Re: CPS Pointer
Paul Hoffman / IMC <phoffman@imc.org> Tue, 01 May 2001 01:15 UTC
Received: from above.proper.com ([208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id VAA29671 for <pkix-archive@odin.ietf.org>; Mon, 30 Apr 2001 21:15:19 -0400 (EDT)
Received: from localhost by above.proper.com (8.9.3/8.9.3) with SMTP id SAA02373; Mon, 30 Apr 2001 18:14:39 -0700 (PDT)
Received: by mail.imc.org (bulk_mailer v1.12); Mon, 30 Apr 2001 18:14:24 -0700
Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA02298; Mon, 30 Apr 2001 18:14:21 -0700 (PDT)
Mime-Version: 1.0
X-Sender: phoffman@mail.imc.org
Message-Id: <p05100343b71397f1c8c4@[165.227.249.20]>
In-Reply-To: <5.0.1.4.2.20010430142758.01bacbe8@exna07.securitydynamics.com>
References: <5.0.1.4.2.20010430142758.01bacbe8@exna07.securitydynamics.com>
Date: Mon, 30 Apr 2001 15:40:04 -0700
To: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org
From: Paul Hoffman / IMC <phoffman@imc.org>
Subject: Re: CPS Pointer
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
At 2:32 PM -0400 4/30/01, Housley, Russ wrote: >Trevor Freeman noticed we don't have any guidelines for what forms >of URI are supported with the CPS Pointer. Presently, we say: > > The CPS Pointer qualifier contains a pointer to a Certification > Practice Statement (CPS) published by the CA. The pointer is in the > form of a URI. Processing requirements for this qualifier are a > local matter. No action is mandated by this specification regardless > of the criticality value asserted for the extension. > >So, we are not mandating any behavior on the client. Nor should we. The "client" might be offline, such as a mail user agent that uses S/MIME. The "client" might have no user interface for certificates, such as an IPsec box. Let's be realistic: will the end user reading the CPS affect the actions in more that 0.000001% of PKI transactions? If a user has already loaded a root cert, there is essentially no chance that they will read a CPS after the fact. I propose that you don't change anything. --Paul Hoffman, Director --Internet Mail Consortium Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by above.proper.com (8.9.3/8.9.3) with ESMTP id XAA21041 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 23:32:50 -0700 (PDT) Received: from [38.29.132.63] ([38.29.132.63]) by hawk.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id XAA23700; Mon, 30 Apr 2001 23:32:00 -0700 (PDT) Mime-Version: 1.0 X-Sender: hoytkesterson@mail.earthlink.net Message-Id: <a05001904b71403d1e953@[38.29.132.63]> Date: Mon, 30 Apr 2001 23:31:38 -0700 To: OSI Directory List <OSIdirectory@az05.bull.com>, "X.509":; From: "Hoyt L. Kesterson II" <hoytkesterson@earthlink.net> Subject: Defect resolution for X.509 Content-Type: text/plain; charset="us-ascii" ; format="flowed" Hello A new defect, DR 279, to X.509/9594-8 has been posted in pdf on the server at ftp://ftp.bull.com/pub/OSIdirectory/DefectResolution/DefectReports/X.509andRelated/DR_279Rev1.pdf The proposed resolutions for this defect and others have been incorporated into two Draft Technical Corrigenda and submitted to ISO/IEC SC6 for ballot. The following URL points to Draft Technical Corrigenda 10 for the third edition (1997) of 9594-8 ftp://ftp.bull.com/pub/OSIdirectory/DefectResolution/DraftTechnicalCorrigenda/8-DTC10%283rd%29.doc The following URL points to Draft Technical Corrigenda 2 for the fourth edition (2000) of 9594-8 ftp://ftp.bull.com/pub/OSIdirectory/DefectResolution/DraftTechnicalCorrigenda/8-DTC2%284th%29.doc The ballot period for a DTC ballot is normally three months. National Bodies and Liaison Organizations may submit comments on these DTCs. Note that comments cannot come directly from individuals but must come as contributions from the organizations themselves. please vote early and often hoyt Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA02298; Mon, 30 Apr 2001 18:14:21 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p05100343b71397f1c8c4@[165.227.249.20]> In-Reply-To: <5.0.1.4.2.20010430142758.01bacbe8@exna07.securitydynamics.com> References: <5.0.1.4.2.20010430142758.01bacbe8@exna07.securitydynamics.com> Date: Mon, 30 Apr 2001 15:40:04 -0700 To: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: CPS Pointer Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 2:32 PM -0400 4/30/01, Housley, Russ wrote: >Trevor Freeman noticed we don't have any guidelines for what forms >of URI are supported with the CPS Pointer. Presently, we say: > > The CPS Pointer qualifier contains a pointer to a Certification > Practice Statement (CPS) published by the CA. The pointer is in the > form of a URI. Processing requirements for this qualifier are a > local matter. No action is mandated by this specification regardless > of the criticality value asserted for the extension. > >So, we are not mandating any behavior on the client. Nor should we. The "client" might be offline, such as a mail user agent that uses S/MIME. The "client" might have no user interface for certificates, such as an IPsec box. Let's be realistic: will the end user reading the CPS affect the actions in more that 0.000001% of PKI transactions? If a user has already loaded a root cert, there is essentially no chance that they will read a CPS after the fact. I propose that you don't change anything. --Paul Hoffman, Director --Internet Mail Consortium Received: from indy.gradient.com (root@indy.gradient.com [192.92.110.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA20180 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 14:52:09 -0700 (PDT) Received: from bigbird.gradient.com (bigbird.gradient.com [192.92.110.50]) by indy.gradient.com (8.9.1a/8.9.1) with ESMTP id RAA02946; Mon, 30 Apr 2001 17:52:09 -0400 (EDT) Received: by bigbird.gradient.com with Internet Mail Service (5.5.2650.10) id <2YBR63H4>; Mon, 30 Apr 2001 17:57:31 -0400 Message-ID: <899128A30EEDD1118FC900A0C9C74A34BA9775@bigbird.gradient.com> From: Hal Lockhart <hal.lockhart@entegrity.com> To: "'Bob Jueneman'" <bjueneman@novell.com>, schaen@mitre.org, "'David A. Cooper'" <david.cooper@nist.gov> Cc: ietf-pkix@imc.org, tim.polk@nist.gov Subject: RE: delta CRL security considerations Date: Mon, 30 Apr 2001 17:56:38 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.10) Content-Type: text/plain; charset="iso-8859-1" This might be the time to mention a slightly different point about delta CRLs and bandwidth. In David Cooper's paper, he assumes that the metric to be optimized is peak bandwidth. While this is probably correct for many or most organizations, it is at least possible that some will want to optimize aggregate bandwidth. (For example, if you pay by the byte.) Almost any use of delta CRLs will reduce this. Hal > -----Original Message----- > From: Bob Jueneman [mailto:bjueneman@novell.com] > Sent: Monday, April 30, 2001 4:53 PM > To: schaen@mitre.org > Cc: ietf-pkix@imc.org; tim.polk@nist.gov > Subject: Re: delta CRL security considerations > > > Sam, I agree completely. Maybe I fell into a semantic trap > by seeming to imply that "publish" meant "push all the way > out to every user, whether they want them or not." That > wasn't my intent. By "publish" I meant "make available in a > directory to anyone who looks there." > > In most cases, the distance between the CA and a standard > repository or directory is probably measured in meters, so > that bandwidth is not much of a concern. But the bandwidth > consumed by all of the users, and especially those that may > be at sea or otherwise have only limited communications > facilities available to them, is very much a concern. > > Bob > > >>> Sam Schaen <schaen@mitre.org> 04/30/01 02:41PM >>> > > > Bob Jueneman wrote: > > > Tim, > > > > Publishing a full CRL every time a delta is published does > seem to negate most of the benefit of the delta CRL approach. > > > > I just wanted to dispute the above statement. We [DOD] have > an architecture in which the CAs and Directories are > connected either by high speed LAN or ATM network. We're not > as concerned about the bandwidth cost of pushing the full > CRLs to the directory as the total bandwidth from all the end > entities fetching CRLs from the directory. To the extent > that end-entities can make use of delta CRLs > instead of full CRLs, we think there would be an advantage in > our environment. Clearly there will be other environments > that would be concerned with the cost of publishing the full CRL. > > [snip] > > > Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA15164 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 13:53:33 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Mon, 30 Apr 2001 14:53:00 -0600 Message-Id: <saed7c4c.073@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Mon, 30 Apr 2001 14:52:59 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <schaen@mitre.org> Cc: <ietf-pkix@imc.org>, <tim.polk@nist.gov> Subject: Re: delta CRL security considerations Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id NAA15166 Sam, I agree completely. Maybe I fell into a semantic trap by seeming to imply that "publish" meant "push all the way out to every user, whether they want them or not." That wasn't my intent. By "publish" I meant "make available in a directory to anyone who looks there." In most cases, the distance between the CA and a standard repository or directory is probably measured in meters, so that bandwidth is not much of a concern. But the bandwidth consumed by all of the users, and especially those that may be at sea or otherwise have only limited communications facilities available to them, is very much a concern. Bob >>> Sam Schaen <schaen@mitre.org> 04/30/01 02:41PM >>> Bob Jueneman wrote: > Tim, > > Publishing a full CRL every time a delta is published does seem to negate most of the benefit of the delta CRL approach. > I just wanted to dispute the above statement. We [DOD] have an architecture in which the CAs and Directories are connected either by high speed LAN or ATM network. We're not as concerned about the bandwidth cost of pushing the full CRLs to the directory as the total bandwidth from all the end entities fetching CRLs from the directory. To the extent that end-entities can make use of delta CRLs instead of full CRLs, we think there would be an advantage in our environment. Clearly there will be other environments that would be concerned with the cost of publishing the full CRL. [snip] Received: from smtpproxy2.mitre.org (smtpproxy2.mitre.org [128.29.154.90]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA14234 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 13:42:24 -0700 (PDT) Received: from avsrv2.mitre.org (avsrv2.mitre.org [128.29.154.4]) by smtpproxy2.mitre.org (8.9.3/8.9.3) with ESMTP id QAA12138; Mon, 30 Apr 2001 16:41:48 -0400 (EDT) Received: from MAILHUB2 (mailhub2.mitre.org [129.83.221.18]) by smtpsrv2.mitre.org (8.9.3/8.9.3) with ESMTP id QAA27771; Mon, 30 Apr 2001 16:41:47 -0400 (EDT) Received: from schaen-pc.mitre.org (128.29.162.49) by mailhub2.mitre.org with SMTP id 6495061; Mon, 30 Apr 2001 16:41:44 -0400 Message-ID: <3AEDCDF9.B095F828@mitre.org> Date: Mon, 30 Apr 2001 16:41:29 -0400 From: Sam Schaen <schaen@mitre.org> Organization: The MITRE Corporation X-Mailer: Mozilla 4.76 [en]C-20010313M (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Bob Jueneman <bjueneman@novell.com> CC: ietf-pkix@imc.org, tim.polk@nist.gov Subject: Re: delta CRL security considerations References: <saed46a7.069@prv-mail20.provo.novell.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Bob Jueneman wrote: > Tim, > > Publishing a full CRL every time a delta is published does seem to negate most of the benefit of the delta CRL approach. > I just wanted to dispute the above statement. We [DOD] have an architecture in which the CAs and Directories are connected either by high speed LAN or ATM network. We're not as concerned about the bandwidth cost of pushing the full CRLs to the directory as the total bandwidth from all the end entities fetching CRLs from the directory. To the extent that end-entities can make use of delta CRLs instead of full CRLs, we think there would be an advantage in our environment. Clearly there will be other environments that would be concerned with the cost of publishing the full CRL. [snip] Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA12360 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 13:17:06 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id QAA375016; Mon, 30 Apr 2001 16:14:57 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id QAA57752; Mon, 30 Apr 2001 16:11:20 -0400 Importance: Normal Subject: RE: keyCertSign and cRLSign Key Usage Bits To: "Housley, Russ" <rhousley@rsasecurity.com> Cc: Sharon Boeyen <sharon.boeyen@entrust.com>, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF75E85A19.C21BBC49-ON85256A3E.006EBA8E@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Mon, 30 Apr 2001 16:16:29 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 04/30/2001 04:16:26 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii My reasoning is somewhat different, but I agree with Russ that in the case where the CRL Signing certificate has the same subject name as the issuing certificate for the certificates in the CRL the CRL signing certificate is part of the core CA functionality and belongs in the caCertificate attribute. When the subject names match, it is probably easiest to think of the two certificates as owned by separate modules within the CA. This does not dispose of the signer of an AA's CRL, nor of the case where the CA assigns a differently named entity to sign CRL's for it. Tom Gindin "Housley, Russ" <rhousley@rsasecurity.com> on 04/30/2001 03:21:13 PM To: Sharon Boeyen <sharon.boeyen@entrust.com> cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Sharon: In my view, certificates that contain public keys used to verify signatures on certificates or CRLs belong to CAs, thus they belong in the cACertificate attribute. Russ At 10:41 AM 4/26/2001 -0400, Sharon Boeyen wrote: >That raises another point - if we modify all this "stuff" to allow >entities other than authorities to sign CRLs, where would those >certificates be stored? The subjects aren't CAs so they don't really >belong in either of these attributes. Inventing another attribute and >object class isn't very attractive either. Thoughts? Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA11492 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 13:08:34 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 30 Apr 2001 20:08:28 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA25013 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 16:08:35 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NS7KH>; Mon, 30 Apr 2001 16:08:34 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.3]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NS7KF; Mon, 30 Apr 2001 16:08:28 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010430160717.01ba1f68@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 30 Apr 2001 16:08:20 -0400 Subject: Re: Dedicated CRL signing keys In-Reply-To: <200104301554.LAA11625@stingray.missi.ncsc.mil> References: <5.0.1.4.2.20010427085811.01af8ab8@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Dave: The current text supports your position. That is, CAs MAY use separate keys, and applications SHOULD be able to handle it. Russ = = = = = = = = = = = 5.1.1.3 signatureValue The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertList. The ASN.1 DER encoded tbsCertList is used as the input to the signature function. This signature value is then ASN.1 encoded as a BIT STRING and included in the CRL's signatureValue field. The details of this process are specified for each of the supported algorithms in [PKIXALGS]. CAs MAY use one private key to digitally sign certificates and CRLs, or CAs MAY use separate private keys to digitally sign certificates and CRLs. When separate private keys are employed, each of the public keys associated with these private keys is placed in a separate certificate, one with the keyCertSign bit set in the key usage extension, and one with the cRLSign bit set in the key usage extension (see sec. 4.2.1.3). When separate private keys are employed, certificates issued by the CA contain one authority key identifier, and the corresponding CRLs contain a different authority key identifier. The use of separate CA certificates for validation of certificate signatures and CRL signatures can offer improved security characteristics; however, it imposes a burden on applications, and it might limit interoperability. Many applications construct a certification path, and then validate the certification path (see sec. 6). CRL checking in turn requires a separate certification path to be constructed and validated for the CA's CRL signature validation certificate. Applications that perform CRL checking MUST support certification path validation when certificates and CRLs are digitally signed with the same CA private key. These applications SHOULD support certification path validation when certificates and CRLs are digitally signed with different CA private keys. At 11:52 AM 4/30/2001 -0400, David P. Kemp wrote: >If certificate-using applications MAY handle CRLs signed by a different key >than the certificates, then CAs have no real ability to exercise that option. > >I believe: > >Certificate-using applications SHOULD handle CRLs signed by a different key >than the certificates. > >Dave > > > >"Housley, Russ" wrote: > > Yes. So, I guess we agree. > > > > At 04:47 PM 4/26/2001 -0400, Santosh Chokhani wrote: > > > Russ: Will a CA that signs the certificates and CRLs using different > keys, > > > but same Issuer DN be considered compliant? If yes, then we agree. > > > > > > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > > > > Certificate-using applications must be able to handle certificates > and CRLs > > > > signed by the same key. Certificate-using applications may handle CRLs > > > > signed by a different key than the certificates. > > > > > > > > If you agree with this position, then we agree. > > > > > > > > Russ Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA10903 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 13:03:21 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <J432YBX7>; Mon, 30 Apr 2001 16:02:50 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA4005@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Housley, Russ'" <rhousley@rsasecurity.com>, Sharon Boeyen <sharon.boeyen@entrust.com> Cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Mon, 30 Apr 2001 15:56:44 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D1AF.AEE10B80" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D1AF.AEE10B80 Content-Type: text/plain >From recent exchanges on the list, I'm less convinced that we need to push a defect report against 509 on this topic right now. If we want to loosen some of the language in 509 we can do that through the regular process of new work. From your last few messages, I suspect things will be ok that way. If not let Hoyt and I know and we'll resurrect the defect. Thanks Sharon > -----Original Message----- > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > Sent: Monday, April 30, 2001 3:21 PM > To: Sharon Boeyen > Cc: ietf-pkix@imc.org > Subject: RE: keyCertSign and cRLSign Key Usage Bits > > > Sharon: > > In my view, certificates that contain public keys used to > verify signatures > on certificates or CRLs belong to CAs, thus they belong in the > cACertificate attribute. > > Russ > > At 10:41 AM 4/26/2001 -0400, Sharon Boeyen wrote: > >That raises another point - if we modify all this "stuff" to allow > >entities other than authorities to sign CRLs, where would those > >certificates be stored? The subjects aren't CAs so they don't really > >belong in either of these attributes. Inventing another > attribute and > >object class isn't very attractive either. Thoughts? > ------_=_NextPart_001_01C0D1AF.AEE10B80 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: keyCertSign and cRLSign Key Usage Bits</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>From recent exchanges on the list, I'm less convinced that we need to push </FONT> <BR><FONT SIZE=2>a defect report against 509 on this topic right now. If we want to loosen </FONT> <BR><FONT SIZE=2>some of the language in 509 we can do that through the regular process of new</FONT> <BR><FONT SIZE=2>work. From your last few messages, I suspect things will be ok that way. If </FONT> <BR><FONT SIZE=2>not let Hoyt and I know and we'll resurrect the defect.</FONT> </P> <P><FONT SIZE=2>Thanks</FONT> <BR><FONT SIZE=2>Sharon </FONT> </P> <BR> <P><FONT SIZE=2>> -----Original Message-----</FONT> <BR><FONT SIZE=2>> From: Housley, Russ [<A HREF="mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</A>]</FONT> <BR><FONT SIZE=2>> Sent: Monday, April 30, 2001 3:21 PM</FONT> <BR><FONT SIZE=2>> To: Sharon Boeyen</FONT> <BR><FONT SIZE=2>> Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> Subject: RE: keyCertSign and cRLSign Key Usage Bits</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Sharon:</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> In my view, certificates that contain public keys used to </FONT> <BR><FONT SIZE=2>> verify signatures </FONT> <BR><FONT SIZE=2>> on certificates or CRLs belong to CAs, thus they belong in the </FONT> <BR><FONT SIZE=2>> cACertificate attribute.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Russ</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> At 10:41 AM 4/26/2001 -0400, Sharon Boeyen wrote:</FONT> <BR><FONT SIZE=2>> >That raises another point - if we modify all this "stuff" to allow </FONT> <BR><FONT SIZE=2>> >entities other than authorities to sign CRLs, where would those </FONT> <BR><FONT SIZE=2>> >certificates be stored? The subjects aren't CAs so they don't really </FONT> <BR><FONT SIZE=2>> >belong in either of these attributes. Inventing another </FONT> <BR><FONT SIZE=2>> attribute and </FONT> <BR><FONT SIZE=2>> >object class isn't very attractive either. Thoughts?</FONT> <BR><FONT SIZE=2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D1AF.AEE10B80-- Received: from nebula.x509.com (nebula.x509.com [199.175.150.19]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA09708 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 12:52:15 -0700 (PDT) Received: from crack.x509.com (crack.x509.com [199.175.150.1]) by nebula.x509.com (8.11.3/XCERT) with ESMTP id f3UJpib22367 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 12:51:44 -0700 (PDT) Received: from exvan01.x509.com (exvan01.x509.com [10.9.22.50]) by crack.x509.com (8.11.3/XCERT) with ESMTP id f3UJpih11989 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 12:51:44 -0700 (PDT) Received: by exvan01.x509.com with Internet Mail Service (5.5.2653.19) id <JXS703M1>; Mon, 30 Apr 2001 12:51:56 -0700 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.92]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NS68S; Mon, 30 Apr 2001 15:49:40 -0400 Message-Id: <5.0.1.4.2.20010430142758.01bacbe8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 30 Apr 2001 14:32:27 -0400 To: ietf-pkix@imc.org From: "Housley, Russ" <rhousley@rsasecurity.com> Subject: CPS Pointer Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Trevor Freeman noticed we don't have any guidelines for what forms of URI are supported with the CPS Pointer. Presently, we say: The CPS Pointer qualifier contains a pointer to a Certification Practice Statement (CPS) published by the CA. The pointer is in the form of a URI. Processing requirements for this qualifier are a local matter. No action is mandated by this specification regardless of the criticality value asserted for the extension. So, we are not mandating any behavior on the client. Perhaps we should say something about the CA. Trevor suggests that HTTP and FTP forms of URI are sufficient. Does anyone see any reason to support other protocols for CPS fetching? Russ Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id MAA09516 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 12:49:57 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 30 Apr 2001 19:49:50 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id PAA23414 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 15:49:56 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NS69A>; Mon, 30 Apr 2001 15:49:56 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.92]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NS68W; Mon, 30 Apr 2001 15:49:43 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Sharon Boeyen <sharon.boeyen@entrust.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010430151923.01bc9b80@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 30 Apr 2001 15:21:13 -0400 Subject: RE: keyCertSign and cRLSign Key Usage Bits In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FD6@sottmxs09.entrust .com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sharon: In my view, certificates that contain public keys used to verify signatures on certificates or CRLs belong to CAs, thus they belong in the cACertificate attribute. Russ At 10:41 AM 4/26/2001 -0400, Sharon Boeyen wrote: >That raises another point - if we modify all this "stuff" to allow >entities other than authorities to sign CRLs, where would those >certificates be stored? The subjects aren't CAs so they don't really >belong in either of these attributes. Inventing another attribute and >object class isn't very attractive either. Thoughts? Received: from mail5.microsoft.com (mail5.microsoft.com [131.107.3.121]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA06047 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 11:10:32 -0700 (PDT) Received: from 157.54.1.52 by mail5.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 30 Apr 2001 10:45:41 -0700 (Pacific Daylight Time) Received: from red-imc-02.redmond.corp.microsoft.com ([157.54.9.107]) by inet-imc-06.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Mon, 30 Apr 2001 10:45:45 -0700 Received: from win-imc-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.39]) by red-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Mon, 30 Apr 2001 10:45:32 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-01.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Mon, 30 Apr 2001 10:45:23 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Dedicated CRL signing keys Date: Mon, 30 Apr 2001 10:45:22 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD689510@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Dedicated CRL signing keys Thread-Index: AcDRjiuM9kZ3CvNDQ1m/cqxLcetmeAADdDLA From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 30 Apr 2001 17:45:23.0297 (UTC) FILETIME=[55070D10:01C0D19D] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id LAA06049 I prefer the statement as is. Changing the may to a should does not get the CAs off the hook. A CA has to make a decision as to what expectations it has for the certificate consuming population of clients it suports. A should is not a must, so this means that conformant clients are not mandated to support CRLs signed with different keys. Vendors thinking of implementing X.509 technology in constrained devices will start looking at alternatives if the bar is set to high for conformant client. Trevor -----Original Message----- From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] Sent: Monday, April 30, 2001 8:53 AM To: ietf-pkix@imc.org Subject: Re: Dedicated CRL signing keys If certificate-using applications MAY handle CRLs signed by a different key than the certificates, then CAs have no real ability to exercise that option. I believe: Certificate-using applications SHOULD handle CRLs signed by a different key than the certificates. Dave "Housley, Russ" wrote: > Yes. So, I guess we agree. > > At 04:47 PM 4/26/2001 -0400, Santosh Chokhani wrote: > > Russ: Will a CA that signs the certificates and CRLs using different keys, > > but same Issuer DN be considered compliant? If yes, then we agree. > > > > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > > > Certificate-using applications must be able to handle certificates and CRLs > > > signed by the same key. Certificate-using applications may handle CRLs > > > signed by a different key than the certificates. > > > > > > If you agree with this position, then we agree. > > > > > > Russ Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA01768 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 10:04:46 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Mon, 30 Apr 2001 11:04:07 -0600 Message-Id: <saed46a7.069@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Mon, 30 Apr 2001 11:03:54 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ietf-pkix@imc.org>, <tim.polk@nist.gov> Subject: Re: delta CRL security considerations Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id KAA01770 Tim, Publishing a full CRL every time a delta is published does seem to negate most of the benefit of the delta CRL approach. But realistically, probably 90% or more of certificate revocations will be for relatively benign reasons -- someone changed their name, address, department, or even the organization they work for -- but their keys have not been compromised. Without falling into the nonrepudiation tar pit, it may be worth observing that in virtually all of those cases, the individual involved is still liable for whatever they might have been liable for before their status changed, UNLESS there was a change in the extent to which an individual was acting as an authorized agent of the organization, e.g., a purchasing agent or an officer of the company. You might want to consider adding something to the security considerations section that recommends that a full CRL be published along with a delta for any revocations for cause, such as key compromise or change or agency. For the rest of the revocations, presumably it will be sufficient to wait until the next regularly scheduled CRL, whenever that is. I'm not terribly concerned about minimally compliant relying party software. Anyone who is using certificates for any important purpose, as opposed to say casual e-mail or routine SSL server certificates, will almost certainly not use such minimally compliant software. Bob Robert R. Jueneman Security Architect Novell, Inc -- the leading provider of Net services software >>> Tim Polk <tim.polk@nist.gov> 04/27/01 02:39PM >>> Folks, It appears that the WG consensus is to remove the requirement for publication of full CRLs with every delta CRL from son-of-2459. As a result, there is a possibility that minimally compliant PKI clients will not have the same information provided to clients that process delta CRLs. It seems appropriate to note this fact in the security considerations section. We are proposing insertion of four new sentences into the paragraph on revocation. I have supplied the entire paragraph here. The new text begins and ends with two asterisks. -------- excerpt from security considerations ---- The availability and freshness of revocation information will affect the degree of assurance that ought to be placed in a certificate. While certificates expire naturally, events may occur during its natural lifetime which negate the binding between the subject and public key. If revocation information is untimely or unavailable, the assurance associated with the binding is clearly reduced. **Relying parties might not be able to process every critical extension that can appear in a CRL. CAs SHOULD take extra care when making revocation information available only through CRLs that contain critical extensions, particularly if support for those extensions is not mandated by this profile. For example, if revocation information is supplied using a combination of delta CRLs and full CRLs, and the delta CRLs are issued more frequently than the full CRLs, then relying parties that cannot handle the critical extensions related to delta CRL processing will not be able to obtain the most recent revocation information. Alternatively, if a full CRL is issued whenever a delta CRL is issued, then timely revocation information will be available to all relying parties.** Similarly, implementations of the Path Validation mechanism described in section 6 that omit revocation checking provide less assurance than those that support it. ----------------end of excerpt------------ Your comments would be appreciated. Thanks, Tim Polk Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA27302 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 08:55:28 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id LAA11629 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 11:54:59 -0400 (EDT) Message-Id: <200104301554.LAA11625@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Mon, 30 Apr 2001 11:52:57 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Dedicated CRL signing keys References: <5.0.1.4.2.20010427085811.01af8ab8@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit If certificate-using applications MAY handle CRLs signed by a different key than the certificates, then CAs have no real ability to exercise that option. I believe: Certificate-using applications SHOULD handle CRLs signed by a different key than the certificates. Dave "Housley, Russ" wrote: > Yes. So, I guess we agree. > > At 04:47 PM 4/26/2001 -0400, Santosh Chokhani wrote: > > Russ: Will a CA that signs the certificates and CRLs using different keys, > > but same Issuer DN be considered compliant? If yes, then we agree. > > > > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > > > Certificate-using applications must be able to handle certificates and CRLs > > > signed by the same key. Certificate-using applications may handle CRLs > > > signed by a different key than the certificates. > > > > > > If you agree with this position, then we agree. > > > > > > Russ Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA25094 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 08:45:03 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id LAA11039 for <ietf-pkix@imc.org>; Mon, 30 Apr 2001 11:44:31 -0400 (EDT) Message-Id: <200104301544.LAA11035@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Mon, 30 Apr 2001 11:42:24 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: keyCertSign and cRLSign Key Usage Bits References: <5.0.1.4.2.20010424154840.01b2fa00@exna07.securitydynamics.com> <5.0.1.4.2.20010426163726.01b58970@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Russ, I am not concerned about mixing ACs and PKCs on one CRL. I am concerned about unnecessary complexity in the PKIX spec and unnecessary changes to X.509. You have expanded the description of the cRLSign bit from one sentence to six for no good reason. As Steve Kent says, "We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and X.509, to say this clearly." There is no security benefit to changing the text. For that reason, I oppose making it more complex. Rationale: 1) Previously, conforming clients could validate a CRL if the cRLSign bit is asserted and the cA flag is not asserted. This change would declare such clients to be non-conforming. 2) There have been discussions here regarding the necessity of distinguishing between "authority" certificates and "non-authority" certificates for CRL validation. If the cA flag is to be used to convey "authority-ness" for CRLs containing PKCs, what is the equivalent mechanism PKIX clients are expected to use to recognize the "authority" for CRLs containing ACs? My position is that no additional flag is needed in either the CA or the AA case. If the CRL signer has a valid certificate with the cRLSign bit set, then it is an authority because the certificate signer (or it's parent) has said so. Requiring two flags in the same certificate is no more secure than requiring one. 3) The quote from the AC profile does not make sense to me. If an authority can sign both PKCs and ACs, surely it can guarantee that it will not assign duplicate serial numbers. There may be good (operational) reasons for using separate keys to sign PKCs and ACs, but "confusion regarding serial numbers and revocations" isn't one of them. Dave Russ Housley wrote: > > Dave: > > This is not a change. Rather, it complements the AC profile. The AC > profile says: > > The AC issuer's PKC MUST conform to [PKIXPROF], and the keyUsage > extension in the PKC MUST NOT explicitly indicate that the AC > issuer's public key cannot be used to validate a digital signature. > In order to avoid confusion regarding serial numbers and > revocations, an AC issuer MUST NOT also be a PKC Issuer. That is, > an AC issuer cannot be a CA as well. So, the AC issuer's PKC MUST > NOT have a basicConstraints extension with the cA BOOLEAN set to > TRUE. > > Since one issuer cannot issue both ACs and PKCs, then I would expect them > to employ separate CRLs. > > Are you suggesting that ACs and PKCs might be mixed together on one CRL > using the indirect CRL mechanism? > > Russ > > At 08:47 AM 4/25/2001 -0400, David P. Kemp wrote: > >Russ, > > > >Thanks. > > > >However, I am more concerned about the second paragraph than the > >first. Is Last Call the proper time to be proposing, discussing, > >and ratifying such a novel and significant change to the path validation > >algorithm? > > > > Such AA certificates MUST NOT be used to verify signatures > > on CRLs containing revocation information for public key > > certificates; ... > > > >Dave Received: from mail4.microsoft.com (mail4.microsoft.com [131.107.3.122]) by above.proper.com (8.9.3/8.9.3) with SMTP id XAA29604 for <ietf-pkix@imc.org>; Sun, 29 Apr 2001 23:19:06 -0700 (PDT) Received: from 157.54.9.104 by mail4.microsoft.com (InterScan E-Mail VirusWall NT); Sun, 29 Apr 2001 23:17:13 -0700 (Pacific Daylight Time) Received: from red-imc-02.redmond.corp.microsoft.com ([157.54.9.107]) by inet-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 29 Apr 2001 23:16:37 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 29 Apr 2001 23:16:35 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Sun, 29 Apr 2001 23:16:32 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta CRL security considerations Date: Sun, 29 Apr 2001 23:16:32 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD631B15@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta CRL security considerations Thread-Index: AcDPYEXItwqJDXYHQKismYoppT+IDQB3L2ng From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Paul Hoffman / IMC" <phoffman@imc.org>, "Tim Polk" <tim.polk@nist.gov>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 30 Apr 2001 06:16:33.0152 (UTC) FILETIME=[1A576800:01C0D13D] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id XAA29606 A similar comment can be made on the use of the Issuing Distribution Point extension, which is another, critical, but not mandated to be suported extension in the CRL. -----Original Message----- From: Paul Hoffman / IMC [mailto:phoffman@imc.org] Sent: Friday, April 27, 2001 2:21 PM To: Tim Polk; ietf-pkix@imc.org Subject: Re: delta CRL security considerations I think this is OK, but similar words have to go into the deltaCRL section as well. Some implementors might not think through the really nasty implications of not issuing full CRLs when they should. --Paul Hoffman, Director --Internet Mail Consortium Received: from cybersoft.cybersoftnet.com (IP.net118-62.psi.net.pa [200.46.118.62] (may be forged)) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA25603 for <ietf-pkix@imc.org>; Sun, 29 Apr 2001 12:08:17 -0700 (PDT) From: toner1@c4.com Received: from 200.46.118.62 (rsvp-208-187-151-155.ac05.dlls.eli.net [208.187.151.155]) by cybersoft.cybersoftnet.com (2.5 Build 2639 (Berkeley 8.8.6)/8.8.4) with SMTP id OAA00534; Sun, 29 Apr 2001 14:07:55 -0500 Message-Id: <200104291907.OAA00534@cybersoft.cybersoftnet.com> Received: from handyandy@republic.com by handyandy@republic.com (8.8.5/8.6.5) with SMTP id GAA04375 for <handyandy@republic.com>; Sun, 29 Apr 2001 14:39:03 -0600 (EST) To: handyandy@republic.com Date: Sun, 29 Apr 01 14:39:03 EST Subject: toner supplies Reply-To: handyandy@republic.com X-PMFLAGS: VCXFDSGDG X-UIDL: FGHFHFG576 Comments: Authenticated sender is <handyandy@republic.com> PLEASE FORWARD TO THE PERSON RESPONSIBLE FOR PURCHASING YOUR LASER PRINTER SUPPLIES **** VORTEX SUPPLIES **** -SPECIALS OF THE DAY ON LASER TONER SUPPLIES AT DISCOUNT PRICES-- LASER PRINTER TONER CARTRIDGES COPIER AND FAX CARTRIDGES WE ARE -->THE<-- PLACE TO BUY YOUR TONER CARTRIDGES BECAUSE YOU SAVE UP TO 30% FROM OFFICE DEPOT'S, QUILL'S OR OFFICE MAX'S EVERY DAY LOW PRICES ORDER BY PHONE:1-888-288-9043 ORDER BY FAX: 1-888-977-1577 CUSTOMER SERVICE: 1-888-248-2015 E-MAIL REMOVAL LINE: 1-888-248-4930 UNIVERSITY AND/OR SCHOOL PURCHASE ORDERS WELCOME. (NO CREDIT APPROVAL REQUIRED) ALL OTHER PURCHASE ORDER REQUESTS REQUIRE CREDIT APPROVAL. PAY BY CHECK (C.O.D), CREDIT CARD OR PURCHASE ORDER (NET 30 DAYS). IF YOUR ORDER IS BY CREDIT CARD PLEASE LEAVE YOUR CREDIT CARD # PLUS EXPIRATION DATE. IF YOUR ORDER IS BY PURCHASE ORDER LEAVE YOUR SHIPPING/BILLING ADDRESSES AND YOUR P.O. NUMBER NO SHIPPING CHARGES FOR ORDERS $49 OR OVER ADD $4.75 FOR ORDERS UNDER $49. C.O.D. ORDERS ADD $4.5 TO SHIPPING CHARGES. FOR THOSE OF YOU WHO REQUIRE MORE INFORMATION ABOUT OUR COMPANY INCUDING FEDERAL TAX ID NUMBER, CLOSEST SHIPPING OR CORPORATE ADDRESS IN THE CONTINENTAL U.S. OR FOR CATALOG REQUESTS PLEASE CALL OUR CUSTOMER SERVICE LINE 1-888-248-2015 OUR NEW , LASER PRINTER TONER CARTRIDGE, PRICES ARE AS FOLLOWS: (PLEASE ORDER BY PAGE NUMBER AND/OR ITEM NUMBER) HEWLETT PACKARD: (ON PAGE 2) ITEM #1 LASERJET SERIES 4L,4P (74A)------------------------$44 ITEM #2 LASERJET SERIES 1100 (92A)-------------------------$44 ITEM #3 LASERJET SERIES 2 (95A)-------------------------------$39 ITEM #4 LASERJET SERIES 2P (75A)-----------------------------$54 ITEM #5 LASERJET SERIES 5P,6P,5MP, 6MP (3903A)--$44 ITEM #6 LASERJET SERIES 5SI, 5000 (29A)------------------$95 ITEM #7 LASERJET SERIES 2100 (96A)-------------------------$74 ITEM #8 LASERJET SERIES 8100 (82X)-----------------------$145 ITEM #9 LASERJET SERIES 5L/6L (3906A0------------------$35 ITEM #10 LASERJET SERIES 4V-------------------------------------$95 ITEM #11 LASERJET SERIES 4000 (27X)-------------------------$72 ITEM #12 LASERJET SERIES 3SI/4SI (91A)--------------------$54 ITEM #13 LASERJET SERIES 4, 4M, 5,5M-----------------------$49 HEWLETT PACKARD FAX (ON PAGE 2) ITEM #14 LASERFAX 500, 700 (FX1)----------$49 ITEM #15 LASERFAX 5000,7000 (FX2)------$54 ITEM #16 LASERFAX (FX3)------------------------$59 ITEM #17 LASERFAX (FX4)------------------------$54 LEXMARK/IBM (ON PAGE 3) OPTRA 4019, 4029 HIGH YIELD---------------$89 OPTRA R, 4039, 4049 HIGH YIELD---------$105 OPTRA E----------------------------------------------------$59 OPTRA N--------------------------------------------------$115 OPTRA S--------------------------------------------------$165 - EPSON (ON PAGE 4) ACTION LASER 7000,7500,8000,9000-------$105 ACTION LASER 1000,1500-------------------------$105 CANON PRINTERS (ON PAGE 5) PLEASE CALL FOR MODELS AND UPDATED PRICES FOR CANON PRINTER CARTRIDGES PANASONIC (0N PAGE 7) NEC SERIES 2 MODELS 90 AND 95----------$105 APPLE (0N PAGE 8) LASER WRITER PRO 600 or 16/600------------$49 LASER WRITER SELECT 300,320,360---------$74 LASER WRITER 300 AND 320----------------------$54 LASER WRITER NT, 2NT------------------------------$54 LASER WRITER 12/640--------------------------------$79 CANON FAX (ON PAGE 9) LASERCLASS 4000 (FX3)---------------------------$59 LASERCLASS 5000,6000,7000 (FX2)---------$54 LASERFAX 5000,7000 (FX2)----------------------$54 LASERFAX 8500,9000 (FX4)----------------------$54 CANON COPIERS (PAGE 10) PC 3, 6RE, 7 AND 11 (A30)---------------------$69 PC 300,320,700,720 and 760 (E-40)--------$89 IF YOUR CARTRIDGE IS NOT LISTED CALL CUSTOMER SERVICE AT 1-888-248-2015 90 DAY UNLIMITED WARRANTY INCLUDED ON ALL PRODUCTS. ALL TRADEMARKS AND BRAND NAMES LISTED ABOVE ARE PROPERTY OF THE RESPECTIVE HOLDERS AND USED FOR DESCRIPTIVE PURPOSES ONLY. Received: from mail2.okwork.gov.tw (IDENT:root@[163.29.128.16]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA25798 for <ietf-pkix@imc.org>; Sat, 28 Apr 2001 06:25:53 -0700 (PDT) From: mike25@msgbox.com Received: from 44mexi7server42 (IDENT:root@localhost.localdomain [127.0.0.1]) by mail2.okwork.gov.tw (8.9.3/8.9.3) with SMTP id VAA06122 for ietf-pkix@imc.org; Sat, 28 Apr 2001 21:34:44 +0800 Date: Sat, 28 Apr 2001 21:34:44 +0800 Message-Id: <200104281334.VAA06122@mail2.okwork.gov.tw> To: <ietf-pkix@imc.org> Subject: ADV: Top Search Engine Placement MIME-Version: 1.0 Content-Type: text/plain; charset=unknown-8bit Removal instructions below. I saw your listing on the internet. I work for a company that specializes in getting clients web sites listed as close to the top of the major search engines as possible. Our fee is only $29.95 per month to submit your site at least twice a month to over 350 search engines and directories. To get started and put your web site in the fast lane, call our toll free number below. Mike Bender 888-532-8842 To be removed call: 888-800-6339 X1377 Received: from iaik.tu-graz.ac.at (excalibur.iaik.tu-graz.ac.at [129.27.152.30]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA29298 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 15:44:11 -0700 (PDT) Received: from plippa [129.27.152.34] by iaik.tu-graz.ac.at (SMTPD32-6.06) id A64225350044; Sat, 28 Apr 2001 00:44:18 +0200 Received: from 127.0.0.1 [127.0.0.1] by plippa (IAIK S/MIME Mapper 2.0 17/November/2000); Sat, 28 Apr 2001 00:45:30 +0100 From: "Peter Lipp" <plippml@iaik.at> To: <ietf-pkix@imc.org> Subject: practical use of certain extensions Date: Sat, 28 Apr 2001 00:45:27 +0200 Message-ID: <EEEMLGNGAECGELLDDHKBGELDCEAA.plippml@iaik.at> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000 In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE459@scygmxs01.cygnacom.com> Folks, while I understand the mechanics of some of the extensions or parts of them specified in x.509 and the certificate profice, I have not been able to imagine under which circumstances these things would be useful and used. Could somebody be kind enough to scetch a practical real-world scenario where this would be the case: - inhibitPolicyMapping - inhibitAnyPolicy, including value for certificates that may follow... Peter Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA23590 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 14:22:36 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JX8DJHNT>; Fri, 27 Apr 2001 17:22:08 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE459@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, "David A. Cooper" <david.cooper@nist.gov> Cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Fri, 27 Apr 2001 17:13:11 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CF5E.DD447320" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CF5E.DD447320 Content-Type: text/plain; charset="iso-8859-1" Russ: I think that checking the basic constraints for CRL is a security requirement on the clients we can do without. No one has given any security benefit of it. All added checks do is add to complexity and hinder interoperability. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Friday, April 27, 2001 4:05 PM To: David A. Cooper Cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits David: My intent was to impose a requirement on the CAs and AAs. I can see that the proposed wording imposes a difficult requirement on clients. Would anyone object to the deletion of that sentence? If not, I think that the current state of these paragraphs is: The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on a certificate revocation list (e.g., a CRL or an ARL). This bit MUST be asserted in CA and Attribute Authority (AA) certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Russ At 09:37 AM 4/26/2001 -0400, David A. Cooper wrote: >AA certificates MUST NOT be used to verify signatures on CRLs containing >revocation information for public key certificates". The problem is that, >even if a single entity is not allowed to issued both public key >certificates and attribute certificates, there is the possibility that a >single, indirect CRL could cover both types of certificates. If one is >using a CRL to check the status of a public key certificate, then it is >clear that the text below requires that the certificate containing the key >needed to verify the CRL signature must have the cA bit set. But what >about when one is using a CRL to check the status of an attribute >certificate? The quote text seem to suggest that, if the cA bit is not set >in the certificate, the relying party is required to verify that the CRL >does not contain any revocation information for public key certificates. I >can't imagine that there was any intention to impose such a requirement, >but that is what the text seems to say. ------_=_NextPart_001_01C0CF5E.DD447320 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: keyCertSign and cRLSign Key Usage Bits</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ:</FONT> </P> <P><FONT SIZE=3D2>I think that checking the basic constraints for CRL = is a security requirement on the clients we can do without. No = one has given any security benefit of it. All added checks do is = add to complexity and hinder interoperability. </FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Friday, April 27, 2001 4:05 PM</FONT> <BR><FONT SIZE=3D2>To: David A. Cooper</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: keyCertSign and cRLSign Key Usage = Bits</FONT> </P> <BR> <P><FONT SIZE=3D2>David:</FONT> </P> <P><FONT SIZE=3D2>My intent was to impose a requirement on the CAs and = AAs. I can see that </FONT> <BR><FONT SIZE=3D2>the proposed wording imposes a difficult requirement = on clients.</FONT> </P> <P><FONT SIZE=3D2>Would anyone object to the deletion of that = sentence?</FONT> </P> <P><FONT SIZE=3D2>If not, I think that the current state of these = paragraphs is:</FONT> </P> <P><FONT SIZE=3D2> The keyCertSign = bit is asserted when the subject public key is</FONT> <BR><FONT SIZE=3D2> used for = verifying a signature on public key certificates. If the</FONT> <BR><FONT SIZE=3D2> keyCertSign bit = is asserted, then the cA bit in the basic</FONT> <BR><FONT SIZE=3D2> constraints = extension (see 4.2.1.10) MUST also be asserted. If</FONT> <BR><FONT SIZE=3D2> neither the = cRLSign bit nor the keyCertSign bit are asserted, then</FONT> <BR><FONT SIZE=3D2> the cA bit in = the basic constraints extension MUST NOT be</FONT> <BR><FONT SIZE=3D2> = asserted.</FONT> </P> <P><FONT SIZE=3D2> The cRLSign bit = is asserted when the subject public key is used</FONT> <BR><FONT SIZE=3D2> for verifying a = signature on a certificate revocation list (e.g.,</FONT> <BR><FONT SIZE=3D2> a CRL or an = ARL). This bit MUST be asserted in CA and Attribute</FONT> <BR><FONT SIZE=3D2> Authority (AA) = certificates that are used to verify signatures on</FONT> <BR><FONT SIZE=3D2> CRLs. If = the cRLSign bit is asserted in a CA certificate, then</FONT> <BR><FONT SIZE=3D2> the cA bit in = the basic constraints extension (see 4.2.1.10) MUST</FONT> <BR><FONT SIZE=3D2> also be = asserted. If the cRLSign bit is asserted in a AA</FONT> <BR><FONT SIZE=3D2> certificate, = then the cA bit in the basic constraints extension</FONT> <BR><FONT SIZE=3D2> MUST NOT be = asserted. If neither the cRLSign bit nor the</FONT> <BR><FONT SIZE=3D2> keyCertSign bit = are asserted, then the cA bit in the basic</FONT> <BR><FONT SIZE=3D2> constraints = extension MUST NOT be asserted.</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> <P><FONT SIZE=3D2>At 09:37 AM 4/26/2001 -0400, David A. Cooper = wrote:</FONT> <BR><FONT SIZE=3D2>>AA certificates MUST NOT be used to verify = signatures on CRLs containing </FONT> <BR><FONT SIZE=3D2>>revocation information for public key = certificates". The problem is that, </FONT> <BR><FONT SIZE=3D2>>even if a single entity is not allowed to issued = both public key </FONT> <BR><FONT SIZE=3D2>>certificates and attribute certificates, there = is the possibility that a </FONT> <BR><FONT SIZE=3D2>>single, indirect CRL could cover both types of = certificates. If one is </FONT> <BR><FONT SIZE=3D2>>using a CRL to check the status of a public key = certificate, then it is </FONT> <BR><FONT SIZE=3D2>>clear that the text below requires that the = certificate containing the key </FONT> <BR><FONT SIZE=3D2>>needed to verify the CRL signature must have the = cA bit set. But what </FONT> <BR><FONT SIZE=3D2>>about when one is using a CRL to check the = status of an attribute </FONT> <BR><FONT SIZE=3D2>>certificate? The quote text seem to suggest = that, if the cA bit is not set </FONT> <BR><FONT SIZE=3D2>>in the certificate, the relying party is = required to verify that the CRL </FONT> <BR><FONT SIZE=3D2>>does not contain any revocation information for = public key certificates. I </FONT> <BR><FONT SIZE=3D2>>can't imagine that there was any intention to = impose such a requirement, </FONT> <BR><FONT SIZE=3D2>>but that is what the text seems to say.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CF5E.DD447320-- Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA23310; Fri, 27 Apr 2001 14:21:10 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p05100317b70f93139d7b@[165.227.249.20]> In-Reply-To: <4.2.0.58.20010427163045.016eb970@email.nist.gov> References: <4.2.0.58.20010427163045.016eb970@email.nist.gov> Date: Fri, 27 Apr 2001 14:21:06 -0700 To: Tim Polk <tim.polk@nist.gov>, ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: delta CRL security considerations Content-Type: text/plain; charset="us-ascii" ; format="flowed" I think this is OK, but similar words have to go into the deltaCRL section as well. Some implementors might not think through the really nasty implications of not issuing full CRLs when they should. --Paul Hoffman, Director --Internet Mail Consortium Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA20897 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 14:00:15 -0700 (PDT) Received: from 157.54.9.100 by mail2.microsoft.com (InterScan E-Mail VirusWall NT); Fri, 27 Apr 2001 13:56:39 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-03.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Fri, 27 Apr 2001 13:54:34 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4688.0 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta CRL security considerations Date: Fri, 27 Apr 2001 13:54:34 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C02A98A78@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta CRL security considerations Thread-Index: AcDPWtW1Gs8M8mg6Q7iM/jZ0go/t0AAAWGpg From: "David Cross" <dcross@microsoft.com> To: "Tim Polk" <tim.polk@nist.gov>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 27 Apr 2001 20:54:34.0883 (UTC) FILETIME=[43DC5D30:01C0CF5C] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id OAA20898 Sounds good David B. Cross -----Original Message----- From: Tim Polk [mailto:tim.polk@nist.gov] Sent: Friday, April 27, 2001 1:40 PM To: ietf-pkix@imc.org Subject: delta CRL security considerations Folks, It appears that the WG consensus is to remove the requirement for publication of full CRLs with every delta CRL from son-of-2459. As a result, there is a possibility that minimally compliant PKI clients will not have the same information provided to clients that process delta CRLs. It seems appropriate to note this fact in the security considerations section. We are proposing insertion of four new sentences into the paragraph on revocation. I have supplied the entire paragraph here. The new text begins and ends with two asterisks. -------- excerpt from security considerations ---- The availability and freshness of revocation information will affect the degree of assurance that ought to be placed in a certificate. While certificates expire naturally, events may occur during its natural lifetime which negate the binding between the subject and public key. If revocation information is untimely or unavailable, the assurance associated with the binding is clearly reduced. **Relying parties might not be able to process every critical extension that can appear in a CRL. CAs SHOULD take extra care when making revocation information available only through CRLs that contain critical extensions, particularly if support for those extensions is not mandated by this profile. For example, if revocation information is supplied using a combination of delta CRLs and full CRLs, and the delta CRLs are issued more frequently than the full CRLs, then relying parties that cannot handle the critical extensions related to delta CRL processing will not be able to obtain the most recent revocation information. Alternatively, if a full CRL is issued whenever a delta CRL is issued, then timely revocation information will be available to all relying parties.** Similarly, implementations of the Path Validation mechanism described in section 6 that omit revocation checking provide less assurance than those that support it. ----------------end of excerpt------------ Your comments would be appreciated. Thanks, Tim Polk Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA19719 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 13:53:48 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3RKrdU23524; Fri, 27 Apr 2001 13:53:39 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Tim Polk" <tim.polk@nist.gov>, <ietf-pkix@imc.org> Subject: RE: delta CRL security considerations Date: Fri, 27 Apr 2001 13:53:24 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDMEGMCAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-reply-to: <4.2.0.58.20010427163045.016eb970@email.nist.gov> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Tim, A proposed amendment. Mike > The availability and freshness of revocation information will > affect the degree of assurance that ought to be placed in a > certificate. While certificates expire naturally, events may > occur during its natural lifetime which negate the binding > between the subject and public key. If revocation information > is untimely or unavailable, the assurance associated with the > binding is clearly reduced. > To the extent these principles apply to the certificate and > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > CRL profiles which are the subject of this document, > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > **Relying parties might not be able > to process every critical extension that can appear in a CRL. > . . . Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA18661 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 13:41:43 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id QAA16109 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 16:41:44 -0400 (EDT) Message-Id: <4.2.0.58.20010427163045.016eb970@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Fri, 27 Apr 2001 16:39:44 -0400 To: ietf-pkix@imc.org From: Tim Polk <tim.polk@nist.gov> Subject: delta CRL security considerations Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Folks, It appears that the WG consensus is to remove the requirement for publication of full CRLs with every delta CRL from son-of-2459. As a result, there is a possibility that minimally compliant PKI clients will not have the same information provided to clients that process delta CRLs. It seems appropriate to note this fact in the security considerations section. We are proposing insertion of four new sentences into the paragraph on revocation. I have supplied the entire paragraph here. The new text begins and ends with two asterisks. -------- excerpt from security considerations ---- The availability and freshness of revocation information will affect the degree of assurance that ought to be placed in a certificate. While certificates expire naturally, events may occur during its natural lifetime which negate the binding between the subject and public key. If revocation information is untimely or unavailable, the assurance associated with the binding is clearly reduced. **Relying parties might not be able to process every critical extension that can appear in a CRL. CAs SHOULD take extra care when making revocation information available only through CRLs that contain critical extensions, particularly if support for those extensions is not mandated by this profile. For example, if revocation information is supplied using a combination of delta CRLs and full CRLs, and the delta CRLs are issued more frequently than the full CRLs, then relying parties that cannot handle the critical extensions related to delta CRL processing will not be able to obtain the most recent revocation information. Alternatively, if a full CRL is issued whenever a delta CRL is issued, then timely revocation information will be available to all relying parties.** Similarly, implementations of the Path Validation mechanism described in section 6 that omit revocation checking provide less assurance than those that support it. ----------------end of excerpt------------ Your comments would be appreciated. Thanks, Tim Polk Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA16517 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 13:11:59 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 27 Apr 2001 20:11:56 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA19066 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 16:12:01 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JST3W9RP>; Fri, 27 Apr 2001 16:12:01 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.39]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JST3W9RN; Fri, 27 Apr 2001 16:11:57 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: "David A. Cooper" <david.cooper@nist.gov> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010427160305.01b98dc8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 27 Apr 2001 16:05:04 -0400 Subject: RE: keyCertSign and cRLSign Key Usage Bits In-Reply-To: <4.2.2.20010426085517.00b04840@email.nist.gov> References: <8D7EC1912E25D411A32100D0B76953977CE360@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed David: My intent was to impose a requirement on the CAs and AAs. I can see that the proposed wording imposes a difficult requirement on clients. Would anyone object to the deletion of that sentence? If not, I think that the current state of these paragraphs is: The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on a certificate revocation list (e.g., a CRL or an ARL). This bit MUST be asserted in CA and Attribute Authority (AA) certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Russ At 09:37 AM 4/26/2001 -0400, David A. Cooper wrote: >AA certificates MUST NOT be used to verify signatures on CRLs containing >revocation information for public key certificates". The problem is that, >even if a single entity is not allowed to issued both public key >certificates and attribute certificates, there is the possibility that a >single, indirect CRL could cover both types of certificates. If one is >using a CRL to check the status of a public key certificate, then it is >clear that the text below requires that the certificate containing the key >needed to verify the CRL signature must have the cA bit set. But what >about when one is using a CRL to check the status of an attribute >certificate? The quote text seem to suggest that, if the cA bit is not set >in the certificate, the relying party is required to verify that the CRL >does not contain any revocation information for public key certificates. I >can't imagine that there was any intention to impose such a requirement, >but that is what the text seems to say. Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA02149 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 08:42:52 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JRDR7L7Y; Fri, 27 Apr 2001 08:37:51 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Housley, Russ" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> Subject: RE: delta-CRLs and NR Date: Fri, 27 Apr 2001 08:43:26 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGAECACEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <5.0.1.4.2.20010426144011.01ac8658@exna07.securitydynamics.com> Russ, I'm perfectly comfortable with your wording (and it seems better than mine). - Carlin -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Thursday, April 26, 2001 11:43 AM To: Carlin Covey Cc: ietf-pkix@imc.org Subject: RE: delta-CRLs and NR Carlin: I would prefer to leave the first sentence alone. I think that it is explanation of delta CRLs. However, I like your point, and suggest the addition of the following paragraph: When a conforming CA issues a delta CRL, the delta CRL MUST include a critical delta CRL indicator extension. Russ At 03:41 PM 4/24/2001 -0700, Carlin Covey wrote: >David, > >Thank you for pointing out the "..less than or equal.." >phrase. I had missed the significance. > >My preference is that delta-CRL's be identified only by >the deltaCRLIndicator extension, rather than the >cRLScope extension. > >I propose that the following "sufficient condition" in the >PKIX profile > >"The delta CRL indicator is a critical CRL extension >that identifies a CRL as being a delta CRL." > >be reworded as a "necessary condition" along the lines of > >"A delta CRL MUST be identified via the delta CRL indicator >extension, which MUST be marked as a critical CRL extension." > > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > > >-----Original Message----- >From: David A. Cooper [mailto:david.cooper@nist.gov] >Sent: Tuesday, April 24, 2001 2:06 PM >To: ietf-pkix@imc.org >Subject: RE: delta-CRLs and NR > > >Carlin, > >The quote that you included about the cRLScope extension is correct, but the >end result is (nearly) the same whether delta-CRLs are identified using the >cRLScope extension or the deltaCRLIndicator extension. In addition to the >text that you quoted, X.509 (Ed. 4 v7 is the latest) section 8.5.2.5 states >the following about the cRLScope extension: > > the cRLNumber referenced in the BaseRevocationInfo field of a dCRL >shall be less than or equal > to the cRLNumber of the most recently issued CRL that is complete >for the applicable scope. > >So, while the base CRL referenced by the delta-CRL may not have been issued >as a full CRL, there will be at least one CRL, issued as a full CRL, against >which the delta-CRL may be applied to obtain complete certificate status >information. The full CRL may have been issued after the referenced base >CRL, but one can still apply the delta-CRL to that full CRL. > >As to your second question, the PKIX certificate and CRL profile does not >include the cRLScope extension. So, while X.509 provides two ways to >identify a CRL as being a delta-CRL, PKIX only provides the >deltaCRLIndicator. Would a CRL issuer that used the cRLScope extension be >non-PKIX-compliant? I'll leave that to others to decide. > >Dave > >At 01:35 PM 4/24/01 -0700, Carlin Covey wrote: > >David, > > > >You are correct for delta-CRLs defined with the deltaCRLIndicator, but > >it is also possible to define delta-CRLs using the CRL scope extension. > > > >X.509 Ed. 4 v6 says the following in section 8.5.2.5 'CRL scope extension': > > > >"In the crlScope case, the information in the baseRevocationInfo > >component, indicates the point in time from which the CRL containing > >this extension provides updates. Although this is done by referencing > >a CRL, the referenced CRL may or may not be one that is complete for > >the applicable scope, whereas the deltaCRLIdentifier extension references > >an issued CRL that is complete for the applicable scope." > > > >In an earlier email I made the following observation and asked a question: > > > >"I don't see anywhere in draft-ietf-pkix-new-part1-05 where it says > >that a delta CRL must be identified by a deltaCRLIndicator extension. > >It does say that "The delta CRL indicator is a critical CRL extension > >that identifies a CRL as being a delta CRL." This appears to be a > >sufficient > >condition, but not a necessary condition, for the CRL to be interpreted as >a > >delta CRL. So a PKIX-profile-compliant CRL-issuer could use the crlScope > >extension rather than the deltaCRLIndicator extension to identify delta > >CRLs? > > > > - Russ, is that right?" > > > >Regards, > > > >Carlin > > > >____________________________ > > > >- Carlin Covey > > Cylink Corporation > > > > > >-----Original Message----- > >From: David A. Cooper [mailto:david.cooper@nist.gov] > >Sent: Tuesday, April 24, 2001 12:44 PM > >To: ietf-pkix@imc.org > >Subject: RE: delta-CRLs and NR > > > > > >This is a misunderstanding of the way that delta-CRLs work. A delta-CRL > >specifies a base CRL and provides a list of all certificates whose status > >has changed since the base CRL was issued. When using the >deltaCRLIndicator, > >the referenced base CRL must have been issued as a full CRL (i.e., not a > >delta). Thus, one can always obtain complete revocation information by > >applying a single delta-CRL to the base CRL that it references. > > > >If delta-CRLs are issued more frequently than full CRLs, this will just >mean > >that multiple delta-CRLs will reference the same full CRL as their base. > > > >With the current PKIX standard, one can always get complete revocation > >information by just obtaining a full CRL. If the rules were relaxed, one > >would be required to obtain one full CRL and one delta-CRL. > > > >Dave > > > >At 12:25 PM 4/24/01 -0700, Michael Myers wrote: > > >I understand. But the trajectory of the dialog seemed to be suggesting > > >elimination the full CRL context, hence in that forward scenario one >would > > >have no choice but to face the accumulation task. Also, the proposal to > > >enable a different period of production between a full CRL and its > > >associated deltas (thus enabling periods of delta-only activity between > >full > > >CRL production) does suggest that there might exists cases where more >than > > >one delta is necessary to span the gap between fulls. > > Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id GAA21517 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 06:31:39 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 27 Apr 2001 13:31:35 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id JAA16248 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 09:31:35 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JST3WV83>; Fri, 27 Apr 2001 09:31:34 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.117]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JST3WV8L; Fri, 27 Apr 2001 09:31:30 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010427085811.01af8ab8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 27 Apr 2001 08:58:35 -0400 Subject: RE: Dedicated CRL signing keys In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE3D5@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> Yes. So, I guess we agree.<br> <br> At 04:47 PM 4/26/2001 -0400, Santosh Chokhani wrote:<br> <blockquote type=cite class=cite cite><font face="arial" size=2 color="#0000FF">Russ: Will a CA that signs the certificates and CRLs using different keys, but same Issuer DN be considered compliant? If yes, then we agree.</font><br> <br> <font face="Times New Roman, Times" size=2>-----Original Message-----<br> <b>From:</b> Housley, Russ [<a href="mailto:rhousley@rsasecurity.com" eudora="autourl">mailto:rhousley@rsasecurity.com</a>]<br> <b>Sent:</b> Thursday, April 26, 2001 4:36 PM<br> <b>To:</b> Santosh Chokhani<br> <b>Cc:</b> ietf-pkix@imc.org<br> <b>Subject:</b> RE: Dedicated CRL signing keys<br> <br> </font>Santosh:<br> <br> <blockquote type=cite class=cite cite><font size=2>Optional is sufficient. It should NOT be mandatory to have separate signing keys for certificates and CRLs.</font> <br> <font size=2>Thanks. I think we agree.</font> </blockquote><br> If CAs issue CRLs, then the CA can sign certificates and CRLs with the same key, or the CA can use separate keys.<br> <br> Certificate-using applications must be able to handle certificates and CRLs signed by the same key. Certificate-using applications may handle CRLs signed by a different key than the certificates.<br> <br> If you agree with this position, then we agree.<br> <br> Russ</blockquote></html> Received: from gatekeeper.dep.no (gatekeeper.dep.no [132.150.8.1]) by above.proper.com (8.9.3/8.9.3) with SMTP id BAA00827 for <ietf-pkix@imc.org>; Fri, 27 Apr 2001 01:50:55 -0700 (PDT) Received: by gatekeeper.dep.no (SMI-8.6/SMI-SVR4) id KAA12015; Fri, 27 Apr 2001 10:50:23 +0200 Received: from urias-gw.fos.dep.no(132.150.244.2) by gatekeeper via smap (V2.0) id xma011668; Fri, 27 Apr 01 10:48:52 +0200 Received: by B with Internet Mail Service (5.5.2653.19) id <DDQV3KF2>; Fri, 27 Apr 2001 10:53:18 +0200 Message-ID: <DFA3FCFD4822D4118DD400009290939904C6C9@B> From: =?iso-8859-1?Q?Helge_L=E6greid?= <Helge.Laegreid@fos.dep.no> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Date: Fri, 27 Apr 2001 10:52:59 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C0CEF7.75AF98A0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01C0CEF7.75AF98A0 Content-Type: text/plain; charset="iso-8859-1" subscribe ------_=_NextPart_000_01C0CEF7.75AF98A0 Content-Type: application/octet-stream; name="=?iso-8859-1?Q?Helge_L=E6greid=2Evcf?=" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="=?iso-8859-1?Q?Helge_L=E6greid=2Evcf?=" BEGIN:VCARD VERSION:2.1 N:L=E6greid;Helge FN:Helge L=E6greid EMAIL;PREF;INTERNET:Helge.Laegreid@fos.dep.no REV:20010405T081650Z END:VCARD ------_=_NextPart_000_01C0CEF7.75AF98A0-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA13713 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 13:57:07 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JV6F570L>; Thu, 26 Apr 2001 16:56:39 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE3D5@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Date: Thu, 26 Apr 2001 16:47:44 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CE92.24FD48E0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CE92.24FD48E0 Content-Type: text/plain; charset="iso-8859-1" Russ: Will a CA that signs the certificates and CRLs using different keys, but same Issuer DN be considered compliant? If yes, then we agree. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Thursday, April 26, 2001 4:36 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Santosh: Optional is sufficient. It should NOT be mandatory to have separate signing keys for certificates and CRLs. Thanks. I think we agree. If CAs issue CRLs, then the CA can sign certificates and CRLs with the same key, or the CA can use separate keys. Certificate-using applications must be able to handle certificates and CRLs signed by the same key. Certificate-using applications may handle CRLs signed by a different key than the certificates. If you agree with this position, then we agree. Russ ------_=_NextPart_001_01C0CE92.24FD48E0 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META content="MSHTML 5.00.2014.210" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=759415520-26042001>Russ: Will a CA that signs the certificates and CRLs using different keys, but same Issuer DN be considered compliant? If yes, then we agree.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=759415520-26042001></SPAN></FONT> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Housley, Russ [mailto:rhousley@rsasecurity.com]<BR><B>Sent:</B> Thursday, April 26, 2001 4:36 PM<BR><B>To:</B> Santosh Chokhani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: Dedicated CRL signing keys<BR><BR></FONT></DIV>Santosh:<BR><BR> <BLOCKQUOTE class=cite cite type="cite"><FONT size=2>Optional is sufficient. It should NOT be mandatory to have separate signing keys for certificates and CRLs.</FONT> <BR><FONT size=2>Thanks. I think we agree.</FONT> </BLOCKQUOTE><BR>If CAs issue CRLs, then the CA can sign certificates and CRLs with the same key, or the CA can use separate keys.<BR><BR>Certificate-using applications must be able to handle certificates and CRLs signed by the same key. Certificate-using applications may handle CRLs signed by a different key than the certificates.<BR><BR>If you agree with this position, then we agree.<BR><BR>Russ<BR></BODY></HTML> ------_=_NextPart_001_01C0CE92.24FD48E0-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA12640 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 13:47:34 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 26 Apr 2001 20:47:32 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA10798 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 16:47:36 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JST3W3DH>; Thu, 26 Apr 2001 16:47:35 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.45]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JST3W3DB; Thu, 26 Apr 2001 16:47:30 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010426163105.01b46ec8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 26 Apr 2001 16:35:49 -0400 Subject: RE: Dedicated CRL signing keys In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE2B9@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> Santosh:<br> <br> <blockquote type=cite class=cite cite><font size=2>Optional is sufficient. It should NOT be mandatory to have separate signing keys for certificates and CRLs.</font> <br> <font size=2>Thanks. I think we agree.</font> </blockquote><br> If CAs issue CRLs, then the CA can sign certificates and CRLs with the same key, or the CA can use separate keys.<br> <br> Certificate-using applications must be able to handle certificates and CRLs signed by the same key. Certificate-using applications may handle CRLs signed by a different key than the certificates.<br> <br> If you agree with this position, then we agree.<br> <br> Russ<br> </html> Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA12641 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 13:47:34 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 26 Apr 2001 20:47:32 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA10799 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 16:47:36 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JST3W3DG>; Thu, 26 Apr 2001 16:47:35 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.45]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JST3W3DD; Thu, 26 Apr 2001 16:47:31 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010426163726.01b58970@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 26 Apr 2001 16:43:44 -0400 Subject: Re: keyCertSign and cRLSign Key Usage Bits In-Reply-To: <200104251249.IAA13850@stingray.missi.ncsc.mil> References: <5.0.1.4.2.20010424154840.01b2fa00@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Dave: This is not a change. Rather, it complements the AC profile. The AC profile says: The AC issuer's PKC MUST conform to [PKIXPROF], and the keyUsage extension in the PKC MUST NOT explicitly indicate that the AC issuer's public key cannot be used to validate a digital signature. In order to avoid confusion regarding serial numbers and revocations, an AC issuer MUST NOT also be a PKC Issuer. That is, an AC issuer cannot be a CA as well. So, the AC issuer's PKC MUST NOT have a basicConstraints extension with the cA BOOLEAN set to TRUE. Since one issuer cannot issue both ACs and PKCs, then I would expect them to employ separate CRLs. Are you suggesting that ACs and PKCs might be mixed together on one CRL using the indirect CRL mechanism? Russ At 08:47 AM 4/25/2001 -0400, David P. Kemp wrote: >Russ, > >Thanks. > >However, I am more concerned about the second paragraph than the >first. Is Last Call the proper time to be proposing, discussing, >and ratifying such a novel and significant change to the path validation >algorithm? > > Such AA certificates MUST NOT be used to verify signatures > on CRLs containing revocation information for public key > certificates; ... > >Dave Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA10380 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 13:19:31 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 26 Apr 2001 20:19:29 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA08597 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 16:19:33 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JST3WNT9>; Thu, 26 Apr 2001 16:19:32 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.45]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JST3WNT7; Thu, 26 Apr 2001 16:19:30 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Carlin Covey <ccovey@cylink.