Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
"Denis Pinkas" <denis.pinkas@bull.net> Mon, 10 September 2007 11:40 UTC
Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IUhcd-0005Ev-6K for pkix-archive@lists.ietf.org; Mon, 10 Sep 2007 07:40:07 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IUhcb-0001S6-MU for pkix-archive@lists.ietf.org; Mon, 10 Sep 2007 07:40:07 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8AAjX3M028760 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 10 Sep 2007 03:45:33 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l8AAjXOD028759; Mon, 10 Sep 2007 03:45:33 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8AAjRZN028750 for <ietf-pkix@imc.org>; Mon, 10 Sep 2007 03:45:31 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-mcl1.frcl.bull.fr [129.184.87.20]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id MAA15394; Mon, 10 Sep 2007 12:52:16 +0200
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2007091012451460:154002 ; Mon, 10 Sep 2007 12:45:14 +0200
Date: Mon, 10 Sep 2007 12:45:11 +0200
From: Denis Pinkas <denis.pinkas@bull.net>
To: David Chadwick <d.w.chadwick@kent.ac.uk>
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 10/09/2007 12:45:14, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 10/09/2007 12:45:24, Serialize complete at 10/09/2007 12:45:24
Message-ID: <OF2AFF4AEE.3B9779B9-ONC1257352.003B12E7@frcl.bull.fr>
Content-Type: text/plain; charset="iso-8859-1"
X-MIME-Autoconverted: from base64 to 8bit by balder-227.proper.com id l8AAjWZN028754
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by balder-227.proper.com id l8AAjX3M028760
X-Spam-Score: 2.1 (++)
X-Scan-Signature: 515708a075ffdf0a79d1c83b601e2afd
David, Thank you for your quick reply. >> David, >> >> I have three major concerns with this draft: >> >> 1 - The current proposal is insecure, unless HTTPS is mandated. > >There is no such thing as absolute security as you are aware and HTTPS >does not give absolute security. It does provide more security than HTTP >but at a greater cost. So the option to use HTTP is there for those RPs >that are happy with this risk vs cost tradeoff. If you only use HTTP, it is as if CRLs or certificates were placed in a directory without being signed. In this context, I cannot "buy" your argument of "There is no such thing as absolute security". >> 2 - Even, if HTTPS is mandated, the proposal is still insecure >> unless the relying parties may securely know which trust anchor >> shall be used to verify the certification path of the webdav server. >> That information MUST be provided by the CA that has issued the certificate, >> and NOT by "other means". > >I dont have a problem with adding this statement. The problem is not adding this requirement, but to say HOW a relying party will know - without using out of bands means - that it is indeed connected to the right web server. >> 3 - The text states: >> >> Whilst a certificate might exist, i.e. from its time of first issuing until it validity period finishes, >> one of the pages SHOULD exist, although some implementations MAY choose to treat >> a revoked certificate the same as a certificate that has never existed. >> >> I would be worthwhile to phrase this differently and move the sentence >> once the webdavCert accessMethod has been introduced and state: >> >> If only the webdavCert accessMethod is supported, then the scheme is only able >> to provide real-time revocation status of certificates. In order to support a non-repudiation service, >> the webdavRev accessMethod must be supported. > >Fine, I will add this. I was incorrect when writing the three lines above. I should have said: The proposed scheme is only able to provide real-time revocation status of certificates and thus in unable to support a non-repudiation service". >> This means that Certificates issuers may choose to support: >> >> a) only the webdavRev accessMethod, or >> b) only the webdavCert accessMethod, or >> c) both the webdavRev accessMethod and the webdavCert accessMethod. >> >> This is not clearly stated in the draft. > >I do not think that issuers will want to support a), do you? I tried to imagine the options of the proposal. I return the question: What are the real benefits of option c) versus options b) ? >> In addition, I have the following concerns: >> 4 - The text states: >> When a certificate exists, it has a unique web page (the certificate URL) at which it MUST be found. >This is because I never considered your proposed option a) above. I >would prefer not to go down this route unless a good argument can be >made for your option a) The key question is which options are desirable . >> I would be worthwhile to phrase this differently and move the sentence >> once the webdavCert accessMethod has been introduced and state: >> If the webdavCert accessMethod is supported, then when a certificate exists, >> it has a unique web page (the certificate URL) at which the revocation list (of length one) >> MUST be found. >> This means that the following sentence is not appropriate: >> "When a certificate is revoked, it has a unique web page (revocation URL) >> at which the revocation list (of length one) SHOULD be found". >> 5 - The text states: >> Optionally the revocation page MAY exist after the validity period