Problem with draft-turner-caclearanceconstraints-02.txt
Stefan Santesson <stefan@aaa-sec.com> Thu, 02 April 2009 12:33 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4F7463A684B for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 2 Apr 2009 05:33:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.923
X-Spam-Level:
X-Spam-Status: No, score=-0.923 tagged_above=-999 required=5 tests=[AWL=-0.071, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xOv0s+gwDvAC for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 2 Apr 2009 05:33:38 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id E64AF3A683D for <pkix-archive@ietf.org>; Thu, 2 Apr 2009 05:33:36 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n32CAnLb084468 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 2 Apr 2009 05:10:49 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n32CAnqr084467; Thu, 2 Apr 2009 05:10:49 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from s87.loopia.se (s87.loopia.se [194.9.95.112]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n32CAk2l084448 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-pkix@imc.org>; Thu, 2 Apr 2009 05:10:48 -0700 (MST) (envelope-from stefan@aaa-sec.com)
Received: (qmail 28396 invoked from network); 2 Apr 2009 12:10:49 -0000
Received: from s34.loopia.se (HELO s24.loopia.se) ([194.9.94.70]) (envelope-sender <stefan@aaa-sec.com>) by s87.loopia.se (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for <ietf-pkix@imc.org>; 2 Apr 2009 12:10:49 -0000
Received: (qmail 41732 invoked from network); 2 Apr 2009 12:10:45 -0000
Received: from 90-229-233-249-no153.tbcn.telia.com (HELO [192.168.0.17]) (stefan@fiddler.nu@[90.229.233.249]) (envelope-sender <stefan@aaa-sec.com>) by s24.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <ietf-pkix@imc.org>; 2 Apr 2009 12:10:45 -0000
User-Agent: Microsoft-Entourage/12.15.0.081119
Date: Thu, 02 Apr 2009 14:10:44 +0200
Subject: Problem with draft-turner-caclearanceconstraints-02.txt
From: Stefan Santesson <stefan@aaa-sec.com>
To: IETF-pkix <ietf-pkix@imc.org>
Message-ID: <C5FA77E4.1393%stefan@aaa-sec.com>
Thread-Topic: Problem with draft-turner-caclearanceconstraints-02.txt
Thread-Index: AcmzjAxNtzBfJ61Ws0OScv3P3Q+ASg==
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3321526245_11855927"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I found a problem with draft-turner-caclearanceconstraints-02.txt Section 4.1.1. Certification Path Processing states When processing Authority Clearance Constraints certificate extension for the purposes of validating Clearance attribute in the end certificate, PKC, the processing described in this section or an equivalent algorithm MUST be included in the certification path validation. It is problematic, and unnecessary to require ca clearance constraints processing to be ³included² in certification path validation. None of the clearance constraints information is needed to determine the validity of the certificate, and as such it does not be processed as an integrated process. It would be perfectly valid for an application who choose to rely on the clearance information, to process clearance constraints as a post process, i.e. after path validation is completed. A requirement to integrate caclearance constraints into path validation would make this a lot harder to implement as it would require modification to core security components. Stefan Santesson AAA-sec.com
- Problem with draft-turner-caclearanceconstraints-… Stefan Santesson
- Re: Problem with draft-ietf-pkix-authorityclearan… Stefan Santesson
- RE: Problem with draft-ietf-pkix-authorityclearan… Santosh Chokhani