Re: [pkix] An alternative proposal Was: Fwd: New VersionNotification for draft-hamilton-cmr-00.txt
Phillip Hallam-Baker <hallam@gmail.com> Thu, 03 November 2011 17:44 UTC
To enable the inconsistency in the CA response to be detected more quickly so that the euthanasia squad can be called in quicker.

On Thu, Nov 3, 2011 at 9:51 AM, Kemp, David P. <DPKemp@missi.ncsc.mil> wrote:

> "logs deleted"?  If the CA does not have a database, and database
> backups, and audit logs, and offsite audit log backups, showing what
> certificate serial numbers have been signed (only one of which would be
> needed to reconstruct current CRLs), that pretty much makes the case
> that neither a whitelist nor a blacklist is worth the bits it is printed
> on.  Given the lack of even rudimentary availability controls, what
> would make any RP believe that a cert, listed on a whitelist or not, has
> any validity?
>
> Dave
>
>
> -----Original Message-----
> From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of
> Rob Stradling
>
> http://isc.sans.edu/diary.html?storyid=11512
>
> "Some of the CA servers have had parts of their logs deleted, leading to
> DigiNotar not knowing what certificates were issued."
>
> "The OCSP server's working at DigiNotar has been reversed since Sept
> 1st.
> Normally these servers respond with good to all certificates except
> those on the CRL (a blacklist). The OCSP now operates in whitelist mode:
> it will call all unknown certificates signed by DigiNotar as revoked (a
> whitelist).
> Hence we need to make sure to use the OCSP server to validate DigiNotar
> certificates -should we want/need to- and not rely on the published CRLs
> anymore."
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>

-- 
Website: http://hallambaker.com/
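As an added illustration of the two responder policies the quoted diary contrasts (this is editor-constructed example code, not anything from the thread, DigiNotar or the draft): a CA's knowledge is reduced to two sets of serial numbers, the published CRL (blacklist) and the issuance database (whitelist). The relying-party check shows the one condition under which the two answers diverge, and that the signal alone cannot separate a rogue certificate from a legitimate one whose issuance log was lost, which is Kemp's objection.

```python
"""Constructed model of blacklist (CRL) vs whitelist OCSP semantics.

Added example; not code from the pkix thread or from any CA. Serial
numbers and set contents below are made up for the demonstration.
"""
from enum import Enum
from typing import List, Optional, Set


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


def blacklist_status(serial: int, crl: Set[int]) -> Status:
    """Normal CRL/OCSP semantics: anything not on the CRL is presumed good,
    including a serial the CA never knowingly issued."""
    return Status.REVOKED if serial in crl else Status.GOOD


def whitelist_status(serial: int, issued: Set[int], crl: Set[int]) -> Status:
    """Whitelist mode as the quoted SANS diary describes it: a serial the CA
    cannot show it issued is answered as revoked."""
    return Status.REVOKED if serial in crl or serial not in issued else Status.GOOD


def inconsistency(serial: int, crl: Set[int], issued: Set[int]) -> Optional[str]:
    """Relying-party check. The two sources can only disagree on a serial that
    is absent from both the CRL and the issuance records, so the same signal
    fires for rogue issuance and for lost logs; the responder cannot tell
    the caller which one it is."""
    if blacklist_status(serial, crl) == whitelist_status(serial, issued, crl):
        return None
    return f"serial {serial:#x}: CRL says good, whitelist says revoked; escalate"


def audit(serials: List[int], crl: Set[int], issued: Set[int]) -> List[int]:
    """Serials among observed certificates that the two policies disagree on."""
    return [s for s in serials if inconsistency(s, crl, issued) is not None]


# Constructed data: 0x1001 good, 0x1002 revoked, 0x1003 issued but its
# issuance record was deleted, 0xDEAD never issued by the CA at all.
ISSUED = {0x1001, 0x1002}
CRL = {0x1002}
OBSERVED = [0x1001, 0x1002, 0x1003, 0xDEAD]

if __name__ == "__main__":
    for s in OBSERVED:
        print(f"{s:#06x} blacklist={blacklist_status(s, CRL).value:8}"
              f"whitelist={whitelist_status(s, ISSUED, CRL).value}")
    print("escalate:", [f"{s:#x}" for s in audit(OBSERVED, CRL, ISSUED)])
```

Note that 0x1003 and 0xDEAD are flagged identically: only the CA's backups and audit logs, not the responder, can decide which is a false alarm.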