of a certificate has expired. >> Using RFC 3280, there is no way to know for a relying party (unless out of bands mechanisms >> are being used), if the CA has chosen to do so or not, so such a feature would be unusable. >> In addition, there is no need to maintain such information once a certificate has expired. >I seem to remember that it was you who wanted this feature so that an RP >could determine after the fact whether a cert had been revoked or not. >Out of bound mechanisms are OK anyway, since you have already suggested >one ie. that the CA tells the RP which trust anchor to use for the SSL >service. The idea is different, the information MUST be captured, when available. Anyway, this method is only usable for real-time authentication and keeping it would simply be useless. >> 6 In the security considerations section, the text states: >> Consequently, if the certificates are not meant to be publicly available or stronger security >> is required, then secure access should be provided using HTTP with TLS". >> The use of HTTPS has nothing to do with publicly available certificates. >It is related in this way. If HTTPS with client side (mutual) authn is >used, then the server can use the DN of the client to provide an authz >service. With http only public access can be provided. I know understand, but the sentence should be rephrased. Considering the question to adopt or not this proposal as a PKIX work item, for the time being, I am not in favor for the following reasons: - when using the webdavCert accessMethod, the proposal is insecure since HTTPs is still not mandated, - when using the webdavCert accessMethod the proposal is insecure since the trust anchor to be used to verify the information provided by the web server is undefined, - the proposal is limited to support real-time revocation status of certificates, i.e. it cannot support a non-repudiation service, - CRLs may be fetched using HTTP, so the argument against LDAP becomes moot. The idea of having a CRL of length one is original, but CRL splitting is another way to avoid long CRLs. Denis ============================================================= >regards >David >> Denis >>> I am very interested in the construction of a systematic framework for >>> webdav based publication protocols to be used to publish into >>> repositories. Other WG areas of work are considering adoption of >>> certificate based models which require large, distributed repositories >>> to be maintained, and will imply a repository provisioning protocol. >>> >>> I therefore wish to propose the WG adopt draft-chadwick-webdav-00.txt as a work item. >>> >>> I would also like to ask that the document be slightly modified, to >>> present two distinct parts in the proposal >>> >>> 1) that part which documents use of WEBDAV as a repository publication >>> protocol and the use of a REST model. >>> >>> 2) that part which discusses naming of the repository objects in the >>> repository, eg for use in the SIA and AIA fields, and the related >>> REST model name mapping. >>> >>> The reason I ask that it be re-worked in this way is that there are >>> other models of repository naming architecture which do not have >>> 'deep' RDN name structure in the certificate Subject name, and are less >>> ameanable to a deterministic mapping as Dave has proposed. If the >>> document is re-worked slightly to make it plain that this is only one >>> of many repository naming models, it will be easier for related work to >>> cite this document in reference to part 1) use of WEBDAV and to draw up >>> a distinct repository name mapping function reflecting part 2) in >>> spirit. >>> >>> I have some very minor concerns with stipulating the correct TLS >>> version to support virtual webhost naming in a secured connection to >>> the server during WEBDAV binding. I am sure these can be very easily >>> addressed. >>> >>> Thanks to Dave Chadwick for writing this draft, and presenting it at >>> IETF69 Chicago. >>> >>> -George >>> >>> >> >> Regards, >> >> Denis Pinkas >> >> >> > >-- > >***************************************************************** >David W. Chadwick, BSc PhD >Professor of Information Systems Security >The Computing Laboratory, University of Kent, Canterbury, CT2 7NF >Skype Name: davidwchadwick >Tel: +44 1227 82 3221 >Fax +44 1227 762 811 >Mobile: +44 77 96 44 7184 >Email: D.W.Chadwick@kent.ac.uk >Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html >Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html >Entrust key validation string: MLJ9-DU5T-HV8J >PGP Key ID is 0xBC238DE5 > >***************************************************************** Regards, Denis Pinkas
- request for WG to adopt draft-chadwick-webdav-00.… George Michaelson
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… George Michaelson
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… George Michaelson
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- Re: request for WG to adopt draft-chadwick-webdav… Denis Pinkas
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- Re: request for WG to adopt draft-chadwick-webdav… Denis Pinkas
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- RE: request for WG to adopt draft-chadwick-webdav… Kemp, David P.
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick