Re: [pkix] Self-issued certificates

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 17 July 2015 04:23 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Miller, Timothy J." <tmiller@mitre.org>, "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [pkix] Self-issued certificates
Date: Fri, 17 Jul 2015 04:21:46 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AB06271D@uxcn10-tdc05.UoA.auckland.ac.nz>
References: <20150716154449.B20051A1EC@ld9781.wdf.sap.corp>, <74A5D249-85E1-4887-ADD1-C6084F07B265@mitre.org>
In-Reply-To: <74A5D249-85E1-4887-ADD1-C6084F07B265@mitre.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/XgpZG7iUIRx8h20sVsKpvqgCZfo>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates

Miller, Timothy J. <tmiller@mitre.org> writes:

>> rfc4210 is sufficiently complex and awkward that it is not used anywhere
>> around TLS (at least the stuff that I come in contact with) nor in common
>> web-service or pkcs#7/CMS based data exchange scenarios.
>
>I didn’t say it was *used*, I said it would *work*.  ;)

You can't really claim that it'll work either.  CMP is sufficiently
dysfunctional and broken that it's really hard (in many cases almost
impossible) to get two implementations to talk to each other just to do a
standard "gimme a cert" (which is all that 99.5% of users really care about).
Given that, I'd put the chances of something as untried as a TA-update working
correctly at "vanishingly small", at best.  So the correct phrasing would be
something like "CMP has something that could, in theory, work, if someone
implemented it".

Peter.