IETF Logo Mail Archive

Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.

Stephen Kent <kent@bbn.com> Wed, 27 February 2013 05:53 UTC

Return-Path: <kent@bbn.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4913A21F8522 for <pkix@ietfa.amsl.com>; Tue, 26 Feb 2013 21:53:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.584
X-Spam-Level:
X-Spam-Status: No, score=-106.584 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6XkMfZtE72OD for <pkix@ietfa.amsl.com>; Tue, 26 Feb 2013 21:53:35 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id CE22821F8526 for <pkix@ietf.org>; Tue, 26 Feb 2013 21:53:34 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15]:43593 helo=176.151.dhcp.conference.apricot.net) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1UAZxM-000Dha-JO; Wed, 27 Feb 2013 00:53:33 -0500
Message-ID: <512D9F5A.7010103@bbn.com>
Date: Wed, 27 Feb 2013 00:53:30 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: pkix@ietf.org, ynir@checkpoint.com
References: <9A043F3CF02CD34C8E74AC1594475C733340E7BB@uxcn10-2.UoA.auckland.ac.nz> <5124E2AB.5020400@bull.net> <B017A0A7-1029-4CA1-931B-9CD33A19E098@checkpoint.com>
In-Reply-To: <B017A0A7-1029-4CA1-931B-9CD33A19E098@checkpoint.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2013 05:53:36 -0000

Yoav,

Your characterization of roles for SDOs does not constitute a partition. 
There are other options.

WGs in the IETF, when we do our work well, develop good, technical 
solutions for problems,
and communicate these solutions in a clear fashion, via RFCs.

Developers may or may not follow the RFCs we produce, either by accident 
or intentionally.
Thus implementations may differ because of ambiguities in the RFCs, 
because of implementation
sloppiness, or for business reasons (which may be good reasons, or not).

If an influential vendor elects to not follow some aspect of a standard, 
other vendors may feel
that they have to accommodate the deviation adopted by the influential 
vendor, to preserve interoperability.
The deviation from a standard may have obvious, adverse security 
implications, or subtle security
problems, or may just be a security-neutral alternative.

A WG can elect to modify a standard, to accommodate what has become 
common practice, or not.
If the WG modifies the RFC, and if the modification has adverse security 
implications, this
is bad. Even if the deviation from the standard is security-neutral, the 
change sets a bad
precedent, as it undermines the standards development process in which 
others invested time
and effort.

 From my perspective, making a change to a standard to accommodate 
deviations from the standard,
when the change does not address a bug in the standard, rewards bad 
behavior, and it cheapens RFCs.
I oppose such behavior in any IETF WG.

Steve

v2.23.0 | Report a Bug | By Email