose to add another algorithm to the set: NoHashWithNoEncryption. > >Specifically, we propose that the text of the last two paragraphs of 4.2.4 be >changed to read: > > This MUST be one of the following algorithms: NoHashWithNoEncryption, >md5WithRSAEncryption, > id-dsa-with-sha1, sha-1WithRSAEncryption, or > ecdsa-with-SHA1. [PKIXPROF] >section 7.2 defines > md5WithRSAEncryption, id-dsa-with-sha1, and sha-1WithRSAEncryption. >[ECDSA] section 3.2 > defines ecdsa-with-SHA1. NoHashWithNoEncryption indicates that no >signature has been applied > to the attribute certificate; if this signature algorithm is > specified, the >certificate passes the signature > validity check with no processing required. > > id-dsa-with-sha1 MUST be supported by all AC > users. md5WithRSAEncryption, >sha-1WithRSAEncryption, > and ecdsa-with-SHA1 SHOULD be supported. NoHashWithNoEncryption MAY be >supported. > >Now the minor issue: > >(3) We may be confused here, but when section 4.2.7 requires that "AC >users MUST >be able to handle multiple values >for all attribute types" we see trouble. Do we really want to REQUIRE support >for multiple values of Access Identity and Charging Identity attributes? > > >Paul Ashley, PhD >Senior Security Architect >Tivoli Security Business Unit > >Bridgepoint III >6300 BridgePoint Parkway >Office A5022 >Austin, Tx 78731 > >email: paul_ashley@tivoli.com >phone: +1 (512) 436 1541 >fax: +1(512)436-1199 >cell: (512) 695 1821 > >Tivoli - an IBM division > Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA27352 for <ietf-pkix@imc.org>; Thu, 6 Jul 2000 11:34:27 -0700 (PDT) Received: from m718-mp1-cvx1c.hud.ntl.com ([62.252.110.206] helo=dwc-acer) by relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2) id 13AGLy-0006fE-00; Thu, 06 Jul 2000 19:26:27 +0100 From: "David Chadwick" <d.w.chadwick@salford.ac.uk> Organization: University of Salford To: Sean Turner <turners@ieca.com>, PKIX <ietf-pkix@imc.org> Date: Thu, 6 Jul 2000 19:33:54 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Comments on draft-ietf-pkix-ldap-v3-01.txt Reply-to: d.w.chadwick@salford.ac.uk CC: Boeyen@entrust.com Message-ID: <3964DF22.9858.AF326B8@localhost> Priority: normal In-reply-to: <381B3E34.156A7895@ieca.com> X-mailer: Pegasus Mail for Win32 (v3.12c) Date sent: Sat, 30 Oct 1999 14:51:32 -0400 From: Sean Turner <turners@ieca.com> Organization: IECA, Inc. To: PKIX <ietf-pkix@imc.org> Subject: Comments on draft-ietf-pkix-ldap-v3-01.txt > > After thinking about the draft a bit I'd like to suggest a few > modifications (mostly organizational). > > The draft includes both the protocol and schema issues to deal with > LDAPv3 servers. I think we should split the two topics as the draft > is called "operational protocols". I think the draft should just talk > about the protocol issues and not the schema. After some thought and discussion with other LDAP folk I agree with you. One of the reasons is that the LDAPExt group will be updating the base LDAPv3 docs in due course and the schema stuff should go in there. (But this will be over a longer time frame than is needed to publish the protocol part). I am currently doing the changes now in time for Pittsburg. > My suggestion is to > update RFC 2587 (Internet X.509 Public Key Infrastructure LDAPv2 > Schema) to include the attribute and object classes required to > support attribute certificate users. Then the LDAPv2 schema could > support storing the attribute certificate related information. > Another draft should be spawned to include specific LDAPv3 schema > issues such support for matching rules, etc. I will talk to Sharon B about this, as to whether she wants to update the v2 schema doc or not, or put the whole lot in a new schema doc leaving the existing RFC as is. (After all, we are not aware of any defects in that doc, are we?). I would favour just one new schema doc, which preferrably should be published by the LDAPExt group as these are core schema requirments in my opinion. However, I will produce the first draft of this. > > There is support for the pmiUser but where are the attribute > authority's certificates stored? Should we define an pmiAA (name to > be determined) object class to support storing of the attribute > certificate for the AA? this is now in X509 > > Also, which revocation list includes the revoked attribute > certificates? I assumed it would be stored in a separate attribute > certificate revocation list, but the draft is silent on the issue (so > is draft-ietf-pkix-ac509prof-01.txt). X.509 defines attributeCertificateRevocationList and attributeAuthorityRevocationList. I dont believe PKIX needs to do anything more. David > > Thanks, > > spt > > > > *************************************************** David Chadwick IS Institute, University of Salford, Salford M5 4WT Tel +44 161 295 5351 Fax +44 161 745 8169 Mobile +44 790 167 0359 Email D.W.Chadwick@salford.ac.uk Home Page http://www.salford.ac.uk/its024/chadwick.htm Understanding X.500 http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string MLJ9-DU5T-HV8J *************************************************** Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA25020; Thu, 6 Jul 2000 09:52:55 -0700 (PDT) Received: from rhousley_laptop ([209.172.119.209]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id JAA20746; Thu, 6 Jul 2000 09:53:50 -0700 (PDT) Message-Id: <4.2.0.58.20000706110019.00953410@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 06 Jul 2000 11:00:58 -0400 To: Paul Hoffman / IMC <phoffman@imc.org> From: Russ Housley <housley@spyrus.com> Subject: Re: RFC 2459 and internationalized domain names Cc: ietf-pkix@imc.org In-Reply-To: <p0432040db58915f36417@[165.227.249.13]> References: <4.2.0.58.20000705123024.00ab1c30@mail.spyrus.com> <4.2.0.58.20000705123024.00ab1c30@mail.spyrus.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Paul: I agree. A forward pointer that this issue needs to be addresses once the IDN WG finishes their work is fine. Russ At 09:44 AM 07/05/2000 -0700, Paul Hoffman / IMC wrote: >At 12:31 PM -0400 7/5/00, Russ Housley wrote: >>I agree that certificates should accommodate non-ASCII domain names once >>they are finalized. I do not understand why anything should be done >>before IDN finishes their work. > >Because someone will be reading the PKIX RFC at some point after IDN is >done. They may say "gee, this is stupid that they said to use IA5String >for domain name, I'll just use UTF8String". Putting in an acknowledgement >that the PKIX WG knows of some of the formats that we have locked down >possibly changing might help promote future interoperability. > >--Paul Hoffman, Director >--Internet Mail Consortium Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA16101 for <ietf-pkix@imc.org>; Thu, 6 Jul 2000 04:09:14 -0700 (PDT) Received: by balinese.baltimore.ie; id MAA11219; Thu, 6 Jul 2000 12:10:34 +0100 (GMT/IST) Received: from bobcat.baltimore.ie(192.168.20.10) by balinese.baltimore.ie via smap (V4.2) id xma010954; Thu, 6 Jul 00 12:09:50 +0100 Received: from baltimore.ie (lease212-21.baltimore.ie [192.168.21.212]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id MAA06072; Thu, 6 Jul 2000 12:09:49 +0100 Message-ID: <39646900.3C2B0EAB@baltimore.ie> Date: Thu, 06 Jul 2000 12:09:52 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Paul_Ashley@tivoli.com CC: ietf-pkix@imc.org, xme <stephen.farrell@baltimore.ie> Subject: Re: Comments: An Intranet Attribute Certificate Profile forAuthorization References: <86256913.0075C804.00@tivmta4.tivoli.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi Paul, I'm afraid I don't really agree with your proposals. I don't see much difference between the audit id as is, and your proposal, and I'm not sure I like an AC with an audit-id attribute and no critical extensions being conformant. I'll think about it though - if lots of folks agreed, I'd be willing to take it (so far, you're the second, Bob Blakely was the first:-). I really don't like your no-hash-no-sig suggestion and I don't think it fits in this spec anyway. nHnS could only be used where there was also an interoperable secure AC transport scheme defined (or else you're back in proprietary land), which is definitely out of scope for the profile. There'd also be some process issues - it is the PKIX WG after all, and folks have been beaten up for suggesting dummy algorithms in the past. I'd suggest you write an I-D, based on the profile, defining the secure transport and adding nHnS as an algorithm (BTW: where's that defined?) For issue 3, yes we meant that everyone has to be able to parse multivalued. I don't think we should get any more restrictive in the profile. Stephen. -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 647 7406 61 Fitzwilliam Lane, fax: +353 1 647 7499 Dublin 2. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from gandalf.trustpoint.com (gandalf.trustpoint.com [157.22.240.75]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA08167 for <ietf-pkix@imc.org>; Thu, 6 Jul 2000 01:28:35 -0700 (PDT) Received: from ronald.certicom.com (ronald [10.1.6.23]) by gandalf.trustpoint.com (8.8.7/8.8.7) with ESMTP id BAA02296; Thu, 6 Jul 2000 01:29:51 -0700 Received: (from ronald@localhost) by ronald.certicom.com (8.8.7/8.8.7) id BAA27105; Thu, 6 Jul 2000 01:29:57 -0700 Date: Thu, 6 Jul 2000 01:29:57 -0700 From: "Life is hard, and then you die" <ronald@trustpoint.com> To: =?iso-8859-1?Q?Martin_Lindstr=F6m?= <martin.lindstrom@entegrity.com> Cc: ietf-pkix@imc.org, ca-talk@icsa.net Subject: Re: [ca-talk] CMP transport protocol - who should close the connection? Message-ID: <20000706012957.G25696@innovation.ch> Mail-Followup-To: =?iso-8859-1?Q?Martin_Lindstr=F6m?= <martin.lindstrom@entegrity.com>, ietf-pkix@imc.org, ca-talk@icsa.net References: <20000705100044.A25596@innovation.ch> <000d01bfe720$72d9f680$1f00000a@cost.se> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 1.0.1i In-Reply-To: <000d01bfe720$72d9f680$1f00000a@cost.se>; from martin.lindstrom@entegrity.com on Thu, Jul 06, 2000 at 10:01:52AM +0200 On Thu, Jul 06, 2000 at 10:01:52AM +0200, Martin Lindström wrote: > [snip] > >The client has two possibilities: it can either do a shutdown on > >the client->server direction immediately, or then it has to wait > >for the response from the server. > > > Martin> But this doesn't solve the question. If the client does a > Martin> shutdown he will not receive the CA pkiConf (if any), Of course he will - by shutdown I mean the standard shutdown() socket call where you only close the client->server direction - the server->client direction still stays open. This is *not* a close(), which closes both directions. > Martin> and if the client decides to wait for a response that never > Martin> comes, he'll hang unless the server closes the connection. See below. > >That case never occurs. The protocol is a request/response protocol > >and there is *always* a response. > > Martin> Well, the case occurs during the PKIForum CMP testing anyway :-) Not unless somebody had a bug... > Martin> So what is the response to a certConf? RFC2510bis states that > Martin> a confirmation ack is optional. > Martin> Or, should the response from the server be a 'finRep' TCP > Martin> message in cases where no CMP response is to be sent? Exactly. I.e. there is always a response at the TCP level (and as soon as certConf goes away then that is also true at the CMP level). > Martin> In that case the transport draft need to be more clear. Ok, will add some text. Cheers, Ronald Received: from exchsvr1.entegrity.com (exchsvr1.entegrity.com [207.215.19.3]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id BAA07235 for <ietf-pkix@imc.org>; Thu, 6 Jul 2000 01:01:01 -0700 (PDT) Received: from roger (dave.cost.se [195.100.88.62]) by exchsvr1.entegrity.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 3KYLZMDD; Thu, 6 Jul 2000 01:09:25 -0700 From: "Martin Lindström" <martin.lindstrom@entegrity.com> To: <ietf-pkix@imc.org> Cc: <ca-talk@icsa.net> Subject: RE: [ca-talk] CMP transport protocol - who should close the connection? Date: Thu, 6 Jul 2000 10:01:52 +0200 Message-ID: <000d01bfe720$72d9f680$1f00000a@cost.se> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 In-Reply-To: <20000705100044.A25596@innovation.ch> Ronald, See my comments inline. >> >> Regarding draft-ietf-pkix-cmp-transport-protocols-00.txt: >[snip] >> Suppose that a CR/CP is sent in one connection and when the >> client is about to send its certConf it connects to the server >> and sends the TCP message with the close bit set. >> Should the client wait for the server to close the connection >> or should it do it itself? >> IMO the client cannot really do it itself since it must be prepared >> to receive a pkiconf message from the CA (e.g. that the cert hash >> comparison failed), and if the server does not close the >> connection the client will either hang or timeout. > >The client has two possibilities: it can either do a shutdown on >the client->server direction immediately, or then it has to wait >for the response from the server. > Martin> But this doesn't solve the question. If the client does a Martin> shutdown he will not receive the CA pkiConf (if any), Martin> and if the client decides to wait for a response that never Martin> comes, he'll hang unless the server closes the connection. >As an aside, and a purely implementation problem, quite a few >systems don't properly support shutdown(). Hence it is usally >safer for the client to wait for the server response and then >doing a close(). > >> So what I want is that section 2.3 is extended with: >> "If the connection close bit is set on a request, then the server >> MUST set the bit in the response and close the connection after >> sending the response. <add - begin> In the case the server does >> not intend to send any response to the client request, the server >> should close the connection directly. <add - end>" > >That case never occurs. The protocol is a request/response protocol >and there is *always* a