Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

"Piyush Jain" <piyush@ditenity.com> Tue, 09 April 2013 06:03 UTC

From: Piyush Jain <piyush@ditenity.com>
To: 'Sean Turner' <turners@ieca.com>
References: <003e01ce3077$5b6329f0$12297dd0$@ditenity.com> <20130403160532.EB4FD1A68A@ld9781.wdf.sap.corp> <00a401ce3092$0a1415d0$1e3c4170$@ditenity.com> <5163270C.20300@ieca.com> <07af01ce34a4$582df1d0$0889d570$@ditenity.com> <5163840F.2030508@ieca.com>
In-Reply-To: <5163840F.2030508@ieca.com>
Date: Mon, 08 Apr 2013 23:02:57 -0700
Message-ID: <083601ce34e7$e3dcef40$ab96cdc0$@ditenity.com>
Cc: ambarish@gmail.com, slava.galperin@gmail.com, cadams@eecs.uottawa.ca, 'Stefan Santesson' <stefan@aaa-sec.com>, "'Black, David'" <david.black@emc.com>, sts@aaa-sec.com, pkix@ietf.org, gen-art@ietf.org
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

> I went back and looked at the WG poll about this issue that you and lot of
> other people participated in
> (https://www.ietf.org/mail-archive/web/pkix/current/msg31906.html).
> The WG's rough consensus was to allow "revoked" to be used for non-issued
> certificates with the caveat thrown in by Paul Hoffman that the meaning of
> "revoked" be clear about what it now means.  I've not seen anything that
> would make me want to throw this draft back to the WG to revisit that
> consensus.

I believe that the straw poll consensus was that revoked will be overloaded
to convey non-issued status to the clients.
The deviation from that consensus is that in such cases, the current draft
prohibits clients from interpreting the certificate as non-issued, and requires
them to interpret it as issued and revoked by the CA. And this is necessary
to circumvent the responder trust issue for CA delegated responders if they
return extended revoked indicating non-issuance.
Please see http://www.ietf.org/mail-archive/web/pkix/current/msg32336.html.

This is an important distinction because from the client's point of view a
non-issued response for a CA-signed certificate is much more severe than a
revoked response and is indicative of a CA/RA compromise.
The reason I'm raising this at LC is because there were a few WG members who
acknowledged this issue and there was no consensus (other than Stefan's
response in the post linked above) on how this should be handled.

I guess it would be okay if you and David make the determination that this
issue is not worth debating anymore but I would surely have appreciated
hearing the opinions of a few others. 

Best
Piyush
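The distinction argued in this thread, as an added illustration that is not part of the message or of the draft: a model of the client-side decision for a "revoked" OCSP status, in which the certificate is always treated as revoked (the draft's rule as described above), while the non-issuance markers are surfaced separately as a monitoring signal rather than as a different validation outcome. The extended-revoke extension OID (1.3.6.1.5.5.7.48.1.9) and the revocationTime of 1970-01-01 with reason certificateHold (6) are taken from RFC 6960, the published form of this draft, and are assumptions here; the dataclasses and all sample responses are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional, Set

# Assumed from RFC 6960 section 4.4.8 (id-pkix-ocsp-extended-revoke); not from the email.
EXTENDED_REVOKE_OID = "1.3.6.1.5.5.7.48.1.9"
# Assumed markers a responder uses for a non-issued serial (RFC 6960 section 2.2).
CERTIFICATE_HOLD = 6
NON_ISSUED_TIME = datetime(1970, 1, 1, tzinfo=timezone.utc)


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class SingleResponse:
    """Simplified SingleResponse: one serial and its status (constructed model)."""
    serial: int
    status: CertStatus
    revocation_time: Optional[datetime] = None
    revocation_reason: Optional[int] = None


@dataclass
class OCSPResponse:
    """Simplified ResponseData: response-level extensions plus per-serial answers."""
    response_extensions: Set[str] = field(default_factory=set)
    singles: List[SingleResponse] = field(default_factory=list)


@dataclass
class Verdict:
    accept: bool               # may the relying party use the certificate?
    reason: str                # "good", "revoked" or "unknown"
    non_issued_signal: bool    # responder markers say the serial was never issued


def interpret(resp: OCSPResponse, single: SingleResponse) -> Verdict:
    """Client-side interpretation following the rule described in the thread:
    a 'revoked' status is treated as revoked no matter what the markers say;
    the non-issued markers only raise a separate signal for escalation."""
    if single.status is CertStatus.GOOD:
        return Verdict(True, "good", False)
    if single.status is CertStatus.UNKNOWN:
        # The responder has no knowledge of this serial; do not accept.
        return Verdict(False, "unknown", False)
    # status is REVOKED: the certificate is not usable, regardless of why.
    signal = (EXTENDED_REVOKE_OID in resp.response_extensions
              and single.revocation_reason == CERTIFICATE_HOLD
              and single.revocation_time == NON_ISSUED_TIME)
    return Verdict(False, "revoked", signal)


def serials_to_escalate(resp: OCSPResponse) -> List[int]:
    """Serials whose 'revoked' answer carries the non-issued markers. A CA-signed
    certificate for such a serial is the severe case raised in the thread, so
    these are worth routing to whoever investigates CA/RA incidents."""
    return [s.serial for s in resp.singles if interpret(resp, s).non_issued_signal]


# Constructed sample: one ordinary revocation, one non-issued serial, one good cert.
SAMPLE = OCSPResponse(
    response_extensions={EXTENDED_REVOKE_OID},
    singles=[
        SingleResponse(0x1001, CertStatus.REVOKED,
                       datetime(2013, 4, 1, tzinfo=timezone.utc), 1),  # keyCompromise
        SingleResponse(0x1002, CertStatus.REVOKED, NON_ISSUED_TIME, CERTIFICATE_HOLD),
        SingleResponse(0x1003, CertStatus.GOOD),
    ],
)

if __name__ == "__main__":
    for s in SAMPLE.singles:
        print(hex(s.serial), interpret(SAMPLE, s))
    print("escalate:", [hex(n) for n in serials_to_escalate(SAMPLE)])
```

Note that the markers alone are not enough: without the extended-revoke extension on the response, a certificateHold at the epoch is just an odd revocation and the signal stays off, so the example also shows why a client cannot distinguish the two cases unless the responder declares the semantics.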