Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

"Piyush Jain" <piyush@ditenity.com> Fri, 29 March 2013 17:12 UTC

Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BEB221F9405 for <pkix@ietfa.amsl.com>; Fri, 29 Mar 2013 10:12:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.921
X-Spam-Level:
X-Spam-Status: No, score=-2.921 tagged_above=-999 required=5 tests=[AWL=0.678, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pNWKlsOlfQPq for <pkix@ietfa.amsl.com>; Fri, 29 Mar 2013 10:12:44 -0700 (PDT)
Received: from mail-gh0-f179.google.com (mail-gh0-f179.google.com [209.85.160.179]) by ietfa.amsl.com (Postfix) with ESMTP id 6C23821F91F0 for <pkix@ietf.org>; Fri, 29 Mar 2013 10:12:44 -0700 (PDT)
Received: by mail-gh0-f179.google.com with SMTP id z12so51160ghb.38 for <pkix@ietf.org>; Fri, 29 Mar 2013 10:12:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=ts9tp7NQ67JmzP+2dGIhLZzPy4Igv1d5U3wroC96kBM=; b=YGu7CQ7eRwR5LzvXkBnCWUDD024LOxbvV2FMwwvvxdVe9f0T0PrqImgXmbV3sDfOIH ULQRcpqli2pWIuMCj+hoETtqtgCoH9VOl9CukaoLFqCpWrVeByg2K8XI7QeI1SWvWUfQ wr+wg8z/MTdJpIfXHecBzqs2rvbpuUB0bi14LBgA8WziLrcJKPLybcp0wmfy5/wZx8JB Xsm5JUE0YZFnkwKD62UqM8Ut19l2U3he2mlyKgJlAv7o4/SLHb1YwTk2v02vHL+HzNlc rtBI6tW4cyTsldG8HiqaAo1OMJUW0XEAAv8ZQ2YYDqUV3XNhFxV5PFHuhrfJbIGHKZyH QOlw==
X-Received: by 10.236.135.231 with SMTP id u67mr896266yhi.135.1364577163772; Fri, 29 Mar 2013 10:12:43 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id x71sm2079717yhg.17.2013.03.29.10.12.41 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 10:12:43 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: 'Stefan Santesson' <stefan@aaa-sec.com>, "'Black, David'" <david.black@emc.com>, sts@aaa-sec.com, mmyers@fastq.com, ambarish@gmail.com, slava.galperin@gmail.com, cadams@eecs.uottawa.ca, gen-art@ietf.org
References: <00fc01ce2c98$ddc41770$994c4650$@ditenity.com> <CD7B80C0.5F100%stefan@aaa-sec.com>
In-Reply-To: <CD7B80C0.5F100%stefan@aaa-sec.com>
Date: Fri, 29 Mar 2013 10:12:38 -0700
Message-ID: <012f01ce2ca0$9eaf4840$dc0dd8c0$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
thread-index: AQFaQn1rWGWmOJQLB6oJfMxBH8dluJmktKLg
Content-Language: en-us
X-Gm-Message-State: ALoCoQmGbWIBCD5pZ8mFg+cK7f1DbbbyoysiJHEi8GvzO7LQ2iSDV7xuN2hqlBlPwbp8dVgoM3gs
Cc: pkix@ietf.org
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2013 17:12:45 -0000

Not arguing that it should be required. I'm with you on keeping it optional.

It is your statement about backward compatibility to justify it that is
incorrect.
Backward compatibility "with deployments of RFC2560" is not affected in
either case. Legacy clients will continue to work whether you make it
required or optional.

You probably meant "maintain compliance with RFC 2560 and RFC 5019."

-Piyush

> -----Original Message-----
> From: Stefan Santesson [mailto:stefan@aaa-sec.com]
> Sent: Friday, March 29, 2013 9:37 AM
> To: Piyush Jain; 'Black, David'; sts@aaa-sec.com; mmyers@fastq.com;
> ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca;
> gen-art@ietf.org
> Cc: pkix@ietf.org; ietf@ietf.org
> Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
> 
> On 3/29/13 5:17 PM, "Piyush Jain" <piyush@ditenity.com> wrote:
> 
> >' "revoked" status is still optional in this context in order to
> >maintain backwards compatibility with deployments of RFC 2560.'
> >
> >I fail to understand this statement about backward compatibility.
> >How does "revoked" being "optional/required" break backward
> >compatibility?
> >The only reason cited in the WG discussions to use revoked for
> >"not-issued" was that any other approach would break backward
> >compatibility with legacy clients. And now the draft says that revoked
> >is optional because making it required won't be backward compatible.
> 
> Yes. Making it required would prohibit other valid ways to respond to this
> situation that are allowed by RFC 2560 and RFC 5019,
> such as responding "good" or responding with an "unauthorized" error.
> 
> >
> >And it gives the impression that the best course of action for 2560bis
> >responders is to start issuing revoked for "not-issued", which is far
> >from the originally stated goal to provide a way for CAs to be able to
> >return revoked for such serial numbers.
> 
> The latter is what optional means.
> 
> /Stefan
>
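The exchange above turns on one responder decision: what to return for a serial number the CA never issued, with "revoked" being one permitted answer next to "good" and an "unauthorized" error. The toy model below is an added example, not code from this thread or from any IETF project, and every name in it is made up for the illustration. It assumes the "extended revoked" signalling of RFC 6960 (the published form of draft-ietf-pkix-rfc2560bis): reason certificateHold, revocationTime 1970-01-01, and the id-pkix-ocsp-extended-revoke response extension; the thread itself does not spell these out. The two client functions show Piyush's point that a legacy client gets a familiar answer whichever policy the responder picks, while a client that knows the extension can separate "not-issued" from a real revocation.

```python
"""Toy model of the OCSP responder choice debated above: what to answer for a
serial number the CA never issued. Not code from the PKIX thread or from any
IETF project; all names here are made up for the illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Assumption: the "extended revoked" signalling below is taken from RFC 6960,
# the published form of draft-ietf-pkix-rfc2560bis, not from the thread.
ID_PKIX_OCSP_EXTENDED_REVOKE = "1.3.6.1.5.5.7.48.1.9"
CERTIFICATE_HOLD = 6                                   # CRLReason value
NOT_ISSUED_REVOCATION_TIME = datetime(1970, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SingleResponse:
    serial: int
    cert_status: str                       # "good" | "revoked" | "unknown"
    revocation_time: Optional[datetime] = None
    revocation_reason: Optional[int] = None


@dataclass(frozen=True)
class OCSPResponse:
    response_status: str                   # "successful" | "unauthorized"
    single: Optional[SingleResponse] = None
    response_extensions: FrozenSet[str] = frozenset()


def respond(not_issued_answer: str,
            issued: Set[int],
            revoked: Dict[int, Tuple[datetime, int]],
            serial: int) -> OCSPResponse:
    """Build the responder's answer. `not_issued_answer` is the responder's
    policy for serials it has no record of: "unauthorized", "good" or
    "revoked", the three answers the thread says RFC 2560/5019 permit."""
    if serial in revoked:
        when, reason = revoked[serial]
        return OCSPResponse("successful",
                            SingleResponse(serial, "revoked", when, reason))
    if serial in issued:
        return OCSPResponse("successful", SingleResponse(serial, "good"))

    # Serial number was never issued by this CA.
    if not_issued_answer == "unauthorized":
        return OCSPResponse("unauthorized")
    if not_issued_answer == "good":
        return OCSPResponse("successful", SingleResponse(serial, "good"))
    if not_issued_answer == "revoked":
        # RFC 6960 shape: reason certificateHold, revocationTime 1970-01-01,
        # plus the extended-revoke response extension so a new client can
        # tell "not issued" apart from a real revocation.
        return OCSPResponse(
            "successful",
            SingleResponse(serial, "revoked", NOT_ISSUED_REVOCATION_TIME,
                           CERTIFICATE_HOLD),
            frozenset({ID_PKIX_OCSP_EXTENDED_REVOKE}))
    raise ValueError(f"unknown policy {not_issued_answer!r}")


def legacy_client_verdict(resp: OCSPResponse) -> str:
    """An RFC 2560-era client with no knowledge of the extended definition.
    Whatever the responder chose, the result is one it already understands."""
    if resp.response_status != "successful":
        return "error"
    return resp.single.cert_status


def bis_client_verdict(resp: OCSPResponse) -> str:
    """A client that knows the extension separates "not-issued" from a real
    revocation, and only when all three markers agree."""
    if resp.response_status != "successful":
        return "error"
    s = resp.single
    if (s.cert_status == "revoked"
            and ID_PKIX_OCSP_EXTENDED_REVOKE in resp.response_extensions
            and s.revocation_reason == CERTIFICATE_HOLD
            and s.revocation_time == NOT_ISSUED_REVOCATION_TIME):
        return "not-issued"
    return s.cert_status


# Constructed sample CA state (made up for the example).
ISSUED = {0x1001, 0x1002}
REVOKED = {0x1002: (datetime(2013, 3, 1, tzinfo=timezone.utc), 1)}  # keyCompromise
NEVER_ISSUED = 0x9999

if __name__ == "__main__":
    for policy in ("unauthorized", "good", "revoked"):
        r = respond(policy, ISSUED, REVOKED, NEVER_ISSUED)
        print(f"{policy:>12}: legacy={legacy_client_verdict(r):<8} "
              f"bis={bis_client_verdict(r)}")
```

Running the block prints one line per policy. The legacy verdicts are "error", "good" and "revoked" respectively, all values an RFC 2560 client already handles, which is why the choice among them does not affect compatibility with existing deployments; only the "revoked" policy carries the extra markers that let a newer client report "not-issued".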