Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
Stephen Kent <kent@bbn.com> Wed, 27 February 2013 05:53 UTC
Return-Path: <kent@bbn.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4913A21F8522 for <pkix@ietfa.amsl.com>; Tue, 26 Feb 2013 21:53:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.584
X-Spam-Level:
X-Spam-Status: No, score=-106.584 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6XkMfZtE72OD for <pkix@ietfa.amsl.com>; Tue, 26 Feb 2013 21:53:35 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id CE22821F8526 for <pkix@ietf.org>; Tue, 26 Feb 2013 21:53:34 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15]:43593 helo=176.151.dhcp.conference.apricot.net) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1UAZxM-000Dha-JO; Wed, 27 Feb 2013 00:53:33 -0500
Message-ID: <512D9F5A.7010103@bbn.com>
Date: Wed, 27 Feb 2013 00:53:30 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: pkix@ietf.org, ynir@checkpoint.com
References: <9A043F3CF02CD34C8E74AC1594475C733340E7BB@uxcn10-2.UoA.auckland.ac.nz> <5124E2AB.5020400@bull.net> <B017A0A7-1029-4CA1-931B-9CD33A19E098@checkpoint.com>
In-Reply-To: <B017A0A7-1029-4CA1-931B-9CD33A19E098@checkpoint.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [pkix] A non-compliant use of the EKU extension in Mozilla's CA Certificate Policy Version 2.1.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2013 05:53:36 -0000
Yoav, Your characterization of roles for SDOs does not constitute a partition. There are other options. WGs in the IETF, when we do our work well, develop good, technical solutions for problems, and communicate these solutions in a clear fashion, via RFCs. Developers may or may not follow the RFCs we produce, either by accident or intentionally. Thus implementations may differ because of ambiguities in the RFCs, because of implementation sloppiness, or for business reasons (which may be good reasons, or not). If an influential vendor elects to not follow some aspect of a standard, other vendors may feel that they have to accommodate the deviation adopted by the influential vendor, to preserve interoperability. The deviation from a standard may have obvious, adverse security implications, or subtle security problems, or may just be a security-neutral alternative. A WG can elect to modify a standard, to accommodate what has become common practice, or not. If the WG modifies the RFC, and if the modification has adverse security implications, this is bad. Even if the deviation from the standard is security-neutral, the change sets a bad precedent, as it undermines the standards development process in which others invested time and effort. From my perspective, making a change to a standard to accommodate deviations from the standard, when the change does not address a bug in the standard, rewards bad behavior, and it cheapens RFCs. I oppose such behavior in any IETF WG. Steve
- [pkix] A non-compliant use of the EKU extension i… Denis Pinkas
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… David A. Cooper
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Denis Pinkas
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- Re: [pkix] A non-compliant use of the EKU extensi… Santosh Chokhani
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… Dr Stephen Henson
- Re: [pkix] A non-compliant use of the EKU extensi… Martin Rex
- Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
- Re: [pkix] A non-compliant use of the EKU extensi… Michael StJohns
- Re: [pkix] A non-compliant use of the EKU extensi… Henry B. Hotz
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Gutmann
- Re: [pkix] A non-compliant use of the EKU extensi… Yoav Nir
- Re: [pkix] A non-compliant use of the EKU extensi… Erwann Abalea
- Re: [pkix] A non-compliant use of the EKU extensi… Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Peter Sylvester
- Re: [pkix] A non-compliant use of the EKU extensi… Piyush Jain
- [pkix] Agenda items for PKIX in Orlando Stefan Santesson
- Re: [pkix] A non-compliant use of the EKU extensi… Stephen Kent
- [pkix] PKIX WG's (lack of) agility to adopt missi… Martin Rex