response. Martin> Well, the case occurs during the PKIForum CMP testing anyway :-) Martin> So what is the response to a certConf? RFC2510bis states that Martin> a confirmation ack is optional. Martin> Or, should the response from the server be a 'finRep' TCP Martin> message in cases where no CMP response is to be sent? Martin> In that case the transport draft need to be more clear. /Martin ********* Entegrity Solutions ********* Martin Lindström, Systems Designer Finlandsgatan 60 S-166 74 Kista, Sweden Direct: +46-(0)8-477-7735 Fax: +46-(0)8-477-7731 Cell: +46-(0)70-483-0024 *************************************** Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA02313 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 15:46:04 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id AAA04982; Thu, 6 Jul 2000 00:34:01 +0200 Reply-To: <denis-at-globera@denisbider.com> From: <denis.bider@siol.net> Sender: "denis bider" <denis.bider@globera.com> To: "'Pedrabissi Raffaele'" <pedra@europe.com>, <ietf-pkix@imc.org> Subject: RE: Certificate creation and usage Date: Thu, 6 Jul 2000 00:47:46 +0200 Message-ID: <000601bfe6d3$0a8130f0$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal In-Reply-To: <386417174.962783012657.JavaMail.root@web302-mc.mail.com> Hello Pedrabissi, there is a C++ library called Certify which is intended for exactly this kind of job. It currently includes support for RFC2459 certificates, RFC2511 certificate requests and PKCS#11 crypto tokens. The address is: http://www.globera.com/certify.php3 The library is free for non-commercial use. Regards, denis -----Original Message----- From: Pedrabissi Raffaele [mailto:pedra@europe.com] Sent: 5. julij 2000 09:44 To: ietf-pkix@imc.org Subject: Good morning, I`m Raffaele Pedrabissi, a student of Politecnico of Milano (ITALY-EUROPE) and I`m doing a stage in Alcatel of Vimercate (Milano-ITALY). I write You because I had read the RFC 2459 for the electronic certicates. Now I have a little problem: I`m searching a program in C language that creates an electronic certificate and one that notices the same certificate. Thank You for Your time. Pedrabissi Raffaele. ______________________________________________ FREE Personalized Email at Mail.com Sign up at http://www.mail.com/?sr=signup Received: from corp.tivoli.com (corp.tivoli.com [216.140.178.60]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA19580 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 14:23:46 -0700 (PDT) From: Paul_Ashley@tivoli.com Received: from tivmta4.tivoli.com (tivmta4.tivoli.com [146.84.104.47]) by corp.tivoli.com (8.9.3/8.9.0) with SMTP id QAA12624 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 16:25:05 -0500 (CDT) Received: by tivmta4.tivoli.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 86256913.0075C8AC ; Wed, 5 Jul 2000 16:26:30 -0500 X-Lotus-FromDomain: TIVOLI SYSTEMS To: ietf-pkix@imc.org Message-ID: <86256913.0075C804.00@tivmta4.tivoli.com> Date: Wed, 5 Jul 2000 16:23:00 -0500 Subject: Comments: An Intranet Attribute Certificate Profile for Authorization Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline All, We have some comments below related to "An Intranet Attribute Certificate Profile for Authorization" <draft-ietf-pkix-ac509prof-03.txt>. Paul. -------------------------------------------------------------------------------------------------------------------------------------------------------------------- We have two major issues and one minor issue. First, the major issues: (1) The draft does not adequately support anonymous operations with audit id. Section 4.3.1 requires the audit id to be a critical extension rather than an attribute Section 4.2.7 requires the AC to have at least one attribute The combination of these two requirements implies that there MUST be an attribute other than the audit id in an AC. This makes fully anonymous (but auditable) operations very difficult. Making audit IDs extensions rather than attributes complicates implementation unecessarily in any case, as (at least from the point of view of encoding) they must be handled differently than other kinds of IDs (access ids, accounting ids, etc...). We propose the following fix to the problem. The rationale behind making audit IDs critical extensions is that issuers want to constrain implementations which accept their ACs with audit IDs in them to treat audit ids properly -- that is, they want to constrain acceptors of their ACs to put only audit IDs into audit records. Proposal: The goal can be accomplished by defining the audit id as an attribute, and defining a separate a "UseAuditID" extension. If the "UseAuditID" extension is present, the accepting implementation must never put any attribute other than the audit ID into an audit event. Note that this mechanism also permits issuers to define audit IDs without making their use mandatory, which we view as a good thing. We propose that 4.4 be updated to define audit ID as an attribute, and that 4.3.1 be updated to define the UseAuditID extension instead of the current Audit Identity extension. (2) The draft does not support adequately performant pull-protocol implementations. Section 3 defines support for pull-protocol use of ACs as a requirement Section 4.2.4 requires that the AC signature MUST be md5WithRSAEncryption, id-dsa-with-sha1, sha-1WithRSAEncryption, or ecdsa-with-SHA1. Section 5 requires that the signature must verify (path and crypto) or else be rejected. The combination of these requirements implies that even in pull-protocol configurations in which the certificate acceptor pulls the AC from a trusted repository over a secure, authenticated link, the acceptor must do at least one public-key verify operation and a hash. In high-volume cases, especially those employing very short-lived ACs, this will impose substantial and perhaps unacceptable overhead. We propose to add another algorithm to the set: NoHashWithNoEncryption. Specifically, we propose that the text of the last two paragraphs of 4.2.4 be changed to read: This MUST be one of the following algorithms: NoHashWithNoEncryption, md5WithRSAEncryption, id-dsa-with-sha1, sha-1WithRSAEncryption, or ecdsa-with-SHA1. [PKIXPROF] section 7.2 defines md5WithRSAEncryption, id-dsa-with-sha1, and sha-1WithRSAEncryption. [ECDSA] section 3.2 defines ecdsa-with-SHA1. NoHashWithNoEncryption indicates that no signature has been applied to the attribute certificate; if this signature algorithm is specified, the certificate passes the signature validity check with no processing required. id-dsa-with-sha1 MUST be supported by all AC users. md5WithRSAEncryption, sha-1WithRSAEncryption, and ecdsa-with-SHA1 SHOULD be supported. NoHashWithNoEncryption MAY be supported. Now the minor issue: (3) We may be confused here, but when section 4.2.7 requires that "AC users MUST be able to handle multiple values for all attribute types" we see trouble. Do we really want to REQUIRE support for multiple values of Access Identity and Charging Identity attributes? Paul Ashley, PhD Senior Security Architect Tivoli Security Business Unit Bridgepoint III 6300 BridgePoint Parkway Office A5022 Austin, Tx 78731 email: paul_ashley@tivoli.com phone: +1 (512) 436 1541 fax: +1(512)436-1199 cell: (512) 695 1821 Tivoli - an IBM division Received: from freeby.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id NAA11464 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 13:26:35 -0700 (PDT) Received: from algroup.co.uk (naughty.ben.algroup.co.uk [193.133.15.107]) by freeby.ben.algroup.co.uk (8.6.12/8.6.12) with ESMTP id VAA20261; Wed, 5 Jul 2000 21:35:32 +0100 Message-ID: <39639A84.C1CACCEC@algroup.co.uk> Date: Wed, 05 Jul 2000 21:28:52 +0100 From: Ben Laurie <ben@algroup.co.uk> Organization: A.L. Group plc X-Mailer: Mozilla 4.7 [en] (WinNT; I) MIME-Version: 1.0 To: Pedrabissi Raffaele <pedra@europe.com> CC: ietf-pkix@imc.org Subject: Re: References: <386417174.962783012657.JavaMail.root@web302-mc.mail.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Pedrabissi Raffaele wrote: > > Good morning, I`m Raffaele Pedrabissi, a student of Politecnico of Milano > (ITALY-EUROPE) and I`m doing a stage in Alcatel of Vimercate (Milano-ITALY). > I write You because I had read the RFC 2459 for the electronic certicates. > Now I have a little problem: I`m searching a program in C language that > creates an electronic certificate and one that notices the same certificate. > Thank You for Your time. http://www.openssl.org/ Cheers, Ben. -- http://www.apache-ssl.org/ben.html Coming to ApacheCon Europe 2000? http://apachecon.com/ Received: from e1.ny.us.ibm.com (e1.ny.us.ibm.com [32.97.182.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA21128 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 10:13:51 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id NAA354494; Wed, 5 Jul 2000 13:13:08 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.9) with SMTP id NAA80822; Wed, 5 Jul 2000 13:15:02 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 85256913.005EBD3C ; Wed, 5 Jul 2000 13:14:48 -0400 X-Lotus-FromDomain: IBMUS To: Jean-Marc Desperrier <jean-marc.desperrier@certplus.com> cc: ietf-pkix@imc.org, hoytkesterson@earthlink.net, sharon.boeyen@entrust.com Message-ID: <85256913.005EBA75.00@D51MTA04.pok.ibm.com> Date: Wed, 5 Jul 2000 13:14:41 -0400 Subject: Re: RFC 2459 and internationalized domain names Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline This question may be premature, but we will need to ask it sometime - if the Internet definitions of the three IA5String's in GeneralName get extended for internationalization, should we: 1) Add OTHER-NAME's for the internationalized string types, 2) Add extra CHOICE values to GeneralName; 3) Change the IMPLICIT type of each of these three strings to UTF8String on the grounds that every legal IA5String is also a legal UTF8String with the same meaning, although not vice versa? If we pick option 2 or option 3, will every certificate and CRL extension currently including GeneralName get assigned a new OID for use with the new GeneralName definition? The answers to these questions are as much under the control of X.509 as of PKIX. Tom Gindin Jean-Marc Desperrier <jean-marc.desperrier@certplus.com> on 07/05/2000 12:17:49 PM To: ietf-pkix@imc.org cc: Subject: Re: RFC 2459 and internationalized domain names tgindin@us.ibm.com wrote: > The format of GeneralName is : > GeneralName ::= CHOICE { > otherName [0] INSTANCE OF OTHER-NAME, > rfc822Name [1] IA5String, > dNSName [2] IA5String, > ... > uniformResourceIdentifier [6] IA5String, > > It seems > we need to create something like : > rfcSonOf822Name [9] UTF8strings, > > [Tom Gindin] I think it's rfc822I18N [9] UTF8String, but that's minor. > The same applies to dNSName, and uniformResourceIdentifier. > > [Tom Gindin] I have one basic question here. Does adding new members to > this choice mean we have to change OID's for the extensions using it (not > just SubjectAltName, but IssuerAltName, AuthorityKeyIdentifier, > NameConstraints, CRLDistributionPoint, CertificateIssuer, > IssuingDistributionPoint and AuthorityInfoAccess in RFC 2459 alone - and I > might have missed one)? If it does, should we and X.509 bite that > particular bullet or define OTHER-NAME's as DirectoryString's instead? OK, OTHER-NAME is the way to go. It is clearly a lot better to define a specific OID for rfc822I18N and then insert that kind of thing as an otherName element, and *not* to change the syntax of GeneralName. OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id } [Tom Gindin] Two points. First, I was really asking our X.509 committee types (Sharon, Hoyt, are you listening?) whether adding a new choice in GeneralName would cause both X.509 and PKIX-1 to have to renumber all of the extensions cited; if not, it's not clear to me that adding OTHER-NAME is really better. Second, what I meant by "OTHER-NAME's as DirectoryString's" was OTHER-NAME's with values which are DirectoryString's - there's no need for a new string type here. (snip) Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA20426; Wed, 5 Jul 2000 10:02:56 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id FAA17549; Thu, 6 Jul 2000 05:04:10 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <96281665018859>; Thu, 6 Jul 2000 05:04:10 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: phoffman@imc.org Subject: Re: RFC 2459 and internationalized domain names Cc: ietf-pkix@imc.org Sender: pgut001@cs.auckland.ac.nz Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Thu, 6 Jul 2000 05:04:10 (NZST) Message-ID: <96281665018859@kahu.cs.auckland.ac.nz> Paul Hoffman / IMC <phoffman@imc.org> writes: >At 12:31 PM -0400 7/5/00, Russ Housley wrote: >>I agree that certificates should accommodate non-ASCII domain names >>once they are finalized. I do not understand why anything should be >>done before IDN finishes their work. >Because someone will be reading the PKIX RFC at some point after IDN is done. >They may say "gee, this is stupid that they said to use IA5String for domain >name, I'll just use UTF8String". Putting in an acknowledgement that the PKIX WG >knows of some of the formats that we have locked down possibly changing might >help promote future interoperability. You could also do what a certain Spanish CA did and unilaterally extend the string type which is causing problems to AnythingIWantString (so you can put cedillas in a string-formerly-known-as-PrintableString for example). Peter :-). Received: from gandalf.trustpoint.com (gandalf.trustpoint.com [157.22.240.75]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA20063 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 09:59:29 -0700 (PDT) Received: from ronald.certicom.com (ronald [10.1.6.23]) by gandalf.trustpoint.com (8.8.7/8.8.7) with ESMTP id KAA01789; Wed, 5 Jul 2000 10:00:38 -0700 Received: (from ronald@localhost) by ronald.certicom.com (8.8.7/8.8.7) id KAA25606; Wed, 5 Jul 2000 10:00:44 -0700 Date: Wed, 5 Jul 2000 10:00:44 -0700 From: "Life is hard, and then you die" <ronald@trustpoint.com> To: =?iso-8859-1?Q?Martin_Lindstr=F6m?