Re: Son of RFC3280 path validation rules
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 20 October 2006 12:45 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gatkm-00066F-DK for pkix-archive@lists.ietf.org; Fri, 20 Oct 2006 08:45:36 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gatkj-0007xQ-Vy for pkix-archive@lists.ietf.org; Fri, 20 Oct 2006 08:45:36 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k9KBcJ6b096434; Fri, 20 Oct 2006 04:38:19 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k9KBcJNf096433; Fri, 20 Oct 2006 04:38:19 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from imx2.tcd.ie (wpad.iss.tcd.ie [134.226.1.156]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k9KBcHTw096425 for <ietf-pkix@imc.org>; Fri, 20 Oct 2006 04:38:18 -0700 (MST) (envelope-from stephen.farrell@cs.tcd.ie)
Received: from Vams.imx2 (imx2.tcd.ie [134.226.1.156]) by imx2.tcd.ie (Postfix) with SMTP id 3EB7E6804A; Fri, 20 Oct 2006 12:38:12 +0100 (IST)
Received: from imx2.tcd.ie ([134.226.1.156]) by imx2.tcd.ie ([134.226.1.156]) with SMTP (gateway) id A02BA83B6BD; Fri, 20 Oct 2006 12:38:12 +0100
Received: from [127.0.0.1] (unknown [134.226.144.16]) by imx2.tcd.ie (Postfix) with ESMTP id 38E346804A; Fri, 20 Oct 2006 12:38:12 +0100 (IST)
Message-ID: <4538B552.7030708@cs.tcd.ie>
Date: Fri, 20 Oct 2006 12:38:58 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
MIME-Version: 1.0
To: Santosh Chokhani <chokhani@orionsec.com>
Cc: Denis Pinkas <denis.pinkas@bull.net>, ietf-pkix@imc.org
Subject: Re: Son of RFC3280 path validation rules
References: <82D5657AE1F54347A734BDD33637C879051344C6@EXVS01.ex.dslextreme.net>
In-Reply-To: <82D5657AE1F54347A734BDD33637C879051344C6@EXVS01.ex.dslextreme.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiVirus-Status: MessageID = A12BA83B6BD
X-AntiVirus-Status: Host: imx2.tcd.ie
X-AntiVirus-Status: Action Taken:
X-AntiVirus-Status: NONE
X-AntiVirus-Status: Checked by TCD Vexira. (version=1.56.3 VDF=8.1366)
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: e8a67952aa972b528dd04570d58ad8fe
Hi Santosh, That's true. What I meant however, was an I-D. If no-one wants to write one then maybe this isn't actually such a pressing problem. S. Santosh Chokhani wrote: > Steve, > > Text has already been written and briefed to the PKIX group as early as > November 2004. See the slides and minutes from Nov 2004 IETF in > Washington DC > > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] > On Behalf Of Stephen Farrell > Sent: Friday, October 20, 2006 5:44 AM > To: Denis Pinkas > Cc: ietf-pkix@imc.org > Subject: Re: Son of RFC3280 path validation rules > > > > Hi Denis, > > Denis Pinkas wrote: > >> ...the sentence : "The trust anchor for the certification path >> MUST be the same as the trust anchor used to validate the target > certificate" does not allow >> to address the cases where: > > As it happens I disagree with you but that was done to death on the > list before I think. > >> a) two CAs in different branches of a certification tree would > have the same DN, and >> b) two CAs in different trees of a certification forest would > have the same DN. >> Dave, the text of son-of-RFC328 is currently insufficient to enable > secure implementations. > > That strikes me as a wild overstatement almost akin to saying that > we should spend forever figuring out how to handle cases where two > CAs end up with the same private key and never mind making any > progress in the meantime. > > I think the current text is fine, an improvement on 3280, and well > worth proceeding with. > > I suggest that you write up a separate document that says how to > handle the corner cases above. > > Stephen. > > > > >
- Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Denis Pinkas
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Peter Sylvester
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Denis Pinkas
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Stephen Farrell
- RE: Son of RFC3280 path validation rules Michael Myers
- Re: Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Stephen Farrell
- RE: Son of RFC3280 path validation rules Michael Myers
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- Re: Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Julien Stern