RE: Problem with draft-ietf-pkix-authorityclearanceconstraints-02
"Santosh Chokhani" <SChokhani@cygnacom.com> Thu, 02 April 2009 15:22 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2181228C231 for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 2 Apr 2009 08:22:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.427
X-Spam-Level:
X-Spam-Status: No, score=-1.427 tagged_above=-999 required=5 tests=[AWL=0.041, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SY6mlAbBmcba for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 2 Apr 2009 08:22:16 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id A8A7828C227 for <pkix-archive@ietf.org>; Thu, 2 Apr 2009 08:22:15 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n32F0mdw099249 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 2 Apr 2009 08:00:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n32F0ml2099248; Thu, 2 Apr 2009 08:00:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by balder-227.proper.com (8.14.2/8.14.2) with SMTP id n32F0lOv099240 for <ietf-pkix@imc.org>; Thu, 2 Apr 2009 08:00:47 -0700 (MST) (envelope-from SChokhani@cygnacom.com)
Received: (qmail 27361 invoked from network); 2 Apr 2009 14:59:42 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 2 Apr 2009 14:59:41 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C9B3A3.CD82FBBD"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: Problem with draft-ietf-pkix-authorityclearanceconstraints-02
Date: Thu, 02 Apr 2009 11:00:46 -0400
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D48A9FEBB@scygexch1.cygnacom.com>
In-Reply-To: <C5FA9C84.13AE%stefan@aaa-sec.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Problem with draft-ietf-pkix-authorityclearanceconstraints-02
Thread-Index: AcmzjAxNtzBfJ61Ws0OScv3P3Q+ASgAFdSIfAABzz5A=
References: <C5FA77E4.1393%stefan@aaa-sec.com> <C5FA9C84.13AE%stefan@aaa-sec.com>
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: Stefan Santesson <stefan@aaa-sec.com>, IETF-pkix <ietf-pkix@imc.org>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
No objection. Steve can direct us to change this now or later since the current text is unlikely to lead some one astray. ________________________________ From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Stefan Santesson Sent: Thursday, April 02, 2009 10:47 AM To: Stefan Santesson; IETF-pkix Subject: Re: Problem with draft-ietf-pkix-authorityclearanceconstraints-02 Small correction, I copied the text from the wrong draft, as you may see from the old title. The actual text from draft-ietf-pkix-authorityclearanceconstraints-02 Is almost the same and has the same problem: When processing Authority Clearance Constraints certificate extension for the purposes of validating Clearance attribute in the end PKC, the processing described in this section or an equivalent algorithm MUST be included in the certification path validation. The processing is presented as additions to the certification path validation algorithm described in section 6 of [RFC5280]. This is just a nit that could be fixed at any later update. I would suggest the following small change: When processing Authority Clearance Constraints certificate extension for the purposes of validating Clearance attribute in the end PKC, the processing described in this section or an equivalent algorithm MUST be performed in addition to the certification path validation algorithm described in section 6 of [RFC5280]. /Stefan On 4/2/09 2:10 PM, "Stefan Santesson" <stefan@aaa-sec.com> wrote: I found a problem with draft-turner-caclearanceconstraints-02.txt Section 4.1.1. Certification Path Processing states When processing Authority Clearance Constraints certificate extension for the purposes of validating Clearance attribute in the end certificate, PKC, the processing described in this section or an equivalent algorithm MUST be included in the certification path validation. It is problematic, and unnecessary to require ca clearance constraints processing to be "included" in certification path validation. None of the clearance constraints information is needed to determine the validity of the certificate, and as such it does not be processed as an integrated process. It would be perfectly valid for an application who choose to rely on the clearance information, to process clearance constraints as a post process, i.e. after path validation is completed. A requirement to integrate caclearance constraints into path validation would make this a lot harder to implement as it would require modification to core security components. Stefan Santesson AAA-sec.com
- Problem with draft-turner-caclearanceconstraints-… Stefan Santesson
- Re: Problem with draft-ietf-pkix-authorityclearan… Stefan Santesson
- RE: Problem with draft-ietf-pkix-authorityclearan… Santosh Chokhani