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010426144011.01ac8658@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 26 Apr 2001 14:42:38 -0400 Subject: RE: delta-CRLs and NR In-Reply-To: <DOEOKAMDOBOFDGOPBAHDKEIGCDAA.ccovey@cylink.com> References: <4.2.2.20010424164552.00a673c0@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Carlin: I would prefer to leave the first sentence alone. I think that it is explanation of delta CRLs. However, I like your point, and suggest the addition of the following paragraph: When a conforming CA issues a delta CRL, the delta CRL MUST include a critical delta CRL indicator extension. Russ At 03:41 PM 4/24/2001 -0700, Carlin Covey wrote: >David, > >Thank you for pointing out the "..less than or equal.." >phrase. I had missed the significance. > >My preference is that delta-CRL's be identified only by >the deltaCRLIndicator extension, rather than the >cRLScope extension. > >I propose that the following "sufficient condition" in the >PKIX profile > >"The delta CRL indicator is a critical CRL extension >that identifies a CRL as being a delta CRL." > >be reworded as a "necessary condition" along the lines of > >"A delta CRL MUST be identified via the delta CRL indicator >extension, which MUST be marked as a critical CRL extension." > > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > > >-----Original Message----- >From: David A. Cooper [mailto:david.cooper@nist.gov] >Sent: Tuesday, April 24, 2001 2:06 PM >To: ietf-pkix@imc.org >Subject: RE: delta-CRLs and NR > > >Carlin, > >The quote that you included about the cRLScope extension is correct, but the >end result is (nearly) the same whether delta-CRLs are identified using the >cRLScope extension or the deltaCRLIndicator extension. In addition to the >text that you quoted, X.509 (Ed. 4 v7 is the latest) section 8.5.2.5 states >the following about the cRLScope extension: > > the cRLNumber referenced in the BaseRevocationInfo field of a dCRL >shall be less than or equal > to the cRLNumber of the most recently issued CRL that is complete >for the applicable scope. > >So, while the base CRL referenced by the delta-CRL may not have been issued >as a full CRL, there will be at least one CRL, issued as a full CRL, against >which the delta-CRL may be applied to obtain complete certificate status >information. The full CRL may have been issued after the referenced base >CRL, but one can still apply the delta-CRL to that full CRL. > >As to your second question, the PKIX certificate and CRL profile does not >include the cRLScope extension. So, while X.509 provides two ways to >identify a CRL as being a delta-CRL, PKIX only provides the >deltaCRLIndicator. Would a CRL issuer that used the cRLScope extension be >non-PKIX-compliant? I'll leave that to others to decide. > >Dave > >At 01:35 PM 4/24/01 -0700, Carlin Covey wrote: > >David, > > > >You are correct for delta-CRLs defined with the deltaCRLIndicator, but > >it is also possible to define delta-CRLs using the CRL scope extension. > > > >X.509 Ed. 4 v6 says the following in section 8.5.2.5 'CRL scope extension': > > > >"In the crlScope case, the information in the baseRevocationInfo > >component, indicates the point in time from which the CRL containing > >this extension provides updates. Although this is done by referencing > >a CRL, the referenced CRL may or may not be one that is complete for > >the applicable scope, whereas the deltaCRLIdentifier extension references > >an issued CRL that is complete for the applicable scope." > > > >In an earlier email I made the following observation and asked a question: > > > >"I don't see anywhere in draft-ietf-pkix-new-part1-05 where it says > >that a delta CRL must be identified by a deltaCRLIndicator extension. > >It does say that "The delta CRL indicator is a critical CRL extension > >that identifies a CRL as being a delta CRL." This appears to be a > >sufficient > >condition, but not a necessary condition, for the CRL to be interpreted as >a > >delta CRL. So a PKIX-profile-compliant CRL-issuer could use the crlScope > >extension rather than the deltaCRLIndicator extension to identify delta > >CRLs? > > > > - Russ, is that right?" > > > >Regards, > > > >Carlin > > > >____________________________ > > > >- Carlin Covey > > Cylink Corporation > > > > > >-----Original Message----- > >From: David A. Cooper [mailto:david.cooper@nist.gov] > >Sent: Tuesday, April 24, 2001 12:44 PM > >To: ietf-pkix@imc.org > >Subject: RE: delta-CRLs and NR > > > > > >This is a misunderstanding of the way that delta-CRLs work. A delta-CRL > >specifies a base CRL and provides a list of all certificates whose status > >has changed since the base CRL was issued. When using the >deltaCRLIndicator, > >the referenced base CRL must have been issued as a full CRL (i.e., not a > >delta). Thus, one can always obtain complete revocation information by > >applying a single delta-CRL to the base CRL that it references. > > > >If delta-CRLs are issued more frequently than full CRLs, this will just >mean > >that multiple delta-CRLs will reference the same full CRL as their base. > > > >With the current PKIX standard, one can always get complete revocation > >information by just obtaining a full CRL. If the rules were relaxed, one > >would be required to obtain one full CRL and one delta-CRL. > > > >Dave > > > >At 12:25 PM 4/24/01 -0700, Michael Myers wrote: > > >I understand. But the trajectory of the dialog seemed to be suggesting > > >elimination the full CRL context, hence in that forward scenario one >would > > >have no choice but to face the accumulation task. Also, the proposal to > > >enable a different period of production between a full CRL and its > > >associated deltas (thus enabling periods of delta-only activity between > >full > > >CRL production) does suggest that there might exists cases where more >than > > >one delta is necessary to span the gap between fulls. > > Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA10379 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 13:19:31 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 26 Apr 2001 20:19:29 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA08593 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 16:19:32 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JST3WNT8>; Thu, 26 Apr 2001 16:19:32 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.45]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JST3WNTV; Thu, 26 Apr 2001 16:19:25 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Carlin Covey <ccovey@cylink.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010425134041.01abddb0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 25 Apr 2001 15:50:54 -0400 Subject: RE: delta-CRLs and NR In-Reply-To: <FLEELNBJKAIIGDJJKPDGEEAGCEAA.ccovey@cylink.com> References: <4.2.2.20010424153824.00a612a0@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Carlin: As David Cooper has already pointed out, only the deltaCRLIndicator is part of the profile. The profile allows the use of other extensions. However, other extensions SHOULD not be critical (since they reduce interoperability). Russ At 01:35 PM 4/24/2001 -0700, Carlin Covey wrote: >David, > >You are correct for delta-CRLs defined with the deltaCRLIndicator, but >it is also possible to define delta-CRLs using the CRL scope extension. > >X.509 Ed. 4 v6 says the following in section 8.5.2.5 'CRL scope extension': > >"In the crlScope case, the information in the baseRevocationInfo >component, indicates the point in time from which the CRL containing >this extension provides updates. Although this is done by referencing >a CRL, the referenced CRL may or may not be one that is complete for >the applicable scope, whereas the deltaCRLIdentifier extension references >an issued CRL that is complete for the applicable scope." > >In an earlier email I made the following observation and asked a question: > >"I don't see anywhere in draft-ietf-pkix-new-part1-05 where it says >that a delta CRL must be identified by a deltaCRLIndicator extension. >It does say that "The delta CRL indicator is a critical CRL extension >that identifies a CRL as being a delta CRL." This appears to be a >sufficient >condition, but not a necessary condition, for the CRL to be interpreted as a >delta CRL. So a PKIX-profile-compliant CRL-issuer could use the crlScope >extension rather than the deltaCRLIndicator extension to identify delta >CRLs? > > - Russ, is that right?" > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > > >-----Original Message----- >From: David A. Cooper [mailto:david.cooper@nist.gov] >Sent: Tuesday, April 24, 2001 12:44 PM >To: ietf-pkix@imc.org >Subject: RE: delta-CRLs and NR > > >This is a misunderstanding of the way that delta-CRLs work. A delta-CRL >specifies a base CRL and provides a list of all certificates whose status >has changed since the base CRL was issued. When using the deltaCRLIndicator, >the referenced base CRL must have been issued as a full CRL (i.e., not a >delta). Thus, one can always obtain complete revocation information by >applying a single delta-CRL to the base CRL that it references. > >If delta-CRLs are issued more frequently than full CRLs, this will just mean >that multiple delta-CRLs will reference the same full CRL as their base. > >With the current PKIX standard, one can always get complete revocation >information by just obtaining a full CRL. If the rules were relaxed, one >would be required to obtain one full CRL and one delta-CRL. > >Dave > >At 12:25 PM 4/24/01 -0700, Michael Myers wrote: > >I understand. But the trajectory of the dialog seemed to be suggesting > >elimination the full CRL context, hence in that forward scenario one would > >have no choice but to face the accumulation task. Also, the proposal to > >enable a different period of production between a full CRL and its > >associated deltas (thus enabling periods of delta-only activity between >full > >CRL production) does suggest that there might exists cases where more than > >one delta is necessary to span the gap between fulls. Received: from swan.mail.pas.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA04997 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 11:09:44 -0700 (PDT) Received: from [38.29.65.91] ([38.29.65.91]) by swan.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id LAA02205; Thu, 26 Apr 2001 11:09:20 -0700 (PDT) Mime-Version: 1.0 X-Sender: hoytkesterson@mail.earthlink.net Message-Id: <a05001900b70e0f5272bd@[38.29.132.105]> In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FDF@sottmxs09.entrust.com> References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FDF@sottmxs09.entrust.com> Date: Thu, 26 Apr 2001 11:00:36 -0700 To: Sharon Boeyen <sharon.boeyen@entrust.com>, "'David P. Kemp'" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org From: "Hoyt L. Kesterson II" <hoytkesterson@earthlink.net> Subject: RE: keyCertSign and cRLSign Key Usage Bits Cc: Sharon boeyen <boeyen@entrust.com> Content-Type: text/html; charset="us-ascii" <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type="text/css"><!-- blockquote, dl, ul, ol, li { margin-top: 0 ; margin-bottom: 0 } --></style><title>RE: keyCertSign and cRLSign Key Usage Bits</title></head><body> <div>hi dave</div> <div><br></div> <div>this will be unusually short for me - i got 3 sets of guys working on my roof</div> <div><br></div> <div>as i told sharon earlier today. the group created the ca and crl keyusage flags early on in the work (i may be able to find the initial contributions from nick pope). crl distribution point was just being discussed, we wanted to shorten crls. the first proposal was to have crls responsible for ranges of certificates (using the serial number). later we decided to adopt the proposal to have the certificate point to other crl locations but the first texts confined that to points under the CA. later we expanded to the ability to point anywhere, e.g. crl issuer.</div> <div><br></div> <div>i have proposed some text to sharon to describe how a non-ca entity would be identified as a crl issuer for a set of certificates.</div> <div><br></div> <div>i believe your proposed interpretation of using crlsign as an indication of delegation is too divergent from that for ca sign. if CA x issues a certificate to entity y with the CAsign flag on, x is merely granting the right for CA y to issue certificates in CA y's name, not CA x's. i think it is reasonable to keep the same interpretation for cRLsign.</div> <div><br></div> <div>got to go talk to the electrician!</div> <div><br></div> <div> hoyt</div> <div><br></div> <div>At 1:27 PM -0400 4/26/01, Sharon Boeyen wrote:</div> <blockquote type="cite" cite><font size="-1">Hi Dave, my understanding of the crlsign bit is not that it is for delegating</font><br> <font size="-1">that indirect authority, but that it is similar to the keyCertSign bit in that</font><br> <font size="-1">it indicates that the certified key can be used to verify signatures on CRLs</font><br> <font size="-1">issued by the subject of the containing cert. It has nothing to do with delegating</font><br> <font size="-1">authority to issue CRLs on behalf of the issuing CA for the set of certificates issued</font><br> <font size="-1">by that issuer.</font><br> </blockquote> <blockquote type="cite" cite><font size="-1">This bit would be typically be set in any cert issued by one CA to another CA where relying parties would beexpecting to verify signatures on both certificates and CRLs issued by the subject authority and in conjunction with a certification path that contains the cert with this extension.</font><br> </blockquote> <blockquote type="cite" cite><font size="-1">Hoyt, can you comment from the perspective of the historian?? </font><br> </blockquote> <blockquote type="cite" cite><font size="-1">Sharon</font><br> </blockquote> <blockquote type="cite" cite><font size="-1">> -----Original Message-----</font><br> <font size="-1">> From: David P. Kemp [</font><a href="mailto:dpkemp@missi.ncsc.mil"><font size="-1">mailto:dpkemp@missi.ncsc.mil</font></a><font size="-1">]</font><br> <font size="-1">> Sent: Thursday, April 26, 2001 12:35 PM</font><br> <font size="-1">> To: ietf-pkix@imc.org</font><br> <font size="-1">> Cc: Hoyt Kesterson</font><br> <font size="-1">> Subject: Re: keyCertSign and cRLSign Key Usage Bits</font><br> <font size="-1">></font><br> <font size="-1">></font><br> <font size="-1">> The second point is one where some clarifying language in X.509 and</font><br> <font size="-1">> PKIX might be useful.</font><br> <font size="-1">></font><br> <font size="-1">> I've always assumed that the cRLSign bit is set exclusively for the</font><br> <font size="-1">> purpose of delegating to an ICRLA or other agent (including</font><br> <font size="-1">> the CA's own</font><br> <font size="-1">> online CRL-signing key which is different from its offline</font><br> <font size="-1">> cert-signing</font><br> <font size="-1">> key). In other words, for these certs:</font><br> <font size="-1">></font><br> <font size="-1">> CA-1</font><br> <font size="-1">> | CA-2-cert</font><br> <font size="-1">> CA-2</font><br> <font size="-1">> | EE-cert</font><br> <font size="-1">> EE</font><br> <font size="-1">></font><br> <font size="-1">> where CA-2-cert contains a critical keyUsage extension with</font><br> <font size="-1">> keyCertSign</font><br> <font size="-1">> asserted and cRLSign *un-asserted*, the private key which</font><br> <font size="-1">> signs EE-cert</font><br> <font size="-1">> also signs the CRL issued by CA-2 which covers EE. A CA can always</font><br> <font size="-1">> revoke its own certificates without needing permission from</font><br> <font size="-1">> an upstream CA.</font><br> <font size="-1">></font><br> <font size="-1">> If CA-2-cert had cRLSign asserted, then CA-2 could also sign</font><br> <font size="-1">> CRLs covering</font><br> <font size="-1">> certificates signed by the private key which signed CA-2-cert (CA-1's</font><br> <font size="-1">> private key).</font><br> <font size="-1">></font><br> <font size="-1">> Is this not the intent of X.509?</font><br> <font size="-1">></font><br> <font size="-1">> Dave</font><br> <font size="-1">></font><br> <font size="-1">></font><br> <font size="-1">></font><br> <font size="-1">> Sharon Boeyen wrote:</font><br> <font size="-1">> ></font><br> <font size="-1">> > I agree with your first point but not completely with the</font><br> <font size="-1">> second point. The</font><br> <font size="-1">> > cRLSign bit means "for verifying a CA's signature on CRLs".</font><br> <font size="-1">> In a hierarchy,</font><br> <font size="-1">> > for example, one might set this bit, along with the</font><br> <font size="-1">> keyCertSign bit in a cert</font><br> <font size="-1">> > issued to a subordinate CA. The CRLs that you would anticipate that</font><br> <font size="-1">> > subordinate CA to issue are ones for the set of</font><br> <font size="-1">> certificates that the</font><br> <font size="-1">> > subordinate issues, not ones for the certs issued by the CA</font><br> <font size="-1">> issuing that</font><br> <font size="-1">> > subordinate's certificate. That is not the same delegation</font><br> <font size="-1">> we've been</font><br> <font size="-1">> > discussing, where a CA hands off responsibility for issuing</font></blockquote> <blockquote type="cite" cite><font size="-1">> CRLs for its own</font><br> <font size="-1">> > set of certificates to another entity. That needs to be</font><br> <font size="-1">> indicated differently</font><br> <font size="-1">> > so that a relying party knows what entity is authorized to</font><br> <font size="-1">> issue CRLs 'on</font><br> <font size="-1">> > behalf of' another CA.</font><br> <font size="-1">> ></font><br> <font size="-1">> > Sharon</font><br> <font size="-1">> ></font><br> <font size="-1">> > > -----Original Message-----</font><br> <font size="-1">> > > From: David P. Kemp [</font><a href="mailto:dpkemp@missi.ncsc.mil"><font size="-1">mailto:dpkemp@missi.ncsc.mil</font></a><font size="-1">]</font><br> <font size="-1">> > > Sent: Thursday, April 26, 2001 11:31 AM</font><br> <font size="-1">> > > To: ietf-pkix@imc.org</font><br> <font size="-1">> > > Cc: Hoyt Kesterson</font><br> <font size="-1">> > > Subject: Re: keyCertSign and cRLSign Key Usage Bits</font><br> <font size="-1">> > ></font><br> <font size="-1">> > ></font><br> <font size="-1">> > > Sharon,</font><br> <font size="-1">> > ></font><br> <font size="-1">> > > 1) A cert issued for purposes of verifying the signature on a</font><br> <font size="-1">> > > CRL contains</font><br> <font size="-1">> > > at least the cRLSign bit. The digitalSignature bit (which</font><br> <font size="-1">> > > is used for</font><br> <font size="-1">> > > purposes other than b, f, or g), is not necessary.</font><br> <font size="-1">> > ></font><br> <font size="-1">> > > 2) If a CRL is issued by an entity other than the CA that</font><br> <font size="-1">> issues the</font><br> <font size="-1">> > > certificate, that delegation is identified with</font><br> <font size="-1">> integrity by the</font><br> <font size="-1">> > > fact that the CA which issued the EE certificate has</font><br> <font size="-1">> also issued</font><br> <font size="-1">> > > issued a certificate containing the cRLSign bit to the CA's</font><br> <font size="-1">> > > revocation agent. This agent is by definition an "authority",</font><br> <font size="-1">> > > by virtue of being the subject of the cRLSign certificate.</font><br> <font size="-1">> > ></font><br> <font size="-1">> > > Dave</font><br> <font size="-1">> > ></font><br> <font size="-1">> > ></font><br> <font size="-1">> > > Sharon Boeyen wrote:</font><br> <font size="-1">> > > ></font><br> <font size="-1">> > > > Taking a step back at what is 'technically important'. A</font><br> <font size="-1">> > > cert issued for</font><br> <font size="-1">> > > > purposes of cert signature verification contains at least</font><br> <font size="-1">> > > the ca bit set and</font><br> <font size="-1">> > > > the keyUsage keyCertSign. A cert issued for purposes of</font><br> <font size="-1">> > > verifying the</font><br> <font size="-1">> > > > signature on a CRL contains at least the digitalSignature</font><br> <font size="-1">> > > and cRLSign bits of</font><br> <font size="-1">> > > > keyUsage. If a CRL is to be issued by an entity other the</font><br> <font size="-1">> > > CA that issues the</font><br> <font size="-1">> > > > certificate, then there needs to be a way to identify that</font><br> <font size="-1">> > > delegation with</font><br> <font size="-1">> > > > integrity. If the crlDistributionPoints extension is in the</font><br> <font size="-1">> > > certificate, this</font><br> <font size="-1">> > > > can be done by populating the cRLIssuer field and that</font><br> <font size="-1">> > > value needs to</font><br> <font size="-1">> > > > correspond with the issuer name of the CRL being used</font><br> <font size="-1">> (and the other</font><br> <font size="-1">> > > > requirements outlined so nicely by</font><br> <font size="-1">> > > > Santosh in Annex B of 509 also need to be met of course).</font><br> <font size="-1">> > > Other mechanisms</font><br> <font size="-1">> > > > could also be used. As for the schema, there was no problem</font><br> <font size="-1">> > > with the PKI</font><br> <font size="-1">> > > > schema components as long as the crl issuers were also</font><br> <font size="-1">> > > CAs(except that the</font><br> <font size="-1">> > > > requirement for the CA bit to be set in all cases</font><br> <font size="-1">> should probably be</font><br> <font size="-1">> > > > removed).</font><br> <font size="-1">> > ></font><br> <font size="-1">></font></blockquote> <div><br></div> </body> </html> Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA02812 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 10:33:55 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <J432X6YY>; Thu, 26 Apr 2001 13:33:27 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FDF@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'David P. Kemp'" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Cc: Hoyt Kesterson <hoytkesterson@earthlink.net> Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Thu, 26 Apr 2001 13:27:37 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CE76.2FE7D840" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CE76.2FE7D840 Content-Type: text/plain Hi Dave, my understanding of the crlsign bit is not that it is for delegating that indirect authority, but that it is similar to the keyCertSign bit in that it indicates that the certified key can be used to verify signatures on CRLs issued by the subject of the containing cert. It has nothing to do with delegating authority to issue CRLs on behalf of the issuing CA for the set of certificates issued by that issuer. This bit would be typically be set in any cert issued by one CA to another CA where relying parties would beexpecting to verify signatures on both certificates and CRLs issued by the subject authority and in conjunction with a certification path that contains the cert with this extension. Hoyt, can you comment from the perspective of the historian?? Sharon > -----Original Message----- > From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] > Sent: Thursday, April 26, 2001 12:35 PM > To: ietf-pkix@imc.org > Cc: Hoyt Kesterson > Subject: Re: keyCertSign and cRLSign Key Usage Bits > > > The second point is one where some clarifying language in X.509 and > PKIX might be useful. > > I've always assumed that the cRLSign bit is set exclusively for the > purpose of delegating to an ICRLA or other agent (including > the CA's own > online CRL-signing key which is different from its offline > cert-signing > key). In other words, for these certs: > > CA-1 > | CA-2-cert > CA-2 > | EE-cert > EE > > where CA-2-cert contains a critical keyUsage extension with > keyCertSign > asserted and cRLSign *un-asserted*, the private key which > signs EE-cert > also signs the CRL issued by CA-2 which covers EE. A CA can always > revoke its own certificates without needing permission from > an upstream CA. > > If CA-2-cert had cRLSign asserted, then CA-2 could also sign > CRLs covering > certificates signed by the private key which signed CA-2-cert (CA-1's > private key). > > Is this not the intent of X.509? > > Dave > > > > Sharon Boeyen wrote: > > > > I agree with your first point but not completely with the > second point. The > > cRLSign bit means "for verifying a CA's signature on CRLs". > In a hierarchy, > > for example, one might set this bit, along with the > keyCertSign bit in a cert > > issued to a subordinate CA. The CRLs that you would anticipate that > > subordinate CA to issue are ones for the set of > certificates that the > > subordinate issues, not ones for the certs issued by the CA > issuing that > > subordinate's certificate. That is not the same delegation > we've been > > discussing, where a CA hands off responsibility for issuing > CRLs for its own > > set of certificates to another entity. That needs to be > indicated differently > > so that a relying party knows what entity is authorized to > issue CRLs 'on > > behalf of' another CA. > > > > Sharon > > > > > -----Original Message----- > > > From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] > > > Sent: Thursday, April 26, 2001 11:31 AM > > > To: ietf-pkix@imc.org > > > Cc: Hoyt Kesterson > > > Subject: Re: keyCertSign and cRLSign Key Usage Bits > > > > > > > > > Sharon, > > > > > > 1) A cert issued for purposes of verifying the signature on a > > > CRL contains > > > at least the cRLSign bit. The digitalSignature bit (which > > > is used for > > > purposes other than b, f, or g), is not necessary. > > > > > > 2) If a CRL is issued by an entity other than the CA that > issues the > > > certificate, that delegation is identified with > integrity by the > > > fact that the CA which issued the EE certificate has > also issued > > > issued a certificate containing the cRLSign bit to the CA's > > > revocation agent. This agent is by definition an "authority", > > > by virtue of being the subject of the cRLSign certificate. > > > > > > Dave > > > > > > > > > Sharon Boeyen wrote: > > > > > > > > Taking a step back at what is 'technically important'. A > > > cert issued for > > > > purposes of cert signature verification contains at least > > > the ca bit set and > > > > the keyUsage keyCertSign. A cert issued for purposes of > > > verifying the > > > > signature on a CRL contains at least the digitalSignature > > > and cRLSign bits of > > > > keyUsage. If a CRL is to be issued by an entity other the > > > CA that issues the > > > > certificate, then there needs to be a way to identify that > > > delegation with > > > > integrity. If the crlDistributionPoints extension is in the > > > certificate, this > > > > can be done by populating the cRLIssuer field and that > > > value needs to > > > > correspond with the issuer name of the CRL being used > (and the other > > > > requirements outlined so nicely by > > > > Santosh in Annex B of 509 also need to be met of course). > > > Other mechanisms > > > > could also be used. As for the schema, there was no problem > > > with the PKI > > > > schema components as long as the crl issuers were also > > > CAs(except that the > > > > requirement for the CA bit to be set in all cases > should probably be > > > > removed). > > > > ------_=_NextPart_001_01C0CE76.2FE7D840 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: keyCertSign and cRLSign Key Usage Bits</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Hi Dave, my understanding of the crlsign bit is not = that it is for delegating </FONT> <BR><FONT SIZE=3D2>that indirect authority, but that it is similar to = the keyCertSign bit in that</FONT> <BR><FONT SIZE=3D2>it indicates that the certified key can be used to = verify signatures on CRLs </FONT> <BR><FONT SIZE=3D2>issued by the subject of the containing cert. It has = nothing to do with delegating</FONT> <BR><FONT SIZE=3D2>authority to issue CRLs on behalf of the issuing CA = for the set of certificates issued </FONT> <BR><FONT SIZE=3D2>by that issuer. </FONT> </P> <P><FONT SIZE=3D2>This bit would be typically be set in any cert issued = by one CA to another CA where relying parties would beexpecting to = verify signatures on both certificates and CRLs issued by the subject = authority and in conjunction with a certification path that contains = the cert with this extension. </FONT></P> <P><FONT SIZE=3D2>Hoyt, can you comment from the perspective of the = historian?? </FONT> </P> <P><FONT SIZE=3D2>Sharon </FONT> </P> <P><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: David P. Kemp [<A = HREF=3D"mailto:dpkemp@missi.ncsc.mil">mailto:dpkemp@missi.ncsc.mil</A>]<= /FONT> <BR><FONT SIZE=3D2>> Sent: Thursday, April 26, 2001 12:35 PM</FONT> <BR><FONT SIZE=3D2>> To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Cc: Hoyt Kesterson</FONT> <BR><FONT SIZE=3D2>> Subject: Re: keyCertSign and cRLSign Key Usage = Bits</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The second point is one where some clarifying = language in X.509 and</FONT> <BR><FONT SIZE=3D2>> PKIX might be useful.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I've always assumed that the cRLSign bit is set = exclusively for the</FONT> <BR><FONT SIZE=3D2>> purpose of delegating to an ICRLA or other = agent (including </FONT> <BR><FONT SIZE=3D2>> the CA's own</FONT> <BR><FONT SIZE=3D2>> online CRL-signing key which is different from = its offline </FONT> <BR><FONT SIZE=3D2>> cert-signing</FONT> <BR><FONT SIZE=3D2>> key). In other words, for these = certs:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> CA-1</FONT> <BR><FONT SIZE=3D2>> | = CA-2-cert</FONT> <BR><FONT SIZE=3D2>> CA-2</FONT> <BR><FONT SIZE=3D2>> | EE-cert</FONT> <BR><FONT SIZE=3D2>> EE</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> where CA-2-cert contains a critical keyUsage = extension with </FONT> <BR><FONT SIZE=3D2>> keyCertSign</FONT> <BR><FONT SIZE=3D2>> asserted and cRLSign *un-asserted*, the private = key which </FONT> <BR><FONT SIZE=3D2>> signs EE-cert</FONT> <BR><FONT SIZE=3D2>> also signs the CRL issued by CA-2 which covers = EE. A CA can always</FONT> <BR><FONT SIZE=3D2>> revoke its own certificates without needing = permission from </FONT> <BR><FONT SIZE=3D2>> an upstream CA.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> If CA-2-cert had cRLSign asserted, then CA-2 = could also sign </FONT> <BR><FONT SIZE=3D2>> CRLs covering</FONT> <BR><FONT SIZE=3D2>> certificates signed by the private key which = signed CA-2-cert (CA-1's</FONT> <BR><FONT SIZE=3D2>> private key).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Is this not the intent of X.509?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Dave</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Sharon Boeyen wrote:</FONT> <BR><FONT SIZE=3D2>> > </FONT> <BR><FONT SIZE=3D2>> > I agree with your first point but not = completely with the </FONT> <BR><FONT SIZE=3D2>> second point. The</FONT> <BR><FONT SIZE=3D2>> > cRLSign bit means "for verifying a = CA's signature on CRLs". </FONT> <BR><FONT SIZE=3D2>> In a hierarchy,</FONT> <BR><FONT SIZE=3D2>> > for example, one might set this bit, along = with the </FONT> <BR><FONT SIZE=3D2>> keyCertSign bit in a cert</FONT> <BR><FONT SIZE=3D2>> > issued to a subordinate CA. The CRLs that = you would anticipate that</FONT> <BR><FONT SIZE=3D2>> > subordinate CA to issue are ones for the = set of </FONT> <BR><FONT SIZE=3D2>> certificates that the</FONT> <BR><FONT SIZE=3D2>> > subordinate issues, not ones for the certs = issued by the CA </FONT> <BR><FONT SIZE=3D2>> issuing that</FONT> <BR><FONT SIZE=3D2>> > subordinate's certificate. That is not the = same delegation </FONT> <BR><FONT SIZE=3D2>> we've been</FONT> <BR><FONT SIZE=3D2>> > discussing, where a CA hands off = responsibility for issuing </FONT> <BR><FONT SIZE=3D2>> CRLs for its own</FONT> <BR><FONT SIZE=3D2>> > set of certificates to another entity. = That needs to be </FONT> <BR><FONT SIZE=3D2>> indicated differently</FONT> <BR><FONT SIZE=3D2>> > so that a relying party knows what entity = is authorized to </FONT> <BR><FONT SIZE=3D2>> issue CRLs 'on</FONT> <BR><FONT SIZE=3D2>> > behalf of' another CA.</FONT> <BR><FONT SIZE=3D2>> > </FONT> <BR><FONT SIZE=3D2>> > Sharon</FONT> <BR><FONT SIZE=3D2>> > </FONT> <BR><FONT SIZE=3D2>> > > -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> > > From: David P. Kemp [<A = HREF=3D"mailto:dpkemp@missi.ncsc.mil">mailto:dpkemp@missi.ncsc.mil</A>]<= /FONT> <BR><FONT SIZE=3D2>> > > Sent: Thursday, April 26, 2001 11:31 = AM</FONT> <BR><FONT SIZE=3D2>> > > To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> > > Cc: Hoyt Kesterson</FONT> <BR><FONT SIZE=3D2>> > > Subject: Re: keyCertSign and cRLSign = Key Usage Bits</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > Sharon,</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > 1) A cert issued for purposes of = verifying the signature on a</FONT> <BR><FONT SIZE=3D2>> > > CRL contains</FONT> <BR><FONT SIZE=3D2>> > > at least the = cRLSign bit. The digitalSignature bit (which</FONT> <BR><FONT SIZE=3D2>> > > is used for</FONT> <BR><FONT SIZE=3D2>> > > purposes other than = b, f, or g), is not necessary.</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > 2) If a CRL is issued by an entity = other than the CA that </FONT> <BR><FONT SIZE=3D2>> issues the</FONT> <BR><FONT SIZE=3D2>> > > certificate, that = delegation is identified with </FONT> <BR><FONT SIZE=3D2>> integrity by the</FONT> <BR><FONT SIZE=3D2>> > > fact that the CA = which issued the EE certificate has </FONT> <BR><FONT SIZE=3D2>> also issued</FONT> <BR><FONT SIZE=3D2>> > > issued a = certificate containing the cRLSign bit to the CA's</FONT> <BR><FONT SIZE=3D2>> > > revocation = agent. This agent is by definition an = "authority",</FONT> <BR><FONT SIZE=3D2>> > > by virtue of being = the subject of the cRLSign certificate.</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > Dave</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > Sharon Boeyen wrote:</FONT> <BR><FONT SIZE=3D2>> > > ></FONT> <BR><FONT SIZE=3D2>> > > > Taking a step back at what is = 'technically important'. A</FONT> <BR><FONT SIZE=3D2>> > > cert issued for</FONT> <BR><FONT SIZE=3D2>> > > > purposes of cert signature = verification contains at least</FONT> <BR><FONT SIZE=3D2>> > > the ca bit set and</FONT> <BR><FONT SIZE=3D2>> > > > the keyUsage keyCertSign. A cert = issued for purposes of</FONT> <BR><FONT SIZE=3D2>> > > verifying the</FONT> <BR><FONT SIZE=3D2>> > > > signature on a CRL contains at = least the digitalSignature</FONT> <BR><FONT SIZE=3D2>> > > and cRLSign bits of</FONT> <BR><FONT SIZE=3D2>> > > > keyUsage. If a CRL is to be = issued by an entity other the</FONT> <BR><FONT SIZE=3D2>> > > CA that issues the</FONT> <BR><FONT SIZE=3D2>> > > > certificate, then there needs to = be a way to identify that</FONT> <BR><FONT SIZE=3D2>> > > delegation with</FONT> <BR><FONT SIZE=3D2>> > > > integrity. If the = crlDistributionPoints extension is in the</FONT> <BR><FONT SIZE=3D2>> > > certificate, this</FONT> <BR><FONT SIZE=3D2>> > > > can be done by populating the = cRLIssuer field and that</FONT> <BR><FONT SIZE=3D2>> > > value needs to</FONT> <BR><FONT SIZE=3D2>> > > > correspond with the issuer name = of the CRL being used </FONT> <BR><FONT SIZE=3D2>> (and the other</FONT> <BR><FONT SIZE=3D2>> > > > requirements outlined so nicely = by</FONT> <BR><FONT SIZE=3D2>> > > > Santosh in Annex B of 509 also = need to be met of course).</FONT> <BR><FONT SIZE=3D2>> > > Other mechanisms</FONT> <BR><FONT SIZE=3D2>> > > > could also be used. As for the = schema, there was no problem</FONT> <BR><FONT SIZE=3D2>> > > with the PKI</FONT> <BR><FONT SIZE=3D2>> > > > schema components as long as the = crl issuers were also</FONT> <BR><FONT SIZE=3D2>> > > CAs(except that the</FONT> <BR><FONT SIZE=3D2>> > > > requirement for the CA bit to be = set in all cases </FONT> <BR><FONT SIZE=3D2>> should probably be</FONT> <BR><FONT SIZE=3D2>> > > > removed).</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CE76.2FE7D840-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA01533 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 10:15:25 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JV6F5Y8S>; Thu, 26 Apr 2001 13:14:56 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE3AA@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Cc: Hoyt Kesterson <hoytkesterson@earthlink.net> Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Thu, 26 Apr 2001 13:06:02 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CE73.2BFCE9D0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CE73.2BFCE9D0 Content-Type: text/plain; charset="iso-8859-1" Dave: Not that alone. As we have discussed in this thread, for operational security considerations, a CA may have a separate key (but the same name) for signing CRL. That key may be certified by the CA itself and/or the CA's parent. -----Original Message----- From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] Sent: Thursday, April 26, 2001 12:35 PM To: ietf-pkix@imc.org Cc: Hoyt Kesterson Subject: Re: keyCertSign and cRLSign Key Usage Bits The second point is one where some clarifying language in X.509 and PKIX might be useful. I've always assumed that the cRLSign bit is set exclusively for the purpose of delegating to an ICRLA or other agent (including the CA's own online CRL-signing key which is different from its offline cert-signing key). In other words, for these certs: CA-1 | CA-2-cert CA-2 | EE-cert EE where CA-2-cert contains a critical keyUsage extension with keyCertSign asserted and cRLSign *un-asserted*, the private key which signs EE-cert also signs the CRL issued by CA-2 which covers EE. A CA can always revoke its own certificates without needing permission from an upstream CA. If CA-2-cert had cRLSign asserted, then CA-2 could also sign CRLs covering certificates signed by the private key which signed CA-2-cert (CA-1's private key). Is this not the intent of X.509? Dave Sharon Boeyen wrote: > > I agree with your first point but not completely with the second point. The > cRLSign bit means "for verifying a CA's signature on CRLs". In a hierarchy, > for example, one might set this bit, along with the keyCertSign bit in a cert > issued to a subordinate CA. The CRLs that you would anticipate that > subordinate CA to issue are ones for the set of certificates that the > subordinate issues, not ones for the certs issued by the CA issuing that > subordinate's certificate. That is not the same delegation we've been > discussing, where a CA hands off responsibility for issuing CRLs for its own > set of certificates to another entity. That needs to be indicated differently > so that a relying party knows what entity is authorized to issue CRLs 'on > behalf of' another CA. > > Sharon > > > -----Original Message----- > > From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] > > Sent: Thursday, April 26, 2001 11:31 AM > > To: ietf-pkix@imc.org > > Cc: Hoyt Kesterson > > Subject: Re: keyCertSign and cRLSign Key Usage Bits > > > > > > Sharon, > > > > 1) A cert issued for purposes of verifying the signature on a > > CRL contains > > at least the cRLSign bit. The digitalSignature bit (which > > is used for > > purposes other than b, f, or g), is not necessary. > > > > 2) If a CRL is issued by an entity other than the CA that issues the > > certificate, that delegation is identified with integrity by the > > fact that the CA which issued the EE certificate has also issued > > issued a certificate containing the cRLSign bit to the CA's > > revocation agent. This agent is by definition an "authority", > > by virtue of being the subject of the cRLSign certificate. > > > > Dave > > > > > > Sharon Boeyen wrote: > > > > > > Taking a step back at what is 'technically important'. A > > cert issued for > > > purposes of cert signature verification contains at least > > the ca bit set and > > > the keyUsage keyCertSign. A cert issued for purposes of > > verifying the > > > signature on a CRL contains at least the digitalSignature > > and cRLSign bits of > > > keyUsage. If a CRL is to be issued by an entity other the > > CA that issues the > > > certificate, then there needs to be a way to identify that > > delegation with > > > integrity. If the crlDistributionPoints extension is in the > > certificate, this > > > can be done by populating the cRLIssuer field and that > > value needs to > > > correspond with the issuer name of the CRL being used (and the other > > > requirements outlined so nicely by > > > Santosh in Annex B of 509 also need to be met of course). > > Other mechanisms > > > could also be used. As for the schema, there was no problem > > with the PKI > > > schema components as long as the crl issuers were also > > CAs(except that the > > > requirement for the CA bit to be set in all cases should probably be > > > removed). > > ------_=_NextPart_001_01C0CE73.2BFCE9D0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: keyCertSign and cRLSign Key Usage Bits</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Dave:</FONT> </P> <P><FONT SIZE=3D2>Not that alone.</FONT> </P> <P><FONT SIZE=3D2>As we have discussed in this thread, for operational = security considerations, a CA may have a separate key (but the same = name) for signing CRL. That key may be certified by the CA itself = and/or the CA's parent.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: David P. Kemp [<A = HREF=3D"mailto:dpkemp@missi.ncsc.mil">mailto:dpkemp@missi.ncsc.mil</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Thursday, April 26, 2001 12:35 PM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Cc: Hoyt Kesterson</FONT> <BR><FONT SIZE=3D2>Subject: Re: keyCertSign and cRLSign Key Usage = Bits</FONT> </P> <BR> <P><FONT SIZE=3D2>The second point is one where some clarifying = language in X.509 and</FONT> <BR><FONT SIZE=3D2>PKIX might be useful.</FONT> </P> <P><FONT SIZE=3D2>I've always assumed that the cRLSign bit is set = exclusively for the</FONT> <BR><FONT SIZE=3D2>purpose of delegating to an ICRLA or other agent = (including the CA's own</FONT> <BR><FONT SIZE=3D2>online CRL-signing key which is different from its = offline cert-signing</FONT> <BR><FONT SIZE=3D2>key). In other words, for these certs:</FONT> </P> <P><FONT SIZE=3D2> CA-1</FONT> <BR><FONT SIZE=3D2> | CA-2-cert</FONT> <BR><FONT SIZE=3D2> CA-2</FONT> <BR><FONT SIZE=3D2> | EE-cert</FONT> <BR><FONT SIZE=3D2> EE</FONT> </P> <P><FONT SIZE=3D2>where CA-2-cert contains a critical keyUsage = extension with keyCertSign</FONT> <BR><FONT SIZE=3D2>asserted and cRLSign *un-asserted*, the private key = which signs EE-cert</FONT> <BR><FONT SIZE=3D2>also signs the CRL issued by CA-2 which covers = EE. A CA can always</FONT> <BR><FONT SIZE=3D2>revoke its own certificates without needing = permission from an upstream CA.</FONT> </P> <P><FONT SIZE=3D2>If CA-2-cert had cRLSign asserted, then CA-2 could = also sign CRLs covering</FONT> <BR><FONT SIZE=3D2>certificates signed by the private key which signed = CA-2-cert (CA-1's</FONT> <BR><FONT SIZE=3D2>private key).</FONT> </P> <P><FONT SIZE=3D2>Is this not the intent of X.509?</FONT> </P> <P><FONT SIZE=3D2>Dave</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>Sharon Boeyen wrote:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I agree with your first point but not = completely with the second point. The</FONT> <BR><FONT SIZE=3D2>> cRLSign bit means "for verifying a CA's = signature on CRLs". In a hierarchy,</FONT> <BR><FONT SIZE=3D2>> for example, one might set this bit, along with = the keyCertSign bit in a cert</FONT> <BR><FONT SIZE=3D2>> issued to a subordinate CA. The CRLs that you = would anticipate that</FONT> <BR><FONT SIZE=3D2>> subordinate CA to issue are ones for the set of = certificates that the</FONT> <BR><FONT SIZE=3D2>> subordinate issues, not ones for the certs = issued by the CA issuing that</FONT> <BR><FONT SIZE=3D2>> subordinate's certificate. That is not the same = delegation we've been</FONT> <BR><FONT SIZE=3D2>> discussing, where a CA hands off responsibility = for issuing CRLs for its own</FONT> <BR><FONT SIZE=3D2>> set of certificates to another entity. That = needs to be indicated differently</FONT> <BR><FONT SIZE=3D2>> so that a relying party knows what entity is = authorized to issue CRLs 'on</FONT> <BR><FONT SIZE=3D2>> behalf of' another CA.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Sharon</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> > From: David P. Kemp [<A = HREF=3D"mailto:dpkemp@missi.ncsc.mil">mailto:dpkemp@missi.ncsc.mil</A>]<= /FONT> <BR><FONT SIZE=3D2>> > Sent: Thursday, April 26, 2001 11:31 = AM</FONT> <BR><FONT SIZE=3D2>> > To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> > Cc: Hoyt Kesterson</FONT> <BR><FONT SIZE=3D2>> > Subject: Re: keyCertSign and cRLSign Key = Usage Bits</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Sharon,</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > 1) A cert issued for purposes of verifying = the signature on a</FONT> <BR><FONT SIZE=3D2>> > CRL contains</FONT> <BR><FONT SIZE=3D2>> > at least the cRLSign = bit. The digitalSignature bit (which</FONT> <BR><FONT SIZE=3D2>> > is used for</FONT> <BR><FONT SIZE=3D2>> > purposes other than b, = f, or g), is not necessary.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > 2) If a CRL is issued by an entity other = than the CA that issues the</FONT> <BR><FONT SIZE=3D2>> > certificate, that = delegation is identified with integrity by the</FONT> <BR><FONT SIZE=3D2>> > fact that the CA which = issued the EE certificate has also issued</FONT> <BR><FONT SIZE=3D2>> > issued a certificate = containing the cRLSign bit to the CA's</FONT> <BR><FONT SIZE=3D2>> > revocation agent. = This agent is by definition an "authority",</FONT> <BR><FONT SIZE=3D2>> > by virtue of being the = subject of the cRLSign certificate.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Dave</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Sharon Boeyen wrote:</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > Taking a step back at what is = 'technically important'. A</FONT> <BR><FONT SIZE=3D2>> > cert issued for</FONT> <BR><FONT SIZE=3D2>> > > purposes of cert signature = verification contains at least</FONT> <BR><FONT SIZE=3D2>> > the ca bit set and</FONT> <BR><FONT SIZE=3D2>> > > the keyUsage keyCertSign. A cert = issued for purposes of</FONT> <BR><FONT SIZE=3D2>> > verifying the</FONT> <BR><FONT SIZE=3D2>> > > signature on a CRL contains at least = the digitalSignature</FONT> <BR><FONT SIZE=3D2>> > and cRLSign bits of</FONT> <BR><FONT SIZE=3D2>> > > keyUsage. If a CRL is to be issued by = an entity other the</FONT> <BR><FONT SIZE=3D2>> > CA that issues the</FONT> <BR><FONT SIZE=3D2>> > > certificate, then there needs to be a = way to identify that</FONT> <BR><FONT SIZE=3D2>> > delegation with</FONT> <BR><FONT SIZE=3D2>> > > integrity. If the = crlDistributionPoints extension is in the</FONT> <BR><FONT SIZE=3D2>> > certificate, this</FONT> <BR><FONT SIZE=3D2>> > > can be done by populating the = cRLIssuer field and that</FONT> <BR><FONT SIZE=3D2>> > value needs to</FONT> <BR><FONT SIZE=3D2>> > > correspond with the issuer name of = the CRL being used (and the other</FONT> <BR><FONT SIZE=3D2>> > > requirements outlined so nicely = by</FONT> <BR><FONT SIZE=3D2>> > > Santosh in Annex B of 509 also need = to be met of course).</FONT> <BR><FONT SIZE=3D2>> > Other mechanisms</FONT> <BR><FONT SIZE=3D2>> > > could also be used. As for the = schema, there was no problem</FONT> <BR><FONT SIZE=3D2>> > with the PKI</FONT> <BR><FONT SIZE=3D2>> > > schema components as long as the crl = issuers were also</FONT> <BR><FONT SIZE=3D2>> > CAs(except that the</FONT> <BR><FONT SIZE=3D2>> > > requirement for the CA bit to be set = in all cases should probably be</FONT> <BR><FONT SIZE=3D2>> > > removed).</FONT> <BR><FONT SIZE=3D2>> ></FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CE73.2BFCE9D0-- Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA28714 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 09:37:09 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id MAA28576; Thu, 26 Apr 2001 12:36:40 -0400 (EDT) Message-Id: <200104261636.MAA28572@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Thu, 26 Apr 2001 12:34:44 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org CC: Hoyt Kesterson <hoytkesterson@earthlink.net> Subject: Re: keyCertSign and cRLSign Key Usage Bits References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FD9@sottmxs09.entrust.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit The second point is one where some clarifying language in X.509 and PKIX might be useful. I've always assumed that the cRLSign bit is set exclusively for the purpose of delegating to an ICRLA or other agent (including the CA's own online CRL-signing key which is different from its offline cert-signing key). In other words, for these certs: CA-1 | CA-2-cert CA-2 | EE-cert EE where CA-2-cert contains a critical keyUsage extension with keyCertSign asserted and cRLSign *un-asserted*, the private key which signs EE-cert also signs the CRL issued by CA-2 which covers EE. A CA can always revoke its own certificates without needing permission from an upstream CA. If CA-2-cert had cRLSign asserted, then CA-2 could also sign CRLs covering certificates signed by the private key which signed CA-2-cert (CA-1's private key). Is this not the intent of X.509? Dave Sharon Boeyen wrote: > > I agree with your first point but not completely with the second point. The > cRLSign bit means "for verifying a CA's signature on CRLs". In a hierarchy, > for example, one might set this bit, along with the keyCertSign bit in a cert > issued to a subordinate CA. The CRLs that you would anticipate that > subordinate CA to issue are ones for the set of certificates that the > subordinate issues, not ones for the certs issued by the CA issuing that > subordinate's certificate. That is not the same delegation we've been > discussing, where a CA hands off responsibility for issuing CRLs for its own > set of certificates to another entity. That needs to be indicated differently > so that a relying party knows what entity is authorized to issue CRLs 'on > behalf of' another CA. > > Sharon > > > -----Original Message----- > > From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] > > Sent: Thursday, April 26, 2001 11:31 AM > > To: ietf-pkix@imc.org > > Cc: Hoyt Kesterson > > Subject: Re: keyCertSign and cRLSign Key Usage Bits > > > > > > Sharon, > > > > 1) A cert issued for purposes of verifying the signature on a > > CRL contains > > at least the cRLSign bit. The digitalSignature bit (which > > is used for > > purposes other than b, f, or g), is not necessary. > > > > 2) If a CRL is issued by an entity other than the CA that issues the > > certificate, that delegation is identified with integrity by the > > fact that the CA which issued the EE certificate has also issued > > issued a certificate containing the cRLSign bit to the CA's > > revocation agent. This agent is by definition an "authority", > > by virtue of being the subject of the cRLSign certificate. > > > > Dave > > > > > > Sharon Boeyen wrote: > > > > > > Taking a step back at what is 'technically important'. A > > cert issued for > > > purposes of cert signature verification contains at least > > the ca bit set and > > > the keyUsage keyCertSign. A cert issued for purposes of > > verifying the > > > signature on a CRL contains at least the digitalSignature > > and cRLSign bits of > > > keyUsage. If a CRL is to be issued by an entity other the > > CA that issues the > > > certificate, then there needs to be a way to identify that > > delegation with > > > integrity. If the crlDistributionPoints extension is in the > > certificate, this > > > can be done by populating the cRLIssuer field and that > > value needs to > > > correspond with the issuer name of the CRL being used (and the other > > > requirements outlined so nicely by > > > Santosh in Annex B of 509 also need to be met of course). > > Other mechanisms > > > could also be used. As for the schema, there was no problem > > with the PKI > > > schema components as long as the crl issuers were also > > CAs(except that the > > > requirement for the CA bit to be set in all cases should probably be > > > removed). > > Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA27380 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 09:13:18 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JV6F5X8L>; Thu, 26 Apr 2001 12:12:49 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FD9@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'David P. Kemp'" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Cc: Hoyt Kesterson <hoytkesterson@earthlink.net> Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Thu, 26 Apr 2001 12:07:01 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CE6A.ED718930" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CE6A.ED718930 Content-Type: text/plain I agree with your first point but not completely with the second point. The cRLSign bit means "for verifying a CA's signature on CRLs". In a hierarchy, for example, one might set this bit, along with the keyCertSign bit in a cert issued to a subordinate CA. The CRLs that you would anticipate that subordinate CA to issue are ones for the set of certificates that the subordinate issues, not ones for the certs issued by the CA issuing that subordinate's certificate. That is not the same delegation we've been discussing, where a CA hands off responsibility for issuing CRLs for its own set of certificates to another entity. That needs to be indicated differently so that a relying party knows what entity is authorized to issue CRLs 'on behalf of' another CA. Sharon > -----Original Message----- > From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] > Sent: Thursday, April 26, 2001 11:31 AM > To: ietf-pkix@imc.org > Cc: Hoyt Kesterson > Subject: Re: keyCertSign and cRLSign Key Usage Bits > > > Sharon, > > 1) A cert issued for purposes of verifying the signature on a > CRL contains > at least the cRLSign bit. The digitalSignature bit (which > is used for > purposes other than b, f, or g), is not necessary. > > 2) If a CRL is issued by an entity other than the CA that issues the > certificate, that delegation is identified with integrity by the > fact that the CA which issued the EE certificate has also issued > issued a certificate containing the cRLSign bit to the CA's > revocation agent. This agent is by definition an "authority", > by virtue of being the subject of the cRLSign certificate. > > Dave > > > Sharon Boeyen wrote: > > > > Taking a step back at what is 'technically important'. A > cert issued for > > purposes of cert signature verification contains at least > the ca bit set and > > the keyUsage keyCertSign. A cert issued for purposes of > verifying the > > signature on a CRL contains at least the digitalSignature > and cRLSign bits of > > keyUsage. If a CRL is to be issued by an entity other the > CA that issues the > > certificate, then there needs to be a way to identify that > delegation with > > integrity. If the crlDistributionPoints extension is in the > certificate, this > > can be done by populating the cRLIssuer field and that > value needs to > > correspond with the issuer name of the CRL being used (and the other > > requirements outlined so nicely by > > Santosh in Annex B of 509 also need to be met of course). > Other mechanisms > > could also be used. As for the schema, there was no problem > with the PKI > > schema components as long as the crl issuers were also > CAs(except that the > > requirement for the CA bit to be set in all cases should probably be > > removed). > ------_=_NextPart_001_01C0CE6A.ED718930 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: keyCertSign and cRLSign Key Usage Bits</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I agree with your first point but not completely with = the second point. The cRLSign bit means "for verifying a CA's = signature on CRLs". In a hierarchy, for example, one might set = this bit, along with the keyCertSign bit in a cert issued to a = subordinate CA. The CRLs that you would anticipate that subordinate CA = to issue are ones for the set of certificates that the subordinate = issues, not ones for the certs issued by the CA issuing that = subordinate's certificate. That is not the same delegation we've been = discussing, where a CA hands off responsibility for issuing CRLs for = its own set of certificates to another entity. That needs to be = indicated differently so that a relying party knows what entity is = authorized to issue CRLs 'on behalf of' another CA. </FONT></P> <P><FONT SIZE=3D2>Sharon</FONT> </P> <P><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: David P. Kemp [<A = HREF=3D"mailto:dpkemp@missi.ncsc.mil">mailto:dpkemp@missi.ncsc.mil</A>]<= /FONT> <BR><FONT SIZE=3D2>> Sent: Thursday, April 26, 2001 11:31 AM</FONT> <BR><FONT SIZE=3D2>> To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Cc: Hoyt Kesterson</FONT> <BR><FONT SIZE=3D2>> Subject: Re: keyCertSign and cRLSign Key Usage = Bits</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Sharon,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 1) A cert issued for purposes of verifying the = signature on a </FONT> <BR><FONT SIZE=3D2>> CRL contains</FONT> <BR><FONT SIZE=3D2>> at least the cRLSign bit. The = digitalSignature bit (which </FONT> <BR><FONT SIZE=3D2>> is used for</FONT> <BR><FONT SIZE=3D2>> purposes other than b, f, or = g), is not necessary.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 2) If a CRL is issued by an entity other than = the CA that issues the</FONT> <BR><FONT SIZE=3D2>> certificate, that delegation = is identified with integrity by the</FONT> <BR><FONT SIZE=3D2>> fact that the CA which issued = the EE certificate has also issued</FONT> <BR><FONT SIZE=3D2>> issued a certificate = containing the cRLSign bit to the CA's</FONT> <BR><FONT SIZE=3D2>> revocation agent. This = agent is by definition an "authority",</FONT> <BR><FONT SIZE=3D2>> by virtue of being the = subject of the cRLSign certificate.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Dave</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Sharon Boeyen wrote:</FONT> <BR><FONT SIZE=3D2>> > </FONT> <BR><FONT SIZE=3D2>> > Taking a step back at what is 'technically = important'. A </FONT> <BR><FONT SIZE=3D2>> cert issued for</FONT> <BR><FONT SIZE=3D2>> > purposes of cert signature verification = contains at least </FONT> <BR><FONT SIZE=3D2>> the ca bit set and</FONT> <BR><FONT SIZE=3D2>> > the keyUsage keyCertSign. A cert issued = for purposes of </FONT> <BR><FONT SIZE=3D2>> verifying the</FONT> <BR><FONT SIZE=3D2>> > signature on a CRL contains at least the = digitalSignature </FONT> <BR><FONT SIZE=3D2>> and cRLSign bits of</FONT> <BR><FONT SIZE=3D2>> > keyUsage. If a CRL is to be issued by an = entity other the </FONT> <BR><FONT SIZE=3D2>> CA that issues the</FONT> <BR><FONT SIZE=3D2>> > certificate, then there needs to be a way = to identify that </FONT> <BR><FONT SIZE=3D2>> delegation with</FONT> <BR><FONT SIZE=3D2>> > integrity. If the crlDistributionPoints = extension is in the </FONT> <BR><FONT SIZE=3D2>> certificate, this</FONT> <BR><FONT SIZE=3D2>> > can be done by populating the cRLIssuer = field and that </FONT> <BR><FONT SIZE=3D2>> value needs to</FONT> <BR><FONT SIZE=3D2>> > correspond with the issuer name of the CRL = being used (and the other</FONT> <BR><FONT SIZE=3D2>> > requirements outlined so nicely by</FONT> <BR><FONT SIZE=3D2>> > Santosh in Annex B of 509 also need to be = met of course). </FONT> <BR><FONT SIZE=3D2>> Other mechanisms</FONT> <BR><FONT SIZE=3D2>> > could also be used. As for the schema, = there was no problem </FONT> <BR><FONT SIZE=3D2>> with the PKI</FONT> <BR><FONT SIZE=3D2>> > schema components as long as the crl = issuers were also </FONT> <BR><FONT SIZE=3D2>> CAs(except that the</FONT> <BR><FONT SIZE=3D2>> > requirement for the CA bit to be set in = all cases should probably be</FONT> <BR><FONT SIZE=3D2>> > removed).</FONT> <BR><FONT SIZE=3D2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CE6A.ED718930-- Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA21359 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 08:33:40 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id LAA26043; Thu, 26 Apr 2001 11:33:11 -0400 (EDT) Message-Id: <200104261533.LAA26039@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Thu, 26 Apr 2001 11:31:11 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org CC: Hoyt Kesterson <hoytkesterson@earthlink.net> Subject: Re: keyCertSign and cRLSign Key Usage Bits References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FD6@sottmxs09.entrust.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sharon, 1) A cert issued for purposes of verifying the signature on a CRL contains at least the cRLSign bit. The digitalSignature bit (which is used for purposes other than b, f, or g), is not necessary. 2) If a CRL is issued by an entity other than the CA that issues the certificate, that delegation is identified with integrity by the fact that the CA which issued the EE certificate has also issued issued a certificate containing the cRLSign bit to the CA's revocation agent. This agent is by definition an "authority", by virtue of being the subject of the cRLSign certificate. Dave Sharon Boeyen wrote: > > Taking a step back at what is 'technically important'. A cert issued for > purposes of cert signature verification contains at least the ca bit set and > the keyUsage keyCertSign. A cert issued for purposes of verifying the > signature on a CRL contains at least the digitalSignature and cRLSign bits of > keyUsage. If a CRL is to be issued by an entity other the CA that issues the > certificate, then there needs to be a way to identify that delegation with > integrity. If the crlDistributionPoints extension is in the certificate, this > can be done by populating the cRLIssuer field and that value needs to > correspond with the issuer name of the CRL being used (and the other > requirements outlined so nicely by > Santosh in Annex B of 509 also need to be met of course). Other mechanisms > could also be used. As for the schema, there was no problem with the PKI > schema components as long as the crl issuers were also CAs(except that the > requirement for the CA bit to be set in all cases should probably be > removed). Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA17129 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 08:07:46 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JV6F5W9M>; Thu, 26 Apr 2001 11:07:16 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE395@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Sharon Boeyen <sharon.boeyen@entrust.com>, Santosh Chokhani <chokhani@cygnacom.com>, "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org Cc: "Hoyt Kesterson (E-mail)" <hoytkesterson@earthlink.net> Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Thu, 26 Apr 2001 10:58:21 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CE61.55A85A60" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CE61.55A85A60 Content-Type: text/plain; charset="iso-8859-1" My suggestion is NOT to change the standard. That is require the CRL signer to be a caCertificate and make sure that the basic constraint extension is present with cA flag set to .TRUE. My suggestion is however that the clients be not required to validate all this except cRLSign bit in the keyUsage extension. -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Thursday, April 26, 2001 10:42 AM To: Santosh Chokhani; David A. Cooper; ietf-pkix@imc.org Cc: Hoyt Kesterson (E-mail) Subject: RE: keyCertSign and cRLSign Key Usage Bits Santosh I see your point on the schema - actually 509 contains the exact same text and would also need to be modified. I assume that the appropriate change would be to delete the text that requires the ca bit to be set in any cert that goes into the cACertificate attribute. As for the crossCertificatePair attribute, I guess it would need to be lifted there as well (assuming a CA would want to issue a cert to another CA for purposes of verifying signatures on CRLs but not on certificates)? That raises another point - if we modify all this "stuff" to allow entities other than authorities to sign CRLs, where would those certificates be stored? The subjects aren't CAs so they don't really belong in either of these attributes. Inventing another attribute and object class isn't very attractive either. Thoughts? Dave, I realize you weren't suggesting we do this, but I do want to say that I would not support changing the meaning of the ca bit in basic constraints. That is there as one of many 'business controls" that a CA can use to ensure that the certificate it issues (containing those constraints), when used by conforming path validation systems, achieves that CAs intended result. That is very specific, very important, and I wouldn't want to see it generalized. Nor would I support requiring any ties between the basicConstraints extension and other extensions within X.509. 509 needs to remain flexible to allow PKIX and other profiles to determine their own requirements for such combinations. As for the definition of a CA, in addition to issuing certificates it has responsibility for certificate revocation, which it may perform directly or delegate to another 'authority/entity'. If that delegation can be to an entity other than an authority, then you still have a schema problem regardless of what you do with the ca bit and keyUsage. Taking a step back at what is 'technically important'. A cert issued for purposes of cert signature verification contains at least the ca bit set and the keyUsage keyCertSign. A cert issued for purposes of verifying the signature on a CRL contains at least the digitalSignature and cRLSign bits of keyUsage. If a CRL is to be issued by an entity other the CA that issues the certificate, then there needs to be a way to identify that delegation with integrity. If the crlDistributionPoints extension is in the certificate, this can be done by populating the cRLIssuer field and that value needs to correspond with the issuer name of the CRL being used (and the other requirements outlined so nicely by Santosh in Annex B of 509 also need to be met of course). Other mechanisms could also be used. As for the schema, there was no problem with the PKI schema components as long as the crl issuers were also CAs(except that the requirement for the CA bit to be set in all cases should probably be removed). Assuming PKIX reaches consensus on wanting entities other than authorities to issue crls, then additional schema work is at least needed and some re-writing of text in 509 to permit that would also be needed. Hoyt and I have already started working on a proposed draft defect report for that text, in anticipation of that consensus, but we haven't looked at schema implications yet. -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Thursday, April 26, 2001 9:53 AM To: David A. Cooper; ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Dave: My opinion are based on the fact that the current X.509 text says that CA issues CRLs. Thus, if the key is used to sign the CRL, it is a CA and hence the caCertificate. I think this is not a security issue (in my mind). We need to make sure that the X.509 language and ldap schema align. I still believe that those clients that do not make checks that are not relevant to security, should be considered compliant. -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Thursday, April 26, 2001 9:37 AM To: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Santosh, I think you bring up an interesting issue with the LDAP schema no matter what we do. As I pointed out yesterday, a CA may have a key pair that it only uses for PKI transaction messages. A certificate that includes the public key from this key pair would only have the digitalSignature KeyUsage bit set. The proposed text below states that the cA bit in basicConstraints should not be set. So, we would still have cases in which a certificate has been issued to a CA and either basicConstraints is absent or cA is set to false. (Technically, according to RFC 2587, we are OK if basicConstraints is absent, but this isn't really a good way out of the problem). A CA may also be issued a certificate in which the public key is intended to be used for key management. Same problem. I asked yesterday what the meaning of the cA bit was. X.509 states that "[t]he cA component indicates if the certified public key may be used to verify certificate signatures." Do we intend to change X.509 and PKIX to state that the cA bit should be set whenever the subject is a CA? If not, then the LDAP schema will need to deal with certificates issued to CAs in which either basicConstraints is absent or is present with cA set to FALSE. If so, then we need to change the text to eliminate any tying between the cA bit and the contents of KeyUsage. If we want to go with the proposed text below, then we will need to change both X.509 and PKIX to state that "the cA component indicates if the certified public key may be used to verify certificate or CRL signatures". We will also need to do something about the awkward connection between the cA bit and CRLs. Currently the text states that the cA bit should be set if the CRL issuing subject is issuing CRLs that cover public key certificates, but not attribute certificates. It further states that " AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates". The problem is that, even if a single entity is not allowed to issued both public key certificates and attribute certificates, there is the possibility that a single, indirect CRL could cover both types of certificates. If one is using a CRL to check the status of a public key certificate, then it is clear that the text below requires that the certificate containing the key needed to verify the CRL signature must have the cA bit set. But what about when one is using a CRL to check the status of an attribute certificate? The quote text seem to suggest that, if the cA bit is not set in the certificate, the relying party is required to verify that the CRL does not contain any revocation information for public key certificates. I can't imagine that there was any intention to impose such a requirement, but that is what the text seems to say. I think I have made my own opinion on this topic clear. X.509 does not state that the cA bit in basicConstraints should be set if the subject is a CA, it states that the bit should be set if the certified public key may be used to verify certificate signatures. The two are not synonymous. If we change the standard to state that the cA bit indicates whether the subject is a CA, it may solve the LDAP schema problem, but it will require that the remove any dependencies between the cA bit and the KeyUsage extension. As Tony said yesterday, we need to go back and clearly define the terms we are using. X.509 defines a CA as an entity that issues public key certificates. Is this the correct definition? Or is a CA an entity that issues public key certificates or CRLs that provide revocation information about public key certificates? Or it is something else? Does the cA bit indicate if the certified public key can be used to verify signatures on certificates, as X.509 states, or does it indicate that the subject is a CA, or something else? If we can't get agreement that the standard means what it says, how can we expect people to understand the standard? Dave At 08:20 AM 4/26/01 -0400, Santosh Chokhani wrote: Steve: My rationale is as follows: There is no security benefit to checking the bit. The basic constraints and associated path length may determine whether a CA can create a CA or not. But, that is only useful for certificate path and since keyCertSign bit will not be set, the entity will NOT be able to create new CAs. So, I think check is not relevant from security viewpoint. Now, it may break some of the language (again not security) in ldap schema if we populate the certificate in caCertificate or crossCertificatePair and do not set the basic constraints. So, it is a mixed bag. I still think we should ask for the CAs to set the basic constraint bit so the ldap schema does not get screwed up and NOT require the client to check the bit. My rule on clients is simple. Maximize security and interoperability. Make all checks that are security relevant and no more and that will lead to greater interoperability. -----Original Message----- From: Stephen Kent [ mailto:kent@bbn.com <mailto:kent@bbn.com> ] Sent: Wednesday, April 25, 2001 3:51 PM To: Ambarish Malpani Cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote: I agree, also. Ambarish I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard. Steve --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. <http://www.valicert.com/> http://www.valicert.com Mountain View, CA 94043 -----Original Message----- From: Santosh Chokhani [ mailto:chokhani@cygnacom.com <mailto:chokhani@cygnacom.com> ] Sent: Tuesday, April 24, 2001 8:22 AM To: Housley, Russ; ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Russ: I agree with the text. I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI). But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension. -----Original Message----- From: Housley, Russ [ mailto:rhousley@rsasecurity.com <mailto:rhousley@rsasecurity.com> ] Sent: Tuesday, April 24, 2001 10:37 AM To: ietf-pkix@imc.org Subject: keyCertSign and cRLSign Key Usage Bits The consensus on these bits is not totally clear to me. Yet, several points have been consistently, and I think that the following text incorporates them. The debate regarding he linkage between these bits and the cA bit in the basic constraints extension does not seem to be over, and I have not made any changes in that area. Please use this new thread to discuss any remaining unresolved points. The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. This bit MUST only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on a certificate revocation list (e.g., a CRL or an ARL). This bit MUST be asserted in CA and Attribute Authority (AA) certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. Such AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates; however, these AA certificates MAY be used to verify signatures on CRLs containing revocation information concerning attribute certificates. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Russ ------_=_NextPart_001_01C0CE61.55A85A60 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META content="MSHTML 5.00.2014.210" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=917120415-26042001>My suggestion is NOT to change the standard. That is require the CRL signer to be a caCertificate and make sure that the basic constraint extension is present with cA flag set to .TRUE.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=917120415-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=917120415-26042001>My suggestion is however that the clients be not required to validate all this except cRLSign bit in the keyUsage extension.</SPAN></FONT></DIV> <DIV> </DIV> <DIV> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Thursday, April 26, 2001 10:42 AM<BR><B>To:</B> Santosh Chokhani; David A. Cooper; ietf-pkix@imc.org<BR><B>Cc:</B> Hoyt Kesterson (E-mail)<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits<BR><BR></FONT></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>Santosh I see your point on the schema - actually 509 contains the exact same text and would also need to </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>be modified. I assume that the appropriate change would be to delete the text that requires the ca bit to be set in </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>any cert that goes into the cACertificate attribute. As for the crossCertificatePair attribute, I guess it would need</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>to be lifted there as well (assuming a CA would want to issue a cert to another CA for purposes of verifying signatures</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>on CRLs but not on certificates)?</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2></FONT></SPAN> </DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>That raises another point - if we modify all this "stuff" to allow entities other than authorities to sign CRLs, where </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>would those certificates be stored? The subjects aren't CAs so they don't really belong in either of these attributes.</FONT></SPAN><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2> </FONT></SPAN><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>Inventing another attribute and object class isn't very attractive either. Thoughts?</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2></FONT></SPAN> </DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>Dave, I realize you weren't suggesting we do this, but I do want to say that I would not support changing the </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>meaning of the ca bit in basic constraints. That is there as one of many 'business controls" that a CA can use to </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>ensure that the certificate it issues (containing those constraints), when used by conforming path validation systems, </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>achieves that CAs intended result. That is very specific, very important, and I wouldn't want to see it generalized. </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>Nor would I support requiring any ties between the basicConstraints extension and other extensions within X.509. 509</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>needs to remain flexible to allow PKIX and other profiles to determine their own requirements for such combinations.</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2></FONT></SPAN> </DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2>As for the definition of a CA, in addition to issuing certificates it has responsibility for certificate revocation, which it may perform directly or delegate to another 'authority/entity'. If that delegation can be to an entity other than an authority, then you still have a schema problem regardless of what you do with the ca bit and keyUsage. </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2></FONT></SPAN> </DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001>Taking a step back at what is 'technically important'. A cert issued for purposes of cert signature verification contains at least the ca bit set and the keyUsage keyCertSign. A cert issued for purposes of verifying the signature on a CRL contains at least the digitalSignature and cRLSign bits of keyUsage. If a CRL is to be issued by an entity other the CA that issues the certificate, then there needs to be a way to identify that delegation with integrity. If the crlDistributionPoints extension is in the certificate, this can be done by populating the cRLIssuer field and that value needs to correspond with the issuer name of the CRL being used (and the other requirements outlined so nicely by </SPAN></FONT></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001>Santosh in Annex B of 509 also need to be met of course). Other mechanisms could also be used. As for the schema, there was no problem with the PKI schema components as long as the crl issuers were also CAs(except that the requirement for the CA bit to be set in all cases should probably be removed). </SPAN></FONT></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001></SPAN></FONT></FONT></FONT> </DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001>Assuming PKIX reaches consensus on wanting entities other than authorities to issue crls, then additional schema work is at least needed and some re-writing of text in 509 to permit that would also be needed. Hoyt and I have already </SPAN></FONT></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001>started working on a proposed draft defect report for that text, in anticipation of that consensus, but we haven't looked</SPAN></FONT></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001>at schema implications yet. </SPAN></FONT></FONT></FONT><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001> </SPAN></FONT></FONT></FONT></DIV> <DIV><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial size=2></FONT></SPAN> </DIV> <DIV><SPAN class=786041614-26042001></SPAN><FONT face=Tahoma><FONT size=2><SPAN class=786041614-26042001><FONT color=#0000ff face=Arial> </FONT></SPAN></FONT></FONT></DIV> <DIV><FONT face=Tahoma><FONT size=2><SPAN class=786041614-26042001> </SPAN>-----Original Message-----<BR><B>From:</B> Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Thursday, April 26, 2001 9:53 AM<BR><B>To:</B> David A. Cooper; ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits<BR><BR></DIV></FONT></FONT> <BLOCKQUOTE dir=ltr style="BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px; PADDING-LEFT: 5px"> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001>Dave:</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001>My opinion are based on the fact that the current X.509 text says that CA issues CRLs. Thus, if the key is used to sign the CRL, it is a CA and hence the caCertificate.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001>I think this is not a security issue (in my mind). We need to make sure that the X.509 language and ldap schema align.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001>I still believe that those clients that do not make checks that are not relevant to security, should be considered compliant.</SPAN></FONT></DIV> <DIV> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> David A. Cooper [mailto:david.cooper@nist.gov]<BR><B>Sent:</B> Thursday, April 26, 2001 9:37 AM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits<BR><BR></FONT></DIV>Santosh,<BR><BR>I think you bring up an interesting issue with the LDAP schema no matter what we do. As I pointed out yesterday, a CA may have a key pair that it only uses for PKI transaction messages. A certificate that includes the public key from this key pair would only have the digitalSignature KeyUsage bit set. The proposed text below states that the cA bit in basicConstraints should not be set. So, we would still have cases in which a certificate has been issued to a CA and either basicConstraints is absent or cA is set to false. (Technically, according to RFC 2587, we are OK if basicConstraints is absent, but this isn't really a good way out of the problem). A CA may also be issued a certificate in which the public key is intended to be used for key management. Same problem.<BR><BR>I asked yesterday what the meaning of the cA bit was. X.509 states that "[t]he <FONT size=2>cA</FONT> component indicates if the certified public key may be used to verify certificate signatures." Do we intend to change X.509 and PKIX to state that the cA bit should be set whenever the subject is a CA? If not, then the LDAP schema will need to deal with certificates issued to CAs in which either basicConstraints is absent or is present with cA set to FALSE. If so, then we need to change the text to eliminate any tying between the cA bit and the contents of KeyUsage.