RE: I-D Action:draft-ietf-pkix-tamp-01.txt
"Carl Wallace" <CWallace@cygnacom.com> Wed, 11 March 2009 20:11 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E94EE3A6BAA for <ietfarch-pkix-archive@core3.amsl.com>; Wed, 11 Mar 2009 13:11:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.439
X-Spam-Level:
X-Spam-Status: No, score=-1.439 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l-MBxqB3MiGt for <ietfarch-pkix-archive@core3.amsl.com>; Wed, 11 Mar 2009 13:11:37 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id A08263A68D4 for <pkix-archive@ietf.org>; Wed, 11 Mar 2009 13:11:36 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n2BJm2ZY034848 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Mar 2009 12:48:02 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n2BJm2vb034847; Wed, 11 Mar 2009 12:48:02 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by balder-227.proper.com (8.14.2/8.14.2) with SMTP id n2BJlpff034833 for <ietf-pkix@imc.org>; Wed, 11 Mar 2009 12:48:02 -0700 (MST) (envelope-from CWallace@cygnacom.com)
Received: (qmail 7010 invoked from network); 11 Mar 2009 19:47:17 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 11 Mar 2009 19:47:17 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: I-D Action:draft-ietf-pkix-tamp-01.txt
Date: Wed, 11 Mar 2009 15:47:50 -0400
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D48A2D1F6@scygexch1.cygnacom.com>
In-Reply-To: <C2C2D82D-A666-4E4A-9022-35BD2012B81D@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: I-D Action:draft-ietf-pkix-tamp-01.txt
Thread-Index: AcmdugHbEEN+Q+v4TXiq2c4e4w6IhQExZ+MA
References: <20090304161502.90A2328C1A4@core3.amsl.com> <C2C2D82D-A666-4E4A-9022-35BD2012B81D@cisco.com>
From: Carl Wallace <CWallace@cygnacom.com>
To: max pritikin <pritikin@cisco.com>, ietf-pkix@imc.org
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
<snip>
> The latest [TAF] document appear to move away from specifically
categorizing Apex, Management and Identity trust
> anchors. I agree with this change. The [TAMP] draft still indicates
these three types though and I no longer see how
> they are distinguished. I do see that [TAMP, Section 1.3.2] indicates
that:
> o The trust anchor store MUST support the secure storage of exactly
> one apex trust anchor. The trust anchor store SHOULD support the
> secure storage of at least one additional trust anchor.
> but not how it is identified as the Apex. Or as a management trust
anchor, or identity trust anchor. Is it expected that > this information
would be encoded into the TAF extensions field[s]? For example TAMP
would specify a specific extension > with these types indicated?
The terms describe the function of a trust anchor, not necessarily its
composition.
A trust anchor is identified as the apex by placement, similar to a
certificate that is recognized as a trust anchor by placing it in a
trust anchor store. The presence of a Apex trust anchor info
certificate extension is a clue, but placement is what makes a trust
anchor an apex. This will be clarified in the next draft.
An identity TA must be able to validate certification paths, so it must
have name. In an environment using the CCC spec for authorization, a
management trust anchor would contain a CCC extension. Other
authorization mechanisms may have different hallmarks.
<snip>
> I like the idea of a TAF which can store information specific to
particular applications, various management protocols
> such as CMS, and other things moving forward. TAMP apparently then
specifies specific authorizations and their meanings
> but this doesn't limit or impact other uses? And importantly this type
of construct results in a TAF which may be either
> Apex, Management, or Identity or any combination thereof including new
types in the future?
Right. TAs can be any combination of TA types (except that an apex is
by definition a management TA) and could address various management
protocols (like CMS) are defined.
> This line of thought leads to some reflection on the [TAMP] discussion
illustrated by Figure 4-1 might be even further >
> refined. I appreciate the update from "Crypto Module" to "Trust Anchor
Store" -- or maybe even a combination of the two
> of them (this echoes my comment above about how the 802.1AR module
sounds like a combination of both of these elements).
> Perhaps my confusion is that in my mind a Trust Anchor Manager is
communicating via TAMP with a TAMP service which is
> then accessing the Trust Anchor Store. A picture is worth a thousand
words:
(my apologies if mail messes this up)
+---------+ +----------+
| | | |
| | | |
| | | |
| | TAMP | |
| Trust |<---->| TAMP |
| Anchor | | Process | OS & Application
| Manager | | | Service Interface
| | | | +----------+
| | | |<---->|TAFs in a |
| | | | |Crypto |
| | | | |Module |
| | | | |& Store |
+---------+ +----------+ +----------+
> I haven't seen a discussion that the "OS & Application Service
Interface" as being in scope. Drawing the diagram like >
> this clarifies my impression that the TAF might be used by other
applications and that those applications might benefit
> from the TAF standardization. Given the recent changes to [TAF] I
suspect things are moving in this direction?
The diagram above is an accurate representation. You are correct that
the specs do not address the interface between the TA store and the
applications. Not shown in the diagram is how the TA is actually used
(i.e., what an application does with a trust anchor once it retrieves it
from the store). There will be another short specification submitted
soon that describes how to use TA-based constraints during certification
path validation.
- I-D Action:draft-ietf-pkix-tamp-01.txt Internet-Drafts
- Re: I-D Action:draft-ietf-pkix-tamp-01.txt max pritikin
- RE: I-D Action:draft-ietf-pkix-tamp-01.txt Carl Wallace
- RE: I-D Action:draft-ietf-pkix-tamp-01.txt Santosh Chokhani