Re: [pkix] reminder
Scott Schmit <i.grok@comcast.net> Sun, 05 August 2012 01:02 UTC
Return-Path: <i.grok@comcast.net>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E903E21F87F8 for <pkix@ietfa.amsl.com>; Sat, 4 Aug 2012 18:02:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.437
X-Spam-Level:
X-Spam-Status: No, score=-100.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jYMwbeWWViMm for <pkix@ietfa.amsl.com>; Sat, 4 Aug 2012 18:02:43 -0700 (PDT)
Received: from qmta01.westchester.pa.mail.comcast.net (qmta01.westchester.pa.mail.comcast.net [IPv6:2001:558:fe14:43:76:96:62:16]) by ietfa.amsl.com (Postfix) with ESMTP id C65F621F87C4 for <pkix@ietf.org>; Sat, 4 Aug 2012 18:02:42 -0700 (PDT)
Received: from omta01.westchester.pa.mail.comcast.net ([76.96.62.11]) by qmta01.westchester.pa.mail.comcast.net with comcast id iosk1j0040EZKEL51p2laH; Sun, 05 Aug 2012 01:02:45 +0000
Received: from odin.ulthar.us ([IPv6:2001:470:8c86:0:225:64ff:fe8b:c2f2]) by omta01.westchester.pa.mail.comcast.net with comcast id ip2s1j0092Ekl483Mp2ueR; Sun, 05 Aug 2012 01:02:54 +0000
Received: from odin.ulthar.us (localhost [127.0.0.1]) by odin.ulthar.us (8.14.5/8.14.5) with ESMTP id q7512du6027938 for <pkix@ietf.org>; Sat, 4 Aug 2012 21:02:39 -0400
Received: (from draco@localhost) by odin.ulthar.us (8.14.5/8.14.5/Submit) id q7512dcT027937 for pkix@ietf.org; Sat, 4 Aug 2012 21:02:39 -0400
Date: Sat, 04 Aug 2012 21:02:39 -0400
From: Scott Schmit <i.grok@comcast.net>
To: pkix@ietf.org
Message-ID: <20120805010239.GA25950@odin.ulthar.us>
Mail-Followup-To: pkix@ietf.org
References: <501AB3A3.4020209@bbn.com> <20120804011634.GA25458@odin.ulthar.us> <5170CB53-0BE5-404B-B60B-B6EAE221D8CC@vpnc.org>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="y0ulUmNC+osPPQO6"
Content-Disposition: inline
In-Reply-To: <5170CB53-0BE5-404B-B60B-B6EAE221D8CC@vpnc.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [pkix] reminder
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Aug 2012 01:02:44 -0000
On Sat, Aug 04, 2012 at 08:41:34AM -0700, Paul Hoffman wrote: > On Aug 3, 2012, at 6:16 PM, Scott Schmit wrote: > > On Thu, Aug 02, 2012 at 01:06:43PM -0400, Stephen Kent wrote: > >> Add the following paragraph to the end of RFC 5280, Section 3.2: > >> > >> Consistent with Section 3.4.61 of X.509 (11/2008) we note that use > >> of self-issued certificates and self-signed certificates issued by > >> other than CAs are outside the scope of this specification. Thus, > >> for example, a web server or client might generate a self-signed > >> certificate to identify itself. These certificates, and how a > >> relying party uses them to authenticate asserted identities, are > >> both outside the scope of RFC 5280. > > > > As I read it, if you aren't a CA and generate a self-signed certificate, > > then that certificate isn't a PKIX certificate. Is that statement > > right? > > Partially. Those certificates are outside the scope of PKIX. However... > > > If so, it sort of screws up draft-ietf-dane-protocol: > > > > From section 2.2.1: > > # The certificate usages defined in this document explicitly only apply > > # to PKIX-formatted certificates in DER encoding [X.690]. If TLS > > # allows other formats later, or if extensions to this RRtype are made > > # that accept other formats for certificates, those certificates will > > # need their own certificate usage values. > > > > (TLSA Certificate usage 3 is intended for self-signed "PKIX" > > certificates.) > > No. It is intended for PKIX-formatted certificates, which is exactly > what the DANE spec says. > > > Maybe the problem is that we talk about PKIX-formatted certificates vs. > > PKIX-validated certificates, but both are handled in RFC 5280. > > Can you say why that's a problem? Because someone could easily use that paragraph to say, "there's no such thing as a PKIX-formatted certificate that isn't PKIX-validatable." RFC 5280 == PKIX, so being out of scope of RFC 5280 makes it not PKIX-anything. After all, how the certificate is signed determines if it's in scope of PKIX. > > Can we distinguish the two? > > Yes, easily. I'd suggest we do that. I think think that's why people were trying to inject "use of" the certificates instead of "generation of" the certs-- to make that distinction. I'd be happier if the last sentence read: "Validation of these certificates, and how a relying party authenticates the asserted identities, are both outside the scope of RFC 5280." Then it makes sense for a certificate to be a PKIX[-formatted] certificate, but not PKIX-validatable. -- Scott Schmit
- [pkix] reminder Stephen Kent
- Re: [pkix] reminder Peter Sylvester
- Re: [pkix] reminder Stephen Kent
- Re: [pkix] reminder Scott Schmit
- Re: [pkix] reminder Paul Hoffman
- Re: [pkix] reminder Scott Schmit
- Re: [pkix] reminder Stephen Kent
- Re: [pkix] reminder Scott Schmit
- Re: [pkix] reminder Stephen Kent