Re: WG Last Call: AIA CRL extension
Tom Gindin <tgindin@us.ibm.com> Tue, 24 May 2005 03:41 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA28164 for <pkix-archive@lists.ietf.org>; Mon, 23 May 2005 23:41:52 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4O2kwgE033041; Mon, 23 May 2005 19:46:58 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j4O2kwBC033040; Mon, 23 May 2005 19:46:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from e1.ny.us.ibm.com (e1.ny.us.ibm.com [32.97.182.141]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4O2kuXE033022 for <ietf-pkix@imc.org>; Mon, 23 May 2005 19:46:57 -0700 (PDT) (envelope-from tgindin@us.ibm.com)
Received: from d01relay04.pok.ibm.com (d01relay04.pok.ibm.com [9.56.227.236]) by e1.ny.us.ibm.com (8.12.11/8.12.11) with ESMTP id j4O2koRk013793 for <ietf-pkix@imc.org>; Mon, 23 May 2005 22:46:51 -0400
Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay04.pok.ibm.com (8.12.10/NCO/VER6.6) with ESMTP id j4O2ko2H122012 for <ietf-pkix@imc.org>; Mon, 23 May 2005 22:46:50 -0400
Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.12.11/8.13.3) with ESMTP id j4O2kooC017782 for <ietf-pkix@imc.org>; Mon, 23 May 2005 22:46:50 -0400
Received: from d01ml062.pok.ibm.com (d01ml062.pok.ibm.com [9.56.228.115]) by d01av04.pok.ibm.com (8.12.11/8.12.11) with ESMTP id j4O2kokZ017778; Mon, 23 May 2005 22:46:50 -0400
In-Reply-To: <5.1.0.14.2.20050510170022.02cc5b08@email.nist.gov>
To: wpolk@nist.gov
Cc: housley@vigilsec.com, ietf-pkix@imc.org, kent@bbn.com, stefans@microsoft.com
MIME-Version: 1.0
Subject: Re: WG Last Call: AIA CRL extension
X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003
From: Tom Gindin <tgindin@us.ibm.com>
Message-ID: <OF0A1E00E9.D4A6A6C0-ON8525700B.000D7E0B-8525700B.000F4346@us.ibm.com>
Date: Mon, 23 May 2005 22:46:48 -0400
X-MIMETrack: Serialize by Router on D01ML062/01/M/IBM(Release 6.53IBM1 HF14|April 18, 2005) at 05/23/2005 22:46:50, Serialize complete at 05/23/2005 22:46:50
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Tim:

I should probably have brought this up earlier, but are we certain that "same trust anchor" is a strong enough check that the CRL signer is the one expected by the issuing CA? While I was not in San Diego when this wording was included in the 3280 series, I do not really think that that check is strong enough. I would suggest instead that the CRL signer's certificate needs to be directly issued by one of the CAs in the certification path back to the trust anchor used for the certificate's verification, or by that anchor itself, unless people have practical experience with CA structures which that rule would prohibit. Forcing the CRL to be issued by the CA itself (as I understand Denis to have suggested) prohibits the reasonable case where the CRL is issued by a hierarchical superior, so it is IMHO too strict.

I am personally not sure, FWIW, that a CRL should be permitted to be signed by a second-cousin certificate of the issuer's certificate. By analogy to the use of the terms in families, "sibling" certificates would have the same issuer, "first-cousin" certificates would be issued by siblings, and "second-cousin" certificates would be issued by first cousins - so they are both three levels down from the same trust anchor, or from the last common CA in their paths.

This issue is not newly caused by CRL AIA, since the same issue can arise with CRLs containing only AKID. AIA only allows RPs to build a path (whether right or wrong) more quickly. In any case, nothing more than a note in Security Considerations is appropriate in any of our RFCs other than 3280 and its successor.

Tom Gindin

P.S. - The above views are mine, and not necessarily those of my employer

Tim Polk <tim.polk@nist.gov>
Sent by: owner-ietf-pkix@mail.imc.org
05/10/2005 05:27 PM

To: ietf-pkix@imc.org
cc: kent@bbn.com, stefans@microsoft.com, housley@vigilsec.com
Subject: WG Last Call: AIA CRL extension

This message initiates working group Last Call for the specification "Internet X.509 Public Key Infrastructure: Authority Information Access CRL Extension". While some issues raised in the working group are unresolved, the editors believe that rough consensus supports the current specification.

The URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-01.txt

Last Call will run for (at least) two weeks. That is, Last Call will not close before May 24.

Thanks,

Tim Polk
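The three CRL-signer rules compared in the message above (the "same trust anchor" check Tom questions, his proposed "directly issued by a CA on the certificate's path, or by the anchor itself", and the strict "signed by the issuing CA itself" he attributes to Denis), together with his sibling/first-cousin/second-cousin terminology, as an added Python model; this is illustration code written for this page, not code from the thread or from any PKIX implementation. The CA hierarchy (Root, CA-A, CA-B, CA-A1, CA-B1, EE and the two CRL-signer certificates) and all function names are constructed for the example, and certificates are reduced to subject/issuer names because only the path shape matters for these rules. It uses the standard library only.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the names matter here."""
    subject: str
    issuer: str  # subject of the issuing CA; equals subject for a self-signed anchor


# Constructed hierarchy (an assumption for this example, not from the thread):
# one root, two sibling sub-CAs, one sub-sub-CA under each, and leaves below.
DIRECTORY: Dict[str, Cert] = {c.subject: c for c in [
    Cert("Root", "Root"),                          # trust anchor
    Cert("CA-A", "Root"), Cert("CA-B", "Root"),    # siblings (same issuer)
    Cert("CA-A1", "CA-A"), Cert("CA-B1", "CA-B"),  # first cousins (issued by siblings)
    Cert("EE", "CA-A1"),                           # the certificate being validated
    Cert("CRL-Signer-Cousin", "CA-B1"),            # second cousin of EE
    Cert("CRL-Signer-Delegate", "CA-A1"),          # sibling of EE (indirect CRL signer)
]}


def build_path(cert: Cert, directory: Dict[str, Cert]) -> List[Cert]:
    """Follow issuer links from cert up to the self-signed trust anchor.

    Returns [cert, issuing CA, ..., anchor]; raises if the chain is broken or loops.
    """
    path = [cert]
    seen = {cert.subject}
    while path[-1].issuer != path[-1].subject:
        nxt = directory.get(path[-1].issuer)
        if nxt is None or nxt.subject in seen:
            raise ValueError(f"no path to a trust anchor from {cert.subject}")
        seen.add(nxt.subject)
        path.append(nxt)
    return path


def same_trust_anchor(ee: Cert, signer: Cert, directory: Dict[str, Cert]) -> bool:
    """The check the message questions: both certificates chain to one anchor."""
    return build_path(ee, directory)[-1] == build_path(signer, directory)[-1]


def issued_by_path_ca(ee: Cert, signer: Cert, directory: Dict[str, Cert]) -> bool:
    """The proposed rule: the CRL signer's certificate is directly issued by a CA
    on the validated certificate's path (the anchor itself included)."""
    path_cas = {c.subject for c in build_path(ee, directory)[1:]}
    return signer.issuer in path_cas


def signed_by_issuing_ca(ee: Cert, signer: Cert) -> bool:
    """The strictest rule discussed: the CRL is signed with the issuing CA's own key."""
    return signer.subject == ee.issuer


def cousin_degree(a: Cert, b: Cert, directory: Dict[str, Cert]) -> Optional[int]:
    """Kinship in the message's family analogy: 0 = siblings (same issuer),
    1 = first cousins (issued by siblings), 2 = second cousins, and so on.

    Returns None when the two certificates are not the same number of levels
    below their last common CA (for example when one is an ancestor of the other).
    """
    pa, pb = build_path(a, directory), build_path(b, directory)
    for k in range(1, min(len(pa), len(pb))):
        if pa[k] == pb[k]:          # first common ancestor found k levels up
            return k - 1
    return None


if __name__ == "__main__":
    ee = DIRECTORY["EE"]
    for name in ("CA-A1", "CA-A", "CRL-Signer-Delegate", "CRL-Signer-Cousin"):
        signer = DIRECTORY[name]
        print(f"{name:20s} same-anchor={same_trust_anchor(ee, signer, DIRECTORY)!s:5s} "
              f"path-CA-issued={issued_by_path_ca(ee, signer, DIRECTORY)!s:5s} "
              f"issuing-CA-itself={signed_by_issuing_ca(ee, signer)!s:5s} "
              f"cousin-degree={cousin_degree(ee, signer, DIRECTORY)}")
```

Running it shows the distinction the message draws: the second-cousin signer (issued by CA-B1) passes the same-trust-anchor check but fails the proposed path-CA rule, while a hierarchical superior (CA-A signing the CRL with its own key) passes the proposed rule yet would be rejected by the strict issuing-CA-only rule.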