RE: I-D Action:draft-ietf-pkix-tamp-01.txt
"Santosh Chokhani" <SChokhani@cygnacom.com> Wed, 11 March 2009 21:23 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 07EEC3A6B56 for <ietfarch-pkix-archive@core3.amsl.com>; Wed, 11 Mar 2009 14:23:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.314
X-Spam-Level:
X-Spam-Status: No, score=-1.314 tagged_above=-999 required=5 tests=[AWL=0.155, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id coxO+vUi6ZZi for <ietfarch-pkix-archive@core3.amsl.com>; Wed, 11 Mar 2009 14:23:34 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 76C243A6915 for <pkix-archive@ietf.org>; Wed, 11 Mar 2009 14:23:33 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n2BKuRGu038249 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Mar 2009 13:56:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n2BKuRI9038248; Wed, 11 Mar 2009 13:56:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by balder-227.proper.com (8.14.2/8.14.2) with SMTP id n2BKuQRx038242 for <ietf-pkix@imc.org>; Wed, 11 Mar 2009 13:56:26 -0700 (MST) (envelope-from SChokhani@cygnacom.com)
Received: (qmail 8330 invoked from network); 11 Mar 2009 20:55:52 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 11 Mar 2009 20:55:52 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: I-D Action:draft-ietf-pkix-tamp-01.txt
Date: Wed, 11 Mar 2009 16:56:24 -0400
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D48A2D210@scygexch1.cygnacom.com>
In-Reply-To: <FAD1CF17F2A45B43ADE04E140BA83D48A2D1F6@scygexch1.cygnacom.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: I-D Action:draft-ietf-pkix-tamp-01.txt
Thread-Index: AcmdugHbEEN+Q+v4TXiq2c4e4w6IhQExZ+MAAAMEhUA=
References: <20090304161502.90A2328C1A4@core3.amsl.com> <C2C2D82D-A666-4E4A-9022-35BD2012B81D@cisco.com> <FAD1CF17F2A45B43ADE04E140BA83D48A2D1F6@scygexch1.cygnacom.com>
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: Carl Wallace <CWallace@cygnacom.com>, max pritikin <pritikin@cisco.com>, ietf-pkix@imc.org
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Would it be more accurate to say that signer of TAMP messages must be a management TA or the signer's certification path must terminate at a management TA. > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Carl Wallace > Sent: Wednesday, March 11, 2009 3:48 PM > To: max pritikin; ietf-pkix@imc.org > Subject: RE: I-D Action:draft-ietf-pkix-tamp-01.txt > > > <snip> > > The latest [TAF] document appear to move away from specifically > categorizing Apex, Management and Identity trust > > anchors. I agree with this change. The [TAMP] draft still indicates > these three types though and I no longer see how > > they are distinguished. I do see that [TAMP, Section 1.3.2] > indicates > that: > > o The trust anchor store MUST support the secure storage > of exactly > > one apex trust anchor. The trust anchor store SHOULD > support the > > secure storage of at least one additional trust anchor. > > but not how it is identified as the Apex. Or as a management trust > anchor, or identity trust anchor. Is it expected that > this > information would be encoded into the TAF extensions > field[s]? For example TAMP would specify a specific extension > > with these types indicated? > > The terms describe the function of a trust anchor, not > necessarily its composition. > > A trust anchor is identified as the apex by placement, > similar to a certificate that is recognized as a trust anchor > by placing it in a trust anchor store. The presence of a > Apex trust anchor info certificate extension is a clue, but > placement is what makes a trust anchor an apex. This will be > clarified in the next draft. > > An identity TA must be able to validate certification paths, > so it must have name. In an environment using the CCC spec > for authorization, a management trust anchor would contain a > CCC extension. Other authorization mechanisms may have > different hallmarks. > > <snip> > > > I like the idea of a TAF which can store information specific to > particular applications, various management protocols > > such as CMS, and other things moving forward. TAMP apparently then > specifies specific authorizations and their meanings > > but this doesn't limit or impact other uses? And > importantly this type > of construct results in a TAF which may be either > > Apex, Management, or Identity or any combination thereof > including new > types in the future? > > Right. TAs can be any combination of TA types (except that > an apex is by definition a management TA) and could address > various management protocols (like CMS) are defined. > > > This line of thought leads to some reflection on the [TAMP] > discussion > illustrated by Figure 4-1 might be even further > > > refined. I appreciate the update from "Crypto Module" to > "Trust Anchor > Store" -- or maybe even a combination of the two > > of them (this echoes my comment above about how the 802.1AR module > sounds like a combination of both of these elements). > > Perhaps my confusion is that in my mind a Trust Anchor Manager is > communicating via TAMP with a TAMP service which is > > then accessing the Trust Anchor Store. A picture is worth a thousand > words: > > > (my apologies if mail messes this up) > +---------+ +----------+ > | | | | > | | | | > | | | | > | | TAMP | | > | Trust |<---->| TAMP | > | Anchor | | Process | OS & Application > | Manager | | | Service Interface > | | | | +----------+ > | | | |<---->|TAFs in a | > | | | | |Crypto | > | | | | |Module | > | | | | |& Store | > +---------+ +----------+ +----------+ > > > > I haven't seen a discussion that the "OS & Application Service > Interface" as being in scope. Drawing the diagram like > > > this clarifies my impression that the TAF might be used by other > applications and that those applications might benefit > > from the TAF standardization. Given the recent changes to [TAF] I > suspect things are moving in this direction? > > The diagram above is an accurate representation. You are > correct that the specs do not address the interface between > the TA store and the applications. Not shown in the diagram > is how the TA is actually used (i.e., what an application > does with a trust anchor once it retrieves it from the > store). There will be another short specification submitted > soon that describes how to use TA-based constraints during > certification path validation. > >
- I-D Action:draft-ietf-pkix-tamp-01.txt Internet-Drafts
- Re: I-D Action:draft-ietf-pkix-tamp-01.txt max pritikin
- RE: I-D Action:draft-ietf-pkix-tamp-01.txt Carl Wallace
- RE: I-D Action:draft-ietf-pkix-tamp-01.txt Santosh Chokhani