<BR><BR>If we want to go with the proposed text below, then we will need to change both X.509 and PKIX to state that "the cA component indicates if the certified public key may be used to verify certificate or CRL signatures". We will also need to do something about the awkward connection between the cA bit and CRLs. Currently the text states that the cA bit should be set if the CRL issuing subject is issuing CRLs that cover public key certificates, but not attribute certificates. It further states that " <BLOCKQUOTE><FONT size=2>AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates". The problem is that, even if a single entity is not allowed to issued both public key certificates and attribute certificates, there is the possibility that a single, indirect CRL could cover both types of certificates. If one is using a CRL to check the status of a public key certificate, then it is clear that the text below requires that the certificate containing the key needed to verify the CRL signature must have the cA bit set. But what about when one is using a CRL to check the status of an attribute certificate? The quote text seem to suggest that, if the cA bit is not set in the certificate, the relying party is required to verify that the CRL does not contain any revocation information for public key certificates. I can't imagine that there was any intention to impose such a requirement, but that is what the text seems to say.<BR><BR></FONT></BLOCKQUOTE>I think I have made my own opinion on this topic clear. X.509 does not state that the cA bit in basicConstraints should be set if the subject is a CA, it states that the bit should be set if the certified public key may be used to verify certificate signatures. The two are not synonymous. If we change the standard to state that the cA bit indicates whether the subject is a CA, it may solve the LDAP schema problem, but it will require that the remove any dependencies between the cA bit and the KeyUsage extension.<BR><BR>As Tony said yesterday, we need to go back and clearly define the terms we are using. X.509 defines a CA as an entity that issues public key certificates. Is this the correct definition? Or is a CA an entity that issues public key certificates or CRLs that provide revocation information about public key certificates? Or it is something else? Does the cA bit indicate if the certified public key can be used to verify signatures on certificates, as X.509 states, or does it indicate that the subject is a CA, or something else? If we can't get agreement that the standard means what it says, how can we expect people to understand the standard?<BR><BR>Dave<BR><BR>At 08:20 AM 4/26/01 -0400, Santosh Chokhani wrote:<BR><FONT color=#0000ff face=arial size=2> <BLOCKQUOTE cite type="cite">Steve:</FONT><BR> <BR><FONT color=#0000ff face=arial size=2>My rationale is as follows: There is no security benefit to checking the bit. The basic constraints and associated path length may determine whether a CA can create a CA or not. But, that is only useful for certificate path and since keyCertSign bit will not be set, the entity will NOT be able to create new CAs.</FONT><BR> <BR><FONT color=#0000ff face=arial size=2>So, I think check is not relevant from security viewpoint.</FONT><BR> <BR><FONT color=#0000ff face=arial size=2>Now, it may break some of the language (again not security) in ldap schema if we populate the certificate in caCertificate or crossCertificatePair and do not set the basic constraints.</FONT><BR> <BR><FONT color=#0000ff face=arial size=2>So, it is a mixed bag. I still think we should ask for the CAs to set the basic constraint bit so the ldap schema does not get screwed up and NOT require the client to check the bit. My rule on clients is simple. Maximize security and interoperability. Make all checks that are security relevant and no more and that will lead to greater interoperability.</FONT><BR> <BR> <BR><FONT face="Times New Roman, Times" size=2>-----Original Message-----<BR><B>From:</B> Stephen Kent [<A href="mailto:kent@bbn.com" eudora="autourl">mailto:kent@bbn.com</A>]<BR><B>Sent:</B> Wednesday, April 25, 2001 3:51 PM<BR><B>To:</B> Ambarish Malpani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits<BR><BR></FONT>At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote:<BR> <BLOCKQUOTE cite type="cite"><BR><FONT color=#0000ff face=arial size=2>I agree, also.<BR><BR>Ambarish</FONT></BLOCKQUOTE><BR>I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard.<BR><BR>Steve<BR> <BLOCKQUOTE cite type="cite"><BR> <BR><FONT size=2>---------------------------------------------------------------------<BR>Ambarish Malpani<BR>Architect 650.567.5457<BR>ValiCert, Inc. ambarish@valicert.com<BR>339 N. Bernardo Ave. </FONT><A href="http://www.valicert.com/"><FONT size=2>http://www.valicert.com</A><BR>Mountain View, CA 94043</FONT> <BLOCKQUOTE><FONT face=tahoma size=2> <DL> <DD>-----Original Message----- <DD>From:</B> Santosh Chokhani [<A href="mailto:chokhani@cygnacom.com" eudora="autourl">mailto:chokhani@cygnacom.com</A>] <DD>Sent:</B> Tuesday, April 24, 2001 8:22 AM <DD>To:</B> Housley, Russ; ietf-pkix@imc.org <DD>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits</FONT><BR><BR> <DD>Russ: I agree with the text.<BR><BR> <DD>I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI).<BR><BR> <DD>But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension.<BR><BR> <DD>-----Original Message----- <DD>From: Housley, Russ [<A href="mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</A>] <DD>Sent: Tuesday, April 24, 2001 10:37 AM <DD>To: ietf-pkix@imc.org <DD>Subject: keyCertSign and cRLSign Key Usage Bits<BR><BR><BR><BR> <DD>The consensus on these bits is not totally clear to me. Yet, several <DD>points have been consistently, and I think that the following text <DD>incorporates them. The debate regarding he linkage between these bits and <DD>the cA bit in the basic constraints extension does not seem to be over, and <DD>I have not made any changes in that area. Please use this new thread to <DD>discuss any remaining unresolved points.<BR><BR> <DD> The keyCertSign bit is asserted when the subject public key is <DD> used for verifying a signature on public key certificates. This <DD> bit MUST only be asserted in CA certificates. If the keyCertSign <DD> bit is asserted, then the cA bit in the basic constraints <DD> extension (see 4.2.1.10) MUST also be asserted. If neither the <DD> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit <DD> in the basic constraints extension MUST NOT be asserted.<BR><BR> <DD> The cRLSign bit is asserted when the subject public key is used <DD> for verifying a signature on a certificate revocation list (e.g., <DD> a CRL or an ARL). This bit MUST be asserted in CA and Attribute <DD> Authority (AA) certificates that are used to verify signatures on <DD> CRLs. If the cRLSign bit is asserted in a CA certificate, then <DD> the cA bit in the basic constraints extension (see 4.2.1.10) MUST <DD> also be asserted. If the cRLSign bit is asserted in a AA <DD> certificate, then the cA bit in the basic constraints extension <DD> MUST NOT be asserted. Such AA certificates MUST NOT be used to <DD> verify signatures on CRLs containing revocation information for <DD> public key certificates; however, these AA certificates MAY be <DD> used to verify signatures on CRLs containing revocation <DD> information concerning attribute certificates. If neither the <DD> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit <DD> in the basic constraints extension MUST NOT be asserted.<BR><BR> <DD>Russ </DD></DL></BLOCKQUOTE></BLOCKQUOTE><BR></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0CE61.55A85A60-- Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA16434 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 07:53:22 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <J432X6KM>; Thu, 26 Apr 2001 10:52:52 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FD8@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Tom Gindin'" <tgindin@us.ibm.com>, Sharon Boeyen <sharon.boeyen@entrust.com> Cc: "'Tony Bartoletti'" <azb@llnl.gov>, "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Date: Thu, 26 Apr 2001 10:46:59 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CE5F.BF5BE6E0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CE5F.BF5BE6E0 Content-Type: text/plain Hi Tom, Quite honestly I think the text for the schema was written when we all envisioned CAs issuing CRLs for the certificates they issued. Anything else (like indirect or non CA issuers) wasn't at the forefront of our minds when we labored over that text. That was such a long long long debate that when we reached words that nobody objected strongly to, I think we were all just happy to have it done. We focused so much on the which certs go where between self issued and non self-issued that CRL signing was not a key contributor to at least my thought process :-( I suspect that needs revisting. Sharon > -----Original Message----- > From: Tom Gindin [mailto:tgindin@us.ibm.com] > Sent: Thursday, April 26, 2001 10:01 AM > To: Sharon Boeyen > Cc: 'Tony Bartoletti'; David A. Cooper; ietf-pkix@imc.org > Subject: RE: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix-new-part1-06.txt comments) > > > > Thanks for clearing that up. On a related subject, do > self-issued > (i.e. having the same issuer and subject name, but not self-signed) > CRL-signing certificates get published in the directory's > caCertificate > attribute or the userCertificate one? How about other > certificates issued > with the same subject DN as the CA certificate? > > Tom Gindin > > > Sharon Boeyen <sharon.boeyen@entrust.com> on 04/25/2001 03:34:33 PM > > To: "'Tony Bartoletti'" <azb@llnl.gov>, "David A. Cooper" > <david.cooper@nist.gov>, ietf-pkix@imc.org > cc: > Subject: RE: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix > -new-part1-06.txt comments) > > > Tony, since PKIX profiles 509, here are answers from that > standard. While > PKIX may > use different language to describe these, they should still > be aligned with > the > basic definitions. > > > Hope that helps > Sharon > > > > -----Original Message----- > > From: Tony Bartoletti [mailto:azb@llnl.gov] > > Sent: Wednesday, April 25, 2001 2:54 PM > > To: David A. Cooper; ietf-pkix@imc.org > > Subject: Re: cA flag and CRL issuers (was Re: Last Call: > > draft-ietf-pkix-new-part1-06.txt comments) > > > > > > All, > > > > In trying to parse this issue (and Russ Housley's previous > > proposed text) it > > appears that terminology needs a bit of shoring up, at least for me. > > > > Can anyone answer these "simple" questions? > > > > 1. Is a "CA Certificate" defined to be: > > > > a. A certificate whose subject is a CA > > b. A certificate with "cA" bit set. > > c. A certificate with either kCertSign or cRLSign set? > > > > (Are (a) and (b) equivalent "if its a CA certificate"?) > > > Clause 7 "A CA-certificate is a certificate issued by a CA to > a subject > that is itslef a CA and therefore is capable of issuing public-key > certificates." It then goes on to define the different types of > CA-certificate (Self issued, Self signed and cross). > > > No a) and b) are not strictly equivalent. Clause 8.4.2.1 on basic > constraints "...with the certified public key being used to verify > certificate signatures", that's the key to use of that bit in the > extension. > > > > > > 2. Is the term "public key certificate" intended to represent: > > > > a. Only certificates that bind keys to "DN/Identity" > > b. Certificates that bind keys to anything (e.g., > "attributes") > > > > For instance, is an "Attribute Certificate" considered to be a > > subset of "public key certificates", or not? > > > No, attribute certificates are not subsets of public-key > certificates. They > are > 'certificates' but do NOT contain a public-key and are therefore not a > subset. > (see 3.3.1 and 3.3.4.4) > > > > 3. Is an "AA" considered to be: > > > > a. A "CA that certifies attributes and not DN/Identity", > > (yet still a CA, since they author/authorize certificates.) > > b. Not a CA, since the term CA is "reserved" to "DN/Identity" > > > > > No an AA is not a CA of any sort. CA is an authority for public-key > certificates only and AA is an authority for attribute > certificates only > (see 3.3.2 and 3.3.16. The term 'authority' used alone is defined to > include > both (see 3.3.6). > > > > 4. Is an "AA Certificate" a form of "CA Certificate" or not? > > (Answer should be derived from response to (3). > > > No. (as per response to 3) > > > > 5. If both "CRLs and ARLs" are examples of "certificate > > revocation lists" > > then is an ARL: > > > > a. An instance of CRL (that happens not to revoke any > > DN/ID certs)? > > b. Never a CRL, since every CRL involves DN/ID certificates? > > > Actually 509 added specific acronyms for each type of CRL. What used > to be called an "ARL" (Authority Revocation List) is now a "CARL" > Certification Authority Revocation List) and is a revocation list of > public-key > certificates issued to CAs that are no longer considered valid by the > certificate issuer (3.3.17). The equivalent of that for attribute > authorities > would be an AARL (Attribute Authority Revocation List)as > defined in 3.3.3. > > > > > > I submit that more than half of the dialogs/debates on this list can > > be traced to confusion regarding these fundamental terms. > > > > ___tony___ > > > > > > At 01:25 PM 4/25/01 -0400, David A. Cooper wrote: > > >Steve, > > > > > >If we are going to change PKIX to require the cA bit in > > basicConstraints > > >to be set even when the subject public key can only be used > > to verify > > >signatures on CRLs, then we need to be sure that the text > > clearly explains > > >to readers when the cA bit should or should not be set. Currently > > >new-part1-06 states that "[t]he cA bit indicates if the > > certified public > > >key may be used to verify signatures on other certificates." > > The clearly > > >is not accurate, since if the cA bit is set one still does not know > > >whether the subject public key may be used to verify signatures on > > >certificates. One must look at the keyUsage extension to make that > > >determination. > > > > > >I think it would be helpful to the discussion that we are > > having if you > > >would clearly state your interpretation of the meaning of > > the cA bit in > > >basicConstraints. > > > > > > From what I have read so far, it appears that you believe > > that the cA > > > bit should be used to indicate if the subject of the > > certificate is a CA. > > > But, if this is the case, then new-part1-06 still does not > > accurately > > > reflect your notion of the cA bit. Currently the text > > states that the cA > > > bit may only be set if the keyCertSign bit or the cRLSign > > bit in keyUsage > > > is set. However, a CA does more than just issue > > certificates and CRLs. A > > > CA may have a private key dedicated to signing PKI > > transaction messages > > > (e.g., certification response, revocation response, > > proof-of-possession > > > challenge). If a certificate were issued to a CA with its > > PKI transaction > > > message verification key as the subject public key, neither the > > > keyCertSign nor the cRLSign bit in KeyUsage would be set, > > but the subject > > > of the certificate would still be a CA. > > > > > >So, should the cA bit be used to indicate if the certificate > > subject is a > > >CA or to indicate that the subject public key may be used to verify > > >signatures on certificates and/or CRLs? If the latter, then not all > > >certificates issued to CAs will have the cA bit set. > > > > > >Dave > > > > > >At 01:31 PM 4/20/01 -0400, Stephen Kent wrote: > > > >>The description of basic constraints in X.509 further > > supports the idea > > > that the cA bit is used to specify certificate issuing, not > > certificate > > > and/or CRL issuing: > > > >> > > > >>"This field indicates if the subject may act as a CA, with the > > > certified public key being used to verify certificate > > signatures. ... The > > > cA component indicates if the certified public key may be > > used to verify > > > certificate signatures. ... if the value of cA is not set to > > true then the > > > certified public key shall not be used to verify a > > certificate signature" > > > >> > > > >> > > > >>pkix-new-part1-05 states something similar: > > > >> > > > >>"The cA bit indicates if the certified public key may be > > used to verify > > > signatures on other certificates. If the cA bit is > > asserted, then the > > > keyCertSign bit in the key usage extension (see 4.2.1.3) > > MUST also be > > > asserted. If the cA bit is not asserted, then the > > keyCertSign bit in the > > > key usage extension MUST NOT be asserted." > > > > > > > >again, this supports the notion that a CA signs certs, > but it says > > > nothing about whether a CA or some other entity signs > CRLs. We have > > > uncovered a number of instances where less than perfect > > wording has lead > > > to confusion and our recent dialogue suggests that some of > > the quotes you > > > cite are examples of this. > > > > Tony Bartoletti 925-422-3881 <azb@llnl.gov> > > Information Operations, Warfare and Assurance Center > > Lawrence Livermore National Laboratory > > Livermore, CA 94551-9900 > > > > > > > > > > > ------_=_NextPart_001_01C0CE5F.BF5BE6E0 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>Hi Tom,</FONT> </P> <P><FONT SIZE=2>Quite honestly I think the text for the schema was written when we all envisioned </FONT> <BR><FONT SIZE=2>CAs issuing CRLs for the certificates they issued. Anything else (like indirect or </FONT> <BR><FONT SIZE=2>non CA issuers) wasn't at the forefront of our minds when we labored over that text.</FONT> </P> <P><FONT SIZE=2>That was such a long long long debate that when we reached words that nobody objected</FONT> <BR><FONT SIZE=2>strongly to, I think we were all just happy to have it done. We focused so much on the </FONT> <BR><FONT SIZE=2>which certs go where between self issued and non self-issued that CRL signing was </FONT> <BR><FONT SIZE=2>not a key contributor to at least my thought process :-( I suspect that needs revisting.</FONT> </P> <P><FONT SIZE=2>Sharon </FONT> </P> <P><FONT SIZE=2>> -----Original Message-----</FONT> <BR><FONT SIZE=2>> From: Tom Gindin [<A HREF="mailto:tgindin@us.ibm.com">mailto:tgindin@us.ibm.com</A>]</FONT> <BR><FONT SIZE=2>> Sent: Thursday, April 26, 2001 10:01 AM</FONT> <BR><FONT SIZE=2>> To: Sharon Boeyen</FONT> <BR><FONT SIZE=2>> Cc: 'Tony Bartoletti'; David A. Cooper; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> Subject: RE: cA flag and CRL issuers (was Re: Last Call:</FONT> <BR><FONT SIZE=2>> draft-ietf-pkix-new-part1-06.txt comments)</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Thanks for clearing that up. On a related subject, do </FONT> <BR><FONT SIZE=2>> self-issued</FONT> <BR><FONT SIZE=2>> (i.e. having the same issuer and subject name, but not self-signed)</FONT> <BR><FONT SIZE=2>> CRL-signing certificates get published in the directory's </FONT> <BR><FONT SIZE=2>> caCertificate</FONT> <BR><FONT SIZE=2>> attribute or the userCertificate one? How about other </FONT> <BR><FONT SIZE=2>> certificates issued</FONT> <BR><FONT SIZE=2>> with the same subject DN as the CA certificate?</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Tom Gindin</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Sharon Boeyen <sharon.boeyen@entrust.com> on 04/25/2001 03:34:33 PM</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> To: "'Tony Bartoletti'" <azb@llnl.gov>, "David A. Cooper"</FONT> <BR><FONT SIZE=2>> <david.cooper@nist.gov>, ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> cc:</FONT> <BR><FONT SIZE=2>> Subject: RE: cA flag and CRL issuers (was Re: Last Call: </FONT> <BR><FONT SIZE=2>> draft-ietf-pkix</FONT> <BR><FONT SIZE=2>> -new-part1-06.txt comments)</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Tony, since PKIX profiles 509, here are answers from that </FONT> <BR><FONT SIZE=2>> standard. While</FONT> <BR><FONT SIZE=2>> PKIX may</FONT> <BR><FONT SIZE=2>> use different language to describe these, they should still </FONT> <BR><FONT SIZE=2>> be aligned with</FONT> <BR><FONT SIZE=2>> the</FONT> <BR><FONT SIZE=2>> basic definitions.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Hope that helps</FONT> <BR><FONT SIZE=2>> Sharon</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> > -----Original Message-----</FONT> <BR><FONT SIZE=2>> > From: Tony Bartoletti [<A HREF="mailto:azb@llnl.gov">mailto:azb@llnl.gov</A>]</FONT> <BR><FONT SIZE=2>> > Sent: Wednesday, April 25, 2001 2:54 PM</FONT> <BR><FONT SIZE=2>> > To: David A. Cooper; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> > Subject: Re: cA flag and CRL issuers (was Re: Last Call:</FONT> <BR><FONT SIZE=2>> > draft-ietf-pkix-new-part1-06.txt comments)</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > All,</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > In trying to parse this issue (and Russ Housley's previous</FONT> <BR><FONT SIZE=2>> > proposed text) it</FONT> <BR><FONT SIZE=2>> > appears that terminology needs a bit of shoring up, at least for me.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > Can anyone answer these "simple" questions?</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > 1. Is a "CA Certificate" defined to be:</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > a. A certificate whose subject is a CA</FONT> <BR><FONT SIZE=2>> > b. A certificate with "cA" bit set.</FONT> <BR><FONT SIZE=2>> > c. A certificate with either kCertSign or cRLSign set?</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > (Are (a) and (b) equivalent "if its a CA certificate"?)</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Clause 7 "A CA-certificate is a certificate issued by a CA to </FONT> <BR><FONT SIZE=2>> a subject</FONT> <BR><FONT SIZE=2>> that is itslef a CA and therefore is capable of issuing public-key</FONT> <BR><FONT SIZE=2>> certificates." It then goes on to define the different types of</FONT> <BR><FONT SIZE=2>> CA-certificate (Self issued, Self signed and cross).</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> No a) and b) are not strictly equivalent. Clause 8.4.2.1 on basic</FONT> <BR><FONT SIZE=2>> constraints "...with the certified public key being used to verify</FONT> <BR><FONT SIZE=2>> certificate signatures", that's the key to use of that bit in the</FONT> <BR><FONT SIZE=2>> extension.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > 2. Is the term "public key certificate" intended to represent:</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > a. Only certificates that bind keys to "DN/Identity"</FONT> <BR><FONT SIZE=2>> > b. Certificates that bind keys to anything (e.g., </FONT> <BR><FONT SIZE=2>> "attributes")</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > For instance, is an "Attribute Certificate" considered to be a</FONT> <BR><FONT SIZE=2>> > subset of "public key certificates", or not?</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> No, attribute certificates are not subsets of public-key </FONT> <BR><FONT SIZE=2>> certificates. They</FONT> <BR><FONT SIZE=2>> are</FONT> <BR><FONT SIZE=2>> 'certificates' but do NOT contain a public-key and are therefore not a</FONT> <BR><FONT SIZE=2>> subset.</FONT> <BR><FONT SIZE=2>> (see 3.3.1 and 3.3.4.4)</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > 3. Is an "AA" considered to be:</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > a. A "CA that certifies attributes and not DN/Identity",</FONT> <BR><FONT SIZE=2>> > (yet still a CA, since they author/authorize certificates.)</FONT> <BR><FONT SIZE=2>> > b. Not a CA, since the term CA is "reserved" to "DN/Identity"</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> No an AA is not a CA of any sort. CA is an authority for public-key</FONT> <BR><FONT SIZE=2>> certificates only and AA is an authority for attribute </FONT> <BR><FONT SIZE=2>> certificates only</FONT> <BR><FONT SIZE=2>> (see 3.3.2 and 3.3.16. The term 'authority' used alone is defined to</FONT> <BR><FONT SIZE=2>> include</FONT> <BR><FONT SIZE=2>> both (see 3.3.6).</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> > 4. Is an "AA Certificate" a form of "CA Certificate" or not?</FONT> <BR><FONT SIZE=2>> > (Answer should be derived from response to (3).</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> No. (as per response to 3)</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > 5. If both "CRLs and ARLs" are examples of "certificate</FONT> <BR><FONT SIZE=2>> > revocation lists"</FONT> <BR><FONT SIZE=2>> > then is an ARL:</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > a. An instance of CRL (that happens not to revoke any</FONT> <BR><FONT SIZE=2>> > DN/ID certs)?</FONT> <BR><FONT SIZE=2>> > b. Never a CRL, since every CRL involves DN/ID certificates?</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Actually 509 added specific acronyms for each type of CRL. What used</FONT> <BR><FONT SIZE=2>> to be called an "ARL" (Authority Revocation List) is now a "CARL"</FONT> <BR><FONT SIZE=2>> Certification Authority Revocation List) and is a revocation list of</FONT> <BR><FONT SIZE=2>> public-key</FONT> <BR><FONT SIZE=2>> certificates issued to CAs that are no longer considered valid by the</FONT> <BR><FONT SIZE=2>> certificate issuer (3.3.17). The equivalent of that for attribute</FONT> <BR><FONT SIZE=2>> authorities</FONT> <BR><FONT SIZE=2>> would be an AARL (Attribute Authority Revocation List)as </FONT> <BR><FONT SIZE=2>> defined in 3.3.3.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > I submit that more than half of the dialogs/debates on this list can</FONT> <BR><FONT SIZE=2>> > be traced to confusion regarding these fundamental terms.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > ___tony___</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > At 01:25 PM 4/25/01 -0400, David A. Cooper wrote:</FONT> <BR><FONT SIZE=2>> > >Steve,</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >If we are going to change PKIX to require the cA bit in</FONT> <BR><FONT SIZE=2>> > basicConstraints</FONT> <BR><FONT SIZE=2>> > >to be set even when the subject public key can only be used</FONT> <BR><FONT SIZE=2>> > to verify</FONT> <BR><FONT SIZE=2>> > >signatures on CRLs, then we need to be sure that the text</FONT> <BR><FONT SIZE=2>> > clearly explains</FONT> <BR><FONT SIZE=2>> > >to readers when the cA bit should or should not be set. Currently</FONT> <BR><FONT SIZE=2>> > >new-part1-06 states that "[t]he cA bit indicates if the</FONT> <BR><FONT SIZE=2>> > certified public</FONT> <BR><FONT SIZE=2>> > >key may be used to verify signatures on other certificates."</FONT> <BR><FONT SIZE=2>> > The clearly</FONT> <BR><FONT SIZE=2>> > >is not accurate, since if the cA bit is set one still does not know</FONT> <BR><FONT SIZE=2>> > >whether the subject public key may be used to verify signatures on</FONT> <BR><FONT SIZE=2>> > >certificates. One must look at the keyUsage extension to make that</FONT> <BR><FONT SIZE=2>> > >determination.</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >I think it would be helpful to the discussion that we are</FONT> <BR><FONT SIZE=2>> > having if you</FONT> <BR><FONT SIZE=2>> > >would clearly state your interpretation of the meaning of</FONT> <BR><FONT SIZE=2>> > the cA bit in</FONT> <BR><FONT SIZE=2>> > >basicConstraints.</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > > From what I have read so far, it appears that you believe</FONT> <BR><FONT SIZE=2>> > that the cA</FONT> <BR><FONT SIZE=2>> > > bit should be used to indicate if the subject of the</FONT> <BR><FONT SIZE=2>> > certificate is a CA.</FONT> <BR><FONT SIZE=2>> > > But, if this is the case, then new-part1-06 still does not</FONT> <BR><FONT SIZE=2>> > accurately</FONT> <BR><FONT SIZE=2>> > > reflect your notion of the cA bit. Currently the text</FONT> <BR><FONT SIZE=2>> > states that the cA</FONT> <BR><FONT SIZE=2>> > > bit may only be set if the keyCertSign bit or the cRLSign</FONT> <BR><FONT SIZE=2>> > bit in keyUsage</FONT> <BR><FONT SIZE=2>> > > is set. However, a CA does more than just issue</FONT> <BR><FONT SIZE=2>> > certificates and CRLs. A</FONT> <BR><FONT SIZE=2>> > > CA may have a private key dedicated to signing PKI</FONT> <BR><FONT SIZE=2>> > transaction messages</FONT> <BR><FONT SIZE=2>> > > (e.g., certification response, revocation response,</FONT> <BR><FONT SIZE=2>> > proof-of-possession</FONT> <BR><FONT SIZE=2>> > > challenge). If a certificate were issued to a CA with its</FONT> <BR><FONT SIZE=2>> > PKI transaction</FONT> <BR><FONT SIZE=2>> > > message verification key as the subject public key, neither the</FONT> <BR><FONT SIZE=2>> > > keyCertSign nor the cRLSign bit in KeyUsage would be set,</FONT> <BR><FONT SIZE=2>> > but the subject</FONT> <BR><FONT SIZE=2>> > > of the certificate would still be a CA.</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >So, should the cA bit be used to indicate if the certificate</FONT> <BR><FONT SIZE=2>> > subject is a</FONT> <BR><FONT SIZE=2>> > >CA or to indicate that the subject public key may be used to verify</FONT> <BR><FONT SIZE=2>> > >signatures on certificates and/or CRLs? If the latter, then not all</FONT> <BR><FONT SIZE=2>> > >certificates issued to CAs will have the cA bit set.</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >Dave</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >At 01:31 PM 4/20/01 -0400, Stephen Kent wrote:</FONT> <BR><FONT SIZE=2>> > > >>The description of basic constraints in X.509 further</FONT> <BR><FONT SIZE=2>> > supports the idea</FONT> <BR><FONT SIZE=2>> > > that the cA bit is used to specify certificate issuing, not</FONT> <BR><FONT SIZE=2>> > certificate</FONT> <BR><FONT SIZE=2>> > > and/or CRL issuing:</FONT> <BR><FONT SIZE=2>> > > >></FONT> <BR><FONT SIZE=2>> > > >>"This field indicates if the subject may act as a CA, with the</FONT> <BR><FONT SIZE=2>> > > certified public key being used to verify certificate</FONT> <BR><FONT SIZE=2>> > signatures. ... The</FONT> <BR><FONT SIZE=2>> > > cA component indicates if the certified public key may be</FONT> <BR><FONT SIZE=2>> > used to verify</FONT> <BR><FONT SIZE=2>> > > certificate signatures. ... if the value of cA is not set to</FONT> <BR><FONT SIZE=2>> > true then the</FONT> <BR><FONT SIZE=2>> > > certified public key shall not be used to verify a</FONT> <BR><FONT SIZE=2>> > certificate signature"</FONT> <BR><FONT SIZE=2>> > > >></FONT> <BR><FONT SIZE=2>> > > >></FONT> <BR><FONT SIZE=2>> > > >>pkix-new-part1-05 states something similar:</FONT> <BR><FONT SIZE=2>> > > >></FONT> <BR><FONT SIZE=2>> > > >>"The cA bit indicates if the certified public key may be</FONT> <BR><FONT SIZE=2>> > used to verify</FONT> <BR><FONT SIZE=2>> > > signatures on other certificates. If the cA bit is</FONT> <BR><FONT SIZE=2>> > asserted, then the</FONT> <BR><FONT SIZE=2>> > > keyCertSign bit in the key usage extension (see 4.2.1.3)</FONT> <BR><FONT SIZE=2>> > MUST also be</FONT> <BR><FONT SIZE=2>> > > asserted. If the cA bit is not asserted, then the</FONT> <BR><FONT SIZE=2>> > keyCertSign bit in the</FONT> <BR><FONT SIZE=2>> > > key usage extension MUST NOT be asserted."</FONT> <BR><FONT SIZE=2>> > > ></FONT> <BR><FONT SIZE=2>> > > >again, this supports the notion that a CA signs certs, </FONT> <BR><FONT SIZE=2>> but it says</FONT> <BR><FONT SIZE=2>> > > nothing about whether a CA or some other entity signs </FONT> <BR><FONT SIZE=2>> CRLs. We have</FONT> <BR><FONT SIZE=2>> > > uncovered a number of instances where less than perfect</FONT> <BR><FONT SIZE=2>> > wording has lead</FONT> <BR><FONT SIZE=2>> > > to confusion and our recent dialogue suggests that some of</FONT> <BR><FONT SIZE=2>> > the quotes you</FONT> <BR><FONT SIZE=2>> > > cite are examples of this.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > Tony Bartoletti 925-422-3881 <azb@llnl.gov></FONT> <BR><FONT SIZE=2>> > Information Operations, Warfare and Assurance Center</FONT> <BR><FONT SIZE=2>> > Lawrence Livermore National Laboratory</FONT> <BR><FONT SIZE=2>> > Livermore, CA 94551-9900</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CE5F.BF5BE6E0-- Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA16085 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 07:48:08 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <J432X6JW>; Thu, 26 Apr 2001 10:47:39 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FD6@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: Santosh Chokhani <chokhani@cygnacom.com>, "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org Cc: "Hoyt Kesterson (E-mail)" <hoytkesterson@earthlink.net> Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Thu, 26 Apr 2001 10:41:48 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CE5F.05F12A80" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CE5F.05F12A80 Content-Type: text/plain; charset="iso-8859-1" Santosh I see your point on the schema - actually 509 contains the exact same text and would also need to be modified. I assume that the appropriate change would be to delete the text that requires the ca bit to be set in any cert that goes into the cACertificate attribute. As for the crossCertificatePair attribute, I guess it would need to be lifted there as well (assuming a CA would want to issue a cert to another CA for purposes of verifying signatures on CRLs but not on certificates)? That raises another point - if we modify all this "stuff" to allow entities other than authorities to sign CRLs, where would those certificates be stored? The subjects aren't CAs so they don't really belong in either of these attributes. Inventing another attribute and object class isn't very attractive either. Thoughts? Dave, I realize you weren't suggesting we do this, but I do want to say that I would not support changing the meaning of the ca bit in basic constraints. That is there as one of many 'business controls" that a CA can use to ensure that the certificate it issues (containing those constraints), when used by conforming path validation systems, achieves that CAs intended result. That is very specific, very important, and I wouldn't want to see it generalized. Nor would I support requiring any ties between the basicConstraints extension and other extensions within X.509. 509 needs to remain flexible to allow PKIX and other profiles to determine their own requirements for such combinations. As for the definition of a CA, in addition to issuing certificates it has responsibility for certificate revocation, which it may perform directly or delegate to another 'authority/entity'. If that delegation can be to an entity other than an authority, then you still have a schema problem regardless of what you do with the ca bit and keyUsage. Taking a step back at what is 'technically important'. A cert issued for purposes of cert signature verification contains at least the ca bit set and the keyUsage keyCertSign. A cert issued for purposes of verifying the signature on a CRL contains at least the digitalSignature and cRLSign bits of keyUsage. If a CRL is to be issued by an entity other the CA that issues the certificate, then there needs to be a way to identify that delegation with integrity. If the crlDistributionPoints extension is in the certificate, this can be done by populating the cRLIssuer field and that value needs to correspond with the issuer name of the CRL being used (and the other requirements outlined so nicely by Santosh in Annex B of 509 also need to be met of course). Other mechanisms could also be used. As for the schema, there was no problem with the PKI schema components as long as the crl issuers were also CAs(except that the requirement for the CA bit to be set in all cases should probably be removed). Assuming PKIX reaches consensus on wanting entities other than authorities to issue crls, then additional schema work is at least needed and some re-writing of text in 509 to permit that would also be needed. Hoyt and I have already started working on a proposed draft defect report for that text, in anticipation of that consensus, but we haven't looked at schema implications yet. -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Thursday, April 26, 2001 9:53 AM To: David A. Cooper; ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Dave: My opinion are based on the fact that the current X.509 text says that CA issues CRLs. Thus, if the key is used to sign the CRL, it is a CA and hence the caCertificate. I think this is not a security issue (in my mind). We need to make sure that the X.509 language and ldap schema align. I still believe that those clients that do not make checks that are not relevant to security, should be considered compliant. -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Thursday, April 26, 2001 9:37 AM To: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Santosh, I think you bring up an interesting issue with the LDAP schema no matter what we do. As I pointed out yesterday, a CA may have a key pair that it only uses for PKI transaction messages. A certificate that includes the public key from this key pair would only have the digitalSignature KeyUsage bit set. The proposed text below states that the cA bit in basicConstraints should not be set. So, we would still have cases in which a certificate has been issued to a CA and either basicConstraints is absent or cA is set to false. (Technically, according to RFC 2587, we are OK if basicConstraints is absent, but this isn't really a good way out of the problem). A CA may also be issued a certificate in which the public key is intended to be used for key management. Same problem. I asked yesterday what the meaning of the cA bit was. X.509 states that "[t]he cA component indicates if the certified public key may be used to verify certificate signatures." Do we intend to change X.509 and PKIX to state that the cA bit should be set whenever the subject is a CA? If not, then the LDAP schema will need to deal with certificates issued to CAs in which either basicConstraints is absent or is present with cA set to FALSE. If so, then we need to change the text to eliminate any tying between the cA bit and the contents of KeyUsage. If we want to go with the proposed text below, then we will need to change both X.509 and PKIX to state that "the cA component indicates if the certified public key may be used to verify certificate or CRL signatures". We will also need to do something about the awkward connection between the cA bit and CRLs. Currently the text states that the cA bit should be set if the CRL issuing subject is issuing CRLs that cover public key certificates, but not attribute certificates. It further states that " AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates". The problem is that, even if a single entity is not allowed to issued both public key certificates and attribute certificates, there is the possibility that a single, indirect CRL could cover both types of certificates. If one is using a CRL to check the status of a public key certificate, then it is clear that the text below requires that the certificate containing the key needed to verify the CRL signature must have the cA bit set. But what about when one is using a CRL to check the status of an attribute certificate? The quote text seem to suggest that, if the cA bit is not set in the certificate, the relying party is required to verify that the CRL does not contain any revocation information for public key certificates. I can't imagine that there was any intention to impose such a requirement, but that is what the text seems to say. I think I have made my own opinion on this topic clear. X.509 does not state that the cA bit in basicConstraints should be set if the subject is a CA, it states that the bit should be set if the certified public key may be used to verify certificate signatures. The two are not synonymous. If we change the standard to state that the cA bit indicates whether the subject is a CA, it may solve the LDAP schema problem, but it will require that the remove any dependencies between the cA bit and the KeyUsage extension. As Tony said yesterday, we need to go back and clearly define the terms we are using. X.509 defines a CA as an entity that issues public key certificates. Is this the correct definition? Or is a CA an entity that issues public key certificates or CRLs that provide revocation information about public key certificates? Or it is something else? Does the cA bit indicate if the certified public key can be used to verify signatures on certificates, as X.509 states, or does it indicate that the subject is a CA, or something else? If we can't get agreement that the standard means what it says, how can we expect people to understand the standard? Dave At 08:20 AM 4/26/01 -0400, Santosh Chokhani wrote: Steve: My rationale is as follows: There is no security benefit to checking the bit. The basic constraints and associated path length may determine whether a CA can create a CA or not. But, that is only useful for certificate path and since keyCertSign bit will not be set, the entity will NOT be able to create new CAs. So, I think check is not relevant from security viewpoint. Now, it may break some of the language (again not security) in ldap schema if we populate the certificate in caCertificate or crossCertificatePair and do not set the basic constraints. So, it is a mixed bag. I still think we should ask for the CAs to set the basic constraint bit so the ldap schema does not get screwed up and NOT require the client to check the bit. My rule on clients is simple. Maximize security and interoperability. Make all checks that are security relevant and no more and that will lead to greater interoperability. -----Original Message----- From: Stephen Kent [ mailto:kent@bbn.com <mailto:kent@bbn.com> ] Sent: Wednesday, April 25, 2001 3:51 PM To: Ambarish Malpani Cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote: I agree, also. Ambarish I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard. Steve --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. <http://www.valicert.com/> http://www.valicert.com Mountain View, CA 94043 -----Original Message----- From: Santosh Chokhani [ mailto:chokhani@cygnacom.com <mailto:chokhani@cygnacom.com> ] Sent: Tuesday, April 24, 2001 8:22 AM To: Housley, Russ; ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Russ: I agree with the text. I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI). But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension. -----Original Message----- From: Housley, Russ [ mailto:rhousley@rsasecurity.com <mailto:rhousley@rsasecurity.com> ] Sent: Tuesday, April 24, 2001 10:37 AM To: ietf-pkix@imc.org Subject: keyCertSign and cRLSign Key Usage Bits The consensus on these bits is not totally clear to me. Yet, several points have been consistently, and I think that the following text incorporates them. The debate regarding he linkage between these bits and the cA bit in the basic constraints extension does not seem to be over, and I have not made any changes in that area. Please use this new thread to discuss any remaining unresolved points. The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. This bit MUST only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on a certificate revocation list (e.g., a CRL or an ARL). This bit MUST be asserted in CA and Attribute Authority (AA) certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. Such AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates; however, these AA certificates MAY be used to verify signatures on CRLs containing revocation information concerning attribute certificates. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Russ ------_=_NextPart_001_01C0CE5F.05F12A80 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD> <BODY> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>Santosh I see your point on the schema - actually 509 contains the exact same text and would also need to </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>be modified. I assume that the appropriate change would be to delete the text that requires the ca bit to be set in </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>any cert that goes into the cACertificate attribute. As for the crossCertificatePair attribute, I guess it would need</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>to be lifted there as well (assuming a CA would want to issue a cert to another CA for purposes of verifying signatures</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>on CRLs but not on certificates)?</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>That raises another point - if we modify all this "stuff" to allow entities other than authorities to sign CRLs, where </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>would those certificates be stored? The subjects aren't CAs so they don't really belong in either of these attributes.</FONT></SPAN><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2> </FONT></SPAN><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>Inventing another attribute and object class isn't very attractive either. Thoughts?</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>Dave, I realize you weren't suggesting we do this, but I do want to say that I would not support changing the </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>meaning of the ca bit in basic constraints. That is there as one of many 'business controls" that a CA can use to </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>ensure that the certificate it issues (containing those constraints), when used by conforming path validation systems, </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>achieves that CAs intended result. That is very specific, very important, and I wouldn't want to see it generalized. </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>Nor would I support requiring any ties between the basicConstraints extension and other extensions within X.509. 509</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>needs to remain flexible to allow PKIX and other profiles to determine their own requirements for such combinations.</FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2>As for the definition of a CA, in addition to issuing certificates it has responsibility for certificate revocation, which it may perform directly or delegate to another 'authority/entity'. If that delegation can be to an entity other than an authority, then you still have a schema problem regardless of what you do with the ca bit and keyUsage. </FONT></SPAN></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001>Taking a step back at what is 'technically important'. A cert issued for purposes of cert signature verification contains at least the ca bit set and the keyUsage keyCertSign. A cert issued for purposes of verifying the signature on a CRL contains at least the digitalSignature and cRLSign bits of keyUsage. If a CRL is to be issued by an entity other the CA that issues the certificate, then there needs to be a way to identify that delegation with integrity. If the crlDistributionPoints extension is in the certificate, this can be done by populating the cRLIssuer field and that value needs to correspond with the issuer name of the CRL being used (and the other requirements outlined so nicely by </SPAN></FONT></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001>Santosh in Annex B of 509 also need to be met of course). Other mechanisms could also be used. As for the schema, there was no problem with the PKI schema components as long as the crl issuers were also CAs(except that the requirement for the CA bit to be set in all cases should probably be removed). </SPAN></FONT></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001></SPAN></FONT></FONT></FONT> </DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001>Assuming PKIX reaches consensus on wanting entities other than authorities to issue crls, then additional schema work is at least needed and some re-writing of text in 509 to permit that would also be needed. Hoyt and I have already </SPAN></FONT></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001>started working on a proposed draft defect report for that text, in anticipation of that consensus, but we haven't looked</SPAN></FONT></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001>at schema implications yet. </SPAN></FONT></FONT></FONT><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN class=786041614-26042001> </SPAN></FONT></FONT></FONT></DIV> <DIV><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=786041614-26042001></SPAN><FONT face=Tahoma><FONT size=2><SPAN class=786041614-26042001><FONT face=Arial color=#0000ff> </FONT></SPAN></FONT></FONT></DIV> <DIV><FONT face=Tahoma><FONT size=2><SPAN class=786041614-26042001> </SPAN>-----Original Message-----<BR><B>From:</B> Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Thursday, April 26, 2001 9:53 AM<BR><B>To:</B> David A. Cooper; ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits<BR><BR></DIV></FONT></FONT> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=04585913-26042001>Dave:</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=04585913-26042001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=04585913-26042001>My opinion are based on the fact that the current X.509 text says that CA issues CRLs. Thus, if the key is used to sign the CRL, it is a CA and hence the caCertificate.</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=04585913-26042001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=04585913-26042001>I think this is not a security issue (in my mind). We need to make sure that the X.509 language and ldap schema align.</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=04585913-26042001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=04585913-26042001>I still believe that those clients that do not make checks that are not relevant to security, should be considered compliant.</SPAN></FONT></DIV> <DIV> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> David A. Cooper [mailto:david.cooper@nist.gov]<BR><B>Sent:</B> Thursday, April 26, 2001 9:37 AM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits<BR><BR></FONT></DIV>Santosh,<BR><BR>I think you bring up an interesting issue with the LDAP schema no matter what we do. As I pointed out yesterday, a CA may have a key pair that it only uses for PKI transaction messages. A certificate that includes the public key from this key pair would only have the digitalSignature KeyUsage bit set. The proposed text below states that the cA bit in basicConstraints should not be set. So, we would still have cases in which a certificate has been issued to a CA and either basicConstraints is absent or cA is set to false. (Technically, according to RFC 2587, we are OK if basicConstraints is absent, but this isn't really a good way out of the problem). A CA may also be issued a certificate in which the public key is intended to be used for key management. Same problem.<BR><BR>I asked yesterday what the meaning of the cA bit was. X.509 states that "[t]he <FONT size=2>cA</FONT> component indicates if the certified public key may be used to verify certificate signatures." Do we intend to change X.509 and PKIX to state that the cA bit should be set whenever the subject is a CA? If not, then the LDAP schema will need to deal with certificates issued to CAs in which either basicConstraints is absent or is present with cA set to FALSE. If so, then we need to change the text to eliminate any tying between the cA bit and the contents of KeyUsage.<BR><BR>If we want to go with the proposed text below, then we will need to change both X.509 and PKIX to state that "the cA component indicates if the certified public key may be used to verify certificate or CRL signatures". We will also need to do something about the awkward connection between the cA bit and CRLs. Currently the text states that the cA bit should be set if the CRL issuing subject is issuing CRLs that cover public key certificates, but not attribute certificates. It further states that " <BLOCKQUOTE><FONT size=2>AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates". The problem is that, even if a single entity is not allowed to issued both public key certificates and attribute certificates, there is the possibility that a single, indirect CRL could cover both types of certificates. If one is using a CRL to check the status of a public key certificate, then it is clear that the text below requires that the certificate containing the key needed to verify the CRL signature must have the cA bit set. But what about when one is using a CRL to check the status of an attribute certificate? The quote text seem to suggest that, if the cA bit is not set in the certificate, the relying party is required to verify that the CRL does not contain any revocation information for public key certificates. I can't imagine that there was any intention to impose such a requirement, but that is what the text seems to say.<BR><BR></FONT></BLOCKQUOTE>I think I have made my own opinion on this topic clear. X.509 does not state that the cA bit in basicConstraints should be set if the subject is a CA, it states that the bit should be set if the certified public key may be used to verify certificate signatures. The two are not synonymous. If we change the standard to state that the cA bit indicates whether the subject is a CA, it may solve the LDAP schema problem, but it will require that the remove any dependencies between the cA bit and the KeyUsage extension.<BR><BR>As Tony said yesterday, we need to go back and clearly define the terms we are using. X.509 defines a CA as an entity that issues public key certificates. Is this the correct definition? Or is a CA an entity that issues public key certificates or CRLs that provide revocation information about public key certificates? Or it is something else? Does the cA bit indicate if the certified public key can be used to verify signatures on certificates, as X.509 states, or does it indicate that the subject is a CA, or something else? If we can't get agreement that the standard means what it says, how can we expect people to understand the standard?<BR><BR>Dave<BR><BR>At 08:20 AM 4/26/01 -0400, Santosh Chokhani wrote:<BR><FONT face=arial color=#0000ff size=2> <BLOCKQUOTE type="cite" cite>Steve:</FONT><BR> <BR><FONT face=arial color=#0000ff size=2>My rationale is as follows: There is no security benefit to checking the bit. The basic constraints and associated path length may determine whether a CA can create a CA or not. But, that is only useful for certificate path and since keyCertSign bit will not be set, the entity will NOT be able to create new CAs.</FONT><BR> <BR><FONT face=arial color=#0000ff size=2>So, I think check is not relevant from security viewpoint.</FONT><BR> <BR><FONT face=arial color=#0000ff size=2>Now, it may break some of the language (again not security) in ldap schema if we populate the certificate in caCertificate or crossCertificatePair and do not set the basic constraints.</FONT><BR> <BR><FONT face=arial color=#0000ff size=2>So, it is a mixed bag. I still think we should ask for the CAs to set the basic constraint bit so the ldap schema does not get screwed up and NOT require the client to check the bit. My rule on clients is simple. Maximize security and interoperability. Make all checks that are security relevant and no more and that will lead to greater interoperability.</FONT><BR> <BR> <BR><FONT face="Times New Roman, Times" size=2>-----Original Message-----<BR><B>From:</B> Stephen Kent [<A href="mailto:kent@bbn.com" eudora="autourl">mailto:kent@bbn.com</A>]<BR><B>Sent:</B> Wednesday, April 25, 2001 3:51 PM<BR><B>To:</B> Ambarish Malpani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits<BR><BR></FONT>At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote:<BR> <BLOCKQUOTE type="cite" cite><BR><FONT face=arial color=#0000ff size=2>I agree, also.<BR><BR>Ambarish</FONT></BLOCKQUOTE><BR>I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard.<BR><BR>Steve<BR> <BLOCKQUOTE type="cite" cite><BR> <BR><FONT size=2>---------------------------------------------------------------------<BR>Ambarish Malpani<BR>Architect 650.567.5457<BR>ValiCert, Inc. ambarish@valicert.com<BR>339 N. Bernardo Ave. </FONT><A href="http://www.valicert.com/"><FONT size=2>http://www.valicert.com</A><BR>Mountain View, CA 94043</FONT> <BLOCKQUOTE><FONT face=tahoma size=2> <DL> <DD>-----Original Message----- <DD>From:</B> Santosh Chokhani [<A href="mailto:chokhani@cygnacom.com" eudora="autourl">mailto:chokhani@cygnacom.com</A>] <DD>Sent:</B> Tuesday, April 24, 2001 8:22 AM <DD>To:</B> Housley, Russ; ietf-pkix@imc.org <DD>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits</FONT><BR><BR> <DD>Russ: I agree with the text.<BR><BR> <DD>I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI).<BR><BR> <DD>But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension.<BR><BR> <DD>-----Original Message----- <DD>From: Housley, Russ [<A href="mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</A>] <DD>Sent: Tuesday, April 24, 2001 10:37 AM <DD>To: ietf-pkix@imc.org <DD>Subject: keyCertSign and cRLSign Key Usage Bits<BR><BR><BR><BR> <DD>The consensus on these bits is not totally clear to me. Yet, several <DD>points have been consistently, and I think that the following text <DD>incorporates them. The debate regarding he linkage between these bits and <DD>the cA bit in the basic constraints extension does not seem to be over, and <DD>I have not made any changes in that area. Please use this new thread to <DD>discuss any remaining unresolved points.<BR><BR> <DD> The keyCertSign bit is asserted when the subject public key is <DD> used for verifying a signature on public key certificates. This <DD> bit MUST only be asserted in CA certificates. If the keyCertSign <DD> bit is asserted, then the cA bit in the basic constraints <DD> extension (see 4.2.1.10) MUST also be asserted. If neither the <DD> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit <DD> in the basic constraints extension MUST NOT be asserted.<BR><BR> <DD> The cRLSign bit is asserted when the subject public key is used <DD> for verifying a signature on a certificate revocation list (e.g., <DD> a CRL or an ARL). This bit MUST be asserted in CA and Attribute <DD> Authority (AA) certificates that are used to verify signatures on <DD> CRLs. If the cRLSign bit is asserted in a CA certificate, then <DD> the cA bit in the basic constraints extension (see 4.2.1.10) MUST <DD> also be asserted. If the cRLSign bit is asserted in a AA <DD> certificate, then the cA bit in the basic constraints extension <DD> MUST NOT be asserted. Such AA certificates MUST NOT be used to <DD> verify signatures on CRLs containing revocation information for <DD> public key certificates; however, these AA certificates MAY be <DD> used to verify signatures on CRLs containing revocation <DD> information concerning attribute certificates. If neither the <DD> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit <DD> in the basic constraints extension MUST NOT be asserted.<BR><BR> <DD>Russ </DD></DL></BLOCKQUOTE></BLOCKQUOTE><BR></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0CE5F.05F12A80-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA13631 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 07:02:42 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JV6F5V4R>; Thu, 26 Apr 2001 10:02:12 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE372@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Thu, 26 Apr 2001 09:53:18 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CE58.3F8CA640" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CE58.3F8CA640 Content-Type: text/plain; charset="iso-8859-1" Dave: My opinion are based on the fact that the current X.509 text says that CA issues CRLs. Thus, if the key is used to sign the CRL, it is a CA and hence the caCertificate. I think this is not a security issue (in my mind). We need to make sure that the X.509 language and ldap schema align. I still believe that those clients that do not make checks that are not relevant to security, should be considered compliant. -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Thursday, April 26, 2001 9:37 AM To: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Santosh, I think you bring up an interesting issue with the LDAP schema no matter what we do. As I pointed out yesterday, a CA may have a key pair that it only uses for PKI transaction messages. A certificate that includes the public key from this key pair would only have the digitalSignature KeyUsage bit set. The proposed text below states that the cA bit in basicConstraints should not be set. So, we would still have cases in which a certificate has been issued to a CA and either basicConstraints is absent or cA is set to false. (Technically, according to RFC 2587, we are OK if basicConstraints is absent, but this isn't really a good way out of the problem). A CA may also be issued a certificate in which the public key is intended to be used for key management. Same problem. I asked yesterday what the meaning of the cA bit was. X.509 states that "[t]he cA component indicates if the certified public key may be used to verify certificate signatures." Do we intend to change X.509 and PKIX to state that the cA bit should be set whenever the subject is a CA? If not, then the LDAP schema will need to deal with certificates issued to CAs in which either basicConstraints is absent or is present with cA set to FALSE. If so, then we need to change the text to eliminate any tying between the cA bit and the contents of KeyUsage. If we want to go with the proposed text below, then we will need to change both X.509 and PKIX to state that "the cA component indicates if the certified public key may be used to verify certificate or CRL signatures". We will also need to do something about the awkward connection between the cA bit and CRLs. Currently the text states that the cA bit should be set if the CRL issuing subject is issuing CRLs that cover public key certificates, but not attribute certificates. It further states that " AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates". The problem is that, even if a single entity is not allowed to issued both public key certificates and attribute certificates, there is the possibility that a single, indirect CRL could cover both types of certificates. If one is using a CRL to check the status of a public key certificate, then it is clear that the text below requires that the certificate containing the key needed to verify the CRL signature must have the cA bit set. But what about when one is using a CRL to check the status of an attribute certificate? The quote text seem to suggest that, if the cA bit is not set in the certificate, the relying party is required to verify that the CRL does not contain any revocation information for public key certificates. I can't imagine that there was any intention to impose such a requirement, but that is what the text seems to say. I think I have made my own opinion on this topic clear. X.509 does not state that the cA bit in basicConstraints should be set if the subject is a CA, it states that the bit should be set if the certified public key may be used to verify certificate signatures. The two are not synonymous. If we change the standard to state that the cA bit indicates whether the subject is a CA, it may solve the LDAP schema problem, but it will require that the remove any dependencies between the cA bit and the KeyUsage extension. As Tony said yesterday, we need to go back and clearly define the terms we are using. X.509 defines a CA as an entity that issues public key certificates. Is this the correct definition? Or is a CA an entity that issues public key certificates or CRLs that provide revocation information about public key certificates? Or it is something else? Does the cA bit indicate if the certified public key can be used to verify signatures on certificates, as X.509 states, or does it indicate that the subject is a CA, or something else? If we can't get agreement that the standard means what it says, how can we expect people to understand the standard? Dave At 08:20 AM 4/26/01 -0400, Santosh Chokhani wrote: Steve: My rationale is as follows: There is no security benefit to checking the bit. The basic constraints and associated path length may determine whether a CA can create a CA or not. But, that is only useful for certificate path and since keyCertSign bit will not be set, the entity will NOT be able to create new CAs. So, I think check is not relevant from security viewpoint. Now, it may break some of the language (again not security) in ldap schema if we populate the certificate in caCertificate or crossCertificatePair and do not set the basic constraints. So, it is a mixed bag. I still think we should ask for the CAs to set the basic constraint bit so the ldap schema does not get screwed up and NOT require the client to check the bit. My rule on clients is simple. Maximize security and interoperability. Make all checks that are security relevant and no more and that will lead to greater interoperability. -----Original Message----- From: Stephen Kent [ mailto:kent@bbn.com <mailto:kent@bbn.com> ] Sent: Wednesday, April 25, 2001 3:51 PM To: Ambarish Malpani Cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote: I agree, also. Ambarish I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard. Steve --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. <http://www.valicert.com/> http://www.valicert.com Mountain View, CA 94043 -----Original Message----- From: Santosh Chokhani [ mailto:chokhani@cygnacom.com <mailto:chokhani@cygnacom.com> ] Sent: Tuesday, April 24, 2001 8:22 AM To: Housley, Russ; ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Russ: I agree with the text. I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI). But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension. -----Original Message----- From: Housley, Russ [ mailto:rhousley@rsasecurity.com <mailto:rhousley@rsasecurity.com> ] Sent: Tuesday, April 24, 2001 10:37 AM To: ietf-pkix@imc.org Subject: keyCertSign and cRLSign Key Usage Bits The consensus on these bits is not totally clear to me. Yet, several points have been consistently, and I think that the following text incorporates them. The debate regarding he linkage between these bits and the cA bit in the basic constraints extension does not seem to be over, and I have not made any changes in that area. Please use this new thread to discuss any remaining unresolved points. The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. This bit MUST only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on a certificate revocation list (e.g., a CRL or an ARL). This bit MUST be asserted in CA and Attribute Authority (AA) certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. Such AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates; however, these AA certificates MAY be used to verify signatures on CRLs containing revocation information concerning attribute certificates. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Russ ------_=_NextPart_001_01C0CE58.3F8CA640 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META content="MSHTML 5.00.2014.210" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001>Dave:</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001>My opinion are based on the fact that the current X.509 text says that CA issues CRLs. Thus, if the key is used to sign the CRL, it is a CA and hence the caCertificate.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001>I think this is not a security issue (in my mind). We need to make sure that the X.509 language and ldap schema align.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=04585913-26042001>I still believe that those clients that do not make checks that are not relevant to security, should be considered compliant.</SPAN></FONT></DIV> <DIV> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> David A. Cooper [mailto:david.cooper@nist.gov]<BR><B>Sent:</B> Thursday, April 26, 2001 9:37 AM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits<BR><BR></FONT></DIV>Santosh,<BR><BR>I think you bring up an interesting issue with the LDAP schema no matter what we do. As I pointed out yesterday, a CA may have a key pair that it only uses for PKI transaction messages. A certificate that includes the public key from this key pair would only have the digitalSignature KeyUsage bit set. The proposed text below states that the cA bit in basicConstraints should not be set. So, we would still have cases in which a certificate has been issued to a CA and either basicConstraints is absent or cA is set to false. (Technically, according to RFC 2587, we are OK if basicConstraints is absent, but this isn't really a good way out of the problem). A CA may also be issued a certificate in which the public key is intended to be used for key management. Same problem.<BR><BR>I asked yesterday what the meaning of the cA bit was. X.509 states that "[t]he <FONT size=2>cA</FONT> component indicates if the certified public key may be used to verify certificate signatures." Do we intend to change X.509 and PKIX to state that the cA bit should be set whenever the subject is a CA? If not, then the LDAP schema will need to deal with certificates issued to CAs in which either basicConstraints is absent or is present with cA set to FALSE. If so, then we need to change the text to eliminate any tying between the cA bit and the contents of KeyUsage.<BR><BR>If we want to go with the proposed text below, then we will need to change both X.509 and PKIX to state that "the cA component indicates if the certified public key may be used to verify certificate or CRL signatures". We will also need to do something about the awkward connection between the cA bit and CRLs. Currently the text states that the cA bit should be set if the CRL issuing subject is issuing CRLs that cover public key certificates, but not attribute certificates. It further states that " <BLOCKQUOTE><FONT size=2>AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates". The problem is that, even if a single entity is not allowed to issued both public key certificates and attribute certificates, there is the possibility that a single, indirect CRL could cover both types of certificates. If one is using a CRL to check the status of a public key certificate, then it is clear that the text below requires that the certificate containing the key needed to verify the CRL signature must have the cA bit set. But what about when one is using a CRL to check the status of an attribute certificate? The quote text seem to suggest that, if the cA bit is not set in the certificate, the relying party is required to verify that the CRL does not contain any revocation information for public key certificates. I can't imagine that there was any intention to impose such a requirement, but that is what the text seems to say.<BR><BR></FONT></BLOCKQUOTE>I think I have made my own opinion on this topic clear. X.509 does not state that the cA bit in basicConstraints should be set if the subject is a CA, it states that the bit should be set if the certified public key may be used to verify certificate signatures. The two are not synonymous. If we change the standard to state that the cA bit indicates whether the subject is a CA, it may solve the LDAP schema problem, but it will require that the remove any dependencies between the cA bit and the KeyUsage extension.<BR><BR>As Tony said yesterday, we need to go back and clearly define the terms we are using. X.509 defines a CA as an entity that issues public key certificates. Is this the correct definition? Or is a CA an entity that issues public key certificates or CRLs that provide revocation information about public key certificates? Or it is something else? Does the cA bit indicate if the certified public key can be used to verify signatures on certificates, as X.509 states, or does it indicate that the subject is a CA, or something else? If we can't get agreement that the standard means what it says, how can we expect people to understand the standard?<BR><BR>Dave<BR><BR>At 08:20 AM 4/26/01 -0400, Santosh Chokhani wrote:<BR><FONT color=#0000ff face=arial size=2> <BLOCKQUOTE cite type="cite">Steve:</FONT><BR> <BR><FONT color=#0000ff face=arial size=2>My rationale is as follows: There is no security benefit to checking the bit. The basic constraints and associated path length may determine whether a CA can create a CA or not. But, that is only useful for certificate path and since keyCertSign bit will not be set, the entity will NOT be able to create new CAs.</FONT><BR> <BR><FONT color=#0000ff face=arial size=2>So, I think check is not relevant from security viewpoint.</FONT><BR> <BR><FONT color=#0000ff face=arial size=2>Now, it may break some of the language (again not security) in ldap schema if we populate the certificate in caCertificate or crossCertificatePair and do not set the basic constraints.</FONT><BR> <BR><FONT color=#0000ff face=arial size=2>So, it is a mixed bag. I still think we should ask for the CAs to set the basic constraint bit so the ldap schema does not get screwed up and NOT require the client to check the bit. My rule on clients is simple. Maximize security and interoperability. Make all checks that are security relevant and no more and that will lead to greater interoperability.</FONT><BR> <BR> <BR><FONT face="Times New Roman, Times" size=2>-----Original Message-----<BR><B>From:</B> Stephen Kent [<A href="mailto:kent@bbn.com" eudora="autourl">mailto:kent@bbn.com</A>]<BR><B>Sent:</B> Wednesday, April 25, 2001 3:51 PM<BR><B>To:</B> Ambarish Malpani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits<BR><BR></FONT>At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote:<BR> <BLOCKQUOTE cite type="cite"><BR><FONT color=#0000ff face=arial size=2>I agree, also.<BR><BR>Ambarish</FONT></BLOCKQUOTE><BR>I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard.<BR><BR>Steve<BR> <BLOCKQUOTE cite type="cite"><BR> <BR><FONT size=2>---------------------------------------------------------------------<BR>Ambarish Malpani<BR>Architect 650.567.5457<BR>ValiCert, Inc. ambarish@valicert.com<BR>339 N. Bernardo Ave. </FONT><A href="http://www.valicert.com/"><FONT size=2>http://www.valicert.com</A><BR>Mountain View, CA 94043</FONT> <BLOCKQUOTE><FONT face=tahoma size=2> <DL> <DD>-----Original Message----- <DD>From:</B> Santosh Chokhani [<A href="mailto:chokhani@cygnacom.com" eudora="autourl">mailto:chokhani@cygnacom.com</A>] <DD>Sent:</B> Tuesday, April 24, 2001 8:22 AM <DD>To:</B> Housley, Russ; ietf-pkix@imc.org <DD>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits</FONT><BR><BR> <DD>Russ: I agree with the text.<BR><BR> <DD>I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI).<BR><BR> <DD>But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension.<BR><BR> <DD>-----Original Message----- <DD>From: Housley, Russ [<A href="mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</A>] <DD>Sent: Tuesday, April 24, 2001 10:37 AM <DD>To: ietf-pkix@imc.org <DD>Subject: keyCertSign and cRLSign Key Usage Bits<BR><BR><BR><BR> <DD>The consensus on these bits is not totally clear to me. Yet, several <DD>points have been consistently, and I think that the following text <DD>incorporates them. The debate regarding he linkage between these bits and <DD>the cA bit in the basic constraints extension does not seem to be over, and <DD>I have not made any changes in that area. Please use this new thread to <DD>discuss any remaining unresolved points.<BR><BR> <DD> The keyCertSign bit is asserted when the subject public key is <DD> used for verifying a signature on public key certificates. This <DD> bit MUST only be asserted in CA certificates. If the keyCertSign <DD> bit is asserted, then the cA bit in the basic constraints <DD> extension (see 4.2.1.10) MUST also be asserted. If neither the <DD> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit <DD> in the basic constraints extension MUST NOT be asserted.<BR><BR> <DD> The cRLSign bit is asserted when the subject public key is used <DD> for verifying a signature on a certificate revocation list (e.g., <DD> a CRL or an ARL). This bit MUST be asserted in CA and Attribute <DD> Authority (AA) certificates that are used to verify signatures on <DD> CRLs. If the cRLSign bit is asserted in a CA certificate, then <DD> the cA bit in the basic constraints extension (see 4.2.1.10) MUST <DD> also be asserted. If the cRLSign bit is asserted in a AA <DD> certificate, then the cA bit in the basic constraints extension <DD> MUST NOT be asserted. Such AA certificates MUST NOT be used to <DD> verify signatures on CRLs containing revocation information for <DD> public key certificates; however, these AA certificates MAY be <DD> used to verify signatures on CRLs containing revocation <DD> information concerning attribute certificates. If neither the <DD> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit <DD> in the basic constraints extension MUST NOT be asserted.