= <martin.lindstrom@entegrity.com> Cc: ietf-pkix@imc.org, ca-talk@icsa.net Subject: Re: [ca-talk] CMP transport protocol - who should close the connection? Message-ID: <20000705100044.A25596@innovation.ch> Mail-Followup-To: =?iso-8859-1?Q?Martin_Lindstr=F6m?= <martin.lindstrom@entegrity.com>, ietf-pkix@imc.org, ca-talk@icsa.net References: <000301bfe684$504453f0$1f00000a@cost.se> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 1.0.1i In-Reply-To: <000301bfe684$504453f0$1f00000a@cost.se>; from martin.lindstrom@entegrity.com on Wed, Jul 05, 2000 at 03:24:13PM +0200 On Wed, Jul 05, 2000 at 03:24:13PM +0200, Martin Lindström wrote: > > Regarding draft-ietf-pkix-cmp-transport-protocols-00.txt: [snip] > Suppose that a CR/CP is sent in one connection and when the > client is about to send its certConf it connects to the server > and sends the TCP message with the close bit set. > Should the client wait for the server to close the connection > or should it do it itself? > IMO the client cannot really do it itself since it must be prepared > to receive a pkiconf message from the CA (e.g. that the cert hash > comparison failed), and if the server does not close the > connection the client will either hang or timeout. The client has two possibilities: it can either do a shutdown on the client->server direction immediately, or then it has to wait for the response from the server. As an aside, and a purely implementation problem, quite a few systems don't properly support shutdown(). Hence it is usally safer for the client to wait for the server response and then doing a close(). > So what I want is that section 2.3 is extended with: > "If the connection close bit is set on a request, then the server > MUST set the bit in the response and close the connection after > sending the response. <add - begin> In the case the server does > not intend to send any response to the client request, the server > should close the connection directly. <add - end>" That case never occurs. The protocol is a request/response protocol and there is *always* a response. Cheers, Ronald Received: from [165.227.249.13] (ip13.proper.com [165.227.249.13]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA19173; Wed, 5 Jul 2000 09:42:52 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p0432040db58915f36417@[165.227.249.13]> In-Reply-To: <4.2.0.58.20000705123024.00ab1c30@mail.spyrus.com> References: <4.2.0.58.20000705123024.00ab1c30@mail.spyrus.com> Date: Wed, 5 Jul 2000 09:44:13 -0700 To: Russ Housley <housley@spyrus.com> From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: RFC 2459 and internationalized domain names Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 12:31 PM -0400 7/5/00, Russ Housley wrote: >I agree that certificates should accommodate non-ASCII domain names >once they are finalized. I do not understand why anything should be >done before IDN finishes their work. Because someone will be reading the PKIX RFC at some point after IDN is done. They may say "gee, this is stupid that they said to use IA5String for domain name, I'll just use UTF8String". Putting in an acknowledgement that the PKIX WG knows of some of the formats that we have locked down possibly changing might help promote future interoperability. --Paul Hoffman, Director --Internet Mail Consortium Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA18490; Wed, 5 Jul 2000 09:32:11 -0700 (PDT) Received: from rhousley_laptop.spyrus.com ([209.172.119.209]) by mail.spyrus.com (8.9.3/8.9.3) with ESMTP id JAA06343; Wed, 5 Jul 2000 09:32:59 -0700 (PDT) Message-Id: <4.2.0.58.20000705123024.00ab1c30@mail.spyrus.com> X-Sender: rhousley@mail.spyrus.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Wed, 05 Jul 2000 12:31:35 -0400 To: Paul Hoffman / IMC <phoffman@imc.org> From: Russ Housley <housley@spyrus.com> Subject: Re: RFC 2459 and internationalized domain names Cc: ietf-pkix@imc.org In-Reply-To: <p0432040eb586e5039935@[165.227.249.13]> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Paul: I agree that certificates should accommodate non-ASCII domain names once they are finalized. I do not understand why anything should be done before IDN finishes their work. Russ At 07:10 PM 07/03/2000 -0700, Paul Hoffman / IMC wrote: >Greetings again. There is active work in the IETF to allow non-ASCII >characters in doamin names. This is being considered in the IDN Working >Group (see <http://www.ietf.org/html.charters/idn-charter.html> for the WG >charter). There is a strong desire for these names in many parts of the world. > >If the wire format for the new domain names includes non-ASCII characters >(which seems likely to me), then we probably should change 2459 to handle >these new names. Fortunately, son-of-2459 is still not finished. > >Please note that: >- The IDN WG may not come up with a protocol >- The protocol may be ASCII-only, using an encoding scheme that maps to >the current rules for domain names >- If there is a binary protocol, it is likely (but not definitely) going >to be UTF-8 > >Given that, it might be wise of us to either change how domain names are >represented 2459 or to put warnings into the text about this in >son-of-2459. It is likely that son-of-2459 will be finished well before >the IDN WG is finished. > >Oh, and if the IDN WG creates a binary protocol, there will be a strong >demand for changes to the email protocols to handle binary domain names in >headers. There will also be a strong demand for binary on the left-hand >side of the addr-spec. We may wan to consider these as well. > >Thoughts? > >--Paul Hoffman, Director >--Internet Mail Consortium Received: from certplus.com ([195.101.88.81]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA17674 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 09:17:38 -0700 (PDT) Received: from certplus.com (nt4_jmd.certplus.com [192.168.1.17]) by certplus.com (8.8.7/8.8.7) with ESMTP id QAA29780 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 16:48:17 +0200 Message-ID: <39635FAD.2D202C56@certplus.com> Date: Wed, 05 Jul 2000 18:17:49 +0200 From: Jean-Marc Desperrier <jean-marc.desperrier@certplus.com> Organization: Certplus X-Mailer: Mozilla 4.72 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: RFC 2459 and internationalized domain names References: <85256913.00517321.00@D51MTA04.pok.ibm.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit tgindin@us.ibm.com wrote: > The format of GeneralName is : > GeneralName ::= CHOICE { > otherName [0] INSTANCE OF OTHER-NAME, > rfc822Name [1] IA5String, > dNSName [2] IA5String, > ... > uniformResourceIdentifier [6] IA5String, > > It seems > we need to create something like : > rfcSonOf822Name [9] UTF8strings, > > [Tom Gindin] I think it's rfc822I18N [9] UTF8String, but that's minor. > The same applies to dNSName, and uniformResourceIdentifier. > > [Tom Gindin] I have one basic question here. Does adding new members to > this choice mean we have to change OID's for the extensions using it (not > just SubjectAltName, but IssuerAltName, AuthorityKeyIdentifier, > NameConstraints, CRLDistributionPoint, CertificateIssuer, > IssuingDistributionPoint and AuthorityInfoAccess in RFC 2459 alone - and I > might have missed one)? If it does, should we and X.509 bite that > particular bullet or define OTHER-NAME's as DirectoryString's instead? OK, OTHER-NAME is the way to go. It is clearly a lot better to define a specific OID for rfc822I18N and then insert that kind of thing as an otherName element, and *not* to change the syntax of GeneralName. OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id } The only thing that is needed is to define that "value" is of type UTF8String or InternetDirectoryString when "type-id" is rfc822I18N, OtherName might be anything, it's defined by the OID used. Also a dNSNameI18N, and uniformResourceIdentifierI18N OID would be needed. > It seems to me using a CHOICE format similar to DirectoryString for > rfc822Name, > dNSName, uniformResourceIdentifier, and a recommendation to use IA5String > in the > current state of things would have been a better solution. > > [Tom Gindin] It might well have been better (using AugmentedDirectoryString > as a CHOICE between DirectoryString and IA5String, or > InternetDirectoryString as a CHOICE between IA5String and the three Unicode > string types), but it's probably too late. It's too late, but I think the moral is that the standard should always leave some room for the type of strings elements to evolve in the future. Received: from firewall1.glaxowellcome.com (firewall-user@firewall1.glaxowellcome.com [192.58.204.204]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA14887 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 08:34:06 -0700 (PDT) Received: by firewall1.glaxowellcome.com; id LAA05040; Wed, 5 Jul 2000 11:35:44 -0400 (EDT) Received: from ussun2m.glaxo.com(152.51.20.99) by firewall1.glaxowellcome.com via smap (V5.5) id xmaaq0283; Wed, 5 Jul 00 11:27:42 -0400 Received: by ussun2m.glaxo.com id KAA10881; Wed, 5 Jul 2000 10:56:00 -0400 (EDT) Received: from 152.51.60.17 by securemail1.glaxo.com with SMTP ( WorldSecure Server SMTP Relay(WSS) v4.5); Wed, 05 Jul 2000 10:50:03 -0400 X-Server-Uuid: c7fabf50-5a2e-11d2-968c-00805fc1f894 Received: from 152.51.20.99 by securemail1.glaxo.com with SMTP ( WorldSecure Server SMTP Relay(WSS) v4.5); Fri, 23 Jun 2000 17:35:31 -0400 X-Server-Uuid: c7fabf50-5a2e-11d2-968c-00805fc1f894 Received: by ussun2m.glaxo.com id RAA15558; Fri, 23 Jun 2000 17:35:33 -0400 (EDT) Received: by firewall1.glaxowellcome.com; id RAA27929; Fri, 23 Jun 2000 17:35:53 -0400 (EDT) Received: from ns.secondary.com(208.184.76.39) by firewall1.glaxowellcome.com via smap (V5.5) id xma027631; Fri, 23 Jun 00 17:34:35 -0400 Received: from localhost (daemon@localhost) by ns.secondary.com ( 8.9.3/8.9.3) with SMTP id OAA06544; Fri, 23 Jun 2000 14:33:42 -0700 ( PDT) Received: by mail.imc.org (bulk_mailer v1.12); Fri, 23 Jun 2000 14:33:33 -0700 Received: from iaik.tu-graz.ac.at (excalibur.iaik.tu-graz.ac.at [129.27.152.30]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id OAA06477 for <ietf-pkix@imc.org>; Fri, 23 Jun 2000 14:33:31 -0700 (PDT) Received: from PLIPP2 [129.27.152.34] by iaik.tu-graz.ac.at ( SMTPD32-6.00) id A7AB19D0128; Fri, 23 Jun 2000 23:33:31 +0200 Received: from 127.0.0.1 [127.0.0.1] by PLIPP2 (IAIK S/MIME Mapper 2.0beta3 22/March/2000); Fr, 23 Jun 2000 23:34:23 +0100 From: "Peter Lipp" <Peter.Lipp@iaik.at> To: "Michael Zolotarev" <mzolotarev@baltimore.com>, ietf-pkix@imc.org Subject: AW: AW: self-signed TSA [Was Re: Private Key Cloning] Date: Fri, 23 Jun 2000 23:34:22 +0200 Message-ID: <NDBBLDEHJKOODMJCNBNCAELDEAAA.Peter.Lipp@iaik.at> MIME-Version: 1.0 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <D44EACB40164D311BEF00090274EDCCA7D118C@sydneymail1.jp.zergo.com.au> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Precedence: bulk List-Archive: http://www.imc.org/ietf-pkix/mail-archive/ List-ID: <ietf-pkix.imc.org> List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe X-WSS-ID: 154D07A991476-01-02 X-WSS-ID: 157D949111757-01-01 Content-Type: multipart/mixed; boundary="_-==154D07AF50==-_" --_-==154D07AF50==-_ Content-Type: multipart/signed; boundary=--IAIK.SMIME.MAPPER.8A03CDEB--; micalg=sha1; protocol="application/x-pkcs7-signature" Content-Transfer-Encoding: 7bit This is a multipart MIME message, it may require a MIME capable user agent. ----IAIK.SMIME.MAPPER.8A03CDEB-- Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable > I guess the problem is a common misconception that a TSA is always a > subsidiary/sub-service of a CA. Not necessary. TSA is/can_be a service on > its own, with no inherited relationship to any CA at all. Sure it can. But I bet it still will have certificates from some CA (more than one maybe) that trust the TSA for doing their service properly. Do you really believe the average user will and can go and check for each and every service provider if it should be trusted? If he at some point really consiously decided to trust a certain CA, it will be close to a miracle. Most will accept somebody elses decisions, maybe preconfigured by the vendor, and if the SW asks: should I trust, he will hit the "never ask me that question again" button.... Peter ----IAIK.SMIME.MAPPER.8A03CDEB-- Content-Type: application/x-pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7s MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAA oIIVIDCCBE0wggM5oAMCAQICAwGGrTAJBgUrDgMCHQUAMIIBEzELMAkGA1UEBhMC QVQxDzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxMER1JBWjEZMBcGA1UECRMQSW5m ZmVsZGdhc3NlIDE2YTEmMCQGA1UEChMdR1JBWiBVTklWRVJTSVRZIE9GIFRFQ0hO T0xPR1kxRzBFBgNVBAsTPkluc2l0dXRlIGZvciBBcHBsaWVkIEluZm9ybWF0aW9u IFByb2Nlc3NpbmcgYW5kIENvbW11bmljYXRpb25zMRkwFwYDVQQLExBJQUlLIElO VFJBTkVUIENBMRkwFwYDVQQDExBJQUlLIFRVLUdSQVogU0lHMSIwIAYDVQQMExlJ QUlLIGVsZWN0cm9uaWMgc2lnbmF0dXJlMB4XDTk5MTEyODIwMjIzOVoXDTAwMTEy ODIwMjIzOVowgZMxCzAJBgNVBAYTAkFUMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJ VFkgT0YgVEVDSE5PTE9HWTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQg SW5mb3JtYXRpb24gUHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxEzARBgNV BAMTClBldGVyIExpcHAwgZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGBAM5s1aJQ xXxczmMNSJtL4cv9nhMA+dtbUN4+DA5qfZBqcwR2zWw2VulPyrAeZDA1HFP8zlpk PlC5C4hNnX+p7QdG8u0LMk45FwaatOm2r2gEmTYGH/znwQSrKTsZXi0d0VHZV0TX yU/I3SlYxSXfjFafAVE09KKa2m8jcUOhF97dAgEDo4G0MIGxMDgGA1UdHwQxMC8w LaAroCmkJzAlMRAwDgYDVQQKEwdpYWlrLmF0MREwDwYDVQQDEwhJQUlLQ1JMMTAR BglghkgBhvhCAQEEBAMCAKAwKAYJYIZIAYb4QgENBBsWGVVzZXItQ2VydGlmaWNh dGUgSU5UUkFORVQwDAYDVR0TBAUwAwEBADAdBgNVHREEFjAUgRJQZXRlci5MaXBw QGlhaWsuYXQwCwYDVR0PBAQDAgbAMAkGBSsOAwIdBQADggEBAA4r/qDOLW8ChbuC 2pGzcf74Uv190Q45aHj99lMgNhPQRIVaLLNXJH+NYJxEvIwmVOWIXjdA03TqkOOq FJ/tK31wV+RbrvaPaVUwRjPhC2f8rr+K6pp9mzUC1SolUEbRWVHgOZGsbnEJkTEr oJOelFdKr0coT+Xeje/fI5d50P3CwsJLR2PFkiswnOoWBINi2nq6MGZ7fwmzW8F9 ZVstrNMQYCeEj4V2SR/YIUrDxsdqMQyorBe/su3eab3fOpPlonb86KKWH6jLdgpi KGRoHGWeGgAWlMB0HdxaupX7Lm8LhVYZOdh9SpvO8AdhMyOXNHOKF6sMXCZvSEHy 2XUvbmAwggRUMIIDQKADAgECAgJOIDAJBgUrDgMCHQUAMIGZMQswCQYDVQQGEwJB VDEmMCQGA1UEChMdR1JBWiBVTklWRVJTSVRZIE9GIFRFQ0hOT0xPR1kxRzBFBgNV BAsTPkluc2l0dXRlIGZvciBBcHBsaWVkIEluZm9ybWF0aW9uIFByb2Nlc3Npbmcg YW5kIENvbW11bmljYXRpb25zMRkwFwYDVQQDExBJQUlLIElOVFJBTkVUIENBMB4X DTk5MTExNDEyNTE0OVoXDTAyMTIzMTIyNTkzMFowggETMQswCQYDVQQGEwJBVDEP MA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHUkFaMRkwFwYDVQQJExBJbmZmZWxk Z2Fzc2UgMTZhMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJVFkgT0YgVEVDSE5PTE9H WTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQgSW5mb3JtYXRpb24gUHJv Y2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxGTAXBgNVBAsTEElBSUsgSU5UUkFO RVQgQ0ExGTAXBgNVBAMTEElBSUsgVFUtR1JBWiBTSUcxIjAgBgNVBAwTGUlBSUsg ZWxlY3Ryb25pYyBzaWduYXR1cmUwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEI AoIBAQDSyhKuZGsL1EPk5mOTG8RzhHS/Va+/WYjs7Zm91nwVHu1+XFLJeJ85AICk SQ7yq9lWa9ur34cywbNhl/9QxaOBOiHkMvAuXxs2Bq/uhe/hEb1T7XgO12ptG80q SOP8/nKxw1PXlbUkd1rD9727mO/5tpvagEQfz7CZQ5wI4HkrNw5uH/vsJ72wRcRT FzmHy/nOX3Y9sXLd/V7TG8j1x0oNWsR3b0tHEWM+Oc1Qq5FfCknoMMCitSD38cUL CCcLJtVxkOiapWaZrDXUAuhvshhsRPjkXh6IzpqsZEtRI64SurLoUUShPv108ELE 6rfQKtm9FNnlFRD954diwfFHko/lAgEFozMwMTARBglghkgBhvhCAQEEBAMCAAIw DwYDVR0TBAgwBgEB/wIBATALBgNVHQ8EBAMCAQYwCQYFKw4DAh0FAAOCAQEAc26n vl5jQspoqD0fzjpZkqGARmFVj9uHNqVoWttqw/y6t46OhJUcePEmXkKsFP4NuCFx 2MyvmbWb6R6QNQ5WfoarGWyQ382cQN6mccPS5weDjXAzYeGZUkx99K70ncVxkwq7 rINAhJtari2XSLxmfBJyTYrZuWEgd5C9NBuf2u3iZyArarOKPbrBjZxjmXwBbZ7t sfAhSVMGSr2ODgQcQjf7ZndNIsQZL75HkN21Pj+/x3wnMCAQF50+Pt8ioAgZ/SAu dxmdYNr2itI0vmsV/xjD1NQuwb6+HwmR2LxclhMzrT1VbtTDkRLD/h8LKC1OpKV8 lQlS7Ir+Od/XNafKJjCCA8owggKyoAMCAQICAQEwDQYJKoZIhvcNAQEEBQAwgZkx CzAJBgNVBAYTAkFUMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJVFkgT0YgVEVDSE5P TE9HWTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQgSW5mb3JtYXRpb24g UHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxGTAXBgNVBAMTEElBSUsgSU5U UkFORVQgQ0EwHhcNOTkxMTE0MTIzMTU5WhcNMDIxMjMxMjI1OTMwWjCBmTELMAkG A1UEBhMCQVQxJjAkBgNVBAoTHUdSQVogVU5JVkVSU0lUWSBPRiBURUNITk9MT0dZ MUcwRQYDVQQLEz5JbnNpdHV0ZSBmb3IgQXBwbGllZCBJbmZvcm1hdGlvbiBQcm9j ZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9uczEZMBcGA1UEAxMQSUFJSyBJTlRSQU5F VCBDQTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAMLr+IHe6qeAtYLk fvxyRI6ogrvBP5iKPEBZ7j3T1yVJL7CDPGH8hgPsI4qt6Fnzh2MuAq84JS58zX5x LqEUC/E5xw1xyAzorC6yWwxGRhb+fvTg4OlM2JVsTlyJO6F/BWlXuZU33lgGky/R X84sItXKhmhbUPscnHYBsVKcQO5rFcRrJK/5c1Mha/bcQNVDQaQw+HRCvr7T4mAV Yi+DVJv6jb393CoDBnffGP/mcIkFGFO5D6lyfP8QiSs06+0unIYWwUn1YzQI2RNB AjXrCuAJtlf4qYrGXC09Neg8ymoI2uOglo6scWiZXt/prxWoi+btPX8oWDl5+7DE tCf0rx8CAQejHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3 DQEBBAUAA4IBAQAfdOMJ/ePlmrY0flkgiL6vyRDBuWGcIaB/oGofngJzbQLa7X2s hWzpIiVpvo64XcjIBuocpErhIQfc2UZTSqYYT7R2Uydh0wVeqScURuwuihFURPhI 7GWCSrNwym2lrwsva2Xh/MTyzhXs9vo29dP2djjelN8n347dXhKJOYJ0tsA583af EKmKvkfzAb+sQLxEmPyasQTCGJMec/iWjLTsEDRfCrROYVgDZ4NcCpiRSv9mWw6s PYB8Chf5fJq1waFzluFYSUkuF24NKVopr1E4dKt2Lc1zdMRGRztKQWeUiBLkqFCQ xsi6iZrl1nvMCdF+scuLj7G4lNshx6n1ZcabMIIETTCCAzmgAwIBAgIDAw1NMAkG BSsOAwIdBQAwggETMQswCQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYD VQQHEwRHcmF6MRkwFwYDVQQJExBJbmZmZWxkZ2Fzc2UgMTZhMSYwJAYDVQQKEx1H UkFaIFVOSVZFUlNJVFkgT0YgVEVDSE5PTE9HWTFHMEUGA1UECxM+SW5zaXR1dGUg Zm9yIEFwcGxpZWQgSW5mb3JtYXRpb24gUHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNh dGlvbnMxGTAXBgNVBAsTEElBSUsgSU5UUkFORVQgQ0ExGzAZBgNVBAMTEklBSUsg VFUtR1JBWiBDUllQVDEgMB4GA1UEDBMXSUFJSyBjb25maWRlbnRpYWxpdHkgQ0Ew HhcNOTkxMTI4MjAyMzM4WhcNMDAxMTI4MjAyMzM4WjCBkzELMAkGA1UEBhMCQVQx JjAkBgNVBAoTHUdSQVogVU5JVkVSU0lUWSBPRiBURUNITk9MT0dZMUcwRQYDVQQL Ez5JbnNpdHV0ZSBmb3IgQXBwbGllZCBJbmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFu ZCBDb21tdW5pY2F0aW9uczETMBEGA1UEAxMKUGV0ZXIgTGlwcDCBnTANBgkqhkiG 9w0BAQEFAAOBiwAwgYcCgYEAvQe3ZdxrE2Nv5z2ZLink1P2MFeQb5gYrS55w4jsX ZGD5v9Ajnv3w30Ajcn7jI+blIvYYpmNQV476+aUHNZFUML/KN5WGVXfdBOxb2n+6 Porez8KMnUlq3cCvAdhVdquFjwaRHO5k7gY80hNAfVker52A1aXbrT0TaWGlCl25 sq0CAQWjgbQwgbEwOAYDVR0fBDEwLzAtoCugKaQnMCUxEDAOBgNVBAoTB2lhaWsu YXQxETAPBgNVBAMTCElBSUtDUkwxMBEGCWCGSAGG+EIBAQQEAwIAoDAoBglghkgB hvhCAQ0EGxYZVXNlci1DZXJ0aWZpY2F0ZSBJTlRSQU5FVDAMBgNVHRMEBTADAQEA MB0GA1UdEQQWMBSBElBldGVyLkxpcHBAaWFpay5hdDALBgNVHQ8EBAMCA3gwCQYF Kw4DAh0FAAOCAQEAhvbZ0/1a47YqiCYjsnsqxWhFufL9oPQzzK9sBDjZZwbpPnhD ZN8PmBqWUXAo74a6oz7Q0W1QieAPCIGenFcVe5ui9m+9TDwtrQN1ECE5k3VuGlh9 l+1Sw5GjFEynARTDmaSRIc75EV/nx4a1LuHLkRYGC5Mg6LskWpIw7ShdPD54U/3Q 19iboaASh0ynfySjBsy1549hQcmi9UfMMX7u1QCCia2kd15u+YaVxtWoMHFB59q6 ELx+9XseEpEI/zBlvSwdyDTXWtnlxnzZjsyk0a/W+FpdeuZ7k2Dbf/Owx0nXS70M HrH/AErvvbhxJ1BaAPC6TAN6da4xPpwy5XSRfjCCBFQwggNAoAMCAQICAnUwMAkG BSsOAwIdBQAwgZkxCzAJBgNVBAYTAkFUMSYwJAYDVQQKEx1HUkFaIFVOSVZFUlNJ VFkgT0YgVEVDSE5PTE9HWTFHMEUGA1UECxM+SW5zaXR1dGUgZm9yIEFwcGxpZWQg SW5mb3JtYXRpb24gUHJvY2Vzc2luZyBhbmQgQ29tbXVuaWNhdGlvbnMxGTAXBgNV BAMTEElBSUsgSU5UUkFORVQgQ0EwHhcNOTkxMTE0MTI1NTM2WhcNMDIxMjMxMjI1 OTMwWjCCARMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcT BEdyYXoxGTAXBgNVBAkTEEluZmZlbGRnYXNzZSAxNmExJjAkBgNVBAoTHUdSQVog VU5JVkVSU0lUWSBPRiBURUNITk9MT0dZMUcwRQYDVQQLEz5JbnNpdHV0ZSBmb3Ig QXBwbGllZCBJbmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9u czEZMBcGA1UECxMQSUFJSyBJTlRSQU5FVCBDQTEbMBkGA1UEAxMSSUFJSyBUVS1H UkFaIENSWVBUMSAwHgYDVQQMExdJQUlLIGNvbmZpZGVudGlhbGl0eSBDQTCCASAw DQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAMEnzjatic90xi5VRmr0i2O16Z1a SElQFZitoNvAzGw+KehOTuKeUr5ALHib9tGInNm+jPTWVGl/u5Hab1JRzXj0xAKy qvZ+KphGy6ag6VcCVySJmeY1AqTM0W78XdFQXnlZuciBv00Ktoulb/Ktgh6c0YNg o4UMVdxjGHJweibT1AGvlFe2BqulwtuwOLovMIuIyHHh+o6F2HXYKUB54GJpia1B 2IfmqcpBBFdYtDlHyrxugB5QhuhLo0BjD8jCe8B2gkQnI2wIeyfpLlH+u3/VQAl1 2cZKkqaqPpOgP/znsdh62QBSabrRluvCp9OQW9M8u+mJlrxIIVwtThfzIW0CAQWj MzAxMBEGCWCGSAGG+EIBAQQEAwIAAjAPBgNVHRMECDAGAQH/AgEBMAsGA1UdDwQE AwIBBjAJBgUrDgMCHQUAA4IBAQBa+v4JIzqbBydvFOaP/dA5D/GLWEWjPTF8tKcP hxlEYABH8dW5E2tk/nNE2CDyGjkJtR+o9kiCDCa4N/qlc2LepJpa0I28Hi4wCd0C uxSWpEuDHNDrW6Y/bU8gJ8DpskVl+lR0QFkqSCWAu3bY0e2VvUffk2ltrx1KvO64 vGX+ayZn2P7naGHPfYjCBWUKzW0zS8chVf0aehu/qXFuZDfy1MlDgEnPl1DQ1vSL CMmFEDc99iNzcCU7ILn+RgWPNYPVhCUqoDQ6buX00ohfNVS/OHgqkWpa1HLvLRXq E9NmYUJvfhE2zCY6w6bTME3IfDCXRat2Q3twP4/iP9xtsTbPMYICeDCCAnQCAQEw ggEcMIIBEzELMAkGA1UEBhMCQVQxDzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxME R1JBWjEZMBcGA1UECRMQSW5mZmVsZGdhc3NlIDE2YTEmMCQGA1UEChMdR1JBWiBV TklWRVJTSVRZIE9GIFRFQ0hOT0xPR1kxRzBFBgNVBAsTPkluc2l0dXRlIGZvciBB cHBsaWVkIEluZm9ybWF0aW9uIFByb2Nlc3NpbmcgYW5kIENvbW11bmljYXRpb25z MRkwFwYDVQQLExBJQUlLIElOVFJBTkVUIENBMRkwFwYDVQQDExBJQUlLIFRVLUdS QVogU0lHMSIwIAYDVQQMExlJQUlLIGVsZWN0cm9uaWMgc2lnbmF0dXJlAgMBhq0w CQYFKw4DAhoFAKCBsTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3 DQEJBTEPFw0wMDA2MjMyMTM0MjNaMCMGCSqGSIb3DQEJBDEWBBRxCE72xr47V3Mr SVFLlPFfOZikgzBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3 DQMCAgIAgDANBggqhkiG9w0DAgIBQDANBggqhkiG9w0DAgIBKDAHBgUrDgMCBzAN BgkqhkiG9w0BAQEFAASBgMiIJYnloS3RWMW4oAn/jeFn8V6nVPjyWfgnSWnK2ko8 D1cqCS31beJePiEa+7eFjgaz/luEEngzEHWmOIZLwg/fg9JQPUuWx2tDByoyp6IE qdolRWRFIja4CYOToMUGmoXv1UqO5Lv8qa7M5bVS+JhMFyQvNwCoSrLWJwL87AgN AAAAAAAA ----IAIK.SMIME.MAPPER.8A03CDEB---- --_-==154D07AF50==-_ Content-Type: text/plain; charset=us-ascii; name=wssalert.txt Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=wssalert.txt "WorldSecure Server <glaxo.com>" made the following annotations on 06/23/00 17:35:33 ------------------------------------------------------------------------------ [ALERT] -- Security Manager: Proxy decryption/verification failed. The message could not be decrypted. ============================================================================== --_-==154D07AF50==-_-- Received: from thalia.fm.intel.com (thalia.fm.intel.com [132.233.247.11]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA12331 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 07:49:30 -0700 (PDT) Received: from SMTP (fmsmsxvs04-1.fm.intel.com [132.233.42.204]) by thalia.fm.intel.com (8.9.1a+p1/8.9.1/d: relay.m4,v 1.30 2000/06/08 18:25:35 dmccart Exp $) with SMTP id OAA03904 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 14:51:36 GMT Received: from fmsmsx26.fm.intel.com ([132.233.48.26]) by 132.233.48.204 (Norton AntiVirus for Internet Email Gateways 1.0) ; Wed, 05 Jul 2000 14:50:41 0000 (GMT) Received: by fmsmsx26.fm.intel.com with Internet Mail Service (5.5.2650.21) id <N32LJQMK>; Wed, 5 Jul 2000 07:49:59 -0700 Message-ID: <8DCFE693DDFFD111AC4100A0C9B8DB9401566188@hdsmsx33.hd.intel.com> From: "Eissa, Mohamed" <mohamed.eissa@intel.com> To: ietf-pkix@imc.org Subject: CMP & CRS Which is better? Date: Wed, 5 Jul 2000 07:49:57 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Hello everybody, I am evaluating numer of CA servers and I the certification methodologies with PKIX. I am still confused what are the advantages/disadvantages of CRS(PKCS messaging) and CMP protocols? What is the most popular one most of CA server vendors support? Mohamed Received: from e1.ny.us.ibm.com (e1.ny.us.ibm.com [32.97.182.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA12262 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 07:48:36 -0700 (PDT) From: tgindin@us.ibm.com Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id KAA169554; Wed, 5 Jul 2000 10:47:59 -0400 Received: from D51MTA04.pok.ibm.com (d51mta04.pok.ibm.com [9.117.200.32]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.9) with SMTP id KAA206300; Wed, 5 Jul 2000 10:49:51 -0400 Received: by D51MTA04.pok.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 85256913.005176C8 ; Wed, 5 Jul 2000 10:49:48 -0400 X-Lotus-FromDomain: IBMUS To: Jean-Marc Desperrier <jean-marc.desperrier@certplus.com> cc: ietf-pkix@imc.org Message-ID: <85256913.00517321.00@D51MTA04.pok.ibm.com> Date: Wed, 5 Jul 2000 10:49:38 -0400 Subject: Re: RFC 2459 and internationalized domain names Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Comments below. Are we going to need to change over a third of the extension OID's - and if so, should we try hard to avoid doing so? Tom Gindin Jean-Marc Desperrier <jean-marc.desperrier@certplus.com> on 07/05/2000 05:40:40 AM To: ietf-pkix@imc.org cc: Subject: Re: RFC 2459 and internationalized domain names Paul Hoffman / IMC wrote: > >My secondary comment is that PKIX really shouldn't be in the business of > >specifying altName formats and semantics at all. The definition of what > >constitutes a valid email address, DNS name, IP address, and so forth, has no > >place in a PKIX RFC. The same goes for name-matching rules: it's not up to > >PKIX to define these. It's a loser's game, where PKIX will have to be > >maintained indefinitely in order to keep up with the evolving Internet. > > Agree. The current version of RFC2459 serves two purposes : defining the format of the certificate and defining some "best practices" for implementations of what everyone must be able to support. This best practices are needed, an ASN1 based format has just too many possibilities. [Tom Gindin] And somebody has to define the ASN.1 for each extension. If that doesn't belong in PKIX, why do we have an entire section on the use of standard extensions? > >If an Internet group wants to be compatible with PKIX, it should be up to > >them to define a PKIX sub-profile on what it means to conform to their stuff. And this would be a big problem because there would several different PKIX sub-profiles. If the standard of PKIX defines both the format and the best practices, that means it must be able to evolve easily to adapt to new practices. Or there must be two separate documents for each of theses aspects. Now if the RFC2459 wasn't so strict about the email format, url format, etc... this would be a good thing. [Tom Gindin] Agreed. The format of GeneralName is : GeneralName ::= CHOICE { otherName [0] INSTANCE OF OTHER-NAME, rfc822Name [1] IA5String, dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6] IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER } As these are implicits tags, this is closed to evolutions in the format of the data, it is not possible to modify the standard to allow rfc822Name to be a CHOICE between UTF8strings, and IA5String, as could be done with explicit tags. It seems we need to create something like : rfcSonOf822Name [9] UTF8strings, [Tom Gindin] I think it's rfc822I18N [9] UTF8String, but that's minor. The same applies to dNSName, and uniformResourceIdentifier. [Tom Gindin] I have one basic question here. Does adding new members to this choice mean we have to change OID's for the extensions using it (not just SubjectAltName, but IssuerAltName, AuthorityKeyIdentifier, NameConstraints, CRLDistributionPoint, CertificateIssuer, IssuingDistributionPoint and AuthorityInfoAccess in RFC 2459 alone - and I might have missed one)? If it does, should we and X.509 bite that particular bullet or define OTHER-NAME's as DirectoryString's instead? It seems to me using a CHOICE format similar to DirectoryString for rfc822Name, dNSName, uniformResourceIdentifier, and a recommendation to use IA5String in the current state of things would have been a better solution. [Tom Gindin] It might well have been better (using AugmentedDirectoryString as a CHOICE between DirectoryString and IA5String, or InternetDirectoryString as a CHOICE between IA5String and the three Unicode string types), but it's probably too late. Received: from exchsvr1.entegrity.com (exchsvr1.entegrity.com [207.215.19.3]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id GAA08821 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 06:23:25 -0700 (PDT) Received: from roger (dave.cost.se [195.100.88.62]) by exchsvr1.entegrity.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id N706W8AX; Wed, 5 Jul 2000 06:31:44 -0700 From: "Martin Lindström" <martin.lindstrom@entegrity.com> To: <ietf-pkix@imc.org> Cc: <ca-talk@icsa.net> Subject: CMP transport protocol - who should close the connection? Date: Wed, 5 Jul 2000 15:24:13 +0200 Message-ID: <000301bfe684$504453f0$1f00000a@cost.se> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Regarding draft-ietf-pkix-cmp-transport-protocols-00.txt: One of the reasons of introducing a protocol for transport of CMP messages was that interoperability testing showed that there were no clear definitions on who should close a connection and when. The new protocol tries to solve these issues, but during the PKIForum initiated CMP interoperability testing I have run into some cases not covered by the draft. Suppose that a CR/CP is sent in one connection and when the client is about to send its certConf it connects to the server and sends the TCP message with the close bit set. Should the client wait for the server to close the connection or should it do it itself? IMO the client cannot really do it itself since it must be prepared to receive a pkiconf message from the CA (e.g. that the cert hash comparison failed), and if the server does not close the connection the client will either hang or timeout. So what I want is that section 2.3 is extended with: "If the connection close bit is set on a request, then the server MUST set the bit in the response and close the connection after sending the response. <add - begin> In the case the server does not intend to send any response to the client request, the server should close the connection directly. <add - end>" Comments? /Martin ********* Entegrity Solutions ********* Martin Lindström, Systems Designer Finlandsgatan 60 S-166 74 Kista, Sweden Direct: +46-(0)8-477-7735 Fax: +46-(0)8-477-7731 Cell: +46-(0)70-483-0024 *************************************** Received: from certplus.com ([195.101.88.81]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA28238 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 02:40:32 -0700 (PDT) Received: from certplus.com (nt4_jmd.certplus.com [192.168.1.17]) by certplus.com (8.8.7/8.8.7) with ESMTP id KAA25796 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 10:11:09 +0200 Message-ID: <39630298.56880318@certplus.com> Date: Wed, 05 Jul 2000 11:40:40 +0200 From: Jean-Marc Desperrier <jean-marc.desperrier@certplus.com> Organization: Certplus X-Mailer: Mozilla 4.72 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: RFC 2459 and internationalized domain names References: <p0432040eb586e5039935@[165.227.249.13]> <396230D8.51256A64@xcert.com> <p04320424b587e3244ec9@[165.227.249.13]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Paul Hoffman / IMC wrote: > >My secondary comment is that PKIX really shouldn't be in the business of > >specifying altName formats and semantics at all. The definition of what > >constitutes a valid email address, DNS name, IP address, and so forth, has no > >place in a PKIX RFC. The same goes for name-matching rules: it's not up to > >PKIX to define these. It's a loser's game, where PKIX will have to be > >maintained indefinitely in order to keep up with the evolving Internet. > > Agree. The current version of RFC2459 serves two purposes : defining the format of the certificate and defining some "best practices" for implementations of what everyone must be able to support. This best practices are needed, an ASN1 based format has just too many possibilities. > >If an Internet group wants to be compatible with PKIX, it should be up to > >them to define a PKIX sub-profile on what it means to conform to their stuff. And this would be a big problem because there would several different PKIX sub-profiles. If the standard of PKIX defines both the format and the best practices, that means it must be able to evolve easily to adapt to new practices. Or there must be two separate documents for each of theses aspects. Now if the RFC2459 wasn't so strict about the email format, url format, etc... this would be a good thing. The format of GeneralName is : GeneralName ::= CHOICE { otherName [0] INSTANCE OF OTHER-NAME, rfc822Name [1] IA5String, dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6] IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER } As these are implicits tags, this is closed to evolutions in the format of the data, it is not possible to modify the standard to allow rfc822Name to be a CHOICE between UTF8strings, and IA5String, as could be done with explicit tags. It seems we need to create something like : rfcSonOf822Name [9] UTF8strings, The same applies to dNSName, and uniformResourceIdentifier. It seems to me using a CHOICE format similar to DirectoryString for rfc822Name, dNSName, uniformResourceIdentifier, and a recommendation to use IA5String in the current state of things would have been a better solution. Received: from rmx470-mta.mail.com (rmx470-mta.mail.com [165.251.48.48]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA21629 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 00:42:14 -0700 (PDT) Received: from web302-mc.mail.com (web302-mc.mail.com [165.251.48.163]) by rmx470-mta.mail.com (8.9.3/8.9.3) with SMTP id DAA20783 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 03:43:33 -0400 (EDT) Message-ID: <386417174.962783012657.JavaMail.root@web302-mc.mail.com> Date: Wed, 5 Jul 2000 03:43:32 -0400 (EDT) From: Pedrabissi Raffaele <pedra@europe.com> To: ietf-pkix@imc.org Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: mail.com X-Originating-IP: 212.177.60.6 Good morning, I`m Raffaele Pedrabissi, a student of Politecnico of Milano (ITALY-EUROPE) and I`m doing a stage in Alcatel of Vimercate (Milano-ITALY). I write You because I had read the RFC 2459 for the electronic certicates. Now I have a little problem: I`m searching a program in C language that creates an electronic certificate and one that notices the same certificate. Thank You for Your time. Pedrabissi Raffaele. ______________________________________________ FREE Personalized Email at Mail.com Sign up at http://www.mail.com/?sr=signup Received: from d12lmsgate.de.ibm.com (d12lmsgate.de.ibm.com [195.212.91.199]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id XAA19929 for <ietf-pkix@imc.org>; Tue, 4 Jul 2000 23:40:09 -0700 (PDT) From: amir.herzberg@il.ibm.com Received: from d12relay01.de.ibm.com (d12relay01.de.ibm.com [9.165.215.22]) by d12lmsgate.de.ibm.com (1.0.0) with ESMTP id IAA219202 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 08:40:20 +0200 Received: from d12mta05.de.ibm.com (d12mta05_cs0 [9.165.222.239]) by d12relay01.de.ibm.com (8.8.8m3/NCO v2.07) with SMTP id IAA200272 for <ietf-pkix@imc.org>; Wed, 5 Jul 2000 08:40:44 +0200 Received: by d12mta05.de.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id C1256913.0024AE73 ; Wed, 5 Jul 2000 08:40:39 +0200 X-Lotus-FromDomain: IBMIL@IBMDE To: "Doug M Williscroft" <doug.williscroft@moh.hnet.bc.ca> cc: ietf-pkix@imc.org Message-ID: <C1256913.0024AD0A.00@d12mta05.de.ibm.com> Date: Wed, 5 Jul 2000 09:43:07 +0300 Subject: Re: Trading Partner Web Certificates Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Doug, your design below requires distribution of the private key of the trading partner to each of its employees allowed to access your site. This clearly creates significant exposure to this key. What are the reasons for taking this risk, rather than having the trading partner (or you) issue certificates to each employee of the business partner allowed to access your site? If the problem is the need to manage a potentially complex policy for deciding which users can access your site (using which certificates)... this can be easily achieved using e.g. our Trust Establishment system (download from our site http://www.hrl.il.ibm.com). Best Regards, Amir Herzberg IBM Research Lab in Haifa (Tel Aviv Office) http://www.hrl.il.ibm.com "Doug M Williscroft" <doug.williscroft@moh.hnet.bc.ca> on 06/23/2000 09:30:21 PM Please respond to "Doug M Williscroft" <doug.williscroft@moh.hnet.bc.ca> To: ietf-pkix@imc.org cc: (bcc: Amir Herzberg/Haifa/IBM) Subject: Trading Partner Web Certificates This note is to elicit feedback on a PKI model that my organization has implemented for web delivery/collection of information. We call it the "trading partner certificate" model. The trading partner certificate model does not attempt to provide the full benefits of the grand PKI vision but limits itself to browser-based extranets. The solution we have adopted is rather simple but - due to limitations of existing technology - not especially elegant. Even so, we believe it to provide significant authentication benefit at at significantly lower cost than other alternatives. At the end of this note I describe a desirable new function for certificate management (at the browser and/or OS) that would provide broad benefit for extranet applications under this model. I believe this additional functionality would be relatively easy to develop, and would quite possibly find a large market. Our model: 1) Establish a trading agreement with an organization through standard business processes which include contractual definition of obligaitions. 2) Issue a trading partner certificate to the organization. (In our current case the certificates are "anonymous"; they make no statement about the trading partner. This is not a necessary component of the model. Neither is it necessary that we be the certificate issuer.) 3) The trading partner installs the certificate and private key on all browsers that will be used to access our services. (Most of our trading partners use the IE5 browser which allows the private key to be flagged as "not exportable" from the computer - a highly desirable feature in our from our perspective.) 4) The trading partner registers its users in our extranet directory - and assumes responsibility for managing those users - including assignment of access permissions within the bounds of the trading partner agreement. (At this point user administration requires some intervention on our part - we anticipate fully externalized user management in the future.) 5) Users connecting to our web servers are challenged (via SSL) to provide a client certificate. 6) Users presenting a valid trading partner certificate are challenged for UserID and Password. 7) Users presenting a valid password and the correct trading partner certificate for that user's organization are granted access to the appropriate services. To impersonate a user an attacker must gain direct access to a computer in the trading partner organization, and gain knowledge of a valid userID and password pair. We see this 2-factor mechanism as offering protection against password discovery (by attackers external to the trading partner organization), and against man-in-the-middle attacks based on URL hijacking or DNS poisoning. Desirable new certificate management functionality: It would be helpful to our trading partners if certificates/private keys could be centrally distributed en-masse to all computers/user profiles in a trading partner organization. Currently, our trading partners must manually install the private key to each user login account that will use our services - a tedious activity. This task must be repeated prior to certificate expiry. Fortunately our trading partners are willing to accept this administrative burden because they consider the services we offer sufficiently valuable. Comments? -- Doug Williscroft HealthNet/BC Architecture and Standards Branch Ministry of Health Information Management Group Telephone: (250) 952-2497 _______________________________________________ Received: from [165.227.249.13] (ip13.proper.com [165.227.249.13]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA25304; Tue, 4 Jul 2000 11:56:21 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p04320424b587e3244ec9@[165.227.249.13]> In-Reply-To: <396230D8.51256A64@xcert.com> References: <p0432040eb586e5039935@[165.227.249.13]> <396230D8.51256A64@xcert.com> Date: Tue, 4 Jul 2000 11:57:37 -0700 To: Marc Branchaud <marcnarc@xcert.com>, ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: RFC 2459 and internationalized domain names Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 11:45 AM -0700 7/4/00, Marc Branchaud wrote: >My main comment is that PKIX would be unwise to try to anticipate how other >protocols might evolve. PKIX should really wait until the IDN, email, or any >other group, figures out what they're going to do before making any changes >in a PKIX RFC. Agree. >My secondary comment is that PKIX really shouldn't be in the business of >specifying altName formats and semantics at all. The definition of what >constitutes a valid email address, DNS name, IP address, and so forth, has no >place in a PKIX RFC. The same goes for name-matching rules: it's not up to >PKIX to define these. It's a loser's game, where PKIX will have to be >maintained indefinitely in order to keep up with the evolving Internet. Agree. >What PKIX should do is provide generic space for altNames in PKIX certs and >protocols, but leave the definition and handling of these to other groups. Agree. >If an Internet group wants to be compatible with PKIX, it should be up to >them to define a PKIX sub-profile on what it means to conform to their stuff. The problem with this is, as you point out below, that PKIX already *does* describe what a domain name is, what an email address is, and so on. If any the standards for these evolves (and we can expect they will), one of two situations arises: - PKIX has to be revised to change with the standard. - PKIX prevents users from identifying themselves using the revised standard. >PKIX hasn't gone this way in the past though, despite these arguments, so I >doubt it'll change now. Agree. --Paul Hoffman, Director --Internet Mail Consortium Received: from crack.x509.com (root@crack.x509.com [199.175.150.1]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA24941 for <ietf-pkix@imc.org>; Tue, 4 Jul 2000 11:43:27 -0700 (PDT) Received: from xcert.com (saxifrage.x509.com [199.175.148.75]) by crack.x509.com (8.10.0/XCERT) with ESMTP id e64IihI22140 for <ietf-pkix@imc.org>; Tue, 4 Jul 2000 11:44:44 -0700 (PDT) Sender: marcnarc@crack.x509.com Message-ID: <396230D8.51256A64@xcert.com> Date: Tue, 04 Jul 2000 11:45:44 -0700 From: Marc Branchaud <marcnarc@xcert.com> Organization: Xcert International Inc. X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.10 i686) X-Accept-Language: en, fr MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: RFC 2459 and internationalized domain names References: <p0432040eb586e5039935@[165.227.249.13]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi Paul... My main comment is that PKIX would be unwise to try to anticipate how other protocols might evolve. PKIX should really wait until the IDN, email, or any other group, figures out what they're going to do before making any changes in a PKIX RFC. My secondary comment is that PKIX really shouldn't be in the business of specifying altName formats and semantics at all. The definition of what constitutes a valid email address, DNS name, IP address, and so forth, has no place in a PKIX RFC. The same goes for name-matching rules: it's not up to PKIX to define these. It's a loser's game, where PKIX will have to be maintained indefinitely in order to keep up with the evolving Internet. What PKIX should do is provide generic space for altNames in PKIX certs and protocols, but leave the definition and handling of these to other groups. If an Internet group wants to be compatible with PKIX, it should be up to them to define a PKIX sub-profile on what it means to conform to their stuff. PKIX hasn't gone this way in the past though, despite these arguments, so I doubt it'll change now. Marc +------------------------------------------------------------------------+ Marc Branchaud \/ Chief PKI Architect /\CERT INTERNATIONAL INC. marcnarc@xcert.com PKI References page: www.xcert.com 604-640-6227 www.xcert.com/~marcnarc/PKI/ +------------------------------------------------------------------------+ Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA22435 for <ietf-pkix@imc.org>; Tue, 4 Jul 2000 09:16:49 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id SAA17680 for <ietf-pkix@imc.org>; Tue, 4 Jul 2000 18:17:33 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Tue, 4 Jul 2000 18:17:33 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id SAA19044 for <ietf-pkix@imc.org>; Tue, 4 Jul 2000 18:17:32 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id SAA19428 for ietf-pkix@imc.org; Tue, 4 Jul 2000 18:17:32 +0200 (MET DST) Date: Tue, 4 Jul 2000 18:17:32 +0200 (MET DST) Message-Id: <200007041617.SAA19428@emeriau.edelweb.fr> To: ietf-pkix@imc.org Subject: RE: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt : SIA Some time ago I had asked about the status of the Subject information Access extension mentioned in the actual time stamping draft as being or to be defined in son of RFC2459. It would be nice to hear some more details about that from let's say one of the editors of the documents mentioned. Thanks in advance Peter Sylvester Received: from mailout02.sul.t-online.com (mailout02.sul.t-online.com [194.25.134.17]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA21927 for <ietf-pkix@imc.org>; Tue, 4 Jul 2000 08:55:13 -0700 (PDT) From: ralf.wieler@t-online.de Received: from fwd01.sul.t-online.com by mailout02.sul.t-online.com with smtp id 139V3a-0003bo-05; Tue, 4 Jul 2000 17:56:18 +0200 Received: from webmail.t-online.de (340036226028-0001@[194.25.134.114]) by fwd01.sul.t-online.com with smtp id 139V3V-0HBHSyC; Tue, 4 Jul 2000 17:56:13 +0200 Date: 04 Jul 2000 15:56 GMT Subject: kein Betreff To: ietf-pkix@imc.org X-Mailer: T-Online WebMail 0.99 MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Message-ID: <139V3V-0HBHSyC@fwd01.sul.t-online.com> X-Sender: 340036226028-0001@t-dialin.net Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id IAA21928 unsubscribe Received: from [165.227.249.13] (ip13.proper.com [165.227.249.13]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id TAA05684 for <ietf-pkix@imc.org>; Mon, 3 Jul 2000 19:08:49 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org (Unverified) Message-Id: <p0432040eb586e5039935@[165.227.249.13]> Date: Mon, 3 Jul 2000 19:10:01 -0700 To: ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: RFC 2459 and internationalized domain names Content-Type: text/plain; charset="us-ascii" ; format="flowed" Greetings again. There is active work in the IETF to allow non-ASCII characters in doamin names. This is being considered in the IDN Working Group (see <http://www.ietf.org/html.charters/idn-charter.html> for the WG charter). There is a strong desire for these names in many parts of the world. If the wire format for the new domain names includes non-ASCII characters (which seems likely to me), then we probably should change 2459 to handle these new names. Fortunately, son-of-2459 is still not finished. Please note that: - The IDN WG may not come up with a protocol - The protocol may be ASCII-only, using an encoding scheme that maps to the current rules for domain names - If there is a binary protocol, it is likely (but not definitely) going to be UTF-8 Given that, it might be wise of us to either change how domain names are represented 2459 or to put warnings into the text about this in son-of-2459. It is likely that son-of-2459 will be finished well before the IDN WG is finished. Oh, and if the IDN WG creates a binary protocol, there will be a strong demand for changes to the email protocols to handle binary domain names in headers. There will also be a strong demand for binary on the left-hand side of the addr-spec. We may wan to consider these as well. Thoughts? --Paul Hoffman, Director --Internet Mail Consortium Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id JAA23335 for <ietf-pkix@imc.org>; Mon, 3 Jul 2000 09:09:02 -0700 (PDT) Received: by balinese.baltimore.ie; id RAA10553; Mon, 3 Jul 2000 17:10:12 +0100 (GMT/IST) Received: from bobcat.baltimore.ie(192.168.20.10) by balinese.baltimore.ie via smap (V4.2) id xma010537; Mon, 3 Jul 00 17:09:54 +0100 Received: from baltimore.ie (lease212-21.baltimore.ie [192.168.21.212]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id RAA32581; Mon, 3 Jul 2000 17:09:53 +0100 Message-ID: <3960BAD3.7065EF13@baltimore.ie> Date: Mon, 03 Jul 2000 17:09:55 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: pkix <ietf-pkix@imc.org> CC: xme <stephen.farrell@baltimore.ie>, "Magnus =?iso-8859-1?Q?Nystr=F6m?=" <magnus@rsasecurity.com> Subject: roaming credentials (sacred) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi All, I put up a slide in Adelaide about roaming credentials and it looks like we're on for a BOF in Pittsburgh (date TBD). The strawman charter/BOF description is attached. So, if you're interested then subscribe to the list and let's see how much progress we can make prior to Pittsburgh. Paul Hoffman has kindly agreed to host the mailing list which he'll open for postings in a day or two, as soon as subscribing is seen to be working without problems, (but you can subscribe right now). Paul's also hosting the web site at: http://www.imc.org/ietf-sacred If you have any questions in the meantime, feel free to mail Magnus and/or me directly. Regards, Stephen. -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 647 7406 61 Fitzwilliam Lane, fax: +353 1 647 7499 Dublin 2. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Strawman charter for Securely Available Credentials (sacred) WG: ================================================================ Working Group name: Securely Available Credentials (sacred) Chairs (suggested): Stephen Farrell, Baltimore Technologies <stephen.farrell@baltimore.ie>, and Magnus Nystrom, RSA Security Inc. <magnus@rsasecurity.com> Area: Security Area Directors: Jeffrey Schiller <jis@mit.edu> Marcus Leech <mleech@nortelnetworks.com> Resp. Area Director: TBD Mailing list: ietf-sacred@imc.org Web Site: http://www.imc.org/ietf-sacred/ Descr. of WG: A nice feature of smart-card based PKIs, in addition to the security offered by the cards themselves, is the "free-seating solution," or the portability of user's credentials. In order to provide a similar solution or service to environments where security is based on pure software implementations or so-called "soft tokens" (a.k.a. "virtual smart cards," software files containing information normally stored on smart cards) some kind of credential store from which users can download their soft-tokens, using some specified protocol is required. This protocol will provide mobility for credentials. Such a protocol and specified data format might also allow an individual user to have the same set of credentials on, e.g., her mobile phone as in her desktop. Adding an upload protocol to the solution means that it in principle would be possible to always have the credential store up-to-date. Even in some cases where real smart cards are used, there may be some benefit to using such a protocol - e.g. when a new card is received, but "old" credentials should be used. If the cards offered the appropriate install and delete interfaces, then the credentials could be (securely) moved between cards. Many desktop applications also require mobility of credentials, for example to support some "kiosk" style operation, when a user upgrades a PC, or when "hot-desking". It is sometimes required to integrate such credential mobility with single-sign-on solutions. A protocol that could be used in the smart card case, can also be used to solve this case. Finally, some applications may benefit from the ability to migrate credentials from a device to a smart card, in particular where the smart card using device has limited user interface capabililies, e.g. a mobile phone. Security is at a premium for this working group; only authorized entities should be allowed to download credentials, credentials must be protected against eavesdropping and cut & paste attacks; attackers must not be able to succesfully replace an entities credentials at a credential serer; etc. Availability is also at a premium, a credential server must be reachable from many different types of client with different characteristics in terms of processing power, storage and network connectivity. The purpose of this working group is therefore to gather requirements for a solution beneficial to the Internet community, establish a framework for such a solution, and to develop or adopt the required protocols and credential formats. Goals & Milestone: (The timeline assumes that the WG is approved just after Pittsburgh.) Oct 00 Submit first draft of Requirements document Nov 00 Submit first draft of Frameworks document Dec 00 Submit second draft of Requirements document Submit second draft of Frameworks document Submit first draft of Protocol document (incl. PDU syntax) Mar 01 Requirements document to Informational RFC Frameworks document to Informational RFC Submit second draft of Protocol document Jun 01 Protocol document to Proposed Standard Jul 01 WG recharters if appropriate Outline BOF Agenda: - agenda bashing - scene setting (some problems that might be solved) - HTTP/SASL strawman - <other proposals> - WG charter discussion Received: from fgwmail6.fujitsu.co.jp (fgwmail6.fujitsu.co.jp [192.51.44.36]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id WAA04535 for <ietf-pkix@imc.org>; Sun, 2 Jul 2000 22:31:38 -0700 (PDT) Received: from m4.gw.fujitsu.co.jp by fgwmail6.fujitsu.co.jp (8.9.3/3.7W-MX0006-Fujitsu Gateway) id OAA27818 for <ietf-pkix@imc.org>; Mon, 3 Jul 2000 14:32:11 +0900 (JST) (envelope-from kongqy@ec.cs.fujitsu.co.jp) Received: from vishnu.ec.cs.fujitsu.co.jp by m4.gw.fujitsu.co.jp (8.9.3/3.7W-0006-Fujitsu Domain Master) id OAA18414; Mon, 3 Jul 2000 14:32:10 +0900 (JST) Received: from ec.cs.fujitsu.co.jp (cath.ec.cs.fujitsu.co.jp [10.34.199.204]) by vishnu.ec.cs.fujitsu.co.jp (8.8.5+2.7Wbeta5/3.4W5-04/12/98 EC domain mail master) with ESMTP id OAA04595 for <ietf-pkix@imc.org>; Mon, 3 Jul 2000 14:32:10 +0900 (JST) Message-ID: <39602555.38DE2F86@ec.cs.fujitsu.co.jp> Date: Mon, 03 Jul 2000 14:32:05 +0900 From: Kong QiuYan <kongqy@ec.cs.fujitsu.co.jp> X-Mailer: Mozilla 4.7 [ja] (WinNT; U) X-Accept-Language: ja MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: certificate chain validation(policy extension) References: <395C5506.D233574B@ec.cs.fujitsu.co.jp> <39601809.B5F927D2@kisa.or.kr> Content-Type: text/plain; charset=iso-2022-jp Content-Transfer-Encoding: 7bit Thank you very much for the reply. I agree with you. It depends on the policy constraints extension. However, I think that the process of (e)(f) is to keep the certificate policy's consistency in certificate chain. If the SkipCerts is greater than zero, and the policy extension is null, how can we explain it(in this case the Cert chain will be valid)? Thanks in advance. KwonSung Chung wrote: > > I think it is depend on policy constraints extension. > > If requireExplicitPolicy sub-field of the Root certificate > has 0 as value of SkipCerts, the certificate chain is invalid because > the policy checking about CA certificate must be processed. > > But, in the case of positive integer(greater then zero), the certificate chain is > valid ( if other extension is valid). > > ------------------ > KwonSung Chung > KISA > kschung@kisa.or.kr > ------------------ > > Kong QiuYan wrote: > > > Suppose I have a certificate chain consisting of a Root, a CA and a User > > certificate. > > > > The policy extension in the Root certificate contains one oid of 1.1.1(critical) > > The policy extension in the CA certificate does not exist. > > The policy extension in the User certificate contains one oid of 1.1.1(critical) > > > > Assuming all other data is valid, is this a valid certificate chain? > > > > It appears to me that the algorithm defined in RFC2459 would determine that > > this certificate path is valid. > > > > ----------- > > RFC2459 6.1 says: > > > > (e) Verify that policy information is consistent with the > > acceptable policy set: > > > > (1) if the certificate policies extension is marked critical, > > the intersection of the policies extension and the acceptable > > policy set shall be non-null; > > > > (2) the acceptable policy set is assigned the resulting > > intersection as its new value. > > > > (g) Verify that the intersection of the acceptable policy set and > > the initial policy set is non-null. > > --------- > > > > Personally, I think that all of the certificates in a valid path must have > > policy extension(critical or non-critical). Am I wrong? > > > > QiuYan Kong, > > Fujitsu Ltd -- ------------------------------------------------- Kong QiuYan FUJITSU LIMITED EMail: kongqy@ec.cs.fujitsu.co.jp TEL: +81-45-473-3707 Received: from mtiwmhc27.worldnet.att.net (mtiwmhc27.worldnet.att.net [204.127.131.52]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id UAA00107 for <ietf-pkix@imc.org>; Sun, 2 Jul 2000 20:40:04 -0700 (PDT) Received: from client20 ([129.37.81.139]) by mtiwmhc27.worldnet.att.net (InterMail vM.4.01.02.39 201-229-119-122) with SMTP id <20000703034020.BLYG2120.mtiwmhc27.worldnet.att.net@client20> for <ietf-pkix@imc.org>; Mon, 3 Jul 2000 03:40:20 +0000 Message-ID: <003b01bfe49f$41f6f5a0$0b0a0a0a@client20> From: "Norm McLeod" <normcleod@pobox.com> To: "PKIX Mailing List" <ietf-pkix@imc.org> Subject: Senate Bill 671 Date: Sun, 2 Jul 2000 22:31:54 -0500 MIME-Version: 1.0 Content-Type: multipart/signed; boundary="----=_NextPart_000_0035_01BFE475.541608E0"; protocol="application/x-pkcs7-signature"; micalg=SHA1 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 Disposition-Notification-To: "Norm McLeod" <normcleod@pobox.