Re: [pkix] New Version Notification for draft-seantek-certfrag-00.txt

Sean Leonard <dev+ietf@seantek.com> Thu, 06 November 2014 08:15 UTC

From: Sean Leonard <dev+ietf@seantek.com>
In-Reply-To: <1557541F-A60F-430B-8C6C-BA5474538C79@ieca.com>
Date: Thu, 06 Nov 2014 00:13:50 -0800
Message-Id: <D68BE514-5604-4D29-AF0C-CD56DE9088C9@seantek.com>
References: <540E0A56.7060301@seantek.com> <544D14C8.4070604@seantek.com> <1557541F-A60F-430B-8C6C-BA5474538C79@ieca.com>
To: Sean Turner <turners@ieca.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/JJkdWtr6bAvyrE6VI5kB9COJBNk
Cc: pkix@ietf.org, saag@ietf.org
Subject: Re: [pkix] New Version Notification for draft-seantek-certfrag-00.txt

On Nov 5, 2014, at 4:29 PM, Sean Turner <turners@ieca.com> wrote:

> Seems like a reasonable way to do what you’re trying to do, but I’ve got two questions:
> 
> 1) Do you really, really need the MUST?  If an implementation doesn’t follow the rules and instead uses “sN” for the serial number fragment it’s still going to work right because they’re case-insensitive?  If that’s the case then maybe you could just drop that bit.

Okay, maybe “MUST” is unduly harsh. However, I like to have consistent casing, even though it is case-insensitive. Is “SHOULD” appropriate? If not, I can drop the RFC 2119 key word and simply say “The fragments defined in the table above are case-insensitive; nevertheless for consistency, a generator is supposed to produce the fragment identifiers with the same casing as provided in this memo.”

> 
> 2) The second part of the text in the security considerations gave me pause:
> 
>   A certificate displaying
>   application might zoom in on that aspect of the certificate, while a
>   public key-processing application might use a fragment identifier
>   like "#spki" to extract the "SubjectPublicKeyInfo" structure for
>   further processing. 
> 
> Are you saying the spki would be extracted for processing from the identifier or from the certificate?  I’m hoping the latter.

It’s the certificate. Proposed revised text:

   A certificate displaying
   application might zoom in on that aspect of the certificate, while a
   public key-processing application might use a fragment identifier
   like "#spki" to extract the "SubjectPublicKeyInfo" structure
   from the certificate for further processing.

Sean
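The exchange above turns on two points: fragment identifiers such as "#spki" are matched case-insensitively even though generators are asked to emit the spelling given in the draft, and the structure the fragment names is pulled out of the certificate itself, never out of the identifier. The following is an added illustration of both points, not code from draft-seantek-certfrag or from either correspondent. It assumes only the X.509 Certificate layout from RFC 5280 and the fragment name "spki" mentioned in the thread; the serial-number fragment is not implemented because the thread does not reproduce its exact spelling. The sample certificate is constructed inline with placeholder values and a dummy signature, so it is not a real certificate.

```python
"""Resolve a certificate fragment identifier (e.g. "#spki") against a DER
certificate by walking the RFC 5280 structure. Added example, not code from
the draft; the sample certificate below is constructed and not real."""


def der_tlv(data: bytes, pos: int = 0):
    """Parse one definite-length DER TLV at `pos`: (tag, value, end_offset)."""
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in the X.509 top-level walk")
    length = data[pos + 1]
    hdr = 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        hdr += n
    start, end = pos + hdr, pos + hdr + length
    if end > len(data):
        raise ValueError("truncated TLV")
    return tag, data[start:end], end


def der_children(body: bytes):
    """Yield (tag, value, raw_tlv) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, end = der_tlv(body, pos)
        yield tag, val, body[pos:end]
        pos = end


def encode(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo taken from the certificate itself.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tbs_tag, tbs_body, _ = der_tlv(cert_body)
    if tbs_tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    fields = list(der_children(tbs_body))
    # An explicit [0] version (tag 0xA0) shifts every later field by one slot.
    idx = 6 if fields and fields[0][0] == 0xA0 else 5
    if len(fields) <= idx or fields[idx][0] != 0x30:
        raise ValueError("no subjectPublicKeyInfo SEQUENCE at the expected position")
    return fields[idx][2]


# Keys are stored lowercase and lookups fold case, so "#SPKI" resolves exactly
# like the canonical "#spki" spelling a generator is expected to emit.
FRAGMENT_EXTRACTORS = {"spki": extract_spki}


def resolve_fragment(cert_der: bytes, fragment: str) -> bytes:
    """Map a fragment identifier to the certificate structure it names."""
    name = fragment[1:] if fragment.startswith("#") else fragment
    try:
        extractor = FRAGMENT_EXTRACTORS[name.lower()]
    except KeyError:
        raise ValueError(f"unknown certificate fragment {fragment!r}") from None
    return extractor(cert_der)


def build_sample_certificate():
    """Constructed sample (not a real certificate): RFC 5280 layout with
    placeholder names, dates, key bits and a dummy signature."""
    alg_id = encode(0x30, encode(0x06, bytes.fromhex("2A864886F70D01010B")) + encode(0x05, b""))
    name = encode(0x30, encode(0x31, encode(0x30,
        encode(0x06, bytes.fromhex("550403")) + encode(0x0C, b"constructed example"))))
    validity = encode(0x30, encode(0x17, b"240101000000Z") + encode(0x17, b"250101000000Z"))
    spki = encode(0x30, encode(0x30, encode(0x06, bytes.fromhex("2A864886F70D010101"))
        + encode(0x05, b"")) + encode(0x03, b"\x00" + b"\x42" * 16))
    tbs = encode(0x30,
        encode(0xA0, encode(0x02, b"\x02"))      # version v3
        + encode(0x02, b"\x01\x23")               # serialNumber
        + alg_id + name + validity + name + spki)
    cert = encode(0x30, tbs + alg_id + encode(0x03, b"\x00" + b"\x00" * 32))
    return cert, spki


SAMPLE_CERT, SAMPLE_SPKI = build_sample_certificate()

if __name__ == "__main__":
    print(resolve_fragment(SAMPLE_CERT, "#SPKI").hex())
```

The resolver never inspects the fragment for anything but its name: the bytes returned are a slice of the certificate, which is the behaviour the revised security-considerations wording describes.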