<BR><BR> <DD>Russ </DD></DL></BLOCKQUOTE></BLOCKQUOTE><BR></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0CE58.3F8CA640-- Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA13301 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 07:00:39 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id JAA352828; Thu, 26 Apr 2001 09:59:05 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id JAA22362; Thu, 26 Apr 2001 09:55:32 -0400 Importance: Normal Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) To: Sharon Boeyen <sharon.boeyen@entrust.com> Cc: "'Tony Bartoletti'" <azb@llnl.gov>, "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OFF058CF63.84C62946-ON85256A39.006E13FB@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Thu, 26 Apr 2001 10:00:33 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 04/26/2001 10:00:30 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Thanks for clearing that up. On a related subject, do self-issued (i.e. having the same issuer and subject name, but not self-signed) CRL-signing certificates get published in the directory's caCertificate attribute or the userCertificate one? How about other certificates issued with the same subject DN as the CA certificate? Tom Gindin Sharon Boeyen <sharon.boeyen@entrust.com> on 04/25/2001 03:34:33 PM To: "'Tony Bartoletti'" <azb@llnl.gov>, "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org cc: Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix -new-part1-06.txt comments) Tony, since PKIX profiles 509, here are answers from that standard. While PKIX may use different language to describe these, they should still be aligned with the basic definitions. Hope that helps Sharon > -----Original Message----- > From: Tony Bartoletti [mailto:azb@llnl.gov] > Sent: Wednesday, April 25, 2001 2:54 PM > To: David A. Cooper; ietf-pkix@imc.org > Subject: Re: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix-new-part1-06.txt comments) > > > All, > > In trying to parse this issue (and Russ Housley's previous > proposed text) it > appears that terminology needs a bit of shoring up, at least for me. > > Can anyone answer these "simple" questions? > > 1. Is a "CA Certificate" defined to be: > > a. A certificate whose subject is a CA > b. A certificate with "cA" bit set. > c. A certificate with either kCertSign or cRLSign set? > > (Are (a) and (b) equivalent "if its a CA certificate"?) Clause 7 "A CA-certificate is a certificate issued by a CA to a subject that is itslef a CA and therefore is capable of issuing public-key certificates." It then goes on to define the different types of CA-certificate (Self issued, Self signed and cross). No a) and b) are not strictly equivalent. Clause 8.4.2.1 on basic constraints "...with the certified public key being used to verify certificate signatures", that's the key to use of that bit in the extension. > > 2. Is the term "public key certificate" intended to represent: > > a. Only certificates that bind keys to "DN/Identity" > b. Certificates that bind keys to anything (e.g., "attributes") > > For instance, is an "Attribute Certificate" considered to be a > subset of "public key certificates", or not? No, attribute certificates are not subsets of public-key certificates. They are 'certificates' but do NOT contain a public-key and are therefore not a subset. (see 3.3.1 and 3.3.4.4) > > 3. Is an "AA" considered to be: > > a. A "CA that certifies attributes and not DN/Identity", > (yet still a CA, since they author/authorize certificates.) > b. Not a CA, since the term CA is "reserved" to "DN/Identity" > No an AA is not a CA of any sort. CA is an authority for public-key certificates only and AA is an authority for attribute certificates only (see 3.3.2 and 3.3.16. The term 'authority' used alone is defined to include both (see 3.3.6). > 4. Is an "AA Certificate" a form of "CA Certificate" or not? > (Answer should be derived from response to (3). No. (as per response to 3) > > 5. If both "CRLs and ARLs" are examples of "certificate > revocation lists" > then is an ARL: > > a. An instance of CRL (that happens not to revoke any > DN/ID certs)? > b. Never a CRL, since every CRL involves DN/ID certificates? Actually 509 added specific acronyms for each type of CRL. What used to be called an "ARL" (Authority Revocation List) is now a "CARL" Certification Authority Revocation List) and is a revocation list of public-key certificates issued to CAs that are no longer considered valid by the certificate issuer (3.3.17). The equivalent of that for attribute authorities would be an AARL (Attribute Authority Revocation List)as defined in 3.3.3. > > I submit that more than half of the dialogs/debates on this list can > be traced to confusion regarding these fundamental terms. > > ___tony___ > > > At 01:25 PM 4/25/01 -0400, David A. Cooper wrote: > >Steve, > > > >If we are going to change PKIX to require the cA bit in > basicConstraints > >to be set even when the subject public key can only be used > to verify > >signatures on CRLs, then we need to be sure that the text > clearly explains > >to readers when the cA bit should or should not be set. Currently > >new-part1-06 states that "[t]he cA bit indicates if the > certified public > >key may be used to verify signatures on other certificates." > The clearly > >is not accurate, since if the cA bit is set one still does not know > >whether the subject public key may be used to verify signatures on > >certificates. One must look at the keyUsage extension to make that > >determination. > > > >I think it would be helpful to the discussion that we are > having if you > >would clearly state your interpretation of the meaning of > the cA bit in > >basicConstraints. > > > > From what I have read so far, it appears that you believe > that the cA > > bit should be used to indicate if the subject of the > certificate is a CA. > > But, if this is the case, then new-part1-06 still does not > accurately > > reflect your notion of the cA bit. Currently the text > states that the cA > > bit may only be set if the keyCertSign bit or the cRLSign > bit in keyUsage > > is set. However, a CA does more than just issue > certificates and CRLs. A > > CA may have a private key dedicated to signing PKI > transaction messages > > (e.g., certification response, revocation response, > proof-of-possession > > challenge). If a certificate were issued to a CA with its > PKI transaction > > message verification key as the subject public key, neither the > > keyCertSign nor the cRLSign bit in KeyUsage would be set, > but the subject > > of the certificate would still be a CA. > > > >So, should the cA bit be used to indicate if the certificate > subject is a > >CA or to indicate that the subject public key may be used to verify > >signatures on certificates and/or CRLs? If the latter, then not all > >certificates issued to CAs will have the cA bit set. > > > >Dave > > > >At 01:31 PM 4/20/01 -0400, Stephen Kent wrote: > > >>The description of basic constraints in X.509 further > supports the idea > > that the cA bit is used to specify certificate issuing, not > certificate > > and/or CRL issuing: > > >> > > >>"This field indicates if the subject may act as a CA, with the > > certified public key being used to verify certificate > signatures. ... The > > cA component indicates if the certified public key may be > used to verify > > certificate signatures. ... if the value of cA is not set to > true then the > > certified public key shall not be used to verify a > certificate signature" > > >> > > >> > > >>pkix-new-part1-05 states something similar: > > >> > > >>"The cA bit indicates if the certified public key may be > used to verify > > signatures on other certificates. If the cA bit is > asserted, then the > > keyCertSign bit in the key usage extension (see 4.2.1.3) > MUST also be > > asserted. If the cA bit is not asserted, then the > keyCertSign bit in the > > key usage extension MUST NOT be asserted." > > > > > >again, this supports the notion that a CA signs certs, but it says > > nothing about whether a CA or some other entity signs CRLs. We have > > uncovered a number of instances where less than perfect > wording has lead > > to confusion and our recent dialogue suggests that some of > the quotes you > > cite are examples of this. > > Tony Bartoletti 925-422-3881 <azb@llnl.gov> > Information Operations, Warfare and Assurance Center > Lawrence Livermore National Laboratory > Livermore, CA 94551-9900 > > > > Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA11962 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 06:37:22 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id JAA05667 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 09:37:19 -0400 (EDT) Message-Id: <4.2.2.20010426085517.00b04840@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 26 Apr 2001 09:37:03 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: keyCertSign and cRLSign Key Usage Bits In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE360@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_4052544==_.ALT" --=====================_4052544==_.ALT Content-Type: text/plain; charset="us-ascii" Santosh, I think you bring up an interesting issue with the LDAP schema no matter what we do. As I pointed out yesterday, a CA may have a key pair that it only uses for PKI transaction messages. A certificate that includes the public key from this key pair would only have the digitalSignature KeyUsage bit set. The proposed text below states that the cA bit in basicConstraints should not be set. So, we would still have cases in which a certificate has been issued to a CA and either basicConstraints is absent or cA is set to false. (Technically, according to RFC 2587, we are OK if basicConstraints is absent, but this isn't really a good way out of the problem). A CA may also be issued a certificate in which the public key is intended to be used for key management. Same problem. I asked yesterday what the meaning of the cA bit was. X.509 states that "[t]he cA component indicates if the certified public key may be used to verify certificate signatures." Do we intend to change X.509 and PKIX to state that the cA bit should be set whenever the subject is a CA? If not, then the LDAP schema will need to deal with certificates issued to CAs in which either basicConstraints is absent or is present with cA set to FALSE. If so, then we need to change the text to eliminate any tying between the cA bit and the contents of KeyUsage. If we want to go with the proposed text below, then we will need to change both X.509 and PKIX to state that "the cA component indicates if the certified public key may be used to verify certificate or CRL signatures". We will also need to do something about the awkward connection between the cA bit and CRLs. Currently the text states that the cA bit should be set if the CRL issuing subject is issuing CRLs that cover public key certificates, but not attribute certificates. It further states that " >AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates". The problem is that, even if a single entity is not allowed to issued both public key certificates and attribute certificates, there is the possibility that a single, indirect CRL could cover both types of certificates. If one is using a CRL to check the status of a public key certificate, then it is clear that the text below requires that the certificate containing the key needed to verify the CRL signature must have the cA bit set. But what about when one is using a CRL to check the status of an attribute certificate? The quote text seem to suggest that, if the cA bit is not set in the certificate, the relying party is required to verify that the CRL does not contain any revocation information for public key certificates. I can't imagine that there was any intention to impose such a requirement, but that is what the text seems to say. > I think I have made my own opinion on this topic clear. X.509 does not state that the cA bit in basicConstraints should be set if the subject is a CA, it states that the bit should be set if the certified public key may be used to verify certificate signatures. The two are not synonymous. If we change the standard to state that the cA bit indicates whether the subject is a CA, it may solve the LDAP schema problem, but it will require that the remove any dependencies between the cA bit and the KeyUsage extension. As Tony said yesterday, we need to go back and clearly define the terms we are using. X.509 defines a CA as an entity that issues public key certificates. Is this the correct definition? Or is a CA an entity that issues public key certificates or CRLs that provide revocation information about public key certificates? Or it is something else? Does the cA bit indicate if the certified public key can be used to verify signatures on certificates, as X.509 states, or does it indicate that the subject is a CA, or something else? If we can't get agreement that the standard means what it says, how can we expect people to understand the standard? Dave At 08:20 AM 4/26/01 -0400, Santosh Chokhani wrote: >Steve: > >My rationale is as follows: There is no security benefit to checking the bit. The basic constraints and associated path length may determine whether a CA can create a CA or not. But, that is only useful for certificate path and since keyCertSign bit will not be set, the entity will NOT be able to create new CAs. > >So, I think check is not relevant from security viewpoint. > >Now, it may break some of the language (again not security) in ldap schema if we populate the certificate in caCertificate or crossCertificatePair and do not set the basic constraints. > >So, it is a mixed bag. I still think we should ask for the CAs to set the basic constraint bit so the ldap schema does not get screwed up and NOT require the client to check the bit. My rule on clients is simple. Maximize security and interoperability. Make all checks that are security relevant and no more and that will lead to greater interoperability. > > >-----Original Message----- >From: Stephen Kent [mailto:kent@bbn.com] >Sent: Wednesday, April 25, 2001 3:51 PM >To: Ambarish Malpani >Cc: ietf-pkix@imc.org >Subject: RE: keyCertSign and cRLSign Key Usage Bits > >At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote: >> >>I agree, also. >> >>Ambarish > >I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard. > >Steve >> >> >>--------------------------------------------------------------------- >>Ambarish Malpani >>Architect 650.567.5457 >>ValiCert, Inc. ambarish@valicert.com >>339 N. Bernardo Ave. <http://www.valicert.com/>http://www.valicert.com >>Mountain View, CA 94043 >>>-----Original Message----- >>>From: Santosh Chokhani [mailto:chokhani@cygnacom.com] >>>Sent: Tuesday, April 24, 2001 8:22 AM >>>To: Housley, Russ; ietf-pkix@imc.org >>>Subject: RE: keyCertSign and cRLSign Key Usage Bits >>> >>>Russ: I agree with the text. >>> >>>I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI). >>> >>>But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension. >>> >>>-----Original Message----- >>>From: Housley, Russ [<mailto:rhousley@rsasecurity.com>mailto:rhousley@rsasecurity.com] >>>Sent: Tuesday, April 24, 2001 10:37 AM >>>To: ietf-pkix@imc.org >>>Subject: keyCertSign and cRLSign Key Usage Bits >>> >>> >>> >>>The consensus on these bits is not totally clear to me. Yet, several >>>points have been consistently, and I think that the following text >>>incorporates them. The debate regarding he linkage between these bits and >>>the cA bit in the basic constraints extension does not seem to be over, and >>>I have not made any changes in that area. Please use this new thread to >>>discuss any remaining unresolved points. >>> >>> The keyCertSign bit is asserted when the subject public key is >>> used for verifying a signature on public key certificates. This >>> bit MUST only be asserted in CA certificates. If the keyCertSign >>> bit is asserted, then the cA bit in the basic constraints >>> extension (see 4.2.1.10) MUST also be asserted. If neither the >>> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit >>> in the basic constraints extension MUST NOT be asserted. >>> >>> The cRLSign bit is asserted when the subject public key is used >>> for verifying a signature on a certificate revocation list (e.g., >>> a CRL or an ARL). This bit MUST be asserted in CA and Attribute >>> Authority (AA) certificates that are used to verify signatures on >>> CRLs. If the cRLSign bit is asserted in a CA certificate, then >>> the cA bit in the basic constraints extension (see 4.2.1.10) MUST >>> also be asserted. If the cRLSign bit is asserted in a AA >>> certificate, then the cA bit in the basic constraints extension >>> MUST NOT be asserted. Such AA certificates MUST NOT be used to >>> verify signatures on CRLs containing revocation information for >>> public key certificates; however, these AA certificates MAY be >>> used to verify signatures on CRLs containing revocation >>> information concerning attribute certificates. If neither the >>> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit >>> in the basic constraints extension MUST NOT be asserted. >>> >>>Russ > --=====================_4052544==_.ALT Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html> Santosh,<br> <br> I think you bring up an interesting issue with the LDAP schema no matter what we do. As I pointed out yesterday, a CA may have a key pair that it only uses for PKI transaction messages. A certificate that includes the public key from this key pair would only have the digitalSignature KeyUsage bit set. The proposed text below states that the cA bit in basicConstraints should not be set. So, we would still have cases in which a certificate has been issued to a CA and either basicConstraints is absent or cA is set to false. (Technically, according to RFC 2587, we are OK if basicConstraints is absent, but this isn't really a good way out of the problem). A CA may also be issued a certificate in which the public key is intended to be used for key management. Same problem.<br> <br> I asked yesterday what the meaning of the cA bit was. X.509 states that "[t]he <font size=3D2>cA</font> component indicates if the certified public key may be used to verify certificate signatures." Do we intend to change X.509 and PKIX to state that the cA bit should be set whenever the subject is a CA? If not, then the LDAP schema will need to deal with certificates issued to CAs in which either basicConstraints is absent or is present with cA set to FALSE. If so, then we need to change the text to eliminate any tying between the cA bit and the contents of KeyUsage.<br> <br> If we want to go with the proposed text below, then we will need to change both X.509 and PKIX to state that "the cA component indicates if the certified public key may be used to verify certificate or CRL signatures". We will also need to do something about the awkward connection between the cA bit and CRLs. Currently the text states that the cA bit should be set if the CRL issuing subject is issuing CRLs that cover public key certificates, but not attribute certificates. It further states that "<blockquote><font size=3D2>AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates". The problem is that, even if a single entity is not allowed to issued both public key certificates and attribute certificates, there is the possibility that a single, indirect CRL could cover both types of certificates. If one is using a CRL to check the status of a public key certificate, then it is clear that the text below requires that the certificate containing the key needed to verify the CRL signature must have the cA bit set. But what about when one is using a CRL to check the status of an attribute certificate? The quote text seem to suggest that, if the cA bit is not set in the certificate, the relying party is required to verify that the CRL does not contain any revocation information for public key certificates. I can't imagine that there was any intention to impose such a requirement, but that is what the text seems to say.<br> <br> </font></blockquote>I think I have made my own opinion on this topic clear. X.509 does not state that the cA bit in basicConstraints should be set if the subject is a CA, it states that the bit should be set if the certified public key may be used to verify certificate signatures. The two are not synonymous. If we change the standard to state that the cA bit indicates whether the subject is a CA, it may solve the LDAP schema problem, but it will require that the remove any dependencies between the cA bit and the KeyUsage extension.<br> <br> As Tony said yesterday, we need to go back and clearly define the terms we are using. X.509 defines a CA as an entity that issues public key certificates. Is this the correct definition? Or is a CA an entity that issues public key certificates or CRLs that provide revocation information about public key certificates? Or it is something else? Does the cA bit indicate if the certified public key can be used to verify signatures on certificates, as X.509 states, or does it indicate that the subject is a CA, or something else? If we can't get agreement that the standard means what it says, how can we expect people to understand the standard?<br> <br> Dave<br> <br> At 08:20 AM 4/26/01 -0400, Santosh Chokhani wrote:<br> <font face=3D"arial" size=3D2 color=3D"#0000FF"><blockquote type=3Dcite= cite>Steve:</font><br> <br> <font face=3D"arial" size=3D2 color=3D"#0000FF">My rationale is as follows: There is no security benefit to checking the bit. The basic constraints and associated path length may determine whether a CA can create a CA or not. But, that is only useful for certificate path and since keyCertSign bit will not be set, the entity will NOT be able to create new CAs.</font><br> <br> <font face=3D"arial" size=3D2 color=3D"#0000FF">So, I think check is not relevant from security viewpoint.</font><br> <br> <font face=3D"arial" size=3D2 color=3D"#0000FF">Now, it may break some of th= e language (again not security) in ldap schema if we populate the certificate in caCertificate or crossCertificatePair and do not set the basic constraints.</font><br> <br> <font face=3D"arial" size=3D2 color=3D"#0000FF">So, it is a mixed bag. = I still think we should ask for the CAs to set the basic constraint bit so the ldap schema does not get screwed up and NOT require the client to check the bit. My rule on clients is simple. Maximize security and interoperability. Make all checks that are security relevant and no more and that will lead to greater interoperability.</font><br> <br> <br> <font face=3D"Times New Roman, Times" size=3D2>-----Original Message-----<br> <b>From:</b> Stephen Kent [<a href=3D"mailto:kent@bbn.com"= eudora=3D"autourl">mailto:kent@bbn.com</a>]<br> <b>Sent:</b> Wednesday, April 25, 2001 3:51 PM<br> <b>To:</b> Ambarish Malpani<br> <b>Cc:</b> ietf-pkix@imc.org<br> <b>Subject:</b> RE: keyCertSign and cRLSign Key Usage Bits<br> <br> </font>At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote:<br> <blockquote type=3Dcite cite> <br> <font face=3D"arial" size=3D2 color=3D"#0000FF">I agree, also.<br> <br> Ambarish</font></blockquote><br> I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard.<br> <br> Steve<br> <blockquote type=3Dcite cite><br> <br> <font= size=3D2>------------------------------------------------------------------= ---<br> Ambarish Malpani<br> Architect &= nbsp;  = ; &nb= sp; 650.567.5457<br> ValiCert, Inc. = &nbs= p; ambarish@valicert.com<br> 339 N. Bernardo Ave. = </font> <a href=3D"http://www.valicert.com/"><font= size=3D2>http://www.valicert.com</a><br> Mountain View, CA 94043</font><blockquote><font face=3D"tahoma" size=3D2> <dl> <dd>-----Original Message----- <dd>From:</b> Santosh Chokhani [<a href=3D"mailto:chokhani@cygnacom.com"= eudora=3D"autourl">mailto:chokhani@cygnacom.com</a>] <dd>Sent:</b> Tuesday, April 24, 2001 8:22 AM <dd>To:</b> Housley, Russ; ietf-pkix@imc.org <dd>Subject:</b> RE: keyCertSign and cRLSign Key Usage Bits</font><br> <br> <dd>Russ: I agree with the text.<br> <br> <dd>I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI).<br> <br> <dd>But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension.<br> <br> <dd>-----Original Message----- <dd>From: Housley, Russ [<a= href=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</a= >] <dd>Sent: Tuesday, April 24, 2001 10:37 AM <dd>To: ietf-pkix@imc.org <dd>Subject: keyCertSign and cRLSign Key Usage Bits<br> <br> <br> <br> <dd>The consensus on these bits is not totally clear to me. Yet, several <dd>points have been consistently, and I think that the following text <dd>incorporates them. The debate regarding he linkage between these bits and <dd>the cA bit in the basic constraints extension does not seem to be over, and <dd>I have not made any changes in that area. Please use this new thread to <dd>discuss any remaining unresolved points.<br> <br> <dd> The keyCertSign bit is asserted when the subject public key is <dd> used for verifying a signature on public key certificates. This <dd> bit MUST only be asserted in CA certificates. If the keyCertSign <dd> bit is asserted, then the cA bit in the basic constraints <dd> extension (see 4.2.1.10) MUST also be asserted. If neither the <dd> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit <dd> in the basic constraints extension MUST NOT be asserted.<br> <br> <dd> The cRLSign bit is asserted when the subject public key is used <dd> for verifying a signature on a certificate revocation list (e.g., <dd> a CRL or an ARL). This bit MUST be asserted in CA and Attribute <dd> Authority (AA) certificates that are used to verify signatures on <dd> CRLs. If the cRLSign bit is asserted in a CA certificate, then <dd> the cA bit in the basic constraints extension (see 4.2.1.10) MUST <dd> also be asserted. If the cRLSign bit is asserted in a AA <dd> certificate, then the cA bit in the basic constraints extension <dd> MUST NOT be asserted. Such AA certificates MUST NOT be used to <dd> verify signatures on CRLs containing revocation information for <dd> public key certificates; however, these AA certificates MAY be <dd> used to verify signatures on CRLs containing revocation <dd> information concerning attribute certificates. If neither the <dd> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit <dd> in the basic constraints extension MUST NOT be asserted.<br> <br> <dd>Russ </dl></blockquote></blockquote><br> </html> --=====================_4052544==_.ALT-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA11353 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 06:30:40 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JV6F5VC0>; Thu, 26 Apr 2001 09:30:13 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FD1@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Tony Bartoletti'" <azb@llnl.gov>, ietf-pkix@imc.org Cc: Sharon Boeyen <sharon.boeyen@entrust.com>, Peter Williams <peterw@valicert.com> Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix -new-part1-06.txt comments) Date: Thu, 26 Apr 2001 09:24:25 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CE54.368451F0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CE54.368451F0 Content-Type: text/plain Tony, on the binding of a key to attributes the 509 standard has at least 2 ways to do this. One is to include the attributes of interest in a public-key certificate in the subjectDirectoryAttributes extension. If, however you want to use the more flexible approach of assigning attributes through attribute certificates, then there are 3 ways to identify the holder of the attribute certificate. One of those is to identify the user with the baseCertificateID component that points directly to a specific public-key certificate for that user. If this mechanism is used, that means that in order for the holder to use the privileges assigned in the attribute cert, they must be authenticated using the indicated public-key certificate (the user's DN can optionally also be present in order to help the verifier locate that public-key certificate). There are some other interesting PMI extensions as well including one that allows the issuer of the attribute certificate to indicate the certificate policies that are the only acceptable ones for the associated public-key certificate used for authentication. So there are mechanisms for relating the use of attribute certs for authorization with the PKI used for authentication. In 2459, the use of CRL (I believe) applies to two cases. In one instance it is the full and complete CRL (including all revocation noticies for all certs of all types issued by a CA) and in the other case it equates to what 509 defines as an EPRL (End- Entity Public-key Certificate Revocation List). The 2459 use of ARL equates to the 509 CARL (Certification Authority Revocation List). 509 also defines AARL and ACRL for the equivalent in the attribute cert space. As for the issuance of a single CRL that contains both revocation notices for public-key and for attribute certs, 509 does allow this as well. In the reasonCode extension (8.5.2.2) and in the cRLDistributionPoints extension (8.56.2.1) you'll find that we added 2 new reasons (privilegeWithdrawn and aaCompromise) to the existing set, so a CRL can cover any combination of reason codes. In the crlScope (8.5.2.5) extension you'll find that we use the term "authority" rather than CA so that could inclode both. In the issuingDistributionPoint extension (8.6.2.2) there are now onlyContainsUserCerts, onlyContainsAuthorityCerts and onlyContainsAttributeCerts, so all combinations are permitted. Cheers, Sharon Hope that helps Sharon > -----Original Message----- > From: Tony Bartoletti [mailto:azb@llnl.gov] > Sent: Wednesday, April 25, 2001 5:28 PM > To: ietf-pkix@imc.org > Cc: Sharon Boeyen; Peter Williams > Subject: RE: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix > -new-part1-06.txt comments) > > > > Sharon and Peter, > > Thank you both for the explanations. I now understand that an > "attribute certificate" does NOT certify a key. Thus, an "AA" > is not an "[Attribute] Certificate Authority" (A-CA) but rather > is an "[Attribute Certificate] Authority]" (AC-A). What is > called a "CA" is actually a "(Public) Key Certificate Authority". > > Are there no instruments that attest (e.g.): > > "(anonymous) signer with this key is 21 years old"? > > That is, bind a "key to attributes, sans DN/Identity"? > Could a CA do this using PMI extension attributes? > > Finally, does anyone know if the PKIX "CRL/ARL" maps to > CARL/AARL? And does this imply that no one can sign or > verify a list containing both PKC and AC revocations? > > Thanks again for your previous (extensive) response! > > ___tony___ > > > Tony Bartoletti 925-422-3881 <azb@llnl.gov> > Information Operations, Warfare and Assurance Center > Lawrence Livermore National Laboratory > Livermore, CA 94551-9900 > > > > ------_=_NextPart_001_01C0CE54.368451F0 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: = draft-ietf-pkix -new-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Tony, on the binding of a key to attributes the 509 = standard has at least</FONT> <BR><FONT SIZE=3D2>2 ways to do this. One is to include the attributes = of interest </FONT> <BR><FONT SIZE=3D2>in a public-key certificate in the = subjectDirectoryAttributes extension.</FONT> <BR><FONT SIZE=3D2>If, however you want to use the more flexible = approach of assigning attributes</FONT> <BR><FONT SIZE=3D2>through attribute certificates, then there are 3 = ways to identify the </FONT> <BR><FONT SIZE=3D2>holder of the attribute certificate. One of those is = to identify the user</FONT> <BR><FONT SIZE=3D2>with the baseCertificateID component that points = directly to a specific </FONT> <BR><FONT SIZE=3D2>public-key certificate for that user. If this = mechanism is used, that </FONT> <BR><FONT SIZE=3D2>means that in order for the holder to use the = privileges assigned in </FONT> <BR><FONT SIZE=3D2>the attribute cert, they must be authenticated using = the indicated public-key </FONT> <BR><FONT SIZE=3D2>certificate (the user's DN can optionally also be = present in order to help </FONT> <BR><FONT SIZE=3D2>the verifier locate that public-key certificate). = There are some other interesting </FONT> <BR><FONT SIZE=3D2>PMI extensions as well including one that allows the = issuer of the attribute </FONT> <BR><FONT SIZE=3D2>certificate to indicate the certificate policies = that are the only acceptable </FONT> <BR><FONT SIZE=3D2>ones for the associated public-key certificate used = for authentication. So there </FONT> <BR><FONT SIZE=3D2>are mechanisms for relating the use of attribute = certs for authorization with the </FONT> <BR><FONT SIZE=3D2>PKI used for authentication.</FONT> </P> <P><FONT SIZE=3D2>In 2459, the use of CRL (I believe) applies to two = cases. In one instance it is the </FONT> <BR><FONT SIZE=3D2>full and complete CRL (including all revocation = noticies for all certs of all types </FONT> <BR><FONT SIZE=3D2>issued by a CA) and in the other case it equates to = what 509 defines as an EPRL (End-</FONT> <BR><FONT SIZE=3D2>Entity Public-key Certificate Revocation List). The = 2459 use of ARL equates to </FONT> <BR><FONT SIZE=3D2>the 509 CARL (Certification Authority Revocation = List). </FONT> </P> <P><FONT SIZE=3D2>509 also defines AARL and ACRL for the equivalent in = the attribute cert space.</FONT> </P> <P><FONT SIZE=3D2>As for the issuance of a single CRL that contains = both revocation notices for public-key </FONT> <BR><FONT SIZE=3D2>and for attribute certs, 509 does allow this as = well. In the reasonCode extension (8.5.2.2) and in the = cRLDistributionPoints extension (8.56.2.1) you'll find that we added 2 = new reasons (privilegeWithdrawn and aaCompromise) to the existing set, = so a CRL can cover any combination of reason codes. In the crlScope = (8.5.2.5) extension you'll find </FONT></P> <P><FONT SIZE=3D2>that we use the term "authority" rather = than CA so that could inclode both. In the issuingDistributionPoint = extension (8.6.2.2) there are now onlyContainsUserCerts, = onlyContainsAuthorityCerts and onlyContainsAttributeCerts, so all = combinations are </FONT></P> <P><FONT SIZE=3D2>permitted. </FONT> </P> <P><FONT SIZE=3D2>Cheers,</FONT> <BR><FONT SIZE=3D2>Sharon </FONT> </P> <P><FONT SIZE=3D2>Hope that helps</FONT> <BR><FONT SIZE=3D2>Sharon</FONT> </P> <P><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Tony Bartoletti [<A = HREF=3D"mailto:azb@llnl.gov">mailto:azb@llnl.gov</A>]</FONT> <BR><FONT SIZE=3D2>> Sent: Wednesday, April 25, 2001 5:28 PM</FONT> <BR><FONT SIZE=3D2>> To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Cc: Sharon Boeyen; Peter Williams</FONT> <BR><FONT SIZE=3D2>> Subject: RE: cA flag and CRL issuers (was Re: = Last Call: </FONT> <BR><FONT SIZE=3D2>> draft-ietf-pkix</FONT> <BR><FONT SIZE=3D2>> -new-part1-06.txt comments)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Sharon and Peter,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Thank you both for the explanations. I = now understand that an</FONT> <BR><FONT SIZE=3D2>> "attribute certificate" does NOT = certify a key. Thus, an "AA"</FONT> <BR><FONT SIZE=3D2>> is not an "[Attribute] Certificate = Authority" (A-CA) but rather</FONT> <BR><FONT SIZE=3D2>> is an "[Attribute Certificate] = Authority]" (AC-A). What is</FONT> <BR><FONT SIZE=3D2>> called a "CA" is actually a = "(Public) Key Certificate Authority".</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Are there no instruments that attest = (e.g.):</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> "(anonymous) = signer with this key is 21 years old"?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> That is, bind a "key to attributes, sans = DN/Identity"?</FONT> <BR><FONT SIZE=3D2>> Could a CA do this using PMI extension = attributes?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Finally, does anyone know if the PKIX = "CRL/ARL" maps to</FONT> <BR><FONT SIZE=3D2>> CARL/AARL? And does this imply that no = one can sign or</FONT> <BR><FONT SIZE=3D2>> verify a list containing both PKC and AC = revocations?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Thanks again for your previous (extensive) = response!</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> ___tony___</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Tony Bartoletti 925-422-3881 = <azb@llnl.gov></FONT> <BR><FONT SIZE=3D2>> Information Operations, Warfare and Assurance = Center</FONT> <BR><FONT SIZE=3D2>> Lawrence Livermore National Laboratory</FONT> <BR><FONT SIZE=3D2>> Livermore, CA 94551-9900</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CE54.368451F0-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA06138 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 05:30:18 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JV6F54HR>; Thu, 26 Apr 2001 08:29:48 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE360@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Stephen Kent <kent@bbn.com>, Ambarish Malpani <ambarish@valicert.com> Cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Thu, 26 Apr 2001 08:20:54 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CE4B.5758CB80" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CE4B.5758CB80 Content-Type: text/plain; charset="iso-8859-1" Steve: My rationale is as follows: There is no security benefit to checking the bit. The basic constraints and associated path length may determine whether a CA can create a CA or not. But, that is only useful for certificate path and since keyCertSign bit will not be set, the entity will NOT be able to create new CAs. So, I think check is not relevant from security viewpoint. Now, it may break some of the language (again not security) in ldap schema if we populate the certificate in caCertificate or crossCertificatePair and do not set the basic constraints. So, it is a mixed bag. I still think we should ask for the CAs to set the basic constraint bit so the ldap schema does not get screwed up and NOT require the client to check the bit. My rule on clients is simple. Maximize security and interoperability. Make all checks that are security relevant and no more and that will lead to greater interoperability. -----Original Message----- From: Stephen Kent [mailto:kent@bbn.com] Sent: Wednesday, April 25, 2001 3:51 PM To: Ambarish Malpani Cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote: I agree, also. Ambarish I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard. Steve --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. <http://www.valicert.com/> http://www.valicert.com Mountain View, CA 94043 -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Tuesday, April 24, 2001 8:22 AM To: Housley, Russ; ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Russ: I agree with the text. I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI). But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension. -----Original Message----- From: Housley, Russ [ <mailto:rhousley@rsasecurity.com> mailto:rhousley@rsasecurity.com] Sent: Tuesday, April 24, 2001 10:37 AM To: ietf-pkix@imc.org Subject: keyCertSign and cRLSign Key Usage Bits The consensus on these bits is not totally clear to me. Yet, several points have been consistently, and I think that the following text incorporates them. The debate regarding he linkage between these bits and the cA bit in the basic constraints extension does not seem to be over, and I have not made any changes in that area. Please use this new thread to discuss any remaining unresolved points. The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. This bit MUST only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on a certificate revocation list (e.g., a CRL or an ARL). This bit MUST be asserted in CA and Attribute Authority (AA) certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. Such AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates; however, these AA certificates MAY be used to verify signatures on CRLs containing revocation information concerning attribute certificates. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Russ ------_=_NextPart_001_01C0CE4B.5758CB80 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: keyCertSign and cRLSign Key Usage Bits</TITLE> <STYLE type=text/css>BLOCKQUOTE { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } DL { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } UL { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } OL { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } LI { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } </STYLE> <META content="MSHTML 5.00.2014.210" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=394012212-26042001>Steve:</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=394012212-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=394012212-26042001>My rationale is as follows: There is no security benefit to checking the bit. The basic constraints and associated path length may determine whether a CA can create a CA or not. But, that is only useful for certificate path and since keyCertSign bit will not be set, the entity will NOT be able to create new CAs.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=394012212-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=394012212-26042001>So, I think check is not relevant from security viewpoint.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=394012212-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=394012212-26042001>Now, it may break some of the language (again not security) in ldap schema if we populate the certificate in caCertificate or crossCertificatePair and do not set the basic constraints.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=394012212-26042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=394012212-26042001>So, it is a mixed bag. I still think we should ask for the CAs to set the basic constraint bit so the ldap schema does not get screwed up and NOT require the client to check the bit. My rule on clients is simple. Maximize security and interoperability. Make all checks that are security relevant and no more and that will lead to greater interoperability.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=394012212-26042001></SPAN></FONT> </DIV> <DIV> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Stephen Kent [mailto:kent@bbn.com]<BR><B>Sent:</B> Wednesday, April 25, 2001 3:51 PM<BR><B>To:</B> Ambarish Malpani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits<BR><BR></FONT></DIV> <DIV>At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote:</DIV> <BLOCKQUOTE cite type="cite"> </BLOCKQUOTE> <BLOCKQUOTE cite type="cite"><FONT color=#0000ff face=Arial size=-1>I agree, also.</FONT></BLOCKQUOTE> <BLOCKQUOTE cite type="cite"><FONT color=#0000ff face=Arial size=-1><BR>Ambarish</FONT></BLOCKQUOTE> <DIV><BR></DIV> <DIV>I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard.</DIV> <DIV><BR>Steve</DIV> <BLOCKQUOTE cite type="cite"><BR> </BLOCKQUOTE> <BLOCKQUOTE cite type="cite"><FONT size=-1>---------------------------------------------------------------------<BR>Ambarish Malpani<BR>Architect <SPAN></SPAN> <SPAN></SPAN> <SPAN></SPAN> <SPAN></SPAN> 650.567.5457<BR>ValiCert, Inc. <SPAN></SPAN> <SPAN></SPAN> ambarish@valicert.com<BR>339 N. Bernardo Ave. <SPAN></SPAN> <SPAN></SPAN> </FONT> <A href="http://www.valicert.com/"><FONT size=-1>http://www.valicert.com</FONT></A><FONT size=-1><BR>Mountain View, CA 94043</FONT><BR> <BLOCKQUOTE><FONT face=Tahoma size=-1>-----Original Message-----<BR><B>From:</B> Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Tuesday, April 24, 2001 8:22 AM<BR><B>To:</B> Housley, Russ; ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key Usage Bits</FONT><BR><FONT face=Tahoma size=-1></FONT></BLOCKQUOTE> <BLOCKQUOTE><FONT size=-1>Russ: I agree with the text.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=-1>I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI).</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=-1>But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=-1>-----Original Message-----</FONT><BR><FONT size=-1>From: Housley, Russ [</FONT><A href="mailto:rhousley@rsasecurity.com"><FONT size=-1>mailto:rhousley@rsasecurity.com</FONT></A><FONT size=-1>]</FONT><BR><FONT size=-1>Sent: Tuesday, April 24, 2001 10:37 AM</FONT><BR><FONT size=-1>To: ietf-pkix@imc.org</FONT><BR><FONT size=-1>Subject: keyCertSign and cRLSign Key Usage Bits</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=-1>The consensus on these bits is not totally clear to me. Yet, several</FONT><BR><FONT size=-1>points have been consistently, and I think that the following text</FONT><BR><FONT size=-1>incorporates them. The debate regarding he linkage between these bits and</FONT><BR><FONT size=-1>the cA bit in the basic constraints extension does not seem to be over, and</FONT><BR><FONT size=-1>I have not made any changes in that area. Please use this new thread to</FONT><BR><FONT size=-1>discuss any remaining unresolved points.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=-1> The keyCertSign bit is asserted when the subject public key is</FONT><BR><FONT size=-1> used for verifying a signature on public key certificates. This</FONT><BR><FONT size=-1> bit MUST only be asserted in CA certificates. If the keyCertSign</FONT><BR><FONT size=-1> bit is asserted, then the cA bit in the basic constraints</FONT><BR><FONT size=-1> extension (see 4.2.1.10) MUST also be asserted. If neither the</FONT><BR><FONT size=-1> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit</FONT><BR><FONT size=-1> in the basic constraints extension MUST NOT be asserted.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=-1> The cRLSign bit is asserted when the subject public key is used</FONT><BR><FONT size=-1> for verifying a signature on a certificate revocation list (e.g.,</FONT><BR><FONT size=-1> a CRL or an ARL). This bit MUST be asserted in CA and Attribute</FONT><BR><FONT size=-1> Authority (AA) certificates that are used to verify signatures on</FONT><BR><FONT size=-1> CRLs. If the cRLSign bit is asserted in a CA certificate, then</FONT><BR><FONT size=-1> the cA bit in the basic constraints extension (see 4.2.1.10) MUST</FONT><BR><FONT size=-1> also be asserted. If the cRLSign bit is asserted in a AA</FONT><BR><FONT size=-1> certificate, then the cA bit in the basic constraints extension</FONT><BR><FONT size=-1> MUST NOT be asserted. Such AA certificates MUST NOT be used to</FONT><BR><FONT size=-1> verify signatures on CRLs containing revocation information for</FONT><BR><FONT size=-1> public key certificates; however, these AA certificates MAY be</FONT><BR><FONT size=-1> used to verify signatures on CRLs containing revocation</FONT><BR><FONT size=-1> information concerning attribute certificates. If neither the</FONT><BR><FONT size=-1> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit</FONT><BR><FONT size=-1> in the basic constraints extension MUST NOT be asserted.