Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
David Chadwick <d.w.chadwick@kent.ac.uk> Wed, 26 September 2007 21:54 UTC
Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iaepy-0003TT-Rp for pkix-archive@lists.ietf.org; Wed, 26 Sep 2007 17:54:31 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Iaepr-0001w3-HD for pkix-archive@lists.ietf.org; Wed, 26 Sep 2007 17:54:24 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8QKtm8a076581 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 26 Sep 2007 13:55:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l8QKtmVf076580; Wed, 26 Sep 2007 13:55:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx2.kent.ac.uk (mx2.kent.ac.uk [129.12.21.33]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8QKtkJs076551 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-pkix@imc.org>; Wed, 26 Sep 2007 13:55:47 -0700 (MST) (envelope-from d.w.chadwick@kent.ac.uk)
Received: from vpnd02b.kent.ac.uk ([129.12.208.43]) by mx2.kent.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.62) (envelope-from <d.w.chadwick@kent.ac.uk>) id 1Iaduv-0003Ad-Vd; Wed, 26 Sep 2007 21:55:34 +0100
Message-ID: <46FAC748.9030701@kent.ac.uk>
Date: Wed, 26 Sep 2007 21:55:36 +0100
From: David Chadwick <d.w.chadwick@kent.ac.uk>
Organization: University of Kent
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Kemp, David P." <DPKemp@missi.ncsc.mil>
CC: ietf-pkix@imc.org
Subject: Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
References: <OF3876B698.C80CC9A9-ONC125734F.002F7456@frcl.bull.fr> <46E1B0B7.3080003@kent.ac.uk> <p06240511c30b2a2eae3c@[128.89.89.71]> <46E6678A.2030307@kent.ac.uk> <A15AC0FBACD3464E95961F7C0BCD1FF006A25BE970@EA-EXMSG-C307.europe.corp.microsoft.com> <46EAB378.4090506@kent.ac.uk> <FA998122A677CF4390C1E291BFCF59890822CCF8@EXCH.missi.ncsc.mil>
In-Reply-To: <FA998122A677CF4390C1E291BFCF59890822CCF8@EXCH.missi.ncsc.mil>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-UKC-Mail-System: No virus detected
X-UKC-SpamCheck: not spam, SpamAssassin (not cached, score=-1.44, required 5, autolearn=disabled, ALL_TRUSTED -1.44)
X-UKC-MailScanner-From: d.w.chadwick@kent.ac.uk
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cf3becbbd6d1a45acbe2ffd4ab88bdc2
Hi David I have been thinking about the question you posed below, and my response is just below it Kemp, David P. wrote: > David, > > I have to agree with Stefan and Steve on this. > > 1) DNS may be mis-trusted (falsely treated as a trusted entity) > with disastrous results, but properly designed applications would > permit PKI to fix that, not fail because of it. A signed object > containing a DNS name permits detection of DNS failures. > > Any purely DNS-based identity registration process is, of course, > as weak as DNS itself, so PKI at a minimum would have to use > something like credit card identity proofing through multiple > channels (physical mail of a registration secret + home > telephone activation) if it wishes to claim better assurance > for real (vs. pseudonymous) identities than that provided by DNS. > > 2) It is not the REST model that is of concern - short CRLs, > OCSP responses, or their signed SAML equivalents could be > retrieved just as easily using RESTful requests (SOAP/resource) > as with LDAP, CMC, or SOAP/RPC. As Stefan says, it is the > signed object generated by a trusted PKI component that counts, > not the method by which it is obtained. Of course, a CA > with any particular level of assurance could operate a WebDAV > interface that yields the same results as its CRLs, but you > intend WebDAV revocation responders to not be limited > to CAs, thus greatly expanding the attack surface of the system. > > Is there a way to leverage all three portions of the proposal > (REST conceptual model, REST protocols, and naming models) > while preserving the end-to-end (PKI to consumer application) > properties of signed objects? One solution would be for the cert URL to point to the certificate and the revocation URL to point to the CRL for this certificate, in which the following states hold: Certificate exists and is valid: certificate at certificate URL and empty CRL at rev URL Certificate exists and is revoked: nothing at certificate URL and CRL with single entry at rev URL. Certificate not issued: nothing at either URL (URLs probably not defined) In this way you have cryptographic proof of the state of the certificate, and each certificate has its own stateful resource URLs. What do you think? regards David > >>> What the webdav scheme gives you is instant revocation >>> status, which CRLs do not give you, but the tradeoff is >>> having to trust the repository. > > If "instant" is the goal, I believe it would be better > achieved by morphing the repository into a basic assurance > PKI component with its own keys. A CA's CPS can document > any deliberative process it wants (including none) before > revoking certs, thus permitting delegated responders > (WebDAV or other) to achieve any desired tradeoff between > response time and accuracy. > > V/R, > Dave > > > -- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************
- request for WG to adopt draft-chadwick-webdav-00.… George Michaelson
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… George Michaelson
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… George Michaelson
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- Re: request for WG to adopt draft-chadwick-webdav… Denis Pinkas
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- Re: request for WG to adopt draft-chadwick-webdav… Denis Pinkas
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- RE: request for WG to adopt draft-chadwick-webdav… Stefan Santesson
- Re: request for WG to adopt draft-chadwick-webdav… Stephen Kent
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick
- RE: request for WG to adopt draft-chadwick-webdav… Kemp, David P.
- Re: request for WG to adopt draft-chadwick-webdav… David Chadwick