RE: draft-ietf-pkix-3281update-01.txt

Russ Housley <housley@vigilsec.com> Tue, 28 October 2008 15:24 UTC

Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 211E03A6C64 for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 28 Oct 2008 08:24:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.877
X-Spam-Level:
X-Spam-Status: No, score=-100.877 tagged_above=-999 required=5 tests=[AWL=-0.539, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, MSGID_FROM_MTA_HEADER=0.803, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KWzeGRc3UQhk for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 28 Oct 2008 08:24:18 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id C1F133A6C63 for <pkix-archive@ietf.org>; Tue, 28 Oct 2008 08:24:17 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9SEc6R2071291 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 28 Oct 2008 07:38:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9SEc66s071290; Tue, 28 Oct 2008 07:38:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [8.8.40.152]) by balder-227.proper.com (8.14.2/8.14.2) with SMTP id m9SEbtpj071250 for <ietf-pkix@imc.org>; Tue, 28 Oct 2008 07:38:05 -0700 (MST) (envelope-from housley@vigilsec.com)
Message-Id: <200810281438.m9SEbtpj071250@balder-227.proper.com>
Received: (qmail 13638 invoked by uid 0); 28 Oct 2008 14:37:52 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (96.255.145.18) by woodstock.binhost.com with SMTP; 28 Oct 2008 14:37:52 -0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Tue, 28 Oct 2008 10:34:54 -0400
To: "BRUMBY, Ian" <ian.brumby@baesystems.com>, ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-3281update-01.txt
In-Reply-To: <0D88367CF035304ABCB1022D82AF0753017C7CDD@brdw3ex1.au.baesystems.com>
References: <9F11911AED01D24BAA1C2355723C3D32195A6F405C@EA-EXMSG-C332.europe.corp.microsoft.com> <200810251952.m9PJqCPD001487@bunya.baea.com.au> <0D88367CF035304ABCB1022D82AF0753017C7CD3@brdw3ex1.au.baesystems.com> <200810271331.m9RDVOAv028096@bunya.baea.com.au> <0D88367CF035304ABCB1022D82AF0753017C7CDD@brdw3ex1.au.baesystems.com>
Mime-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

I agree.  However, I'd like to find out what document (or early draft of a document) the existing OID was taken from.  Basically, we need to provide implementor guidance about both OIDs.

Russ

At 06:59 PM 10/27/2008, BRUMBY, Ian wrote:
Since the over-the-wire encoding has been changed to be compatible with X.501, and incompatible with RFC 3281, shouldn’t the OID of the attribute be changed to match X.501?

From: owner-ietf-pkix@mail.imc.org [ mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
Sent: Tuesday, 28 October 2008 12:13 AM
To: BRUMBY, Ian; ietf-pkix@imc.org
Subject: RE: Rationales for CA clearance constraints
 
This fact has been reported in an RFC Errata:

Note that clearance was NOT defined in X.501(1993), but X.500(1997). However, X.501(2005) may be the best reference for clearance.


At 08:13 PM 10/26/2008, BRUMBY, Ian wrote:

The Clearance attribute is defined in the current X.501 (2001 and v6 draft) with an OID of 2.5.4.55. RFC 3281 (as referenced by draft-turner-caclearanceconstraints-01.txt) defines it as 2.5.1.5.55. It refers to X.501-1993 as the source of this definition. I’ve dug up the 1993 standard and can’t find any reference to Clearance. If Clearance Constraints are implemented, maybe it should be clarified if it constrains X.501 (2003) Clearance attributes, if they are present in the certificate, or specifically doesn’t constrain them.

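The thread turns on two object identifiers for the same Clearance attribute: 2.5.4.55 from X.501 and 2.5.1.5.55 from RFC 3281, and Russ asks for implementor guidance covering both. The following Python is an added example, not code from the thread or from any PKIX implementation; it DER-encodes and decodes attribute type OIDs and recognises either OID as Clearance so that a decoder can at least name which syntax it is looking at. The sample byte strings in the comments are constructed from the two OIDs on the page; the label strings are this example's own.

```python
from typing import Optional, Tuple

# Both OIDs the thread names for the Clearance attribute. The labels are
# this example's own; an implementation would map them to its parsers.
CLEARANCE_OIDS = {
    "2.5.4.55": "Clearance (X.501)",
    "2.5.1.5.55": "Clearance (RFC 3281)",
}


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID arcs")
    body = bytearray()
    # The first two arcs are folded into one subidentifier: arc0*40 + arc1.
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]          # last 7-bit group has the high bit clear
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))  # earlier groups carry a continuation bit
            sub >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> Tuple[str, int]:
    """Decode a short-form DER OID at the start of `der`.

    Returns (dotted string, number of bytes consumed). Rejects a wrong tag,
    a long-form or zero length, truncated contents, and a subidentifier whose
    final byte still has the continuation bit set.
    """
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length == 0 or length & 0x80 or len(der) < 2 + length:
        raise ValueError("bad or unsupported length")
    body = der[2:2 + length]
    if body[-1] & 0x80:
        raise ValueError("truncated subidentifier")
    subs = []
    value = 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(value)
            value = 0
    first = subs[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    arcs += subs[1:]
    return ".".join(map(str, arcs)), 2 + length


def classify_attribute_type(der: bytes) -> Optional[str]:
    """Name the Clearance variant for either OID; None for any other attribute type."""
    dotted, _ = decode_oid(der)
    return CLEARANCE_OIDS.get(dotted)


if __name__ == "__main__":
    # Constructed inputs: the two OIDs from the thread, DER-encoded.
    x501 = encode_oid("2.5.4.55")        # 06 03 55 04 37
    rfc3281 = encode_oid("2.5.1.5.55")   # 06 04 55 01 05 37
    for blob in (x501, rfc3281, encode_oid("2.5.4.3")):
        print(blob.hex(), "->", decode_oid(blob)[0], classify_attribute_type(blob))
```

A decoder that only knew one of the two OIDs would silently treat the other as an unknown attribute; keying both in a single table is the minimal form of the guidance Russ asks for, and the caller can then pick the value syntax that goes with each OID.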