Re: question to time stamp draft: case of error

Denis Pinkas <Denis.Pinkas@bull.net> Mon, 22 January 2001 11:50 UTC

Message-ID: <3A6C1D9C.FCE0CF1E@bull.net>
Date: Mon, 22 Jan 2001 12:46:36 +0100
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull
X-Mailer: Mozilla 4.7 [fr] (Win98; I)
X-Accept-Language: fr
MIME-Version: 1.0
To: mainbug@celocom.de
CC: FRousseau@chrysalis-its.com, ietf-pkix@imc.org
Subject: Re: question to time stamp draft: case of error
References: <918C70B01822D411A87400B0D0204DFF72F5B5@panda.chrysalis-its.com> <3A64752E.75B00D83@celocom.de>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe

Bernd,

> > FRousseau@chrysalis-its.com wrote:
> >
> > Jean-Marc Desperrier (jean-marc.desperrier@certplus.com) asked a
> > similar question in December and Ari Kermaier (arik@phaos.com) wrote:
> >
> > > The PKIFailureInfo structure described in draft-ietf-pkix-rfc2510bis-02
> > > includes systemFailure(25) which, while not very descriptive, might fit the
> > > bill for hardware failure.
> >
> > Denis, will you be adding systemFailure(25) to the PKIFailureInfo in
> > the RFC version of the Time Stamping Protocol?

systemFailure(25) has been added.

> And additionally badSenderNonce(18)?
> I think if a time stamp query contains a wrong nonce, this is also a
> helpful value.

This has not been added. I do not want to raise at this time questions like:
what is a bad nonce? or how does a server know it is a bad nonce?

> BTW,
> if a signed ts query is received, it should be possible to send
> appropriate errors back like badMessageCheck(1), signerNotTrusted(20) or
> notAuthorized(23).
> Is it generally planned that the new RFC provides a signed time stamp
> query?

There is no plan for a new RFC addressing a signed time stamp query. The
architecture is transport independent. Since the proposed additional error
cases would correspond to the transport protocol, they have not been added.
A revised version, including changes to address comments from Jeff Schiller
(our security area Director) is on its way.

> The last draft-ietf-pkix-time-stamp-12.txt says nothing about this fact.
> 
> >
> > I agree with Jean-Marc and Ari that it would be very useful to add
> > this additional value to the PKIFailureInfo since the latest time
> > stamping draft currently indicates that:
> >
> > "These are the only values of PKIFailureInfo that are supported.
> > Compliant servers MUST NOT produce any other values. Compliant clients
> > MAY ignore any other values."

This text has been changed in the revised document. Wait for the summary of
all the changes that will be posted soon, to see the replacement which
addresses this concern.

Denis

> > By not adding it during the final editing of the RFC
> > version, this useful value could not ever be used to indicate this
> > type of error.
> >
> 
> with kind regards
> --
> Mors certa, hora incerta. In dubio pro mille.
> --------------------------------------------------------------------
> Bernd Matthes                   Celo Communications GmbH
> Senior Software Engineer        Weissenfelser Strasse 46a
> Nachrichtentechniker            D 06217 Merseburg
> Dipl.-Ing.(FH)                  http://www.celocom.com
>   f. technische Informatik      mailto:mainbug@celocom.de
> http://www.worldbug.de          Tel.: +49 3461/3318-0
> mailto:mainbug@worldbug.de      Fax:  +49 3461/415072
> --------------------------------------------------------------------
> "When in doubt, use brute force." (Ken Thompson)
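The thread above argues over which PKIFailureInfo named bits a time-stamp server may emit and what a client should do with a bit it does not know. The following is an added example, not code from this thread or from the draft; it encodes and decodes the failInfo BIT STRING of a TimeStampResp in DER and shows a client that keeps the values the published RFC 3161 text lists (the named-bit numbers below are taken from that RFC and from the CMP PKIFailureInfo list for the values named in the thread) while ignoring the rest, as the "Compliant clients MAY ignore any other values" sentence permits.

```python
# Added example (not part of the mailing-list thread): DER encoding and
# decoding of the PKIFailureInfo BIT STRING found in TimeStampResp.status.failInfo.
# Named-bit numbers: RFC 3161 subset plus the CMP values discussed in the thread.

TSP_FAILINFO = {          # values RFC 3161 allows a time-stamp server to emit
    0: "badAlg", 2: "badRequest", 5: "badDataFormat",
    14: "timeNotAvailable", 15: "unacceptedPolicy",
    16: "unacceptedExtension", 17: "addInfoNotAvailable",
    25: "systemFailure",
}
CMP_ONLY_FAILINFO = {     # proposed in the thread, not adopted for time stamping
    1: "badMessageCheck", 18: "badSenderNonce",
    20: "signerNotTrusted", 23: "notAuthorized",
}

def encode_failinfo(bits):
    """DER-encode a set of named-bit numbers as a BIT STRING (tag 0x03).
    DER drops trailing zero bits of a named bit list, so the length depends
    on the highest bit set; bit 0 is the most significant bit of byte 0."""
    if not bits:
        return b"\x03\x01\x00"            # empty BIT STRING: one unused-bits octet
    highest = max(bits)
    body = bytearray(highest // 8 + 1)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - (highest % 8)            # zero bits left in the last octet
    content = bytes([unused]) + bytes(body)
    return b"\x03" + bytes([len(content)]) + content

def decode_failinfo(der):
    """Return the set of named-bit numbers set in a short-form DER BIT STRING.
    Rejects malformed input rather than guessing, since failInfo comes from
    the network."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits octet")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")
    nbits = len(body) * 8 - unused
    return {i for i in range(nbits) if body[i // 8] & (0x80 >> (i % 8))}

def interpret(der):
    """Split failInfo into names a compliant TSP client recognises and the
    bit numbers it MAY ignore (e.g. badSenderNonce(18) from a CMP-style server)."""
    bits = decode_failinfo(der)
    known = sorted(TSP_FAILINFO[b] for b in bits if b in TSP_FAILINFO)
    ignored = sorted(b for b in bits if b not in TSP_FAILINFO)
    return known, ignored
```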