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 This is a multi-part message in MIME format. ------=_NextPart_000_0035_01BFE475.541608E0 Content-Type: multipart/alternative; boundary="----=_NextPart_001_0036_01BFE475.541608E0" ------=_NextPart_001_0036_01BFE475.541608E0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Gentleman (& Ladies): I have been watching and reading this list for a couple of months (not = that I have a clue to most of the subject matter), I try to keep up = anyway. I have been interested in Public Key Encryption for a while now though. = Not for some esoteric reason, but pure greed. I think somebody's gonna = make a lot of money off of this technology, and I want some. For the big one: Does anybody have any opinions about Senate Bill 671, signed into law = last Friday??? Digitally Signed Message ASSURING you this message is from: Norman McLeod NEW: With the force of law, nationwide (US): http://www.whitehouse.gov/WH/New/html/20000630.html Public Encryption Key included With THIS Message ------=_NextPart_001_0036_01BFE475.541608E0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.3018.900" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2>Gentleman (& = Ladies):<BR></FONT></DIV> <DIV><FONT face=3DArial size=3D2>I have been watching and reading this = list for a=20 couple of months (not that I have a clue to most of the subject matter), = I try=20 to keep up anyway.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>I have been interested in Public Key = Encryption for=20 a while now though. Not for some esoteric reason, but pure greed. I = think=20 somebody's gonna make a lot of money off of this technology, and I want=20 some.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>For the big one:</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>Does anybody have any opinions about = Senate Bill=20 671, signed into law last Friday???</DIV></FONT> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><BR>Digitally Signed = Message<BR>ASSURING you this=20 message is=20 from:<BR> &nbs= p;  = ; =20 Norman McLeod</FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2>NEW: With the force of law, nationwide = (US):<BR><A=20 href=3D"http://www.whitehouse.gov/WH/New/html/20000630.html">http://www.w= hitehouse.gov/WH/New/html/20000630.html</A></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2>Public Encryption Key included With = THIS=20 Message</FONT></DIV></BODY></HTML> ------=_NextPart_001_0036_01BFE475.541608E0-- ------=_NextPart_000_0035_01BFE475.541608E0 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJCTCCArww ggIloAMCAQICAwKbIzANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdl c3Rlcm4gQ2FwZTEUMBIGA1UEBxMLRHVyYmFudmlsbGUxDzANBgNVBAoTBlRoYXd0ZTEdMBsGA1UE CxMUQ2VydGlmaWNhdGUgU2VydmljZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVtYWlsIFJTQSAx OTk5LjkuMTYwHhcNMDAwNTE5MDcxNDI1WhcNMDEwNTE5MDcxNDI1WjBeMQ8wDQYDVQQEEwZNY0xl b2QxDzANBgNVBCoTBk5vcm1hbjEWMBQGA1UEAxMNTm9ybWFuIE1jTGVvZDEiMCAGCSqGSIb3DQEJ ARYTbm9ybWNsZW9kQHBvYm94LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuuqw4TY7 xlXa7mMixYaR7boDIbbLUcGJYWVKJ2WDCBRnuhEbKkBhVln32TJBd8rsc7g0mfawSgaxc44b42V4 BBiOeYkrn2dkOy5OyR7nGcaDjGcvRVu4LkAccc7dZcGlM8tbIdSkn1AWjp0ZJjJNG46Sq+PrPLvu PBa2UodqUr0CAwEAAaNRME8wHgYDVR0RBBcwFYETbm9ybWNsZW9kQHBvYm94LmNvbTAMBgNVHRMB Af8EAjAAMB8GA1UdIwQYMBaAFIir8WCDZlX05FjHRh3AYb0j18OMMA0GCSqGSIb3DQEBBAUAA4GB AKOdz9bRSxCxw8mdA4yl+50u4qqesn1fmGyujeR9x25mFabyBemkCwwEeNz8hmZ1tYbTtN/hmKug ATd6nBsIRUsB5yTkDkowHgO+9WQrgkP3iHdIy4JdOomMmkc51hU6gIDH1SXEGMRm0RshCVRQbryi C+v8pvjLtgQaCCUdxucBMIIDFDCCAn2gAwIBAgIBCzANBgkqhkiG9w0BAQQFADCB0TELMAkGA1UE BhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQK ExFUaGF3dGUgQ29uc3VsdGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZp c2lvbjEkMCIGA1UEAxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkB FhxwZXJzb25hbC1mcmVlbWFpbEB0aGF3dGUuY29tMB4XDTk5MDkxNjE0MDE0MFoXDTAxMDkxNTE0 MDE0MFowgZQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxFDASBgNVBAcTC0R1 cmJhbnZpbGxlMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2Vz MSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMTk5OS45LjE2MIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCzaVqX1NAWC3q1xV3pIZwjcs0STEv3fs/H+8pyJPRCUqxXleN7YXoXhOf9 cjk4lLTq7WWnkgZeveBl9hm7lHl2TD65aHB1hBz0EXQAvAUsTwkDFzHM9EHUcsamXeKIRLCLLsRN 8fDWhT5s85WUeJF+QOmc0Y0VV47Cc+Uw3kb1TwIDAQABozcwNTASBgNVHRMBAf8ECDAGAQH/AgEA MB8GA1UdIwQYMBaAFHJJwnM0xlX0C3ZygX539IfnxrIOMA0GCSqGSIb3DQEBBAUAA4GBAGvGWekx +um27LED2N9ycv6RYEjqxlXde/BnjsZhcOdtwqU32J23FyhWBYvdXHVvxpGQxmxmcRPQEHxrkW+G 4CE2LcHX6rIJrc8tbcaDUpv7u/6ch538t+l0kuRcl678fqzKDW9yemcsa3P1hvmd9QBu9B0Hzp2e gmMp75MJflXeMIIDLTCCApagAwIBAgIBADANBgkqhkiG9w0BAQQFADCB0TELMAkGA1UEBhMCWkEx FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQKExFUaGF3 dGUgQ29uc3VsdGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEk MCIGA1UEAxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkBFhxwZXJz b25hbC1mcmVlbWFpbEB0aGF3dGUuY29tMB4XDTk2MDEwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVow gdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93 bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy dmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkG CSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEA1GnX1LCUZFtx6UfYDFG26nKRsIRefS0Nj3sS34UldSh0OkIsYyeflXtL734Z hx2G6qPduc6WZBrCFG5ErHzmj+hND3EfQDimAKOHePb5lIZererAXnbr2RSjXW56fAylS1V/Bhkp f56aJtVquzgkCGqYx7Hao5iR/Xnb5VrEHLkCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkq hkiG9w0BAQQFAAOBgQDH7JJ+Tvj1lqVnYiqk8E0RYNBvjWBYYawmu1I1XAjPMPuoSpaKH2JCI4wX D/S6ZJwXrEcp352YXtJsYHFcoqzceePnbgBHH7UNKOgCneSa/RP0ptl8sfjcXyMmCZGAc9AUG95D qYMl8uacLxXK/qarigd1iwzdUYRr5PjRzneigTGCAgAwggH8AgEBMIGcMIGUMQswCQYDVQQGEwJa QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJiYW52aWxsZTEPMA0GA1UEChMG VGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwg RnJlZW1haWwgUlNBIDE5OTkuOS4xNgIDApsjMAkGBSsOAwIaBQCggbowGAYJKoZIhvcNAQkDMQsG CSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDAwNzAzMDMzMTU0WjAjBgkqhkiG9w0BCQQxFgQU Oil/9QDB0oCv/izMQHjrFCE61eIwWwYJKoZIhvcNAQkPMU4wTDAOBggqhkiG9w0DAgICAIAwCgYI KoZIhvcNAwcwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwBwYFKw4DAh0w DQYJKoZIhvcNAQEBBQAEgYC1w7tAbGoB/JcO9sGJvhRf9ogTTxXWYlkbnEQWUksvQkAfGzS8pckg Nt8h3cCaHxI6Wn44cXqecLunCODcnNmPtYd1bhzToVjZeU90NFeUCi5kCIjX5c+MOyJbLB9PIrgq Qyph7Vlb0M5dz7gYqM574mPvr3xMsXtp9iljdcbaWAAAAAAAAA== ------=_NextPart_000_0035_01BFE475.541608E0-- Received: from stargate.zergo.com.au (IDENT:root@stargate.zergo.com.au [203.2.208.130]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA21245 for <ietf-pkix@imc.org>; Sun, 2 Jul 2000 18:34:01 -0700 (PDT) Received: from sydneymail1.baltimore.com.au (sydneymail1.jp.zergo.com.au [192.168.71.5]) by stargate.zergo.com.au (8.9.1/8.8.7) with ESMTP id LAA04011; Mon, 3 Jul 2000 11:40:37 +1000 Received: by sydneymail1.jp.zergo.com.au with Internet Mail Service (5.5.2448.0) id <N62M071Y>; Mon, 3 Jul 2000 11:34:07 +1000 Message-ID: <D44EACB40164D311BEF00090274EDCCA81F016@sydneymail1.jp.zergo.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com> To: Stephen Kent <kent@bbn.com> Cc: "'PKIX'" <ietf-pkix@imc.org> Subject: RE: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt. HASH Date: Mon, 3 Jul 2000 11:34:06 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01BFE48E.C728EBE0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01BFE48E.C728EBE0 Content-Type: text/plain; charset="iso-8859-1" Stephen, > > I may have lost track of the counter argument here. Why would one > not want to have a TSA do the best possible job when it comes to > ensuring syntactic consistency re its inputs? A few of us are being concerned that forcing the TSA to 'know' the hash oid and to perform the sanity check is an unnecessary requirement, causing more evil than good. Instead of reiterrating our position, I've attached a few messages from the thread which summarize the views. Regards Michael ------_=_NextPart_000_01BFE48E.C728EBE0 Content-Type: message/rfc822 Content-Description: Re: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt. HASH Message-ID: <395017E5.59EF334D@netscape.com> From: thayes@netscape.com To: Michael Zolotarev <mzolotarev@baltimore.com> Cc: Paul Koning <pkoning@xedia.com>, ietf-pkix@imc.org, Denis.Pinkas@bull.net Subject: Re: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt. HASH Date: Wed, 21 Jun 2000 11:18:29 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" I agree as well. There is no need for the TSA to check anything about the imprint. This requirement should be removed from the draft. Terry Hayes thayes@netscape.com Michael Zolotarev wrote: > > If I were to generate my imprint with hash algorithm FRED that has a > > 37 byte digest, does it matter to the TSA? No, it does not. So why > > are we saying that the TSA needs to know the OID for FRED, and the > > associated digest length? > > > > The spec says that it's done to consistency-check the length of the > > imprint. Sure, but to what end? If I send a digest generated by FRED > > but truncate it to 31 bytes, what purpose is served by the TSA saying > > "naughty boy you threw away 6 bytes"? I may in fact have a legitimate > > reason for doing this -- just as IPsec has a legitimate reason for > > throwing away some of the hash bytes in the HMAC construct. If it > > actually mattered to the TSA algorithms, that would be one thing. But > > since the only purpose of the check is to do the check, let's get rid > > of it, simplify the spec, make the TSA implementations more reliable, > > and eliminate the need to ECO the spec every time a new hash appears. > > > > paul > > I agree (expecting a public outcry here :). I always felt pretty > uncomfortable with the TSA having to recognise the hash OID and checking the > length. And on top of if, this would now allow a client tp send a NO-HASH > imprint, a clear text, if they want to. > > Michael > > ------_=_NextPart_000_01BFE48E.C728EBE0 Content-Type: message/rfc822 Content-Description: RE: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt. HASH Message-ID: <14671.34826.394447.525886@xedia.com> From: Paul Koning <pkoning@xedia.com> To: Michael Zolotarev <mzolotarev@baltimore.com> Cc: ietf-pkix@imc.org, Denis.Pinkas@bull.net Subject: RE: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt. HASH Date: Wed, 21 Jun 2000 01:04:42 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" >>>>> "Michael" == Michael Zolotarev <mzolotarev@baltimore.com> writes: Michael> Folks, Haven't we already had a discussion about hash Michael> algorithm for messageImprint? Michael> I believe that the consensus was (and it is 100% reflected Michael> in the current draft) to allow a user to use whatever digest Michael> he/she wants. It is NOT a TSA concern if a user used 'weak' Michael> hash. The TSA does not inspect, modify, store or analyse the Michael> content of messageImprint - it only checks that the length Michael> of the hash corresponds to the hash algorithm. If so, then Michael> why should the draft imply any limitations on type of digest Michael> algorithms, except saying that they must be known? Michael> The position of the draft is, if I interpret it correctly: Michael> 1) The TSA does not care about hash algorithm used in Michael> messageImprint. But the algorithm must be known, to allow Michael> TSA to sanity-check the length of digested data. 2) The Michael> user is ADVICED to use strong hash, such as SHA-1 or MD5. Michael> This position of the draft with regards to hash is general, Michael> and provides enough space to grow, instead of being Michael> unnecessary restrictive. Can we leave it in peace :)? Can we remove this unnecessary restrictions instead? A rule of thumb of protocol design is that requirements are put in because they are necessary for interoperability. In the case we have here, that rule of thumb doesn't apply. If I were to generate my imprint with hash algorithm FRED that has a 37 byte digest, does it matter to the TSA? No, it does not. So why are we saying that the TSA needs to know the OID for FRED, and the associated digest length? The spec says that it's done to consistency-check the length of the imprint. Sure, but to what end? If I send a digest generated by FRED but truncate it to 31 bytes, what purpose is served by the TSA saying "naughty boy you threw away 6 bytes"? I may in fact have a legitimate reason for doing this -- just as IPsec has a legitimate reason for throwing away some of the hash bytes in the HMAC construct. If it actually mattered to the TSA algorithms, that would be one thing. But since the only purpose of the check is to do the check, let's get rid of it, simplify the spec, make the TSA implementations more reliable, and eliminate the need to ECO the spec every time a new hash appears. paul ------_=_NextPart_000_01BFE48E.C728EBE0 Content-Type: message/rfc822 Content-Description: RE: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt. HASH Message-ID: <D44EACB40164D311BEF00090274EDCCA7A9F07@sydneymail1.jp.zergo.com.au> From: Michael Zolotarev <mzolotarev@baltimore.com> To: ietf-pkix@imc.org Cc: Denis.Pinkas@bull.net Subject: RE: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt. HASH Date: Tue, 20 Jun 2000 13:21:12 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Content-Type: text/plain; charset="iso-8859-1" Folks, Haven't we already had a discussion about hash algorithm for messageImprint? I believe that the consensus was (and it is 100% reflected in the current draft) to allow a user to use whatever digest he/she wants. It is NOT a TSA concern if a user used 'weak' hash. The TSA does not inspect, modify, store or analyse the content of messageImprint - it only checks that the length of the hash corresponds to the hash algorithm. If so, then why should the draft imply any limitations on type of digest algorithms, except saying that they must be known? The position of the draft is, if I interpret it correctly: 1) The TSA does not care about hash algorithm used in messageImprint. But the algorithm must be known, to allow TSA to sanity-check the length of digested data. 2) The user is ADVICED to use strong hash, such as SHA-1 or MD5. This position of the draft with regards to hash is general, and provides enough space to grow, instead of being unnecessary restrictive. Can we leave it in peace :)? Michael > -----Original Message----- > From: Paul Koning [mailto:pkoning@xedia.com] > Sent: Tuesday, June 20, 2000 1:00 AM > To: seidel@timeproof.de > Cc: FRousseau@chrysalis-its.com; Denis.Pinkas@bull.net; > ietf-pkix@imc.org > Subject: Re: I-D ACTION:draft-ietf-pkix-time-stamp-08.txt > > > >>>>> "Joerg" == Joerg Seidel <seidel@timeproof.de> writes: > > Joerg> Comments inline. > >> TSA implementations MUST support SHA-1. TSA implementations > >> SHOULD support MD5. > > Joerg> I think there are good reasons not to use MD5 in time > Joerg> stamps. They should use a strong hash function in order to > Joerg> achive long validity periods. MD5 is likely to be unsafe (=not > Joerg> collision free) soon and is already discuraged by german > Joerg> authorities. > > Joerg> IF we add a section about algorithms, it should maybe read: > Joerg> "TSA implementations MUST support SHA-1. TSA implementations > Joerg> SHOULD NOT support MD5.". But I think such a section is not > Joerg> very necessary. > > IANAC, but from what I understand the currently known attacks on MD5 > are nowhere near strong enough to justify that. > > I don't have a problem with the current text (SHA-1 required, MD5 > recommended). I do have a problem with text that implies that MD5 is > bad, because I don't know of data that supports such an assertion. > > Also, it doesn't seem like a good idea for the timestamp spec to give > very different signals from the other security specs. If there really > is good reason to say these kinds of things about MD5, let's have them > identified. (German authorities are not a good reason. Cryptanalysis > that shows weaknesses of interesting size would be.) If the issues > are real, changes to MD5 text should be applied across the board. > > paul > ------_=_NextPart_000_01BFE48E.C728EBE0-- Received: from levitator.1div0.com ([213.250.43.61]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id QAA16923 for <ietf-pkix@imc.org>; Sun, 2 Jul 2000 16:39:44 -0700 (PDT) Received: from intergalactic ([10.1.1.2]) by levitator.1div0.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with SMTP id BAA29494; Mon, 3 Jul 2000 01:27:25 +0200 Reply-To: <denis-at-globera@1div0.com> From: "denis bider" <denis.bider@1div0.com> To: "'Anders Rundgren'" <anders.rundgren@telia.com>, <ietf-pkix@imc.org> Subject: RE: W2K fakes 128-bit crypto or not? Date: Mon, 3 Jul 2000 01:41:03 +0200 Message-ID: <000101bfe47e$fc91f7a0$0201010a@intergalactic> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 In-Reply-To: <000a01bfe47e$db8e6de0$0201a8c0@mega.vincent.se> Importance: Normal Hello Anders, I have received no responses by members of this group. I guess if the rumour had any merit then at least someone ought to have heard? Or maybe not necessarily: just the other day I found sound-looking information about how id Software has built a backdoor (yes, a back door, kind of like Back Orifice) into its Quake product. Yes, Quake, the game. It's interesting how these things don't get known or talked about - for instance, the general population seems never to have heard about ECHELON. Seems that, when it comes to striking news like this, people who haven't seen the facts themselves are afraid of spreading the word, fearing that if the rumour is proven wrong, they will be considered naive dummies without credibility. I have since subscribed to sci.crypt (hurray), so I'll run this W2K rumour by them, too. I'll report if there is any response. Regards, denis -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren@telia.com] Sent: 3. julij 2000 01:40 To: denis-at-globera@denisbider.com; ietf-pkix@imc.org Subject: W2K fakes 128-bit crypto or not? Denis, no news on this alarming news of yours? Anders -----Original Message----- From: denis bider <denis.bider@globera.com> To: 'Anders Rundgren' <anders.rundgren@jaybis.com>; ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Saturday, June 17, 2000 15:43 Subject: Off-topic: crypto crippling >[I would have posted this to the sci.crypt newsgroup, but I dislike doing >that for several reasons - among them, slow message propagation, spam and >last but not the least, I do not have Usenet configured and it takes a while >to find a server that carries sci.crypt. Does anyone know of a regular >mailing list equivalent to the sci.crypt newsgroup?] > >Actually, > >I have heard a rumour that the '128-bit encryption' that Microsoft is >shipping with Windows 2000 has actually been tweaked in such a way that it >is only 128-bit when observed by a non-clued-in person, but is rather 40-bit >for the people who know how it has been designed. > >In effect, rumour therefore has it that 88 bits out of the 128 are set in >such a way that it is extremely easy to find them for someone who knows how. >The French are supposed to have found this out, and they are supposed to >have been a little bit upset because of this fact. > >I am not sure how much of this is actually the truth. The person I received >this information from might have confused this with the silent "3DES -> DES" >fallback in Windows that has been demonstrated lately. > >Can anyone confirm or deny the above rumour? > >Anyway. The bottom line is - I think people today are a little bit crazy to >use, and even buy, security software as executables without any kind of >access to the source code. It is plain stupid, and it gives the country >which supplied you with the binaries a perfect weapon for the information >wars that are due to ensue sooner or later. The world is not all roses all >the time. Remember the several-billion-dollar deal which was lost by the >European airplane manufacturer to Boeing because the USA was eavesdropping >on their conversations with the purchaser? > >Iraq, Vatican and several others have learned this lesson when they bought >black-box crypto machines from Crypto AG, only to find out that the machine >transmits the encryption key almost in plaintext along with the encrypted >message. Which, hence, was easily recoverable by folks from the NSA and from >the German intelligence agency. > >denis > > >-----Original Message----- >From: Anders Rundgren [mailto:anders.rundgren@jaybis.com] >Sent: 17. junij 2000 14:44 >To: PKIX-List >Subject: Why is Java still crypto-crippled? > > >I have since quite a while been using W2K (Bill, it IS great!) using strong >crypto >although I live in Europe. But why can't I get that for JDK? Without >special permissions. > >This is a *serious* threat to Java to be dependent on third-party tools when >the "other guy" has it all built-in! > >Anders > >Not religious about Java but likes it anyway. > > Received: from d1o69.telia.com (root@d1o69.telia.com [62.20.144.241]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id PAA16241 for <ietf-pkix@imc.org>; Sun, 2 Jul 2000 15:39:53 -0700 (PDT) Received: from mega (t3o69p83.telia.com [62.20.145.83]) by d1o69.telia.com (8.8.8/8.8.8) with SMTP id AAA07495; Mon, 3 Jul 2000 00:40:53 +0200 (CEST) Message-ID: <000a01bfe47e$db8e6de0$0201a8c0@mega.vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: <denis-at-globera@denisbider.com>, <ietf-pkix@imc.org> Subject: W2K fakes 128-bit crypto or not? Date: Mon, 3 Jul 2000 01:40:04 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MIMEOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ns.secondary.com id PAA16242 Denis, no news on this alarming news of yours? Anders -----Original Message----- From: denis bider <denis.bider@globera.com> To: 'Anders Rundgren' <anders.rundgren@jaybis.com>; ietf-pkix@imc.org <ietf-pkix@imc.org> Date: Saturday, June 17, 2000 15:43 Subject: Off-topic: crypto crippling >[I would have posted this to the sci.crypt newsgroup, but I dislike doing >that for several reasons - among them, slow message propagation, spam and >last but not the least, I do not have Usenet configured and it takes a while >to find a server that carries sci.crypt. Does anyone know of a regular >mailing list equivalent to the sci.crypt newsgroup?] > >Actually, > >I have heard a rumour that the '128-bit encryption' that Microsoft is >shipping with Windows 2000 has actually been tweaked in such a way that it >is only 128-bit when observed by a non-clued-in person, but is rather 40-bit >for the people who know how it has been designed. > >In effect, rumour therefore has it that 88 bits out of the 128 are set in >such a way that it is extremely easy to find them for someone who knows how. >The French are supposed to have found this out, and they are supposed to >have been a little bit upset because of this fact. > >I am not sure how much of this is actually the truth. The person I received >this information from might have confused this with the silent "3DES -> DES" >fallback in Windows that has been demonstrated lately. > >Can anyone confirm or deny the above rumour? > >Anyway. The bottom line is - I think people today are a little bit crazy to >use, and even buy, security software as executables without any kind of >access to the source code. It is plain stupid, and it gives the country >which supplied you with the binaries a perfect weapon for the information >wars that are due to ensue sooner or later. The world is not all roses all >the time. Remember the several-billion-dollar deal which was lost by the >European airplane manufacturer to Boeing because the USA was eavesdropping >on their conversations with the purchaser? > >Iraq, Vatican and several others have learned this lesson when they bought >black-box crypto machines from Crypto AG, only to find out that the machine >transmits the encryption key almost in plaintext along with the encrypted >message. Which, hence, was easily recoverable by folks from the NSA and from >the German intelligence agency. > >denis > > >-----Original Message----- >From: Anders Rundgren [mailto:anders.rundgren@jaybis.com] >Sent: 17. junij 2000 14:44 >To: PKIX-List >Subject: Why is Java still crypto-crippled? > > >I have since quite a while been using W2K (Bill, it IS great!) using strong >crypto >although I live in Europe. But why can't I get that for JDK? Without >special permissions. > >This is a *serious* threat to Java to be dependent on third-party tools when >the "other guy" has it all built-in! > >Anders > >Not religious about Java but likes it anyway. > > Received: from mailcity.com (fes-qout.whowhere.com [209.1.236.7]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA28706 for <ietf-pkix@imc.org>; Sat, 1 Jul 2000 06:39:43 -0700 (PDT) Received: from Unknown/Local ([?.?.?.?]) by mailcity.com; Sat Jul 1 06:40:03 2000 To: ietf-pkix@imc.org Date: Sat, 01 Jul 2000 06:40:03 -0700 From: "chandrasekaran natarajan" <chandrasekaran_n@mailcity.com> Message-ID: <LFFLPAGFAHPEBAAA@mailcity.com> Mime-Version: 1.0 X-Sent-Mail: off Reply-To: chandrasekaran_n@mailcity.com X-Mailer: MailCity Service Subject: Re: DSA & ASN.1 X-Sender-Ip: 202.144.10.93 Organization: MailCity (http://www.mailcity.lycos.com:80) Content-Type: text/plain; charset=us-ascii Content-Language: en Content-Transfer-Encoding: 7bit hello, Can anyone let me know the ASN.1 Specification for Digital Signature Algorithm. Thanks, Chandar Send FREE Greetings for Father's Day--or any day! Click here: http://www.whowhere.lycos.com/redirects/fathers_day.rdct
- Dual-signed certificates Bob Jueneman
- Re: Dual-signed certificates Peter Gutmann
- Re: Dual-signed certificates Ben Laurie
- Re: Dual-signed certificates tgindin
- RE: Dual-signed certificates Simon Tardell
- Re: Dual-signed certificates Ben Laurie
- Re: Dual-signed certificates Ben Laurie
- Re: Dual-signed certificates tgindin
- RE: Dual-signed certificates Simon Tardell
- Re: Dual-signed certificates Denis Pinkas
- Re: Dual-signed certificates Ben Laurie
- Re: Dual-signed certificates Ben Laurie
- Re: Dual-signed certificates Russ Housley
- RE: Dual-signed certificates Bob Jueneman
- RE: Dual-signed certificates Hiroyuki Sakakibara
- Re: Dual-signed certificates Denis Pinkas
- RE: Dual-signed certificates David P. Kemp
- Re: Dual-signed certificates Simon McMahon
- Re: Dual-signed certificates Bob Jueneman
- RE: Dual-signed certificates Tony Bartoletti
- RE: Dual-signed certificates Bob Jueneman
- RE: Dual-signed certificates Bob Jueneman
- RE: Dual-signed certificates Hiroyuki Sakakibara
- RE: Dual-signed certificates Hiroyuki Sakakibara