Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
"Black, David" <david.black@emc.com> Fri, 29 March 2013 18:18 UTC
Return-Path: <david.black@emc.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87B0121F8717; Fri, 29 Mar 2013 11:18:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5TPjqX+uyPN0; Fri, 29 Mar 2013 11:18:16 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id CBADA21F867A; Fri, 29 Mar 2013 11:18:15 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2TIHwNC011544 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 29 Mar 2013 14:17:59 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Fri, 29 Mar 2013 14:17:42 -0400
Received: from mxhub28.corp.emc.com (mxhub28.corp.emc.com [10.254.110.184]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2TIHcAC011111; Fri, 29 Mar 2013 14:17:40 -0400
Received: from mxhub38.corp.emc.com (128.222.70.105) by mxhub28.corp.emc.com (10.254.110.184) with Microsoft SMTP Server (TLS) id 8.3.297.1; Fri, 29 Mar 2013 14:17:40 -0400
Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub38.corp.emc.com ([128.222.70.105]) with mapi; Fri, 29 Mar 2013 14:17:40 -0400
From: "Black, David" <david.black@emc.com>
To: Piyush Jain <piyush@ditenity.com>, 'Stefan Santesson' <stefan@aaa-sec.com>, "sts@aaa-sec.com" <sts@aaa-sec.com>, "mmyers@fastq.com" <mmyers@fastq.com>, "ambarish@gmail.com" <ambarish@gmail.com>, "slava.galperin@gmail.com" <slava.galperin@gmail.com>, "cadams@eecs.uottawa.ca" <cadams@eecs.uottawa.ca>, "gen-art@ietf.org" <gen-art@ietf.org>
Date: Fri, 29 Mar 2013 14:17:38 -0400
Thread-Topic: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
Thread-Index: AQFaQn1rWGWmOJQLB6oJfMxBH8dluJmktKLggAAW9QA=
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71293D36BC5@MX15A.corp.emc.com>
References: <00fc01ce2c98$ddc41770$994c4650$@ditenity.com> <CD7B80C0.5F100%stefan@aaa-sec.com> <012f01ce2ca0$9eaf4840$dc0dd8c0$@ditenity.com>
In-Reply-To: <012f01ce2ca0$9eaf4840$dc0dd8c0$@ditenity.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
X-Mailman-Approved-At: Mon, 01 Apr 2013 06:59:13 -0700
Cc: "pkix@ietf.org" <pkix@ietf.org>, "Black, David" <david.black@emc.com>
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2013 18:18:16 -0000
Hi Piyush, The usual backwards compatibility concern is mixed new/legacy deployments. In this case, the specifics appear to be: New clients with legacy servers cannot expect to see "revoked" in this case. This matters because a hypothetical client coded to depend on a "revoked" response in this case won't work correctly with legacy servers (even though it'd be rather questionable to code that dependency into a new client - never underestimate the creativity and cleverness of implementers). New servers with legacy clients risk breaking clients that can't cope with "revoked" in this case, as you noted: >>> any other approach would break backward compatibility with >>> legacy clients. Both of these are justifications for "optional", as these RFCs apply to both clients and servers. Thanks, --David > -----Original Message----- > From: Piyush Jain [mailto:piyush@ditenity.com] > Sent: Friday, March 29, 2013 1:13 PM > To: 'Stefan Santesson'; Black, David; sts@aaa-sec.com; mmyers@fastq.com; > ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen- > art@ietf.org > Cc: pkix@ietf.org > Subject: RE: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > Not arguing that it should be required. I'm with you on keeping it optional. > > It is your statement about backward compatibility to justify it that is > incorrect. > Backward compatibility "with deployments of RFC2560" is not affected in > either case. Legacy clients will continue to work whether you make it > required or optional. > > You probably meant "maintain compliance with RFC 2560 and RFC 5019." > > -Piyush > > > -----Original Message----- > > From: Stefan Santesson [mailto:stefan@aaa-sec.com] > > Sent: Friday, March 29, 2013 9:37 AM > > To: Piyush Jain; 'Black, David'; sts@aaa-sec.com; mmyers@fastq.com; > > ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca; > > gen-art@ietf.org > > Cc: pkix@ietf.org; ietf@ietf.org > > Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > > > On 3/29/13 5:17 PM, "Piyush Jain" <piyush@ditenity.com> wrote: > > > > >' "revoked" status is still optional in this context in order to > > >maintain backwards compatibility with deployments of RFC 2560.' > > > > > >I fail to understand this statement about backward compatibility. > > >How does "revoked" being "optional/required breaks backward > > compatibility? > > >The only reason cited in the WG discussions to use revoked for > > >"not-issued" > > >was that any other approach would break backward compatibility with > > >legacy clients. And now the draft says that revoked is optional because > > >making it required won't be backward compatible. > > > > Yes. Making it required would prohibit other valid ways to respond to this > > situation that is allowed by RFC 2560 and RFC 5019. > > Such as responding "good" or responding with "unauthorized" error. > > > > > > > >And it gives the impression that best course of action for 2560bis > > >responders is to start issuing revoked for "not-issued", which is far > > >from the originally stated goal to provide a way for CAs to be able to > > >return revoked for such serial numbers. > > > > The latter is what optional means. > > > > /Stefan > > > >
- [pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- [pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Sean Turner
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson