Re: PKI Resource Discovery - Proposal for a new Working Item
"Anders Rundgren" <anders.rundgren@telia.com> Tue, 24 April 2007 18:37 UTC
Message-ID: <000401c78699$ee787b20$82c5a8c0@arport2v>
From: Anders Rundgren <anders.rundgren@telia.com>
To: Massimiliano Pala <pala@cs.dartmouth.edu>, Wen-Cheng Wang <wcwang@cht.com.tw>
Cc: pkix <ietf-pkix@imc.org>
References: <OF40DC074E.35415756-ONC12572C3.0043BD52@frcl.bull.fr> <462D05DA.5060002@cs.dartmouth.edu> <002601c78622$c31e6e70$5d85900a@wcwang> <462E1C8D.8090602@cs.dartmouth.edu>
Subject: Re: PKI Resource Discovery - Proposal for a new Working Item
Date: Tue, 24 Apr 2007 19:44:04 +0200
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
Hi Max,

Some time ago you proposed new PKI protocols but then you did not state any specific use-case. I'm happy to see such now :-)

Regarding painful rollover, I believe a 5-year plan or so is realistic if it involves certificate changes. If the idea is really some kind of "mapping scheme" between existing certificates and services it may be faster but OTOH I don't really see how such a mapping utility would work given the huge variations out there. But maybe you are thinking of some kind of centralized discovery service?

Personally I'm only interested in decentralized Internet-scale PKI solutions (the opposite to S/MIME...) and would due to this base a new scheme on the only Internet-scale "registry" there is: DNS.

I would suggest a scheme based on DNS names which both can be obtained locally (from a config file) as well as being supplied in a new certificate extension. This would allow step-wise migration which has proved to be the fastest route to adoption.

The following is one way of architecting this:

In the repository/certificate extension:

    "example.com"

Searched for by an enhanced PKI client:

    _thesuperduper-pki-lookup.example.com TXT "something"
    _other-pki-lookup-service.example.com TXT "something"

Regarding applications, I would like to add automatic certificate renewal services support.

regards
Anders

----- Original Message -----
From: "Massimiliano Pala" <pala@cs.dartmouth.edu>
To: "Wen-Cheng Wang" <wcwang@cht.com.tw>
Cc: "pkix" <ietf-pkix@imc.org>
Sent: Tuesday, April 24, 2007 17:04
Subject: Re: PKI Resource Discovery - Proposal for a new Working Item

Hello Wen-Cheng,

thank you for the comment. Indeed the distribution of the RQA address is something tricky, but the AIA/SIA extensions can be used to provide that. Also the DHCP could be used for the same purpose on a local network.

Again, thanks. I'll try to come up with a draft for the WG to read hopefully in the next few days (or the next week).

Let me know what you think also about a possible session/proposal at the next IETF.

Cheers,
Max

Wen-Cheng Wang wrote:
>
> Dr. Massimiliano Pala,
>
> That is an interesting idea.
>
> However, one imaginable problem you might face is "how
> a relying party (the PRQP client) can find an authorized RQA?"
>
> One straightforward way is to let the CA issue a certificate first to
> delegate the authority to the RQA and then use AIA/SIA extensions
> to provide the URL of the authorized RQA (the authorized PRQP server)
> to the PRQP client. If you are going to adopt this kind of straightforward
> solution, it will not be a painless rollover from traditional ways (embed
> various pointers via CDP, AIA or SIA extensions) to the new way (a single
> AIA/SIA extension containing the authorized PRQP access info). The
> reason why it will not be a painless rollover is that the goal can not be
> achieved without re-issuing all the existing certificates to
> add the newly defined PRQP access info into the AIA/SIA extension.

--
Best Regards,
Dr. Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]      pala@cs.dartmouth.edu
                                                project.manager@openca.org
Dartmouth Computer Science Dept                 Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063                          Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------
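The DNS-based discovery scheme Anders sketches above, worked through as an added example; this is not code from the message, from the PKIX WG, or from any PRQP draft. It assumes a "k=v" syntax inside the TXT records, a set of service labels standing in for the placeholders in the message, and a client policy (HTTPS only, endpoint host under the advertised domain) that the message does not specify. The resolver is a constructed lookup table so the script runs offline; a real client would issue TXT queries (for instance with dnspython) and, because plain DNS answers are unauthenticated, should require DNSSEC-validated answers before acting on them and still authenticate the endpoint it is sent to.

```python
"""DNS-based PKI service discovery as sketched in the message above.

Added example, not code from the message or from any PKIX draft. The
resolver is a constructed lookup table so this runs offline; the service
labels, the "k=v" TXT syntax and the acceptance policy are assumptions.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed labels; the message uses placeholders such as
# "_thesuperduper-pki-lookup" and "_other-pki-lookup-service".
SERVICE_LABELS = ["_ocsp-lookup", "_crl-lookup", "_cert-renewal"]


def query_name(label: str, domain: str) -> str:
    """Owner name the enhanced client queries: '<_label>.<domain>.'."""
    if not label.startswith("_"):
        raise ValueError("service labels carry a leading underscore")
    return f"{label}.{domain.rstrip('.')}."


class TableResolver:
    """Stand-in for DNS: maps owner names to the TXT strings they return."""

    def __init__(self, table: Dict[str, List[str]]):
        self.table = {k.lower(): v for k, v in table.items()}

    def txt(self, name: str) -> List[str]:
        return self.table.get(name.lower(), [])


def parse_txt(strings: List[str]) -> Dict[str, str]:
    """Parse whitespace-separated 'k=v' tokens; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for s in strings:
        for token in s.split():
            key, sep, value = token.partition("=")
            if sep:
                fields[key] = value
    return fields


def acceptable(fields: Dict[str, str], domain: str) -> bool:
    """Client policy (an assumption of this example): the TXT answer is not
    authenticated, so the endpoint it names must be reached over HTTPS and
    must live under the domain the relying party started from."""
    url = fields.get("url")
    if not url:
        return False
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    dom = domain.rstrip(".").lower()
    return parts.scheme == "https" and (host == dom or host.endswith("." + dom))


def choose_domain(local_config: Dict[str, str], issuer: str,
                  cert_ext_domain: Optional[str]) -> Optional[str]:
    """Local config (keyed by issuer name) wins; otherwise use the domain
    carried in the proposed certificate extension. Certificates issued
    before the extension existed keep working once config is present,
    which is the step-wise migration the message argues for."""
    return local_config.get(issuer) or cert_ext_domain


def discover(domain: str, resolver: TableResolver,
             labels: List[str] = SERVICE_LABELS) -> Dict[str, Dict[str, str]]:
    """Query one TXT name per service label and keep the acceptable answers."""
    found: Dict[str, Dict[str, str]] = {}
    for label in labels:
        fields = parse_txt(resolver.txt(query_name(label, domain)))
        if fields and acceptable(fields, domain):
            found[label] = fields
    return found


# Constructed zone data standing in for real DNS answers. The CRL entry is
# rejected for using plain HTTP, the renewal entry for pointing outside the
# advertised domain.
DEMO_ZONE = {
    "_ocsp-lookup.example.com.": ["v=pkidisc1 url=https://ocsp.example.com/"],
    "_crl-lookup.example.com.": ["v=pkidisc1 url=http://crl.example.com/ca.crl"],
    "_cert-renewal.example.com.": ["v=pkidisc1 url=https://renew.example.net/"],
}


def demo() -> Dict[str, Dict[str, str]]:
    """Old certificate, no extension, no config entry: nothing is found.
    Certificate carrying 'example.com' in the extension: OCSP is found."""
    domain = choose_domain({}, "CN=Example CA", "example.com")
    return discover(domain, TableResolver(DEMO_ZONE))


if __name__ == "__main__":
    for label, fields in demo().items():
        print(label, fields)
```

With the constructed zone only the OCSP entry survives the policy check; the point of the policy is that a DNS answer can route the relying party anywhere, so the scheme only holds up if the TXT lookup is DNSSEC-validated or the endpoint is authenticated independently (TLS with a certificate chaining to the issuer the client already trusts).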