Re: [pkix] Self-issued certificates
Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 17 July 2015 04:23 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/XgpZG7iUIRx8h20sVsKpvqgCZfo>
Miller, Timothy J. <tmiller@mitre.org> writes:

>> rfc4210 is sufficiently complex and awkward that it is not used anywhere
>> around TLS (at least the stuff that I come in contact with) nor common
>> web-service or pkcs#7/CMS based data exchange scenarios.
>
>I didn’t say it was *used*, I said it would *work*. ;)

You can't really claim that it'll work either. CMP is sufficiently dysfunctional and broken that it's really hard (in many cases almost impossible) to get two implementations to talk to each other just to do a standard "gimme a cert" (which is all that 99.5% of users really care about). Given that, I'd put the chances of something as untried as a TA-update working correctly at "vanishingly small", at best.

So the correct phrasing would be something like "CMP has something that could, in theory, work, if someone implemented it".

Peter.