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=-1>Russ</FONT></BLOCKQUOTE></BLOCKQUOTE> <DIV><BR></DIV></BODY></HTML> ------_=_NextPart_001_01C0CE4B.5758CB80-- Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA01022 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 04:21:14 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA28072; Thu, 26 Apr 2001 07:21:14 -0400 (EDT) Message-Id: <200104261121.HAA28072@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; CC: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-josefsson-pkix-dns-00.txt Date: Thu, 26 Apr 2001 07:21:13 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Internet X.509 Public Key Infrastructure Operational Protocols - DNS Author(s) : S. Josefsson Filename : draft-josefsson-pkix-dns-00.txt Pages : 9 Date : 25-Apr-01 The protocol conventions described in this document satisfy some of the operational requirements of the Internet Public Key Infrastructure (PKI). This document specifies the conventions for using the Domain Name System (DNS) to obtain certificates and certificate revocation lists (CRLs) from PKI repositories. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-josefsson-pkix-dns-00.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-josefsson-pkix-dns-00.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-josefsson-pkix-dns-00.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20010425142853.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-josefsson-pkix-dns-00.txt --OtherAccess Content-Type: Message/External-body; name="draft-josefsson-pkix-dns-00.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20010425142853.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA00817 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 04:20:09 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA27850; Thu, 26 Apr 2001 07:20:09 -0400 (EDT) Message-Id: <200104261120.HAA27850@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-2797-bis-00.txt Date: Thu, 26 Apr 2001 07:20:08 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Certificate Management Messages over CMS Author(s) : M. Myers, X. Liu, J. Schaad, J. Weinstein Filename : draft-ietf-pkix-2797-bis-00.txt Pages : Date : 09-Mar-01 This document defines a Certificate Management protocol using CMS (CMC). This protocol addresses two immediate needs within the Internet PKI community: 1. The need for an interface to public key certification products and services based on [CMS] and [PKCS10], and 2. The need in [SMIMEV3] for a certificate enrollment protocol for DSA-signed certificates with Diffie-Hellman public keys. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-2797-bis-00.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-2797-bis-00.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-2797-bis-00.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20010425092751.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-2797-bis-00.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-2797-bis-00.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20010425092751.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from aifhs8.alcatel.fr (aifhs8.alcatel.fr [212.208.74.153]) by above.proper.com (8.9.3/8.9.3) with ESMTP id BAA14881 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 01:24:26 -0700 (PDT) From: David.Fontanella@alcatel.fr Received: from frmta004.netfr.alcatel.fr (frmta004.netfr.alcatel.fr [155.132.182.160]) by aifhs8.alcatel.fr (ALCANET/SMTP2) with SMTP id KAA16156 for <ietf-pkix@imc.org>; Thu, 26 Apr 2001 10:24:11 +0200 (MET DST) Received: by frmta004.netfr.alcatel.fr(Lotus SMTP MTA v4.6.7 (934.1 12-30-1999)) id C1256A3A.002E2211 ; Thu, 26 Apr 2001 10:23:53 +0200 X-Lotus-FromDomain: ALCATEL To: ietf-pkix@imc.org Message-ID: <C1256A3A.002E2010.00@frmta004.netfr.alcatel.fr> Date: Thu, 26 Apr 2001 10:23:47 +0200 Subject: unsubscribe Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline unsubscribe Received: from blue01.identrus.com ([216.213.93.123]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA20504 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 17:48:39 -0700 (PDT) Received: by BLUE01 with Internet Mail Service (5.5.2653.19) id <JP9YGWYA>; Wed, 25 Apr 2001 20:46:58 -0400 Message-ID: <2B55DABB95C4D4119C1300508BD953F11442D5@BLUE01> From: Dave Oshman <Dave.Oshman@identrus.com> To: "'Stephen Kent'" <kent@bbn.com> Cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Wed, 25 Apr 2001 20:46:48 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CDEA.5FD1CC00" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CDEA.5FD1CC00 Content-Type: text/plain; charset="iso-8859-1" Steve-- 2459 does not seem to disallow this now. It is simply not clear on it. I agree that the standard needs to be unambiguous. We need to clearly define what CA=true means. If it means the PK in this cert is used to verify signatures on certificates, then this means that the CA flag should not be set for a CRL Signing certificate. Regards, Dave -----Original Message----- From: Stephen Kent [mailto:kent@bbn.com] Sent: Wednesday, April 25, 2001 3:51 PM To: Ambarish Malpani Cc: ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote: I agree, also. Ambarish I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard. Steve --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. <http://www.valicert.com/> http://www.valicert.com Mountain View, CA 94043 -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Tuesday, April 24, 2001 8:22 AM To: Housley, Russ; ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Russ: I agree with the text. I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI). But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension. -----Original Message----- From: Housley, Russ [ <mailto:rhousley@rsasecurity.com> mailto:rhousley@rsasecurity.com] Sent: Tuesday, April 24, 2001 10:37 AM To: ietf-pkix@imc.org Subject: keyCertSign and cRLSign Key Usage Bits The consensus on these bits is not totally clear to me. Yet, several points have been consistently, and I think that the following text incorporates them. The debate regarding he linkage between these bits and the cA bit in the basic constraints extension does not seem to be over, and I have not made any changes in that area. Please use this new thread to discuss any remaining unresolved points. The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. This bit MUST only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on a certificate revocation list (e.g., a CRL or an ARL). This bit MUST be asserted in CA and Attribute Authority (AA) certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. Such AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates; however, these AA certificates MAY be used to verify signatures on CRLs containing revocation information concerning attribute certificates. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Russ ------_=_NextPart_001_01C0CDEA.5FD1CC00 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <TITLE>RE: keyCertSign and cRLSign Key Usage Bits</TITLE> <STYLE type=3Dtext/css>BLOCKQUOTE { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } DL { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } UL { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } OL { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } LI { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } </STYLE> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D212354400-26042001>Steve--</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D212354400-26042001>2459=20 does not seem to disallow this now. It is simply not clear on it. I = agree that=20 the standard needs to be unambiguous. We need to clearly define what = CA=3Dtrue=20 means. If it means the PK in this cert is used to verify signatures on=20 certificates, then this means that the CA flag should not be set for a = CRL=20 Signing certificate.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D212354400-26042001>Regards,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D212354400-26042001>Dave</SPAN></FONT></DIV> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Stephen Kent=20 [mailto:kent@bbn.com]<BR><B>Sent:</B> Wednesday, April 25, 2001 3:51=20 PM<BR><B>To:</B> Ambarish Malpani<BR><B>Cc:</B>=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: keyCertSign and cRLSign Key = Usage=20 Bits<BR><BR></DIV></FONT> <DIV>At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote:</DIV> <BLOCKQUOTE cite type=3D"cite"> </BLOCKQUOTE> <BLOCKQUOTE cite type=3D"cite"><FONT color=3D#0000ff face=3DArial = size=3D-1>I agree,=20 also.</FONT></BLOCKQUOTE> <BLOCKQUOTE cite type=3D"cite"><FONT color=3D#0000ff face=3DArial=20 size=3D-1><BR>Ambarish</FONT></BLOCKQUOTE> <DIV><BR></DIV> <DIV>I disagree. We need to make a decision on whether a cert without = a CA=20 flag enabled can sign CRLs. If so, then we need to modify a lot of = text in=20 2459, and in X.509, to say this clearly. Suggesting that a client be=20 "forgiving" in this context is not a viable proposal for a = standard.</DIV> <DIV><BR>Steve</DIV> <BLOCKQUOTE cite type=3D"cite"><BR> </BLOCKQUOTE> <BLOCKQUOTE cite type=3D"cite"><FONT=20 = size=3D-1>--------------------------------------------------------------= -------<BR>Ambarish=20 = Malpani<BR>Architect &nbs= p; <SPAN></SPAN> &nb= sp; <SPAN></SPAN> &n= bsp; <SPAN></SPAN> &= nbsp; <SPAN></SPAN> =20 650.567.5457<BR>ValiCert,=20 = Inc. <SPAN></= SPAN> <= SPAN></SPAN> = =20 ambarish@valicert.com<BR>339 N. Bernardo=20 = Ave. <SPAN></= SPAN> <= SPAN></SPAN> </FONT>=20 <A href=3D"http://www.valicert.com/"><FONT=20 size=3D-1>http://www.valicert.com</FONT></A><FONT = size=3D-1><BR>Mountain View,=20 CA 94043</FONT><BR> <BLOCKQUOTE><FONT face=3DTahoma size=3D-1>-----Original=20 Message-----<BR><B>From:</B> Santosh Chokhani=20 [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Tuesday, April 24, = 2001=20 8:22 AM<BR><B>To:</B> Housley, Russ; = ietf-pkix@imc.org<BR><B>Subject:</B>=20 RE: keyCertSign and cRLSign Key Usage Bits</FONT><BR><FONT = face=3DTahoma=20 size=3D-1></FONT></BLOCKQUOTE> <BLOCKQUOTE><FONT size=3D-1>Russ: I agree with the=20 text.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=3D-1>I also know that Steve Kent and Sharon = Boeyen=20 feel that X.509 states that only CA can issue CRL (the context of = my=20 comments being PKI only and not PMI).</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=3D-1>But, using the theory that you suggest = that the=20 client be forgiving, I would consider a client compliant if it = did NOT=20 check the basic constraint extension while verifying a signature = on a=20 CRL. It need to ensure that the cRLSign bit is set in the = keyUsage=20 extension.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=3D-1>-----Original = Message-----</FONT><BR><FONT=20 size=3D-1>From: Housley, Russ [</FONT><A=20 href=3D"mailto:rhousley@rsasecurity.com"><FONT=20 size=3D-1>mailto:rhousley@rsasecurity.com</FONT></A><FONT=20 size=3D-1>]</FONT><BR><FONT size=3D-1>Sent: Tuesday, April 24, = 2001 10:37=20 AM</FONT><BR><FONT size=3D-1>To: = ietf-pkix@imc.org</FONT><BR><FONT=20 size=3D-1>Subject: keyCertSign and cRLSign Key Usage=20 Bits</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=3D-1>The consensus on these bits is not = totally clear=20 to me. Yet, several</FONT><BR><FONT size=3D-1>points have = been=20 consistently, and I think that the following text</FONT><BR><FONT = size=3D-1>incorporates them. The debate regarding he = linkage between=20 these bits and</FONT><BR><FONT size=3D-1>the cA bit in the basic = constraints=20 extension does not seem to be over, and</FONT><BR><FONT = size=3D-1>I have not=20 made any changes in that area. Please use this new thread=20 to</FONT><BR><FONT size=3D-1>discuss any remaining unresolved=20 points.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=3D-1> = The=20 keyCertSign bit is asserted when the subject public key = is</FONT><BR><FONT=20 size=3D-1> used for verifying = a=20 signature on public key certificates. This</FONT><BR><FONT=20 size=3D-1> bit MUST only be = asserted in=20 CA certificates. If the keyCertSign</FONT><BR><FONT=20 size=3D-1> bit is asserted, = then the cA=20 bit in the basic constraints</FONT><BR><FONT=20 size=3D-1> extension (see = 4.2.1.10) MUST=20 also be asserted. If neither the</FONT><BR><FONT=20 size=3D-1> cRLSign bit nor = the=20 keyCertSign bit are asserted, then the cA bit</FONT><BR><FONT=20 size=3D-1> in the basic = constraints=20 extension MUST NOT be asserted.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=3D-1> = The cRLSign=20 bit is asserted when the subject public key is = used</FONT><BR><FONT=20 size=3D-1> for verifying a = signature on=20 a certificate revocation list (e.g.,</FONT><BR><FONT=20 size=3D-1> a CRL or an = ARL). This=20 bit MUST be asserted in CA and Attribute</FONT><BR><FONT=20 size=3D-1> Authority (AA) = certificates=20 that are used to verify signatures on</FONT><BR><FONT=20 size=3D-1> CRLs. If the = cRLSign=20 bit is asserted in a CA certificate, then</FONT><BR><FONT=20 size=3D-1> the cA bit in the = basic=20 constraints extension (see 4.2.1.10) MUST</FONT><BR><FONT=20 size=3D-1> also be = asserted. If=20 the cRLSign bit is asserted in a AA</FONT><BR><FONT=20 size=3D-1> certificate, then = the cA bit=20 in the basic constraints extension</FONT><BR><FONT=20 size=3D-1> MUST NOT be = asserted. =20 Such AA certificates MUST NOT be used to</FONT><BR><FONT=20 size=3D-1> verify signatures = on CRLs=20 containing revocation information for</FONT><BR><FONT=20 size=3D-1> public key = certificates;=20 however, these AA certificates MAY be</FONT><BR><FONT=20 size=3D-1> used to verify = signatures on=20 CRLs containing revocation</FONT><BR><FONT=20 size=3D-1> information = concerning=20 attribute certificates. If neither the</FONT><BR><FONT=20 size=3D-1> cRLSign bit nor = the=20 keyCertSign bit are asserted, then the cA bit</FONT><BR><FONT=20 size=3D-1> in the basic = constraints=20 extension MUST NOT be asserted.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE><FONT size=3D-1>Russ</FONT></BLOCKQUOTE></BLOCKQUOTE> <DIV><BR></DIV></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0CDEA.5FD1CC00-- Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA20072 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 17:37:40 -0700 (PDT) Received: from [128.33.238.17] (TC017.BBN.COM [128.33.238.17]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id UAA14952; Wed, 25 Apr 2001 20:37:39 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <p05010400b70cdaa78f2e@[128.33.238.94]> In-Reply-To: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C65@exchange.valicert.com> References: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C65@exchange.valicert.com> Date: Wed, 25 Apr 2001 15:50:45 -0400 To: Ambarish Malpani <ambarish@valicert.com> From: Stephen Kent <kent@bbn.com> Subject: RE: keyCertSign and cRLSign Key Usage Bits Cc: ietf-pkix@imc.org Content-Type: multipart/alternative; boundary="============_-1223877090==_ma============" --============_-1223877090==_ma============ Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote: > >I agree, also. > >Ambarish I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard. Steve > > >--------------------------------------------------------------------- >Ambarish Malpani >Architect 650.567.5457 >ValiCert, Inc. ambarish@valicert.com >339 N. Bernardo Ave. ><http://www.valicert.com/>http://www.valicert.com >Mountain View, CA 94043 > >-----Original Message----- >From: Santosh Chokhani [mailto:chokhani@cygnacom.com] >Sent: Tuesday, April 24, 2001 8:22 AM >To: Housley, Russ; ietf-pkix@imc.org >Subject: RE: keyCertSign and cRLSign Key Usage Bits > >Russ: I agree with the text. > >I also know that Steve Kent and Sharon Boeyen feel that X.509 states >that only CA can issue CRL (the context of my comments being PKI >only and not PMI). > >But, using the theory that you suggest that the client be forgiving, >I would consider a client compliant if it did NOT check the basic >constraint extension while verifying a signature on a CRL. It need >to ensure that the cRLSign bit is set in the keyUsage extension. > >-----Original Message----- >From: Housley, Russ >[<mailto:rhousley@rsasecurity.com>mailto:rhousley@rsasecurity.com] >Sent: Tuesday, April 24, 2001 10:37 AM >To: ietf-pkix@imc.org >Subject: keyCertSign and cRLSign Key Usage Bits > > >The consensus on these bits is not totally clear to me. Yet, several >points have been consistently, and I think that the following text >incorporates them. The debate regarding he linkage between these bits and >the cA bit in the basic constraints extension does not seem to be over, and >I have not made any changes in that area. Please use this new thread to >discuss any remaining unresolved points. > > The keyCertSign bit is asserted when the subject public key is > used for verifying a signature on public key certificates. This > bit MUST only be asserted in CA certificates. If the keyCertSign > bit is asserted, then the cA bit in the basic constraints > extension (see 4.2.1.10) MUST also be asserted. If neither the > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > in the basic constraints extension MUST NOT be asserted. > > The cRLSign bit is asserted when the subject public key is used > for verifying a signature on a certificate revocation list (e.g., > a CRL or an ARL). This bit MUST be asserted in CA and Attribute > Authority (AA) certificates that are used to verify signatures on > CRLs. If the cRLSign bit is asserted in a CA certificate, then > the cA bit in the basic constraints extension (see 4.2.1.10) MUST > also be asserted. If the cRLSign bit is asserted in a AA > certificate, then the cA bit in the basic constraints extension > MUST NOT be asserted. Such AA certificates MUST NOT be used to > verify signatures on CRLs containing revocation information for > public key certificates; however, these AA certificates MAY be > used to verify signatures on CRLs containing revocation > information concerning attribute certificates. If neither the > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > in the basic constraints extension MUST NOT be asserted. > >Russ --============_-1223877090==_ma============ Content-Type: text/html; charset="us-ascii" <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type="text/css"><!-- blockquote, dl, ul, ol, li { margin-top: 0 ; margin-bottom: 0 } --></style><title>RE: keyCertSign and cRLSign Key Usage Bits</title></head><body> <div>At 10:55 AM -0700 4/24/01, Ambarish Malpani wrote:</div> <blockquote type="cite" cite> </blockquote> <blockquote type="cite" cite><font face="Arial" size="-1" color="#0000FF">I agree, also.</font></blockquote> <blockquote type="cite" cite><font face="Arial" size="-1" color="#0000FF"><br> Ambarish</font></blockquote> <div><br></div> <div>I disagree. We need to make a decision on whether a cert without a CA flag enabled can sign CRLs. If so, then we need to modify a lot of text in 2459, and in X.509, to say this clearly. Suggesting that a client be "forgiving" in this context is not a viable proposal for a standard.</div> <div><br> Steve</div> <blockquote type="cite" cite> <br> </blockquote> <blockquote type="cite" cite><font size="-1" >---------------------------------------------------------------------<br > Ambarish Malpani<br> Architect <span ></span > <span ></span > <span ></span > <span ></span> 650.567.5457<br> ValiCert, Inc. <span ></span > <span ></span > ambarish@valicert.com<br> 339 N. Bernardo Ave. <span ></span > <span ></span> </font> <a href="http://www.valicert.com/"><font size="-1">http://www.valicert.com</font></a><font size="-1"><br> Mountain View, CA 94043</font><br> <blockquote><font face="Tahoma" size="-1">-----Original Message-----<br> <b>From:</b> Santosh Chokhani [mailto:chokhani@cygnacom.com]<br> <b>Sent:</b> Tuesday, April 24, 2001 8:22 AM<br> <b>To:</b> Housley, Russ; ietf-pkix@imc.org<br> <b>Subject:</b> RE: keyCertSign and cRLSign Key Usage Bits</font><br> <font face="Tahoma" size="-1"></font></blockquote> <blockquote><font size="-1">Russ: I agree with the text.</font><br> </blockquote> <blockquote><font size="-1">I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI).</font><br> </blockquote> <blockquote><font size="-1">But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension.</font><br> </blockquote> <blockquote><font size="-1">-----Original Message-----</font><br> <font size="-1">From: Housley, Russ [</font><a href="mailto:rhousley@rsasecurity.com"><font size="-1">mailto:rhousley@rsasecurity.com</font></a><font size="-1">]</font><br> <font size="-1">Sent: Tuesday, April 24, 2001 10:37 AM</font><br> <font size="-1">To: ietf-pkix@imc.org</font><br> <font size="-1">Subject: keyCertSign and cRLSign Key Usage Bits</font><br> </blockquote> <blockquote><br></blockquote> <blockquote><font size="-1">The consensus on these bits is not totally clear to me. Yet, several</font><br> <font size="-1">points have been consistently, and I think that the following text</font><br> <font size="-1">incorporates them. The debate regarding he linkage between these bits and</font><br> <font size="-1">the cA bit in the basic constraints extension does not seem to be over, and</font><br> <font size="-1">I have not made any changes in that area. Please use this new thread to</font><br> <font size="-1">discuss any remaining unresolved points.</font><br> </blockquote> <blockquote><font size="-1"> The keyCertSign bit is asserted when the subject public key is</font><br> <font size="-1"> used for verifying a signature on public key certificates. This</font><br> <font size="-1"> bit MUST only be asserted in CA certificates. If the keyCertSign</font><br> <font size="-1"> bit is asserted, then the cA bit in the basic constraints</font><br> <font size="-1"> extension (see 4.2.1.10) MUST also be asserted. If neither the</font><br> <font size="-1"> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit</font><br> <font size="-1"> in the basic constraints extension MUST NOT be asserted.</font><br> </blockquote> <blockquote><font size="-1"> The cRLSign bit is asserted when the subject public key is used</font><br> <font size="-1"> for verifying a signature on a certificate revocation list (e.g.,</font><br> <font size="-1"> a CRL or an ARL). This bit MUST be asserted in CA and Attribute</font><br> <font size="-1"> Authority (AA) certificates that are used to verify signatures on</font><br> <font size="-1"> CRLs. If the cRLSign bit is asserted in a CA certificate, then</font><br> <font size="-1"> the cA bit in the basic constraints extension (see 4.2.1.10) MUST</font><br> <font size="-1"> also be asserted. If the cRLSign bit is asserted in a AA</font><br> <font size="-1"> certificate, then the cA bit in the basic constraints extension</font><br> <font size="-1"> MUST NOT be asserted. Such AA certificates MUST NOT be used to</font><br> <font size="-1"> verify signatures on CRLs containing revocation information for</font><br> <font size="-1"> public key certificates; however, these AA certificates MAY be</font><br> <font size="-1"> used to verify signatures on CRLs containing revocation</font><br> <font size="-1"> information concerning attribute certificates. If neither the</font><br> <font size="-1"> cRLSign bit nor the keyCertSign bit are asserted, then the cA bit</font><br> <font size="-1"> in the basic constraints extension MUST NOT be asserted.</font><br> </blockquote> <blockquote><font size="-1">Russ</font></blockquote> </blockquote> <div><br></div> </body> </html> --============_-1223877090==_ma============-- Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA16427 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 14:23:18 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-2.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id OAA10894; Wed, 25 Apr 2001 14:22:48 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id OAA23360; Wed, 25 Apr 2001 14:22:48 -0700 (PDT) Message-Id: <4.3.2.7.2.20010425140118.00b30850@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 25 Apr 2001 14:27:44 -0700 To: ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix -new-part1-06.txt comments) Cc: Sharon Boeyen <sharon.boeyen@entrust.com>, Peter Williams <peterw@valicert.com> In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FCF@sottmxs09.entrust .com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sharon and Peter, Thank you both for the explanations. I now understand that an "attribute certificate" does NOT certify a key. Thus, an "AA" is not an "[Attribute] Certificate Authority" (A-CA) but rather is an "[Attribute Certificate] Authority]" (AC-A). What is called a "CA" is actually a "(Public) Key Certificate Authority". Are there no instruments that attest (e.g.): "(anonymous) signer with this key is 21 years old"? That is, bind a "key to attributes, sans DN/Identity"? Could a CA do this using PMI extension attributes? Finally, does anyone know if the PKIX "CRL/ARL" maps to CARL/AARL? And does this imply that no one can sign or verify a list containing both PKC and AC revocations? Thanks again for your previous (extensive) response! ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA14457 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 12:40:49 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <J43HQZK7>; Wed, 25 Apr 2001 15:40:19 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FCF@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Tony Bartoletti'" <azb@llnl.gov>, "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix -new-part1-06.txt comments) Date: Wed, 25 Apr 2001 15:34:33 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CDBE.C166BD30" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CDBE.C166BD30 Content-Type: text/plain; charset="iso-8859-1" Tony, since PKIX profiles 509, here are answers from that standard. While PKIX may use different language to describe these, they should still be aligned with the basic definitions. Hope that helps Sharon > -----Original Message----- > From: Tony Bartoletti [mailto:azb@llnl.gov] > Sent: Wednesday, April 25, 2001 2:54 PM > To: David A. Cooper; ietf-pkix@imc.org > Subject: Re: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix-new-part1-06.txt comments) > > > All, > > In trying to parse this issue (and Russ Housley's previous > proposed text) it > appears that terminology needs a bit of shoring up, at least for me. > > Can anyone answer these "simple" questions? > > 1. Is a "CA Certificate" defined to be: > > a. A certificate whose subject is a CA > b. A certificate with "cA" bit set. > c. A certificate with either kCertSign or cRLSign set? > > (Are (a) and (b) equivalent "if its a CA certificate"?) Clause 7 "A CA-certificate is a certificate issued by a CA to a subject that is itslef a CA and therefore is capable of issuing public-key certificates." It then goes on to define the different types of CA-certificate (Self issued, Self signed and cross). No a) and b) are not strictly equivalent. Clause 8.4.2.1 on basic constraints "...with the certified public key being used to verify certificate signatures", that's the key to use of that bit in the extension. > > 2. Is the term "public key certificate" intended to represent: > > a. Only certificates that bind keys to "DN/Identity" > b. Certificates that bind keys to anything (e.g., "attributes") > > For instance, is an "Attribute Certificate" considered to be a > subset of "public key certificates", or not? No, attribute certificates are not subsets of public-key certificates. They are 'certificates' but do NOT contain a public-key and are therefore not a subset. (see 3.3.1 and 3.3.4.4) > > 3. Is an "AA" considered to be: > > a. A "CA that certifies attributes and not DN/Identity", > (yet still a CA, since they author/authorize certificates.) > b. Not a CA, since the term CA is "reserved" to "DN/Identity" > No an AA is not a CA of any sort. CA is an authority for public-key certificates only and AA is an authority for attribute certificates only (see 3.3.2 and 3.3.16. The term 'authority' used alone is defined to include both (see 3.3.6). > 4. Is an "AA Certificate" a form of "CA Certificate" or not? > (Answer should be derived from response to (3). No. (as per response to 3) > > 5. If both "CRLs and ARLs" are examples of "certificate > revocation lists" > then is an ARL: > > a. An instance of CRL (that happens not to revoke any > DN/ID certs)? > b. Never a CRL, since every CRL involves DN/ID certificates? Actually 509 added specific acronyms for each type of CRL. What used to be called an "ARL" (Authority Revocation List) is now a "CARL" Certification Authority Revocation List) and is a revocation list of public-key certificates issued to CAs that are no longer considered valid by the certificate issuer (3.3.17). The equivalent of that for attribute authorities would be an AARL (Attribute Authority Revocation List)as defined in 3.3.3. > > I submit that more than half of the dialogs/debates on this list can > be traced to confusion regarding these fundamental terms. > > ___tony___ > > > At 01:25 PM 4/25/01 -0400, David A. Cooper wrote: > >Steve, > > > >If we are going to change PKIX to require the cA bit in > basicConstraints > >to be set even when the subject public key can only be used > to verify > >signatures on CRLs, then we need to be sure that the text > clearly explains > >to readers when the cA bit should or should not be set. Currently > >new-part1-06 states that "[t]he cA bit indicates if the > certified public > >key may be used to verify signatures on other certificates." > The clearly > >is not accurate, since if the cA bit is set one still does not know > >whether the subject public key may be used to verify signatures on > >certificates. One must look at the keyUsage extension to make that > >determination. > > > >I think it would be helpful to the discussion that we are > having if you > >would clearly state your interpretation of the meaning of > the cA bit in > >basicConstraints. > > > > From what I have read so far, it appears that you believe > that the cA > > bit should be used to indicate if the subject of the > certificate is a CA. > > But, if this is the case, then new-part1-06 still does not > accurately > > reflect your notion of the cA bit. Currently the text > states that the cA > > bit may only be set if the keyCertSign bit or the cRLSign > bit in keyUsage > > is set. However, a CA does more than just issue > certificates and CRLs. A > > CA may have a private key dedicated to signing PKI > transaction messages > > (e.g., certification response, revocation response, > proof-of-possession > > challenge). If a certificate were issued to a CA with its > PKI transaction > > message verification key as the subject public key, neither the > > keyCertSign nor the cRLSign bit in KeyUsage would be set, > but the subject > > of the certificate would still be a CA. > > > >So, should the cA bit be used to indicate if the certificate > subject is a > >CA or to indicate that the subject public key may be used to verify > >signatures on certificates and/or CRLs? If the latter, then not all > >certificates issued to CAs will have the cA bit set. > > > >Dave > > > >At 01:31 PM 4/20/01 -0400, Stephen Kent wrote: > > >>The description of basic constraints in X.509 further > supports the idea > > that the cA bit is used to specify certificate issuing, not > certificate > > and/or CRL issuing: > > >> > > >>"This field indicates if the subject may act as a CA, with the > > certified public key being used to verify certificate > signatures. ... The > > cA component indicates if the certified public key may be > used to verify > > certificate signatures. ... if the value of cA is not set to > true then the > > certified public key shall not be used to verify a > certificate signature" > > >> > > >> > > >>pkix-new-part1-05 states something similar: > > >> > > >>"The cA bit indicates if the certified public key may be > used to verify > > signatures on other certificates. If the cA bit is > asserted, then the > > keyCertSign bit in the key usage extension (see 4.2.1.3) > MUST also be > > asserted. If the cA bit is not asserted, then the > keyCertSign bit in the > > key usage extension MUST NOT be asserted." > > > > > >again, this supports the notion that a CA signs certs, but it says > > nothing about whether a CA or some other entity signs CRLs. We have > > uncovered a number of instances where less than perfect > wording has lead > > to confusion and our recent dialogue suggests that some of > the quotes you > > cite are examples of this. > > Tony Bartoletti 925-422-3881 <azb@llnl.gov> > Information Operations, Warfare and Assurance Center > Lawrence Livermore National Laboratory > Livermore, CA 94551-9900 > > > > ------_=_NextPart_001_01C0CDBE.C166BD30 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: = draft-ietf-pkix-new-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Tony, since PKIX profiles 509, here are answers from = that standard. While PKIX may </FONT> <BR><FONT SIZE=3D2>use different language to describe these, they = should still be aligned with the </FONT> <BR><FONT SIZE=3D2>basic definitions. </FONT> </P> <P><FONT SIZE=3D2>Hope that helps</FONT> <BR><FONT SIZE=3D2>Sharon</FONT> </P> <P><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Tony Bartoletti [<A = HREF=3D"mailto:azb@llnl.gov">mailto:azb@llnl.gov</A>]</FONT> <BR><FONT SIZE=3D2>> Sent: Wednesday, April 25, 2001 2:54 PM</FONT> <BR><FONT SIZE=3D2>> To: David A. Cooper; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: Re: cA flag and CRL issuers (was Re: = Last Call:</FONT> <BR><FONT SIZE=3D2>> draft-ietf-pkix-new-part1-06.txt = comments)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> All,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> In trying to parse this issue (and Russ = Housley's previous </FONT> <BR><FONT SIZE=3D2>> proposed text) it</FONT> <BR><FONT SIZE=3D2>> appears that terminology needs a bit of shoring = up, at least for me.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Can anyone answer these "simple" = questions?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 1. Is a "CA Certificate" = defined to be:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> a. A = certificate whose subject is a CA</FONT> <BR><FONT SIZE=3D2>> b. A = certificate with "cA" bit set.</FONT> <BR><FONT SIZE=3D2>> c. A = certificate with either kCertSign or cRLSign set?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT = SIZE=3D2>> = (Are (a) and (b) equivalent "if its a CA = certificate"?)</FONT> </P> <P><FONT SIZE=3D2>Clause 7 "A CA-certificate is a certificate = issued by a CA to a subject that is itslef a CA and therefore is = capable of issuing public-key certificates." It then goes on to = define the different types of CA-certificate (Self issued, Self signed = and cross).</FONT></P> <P><FONT SIZE=3D2>No a) and b) are not strictly equivalent. Clause = 8.4.2.1 on basic constraints "...with the certified public key = being used to verify certificate signatures", that's the key to = use of that bit in the extension.</FONT></P> <P><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 2. Is the term "public key = certificate" intended to represent:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> a. Only = certificates that bind keys to "DN/Identity"</FONT> <BR><FONT SIZE=3D2>> b. = Certificates that bind keys to anything (e.g., = "attributes")</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> For instance, is = an "Attribute Certificate" considered to be a</FONT> <BR><FONT SIZE=3D2>> subset of = "public key certificates", or not?</FONT> </P> <P><FONT SIZE=3D2>No, attribute certificates are not subsets of = public-key certificates. They are </FONT> <BR><FONT SIZE=3D2>'certificates' but do NOT contain a public-key and = are therefore not a subset.</FONT> <BR><FONT SIZE=3D2>(see 3.3.1 and 3.3.4.4)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 3. Is an "AA" considered to = be:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> a. A = "CA that certifies attributes and not DN/Identity",</FONT> <BR><FONT = SIZE=3D2>> = (yet still a CA, since they author/authorize certificates.)</FONT> <BR><FONT SIZE=3D2>> b. Not a = CA, since the term CA is "reserved" to = "DN/Identity"</FONT> <BR><FONT SIZE=3D2>> </FONT> </P> <P><FONT SIZE=3D2>No an AA is not a CA of any sort. CA is an authority = for public-key</FONT> <BR><FONT SIZE=3D2>certificates only and AA is an authority for = attribute certificates only </FONT> <BR><FONT SIZE=3D2>(see 3.3.2 and 3.3.16. The term 'authority' used = alone is defined to include</FONT> <BR><FONT SIZE=3D2>both (see 3.3.6). </FONT> </P> <P><FONT SIZE=3D2>> 4. Is an "AA Certificate" a form = of "CA Certificate" or not?</FONT> <BR><FONT SIZE=3D2>> (Answer should be = derived from response to (3).</FONT> </P> <P><FONT SIZE=3D2>No. (as per response to 3) </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 5. If both "CRLs and ARLs" are = examples of "certificate </FONT> <BR><FONT SIZE=3D2>> revocation lists"</FONT> <BR><FONT SIZE=3D2>> then is an = ARL:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> a. An = instance of CRL (that happens not to revoke any </FONT> <BR><FONT SIZE=3D2>> DN/ID certs)?</FONT> <BR><FONT SIZE=3D2>> b. Never a = CRL, since every CRL involves DN/ID certificates?</FONT> </P> <P><FONT SIZE=3D2>Actually 509 added specific acronyms for each type of = CRL. What used </FONT> <BR><FONT SIZE=3D2>to be called an "ARL" (Authority = Revocation List) is now a "CARL" </FONT> <BR><FONT SIZE=3D2>Certification Authority Revocation List) and is a = revocation list of public-key</FONT> <BR><FONT SIZE=3D2>certificates issued to CAs that are no longer = considered valid by the </FONT> <BR><FONT SIZE=3D2>certificate issuer (3.3.17). The equivalent of that = for attribute authorities </FONT> <BR><FONT SIZE=3D2>would be an AARL (Attribute Authority Revocation = List)as defined in 3.3.3. </FONT> </P> <P><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I submit that more than half of the = dialogs/debates on this list can</FONT> <BR><FONT SIZE=3D2>> be traced to confusion regarding these = fundamental terms.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> ___tony___</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> At 01:25 PM 4/25/01 -0400, David A. Cooper = wrote:</FONT> <BR><FONT SIZE=3D2>> >Steve,</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >If we are going to change PKIX to require = the cA bit in </FONT> <BR><FONT SIZE=3D2>> basicConstraints </FONT> <BR><FONT SIZE=3D2>> >to be set even when the subject public key = can only be used </FONT> <BR><FONT SIZE=3D2>> to verify </FONT> <BR><FONT SIZE=3D2>> >signatures on CRLs, then we need to be sure = that the text </FONT> <BR><FONT SIZE=3D2>> clearly explains </FONT> <BR><FONT SIZE=3D2>> >to readers when the cA bit should or should = not be set. Currently </FONT> <BR><FONT SIZE=3D2>> >new-part1-06 states that "[t]he cA bit = indicates if the </FONT> <BR><FONT SIZE=3D2>> certified public </FONT> <BR><FONT SIZE=3D2>> >key may be used to verify signatures on = other certificates." </FONT> <BR><FONT SIZE=3D2>> The clearly </FONT> <BR><FONT SIZE=3D2>> >is not accurate, since if the cA bit is set = one still does not know </FONT> <BR><FONT SIZE=3D2>> >whether the subject public key may be used = to verify signatures on </FONT> <BR><FONT SIZE=3D2>> >certificates. One must look at the keyUsage = extension to make that </FONT> <BR><FONT SIZE=3D2>> >determination.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >I think it would be helpful to the = discussion that we are </FONT> <BR><FONT SIZE=3D2>> having if you </FONT> <BR><FONT SIZE=3D2>> >would clearly state your interpretation of = the meaning of </FONT> <BR><FONT SIZE=3D2>> the cA bit in </FONT> <BR><FONT SIZE=3D2>> >basicConstraints.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > From what I have read so far, it = appears that you believe </FONT> <BR><FONT SIZE=3D2>> that the cA </FONT> <BR><FONT SIZE=3D2>> > bit should be used to indicate if the = subject of the </FONT> <BR><FONT SIZE=3D2>> certificate is a CA. </FONT> <BR><FONT SIZE=3D2>> > But, if this is the case, then = new-part1-06 still does not </FONT> <BR><FONT SIZE=3D2>> accurately </FONT> <BR><FONT SIZE=3D2>> > reflect your notion of the cA bit. = Currently the text </FONT> <BR><FONT SIZE=3D2>> states that the cA </FONT> <BR><FONT SIZE=3D2>> > bit may only be set if the keyCertSign bit = or the cRLSign </FONT> <BR><FONT SIZE=3D2>> bit in keyUsage </FONT> <BR><FONT SIZE=3D2>> > is set. However, a CA does more than just = issue </FONT> <BR><FONT SIZE=3D2>> certificates and CRLs. A </FONT> <BR><FONT SIZE=3D2>> > CA may have a private key dedicated to = signing PKI </FONT> <BR><FONT SIZE=3D2>> transaction messages </FONT> <BR><FONT SIZE=3D2>> > (e.g., certification response, revocation = response, </FONT> <BR><FONT SIZE=3D2>> proof-of-possession </FONT> <BR><FONT SIZE=3D2>> > challenge). If a certificate were issued = to a CA with its </FONT> <BR><FONT SIZE=3D2>> PKI transaction </FONT> <BR><FONT SIZE=3D2>> > message verification key as the subject = public key, neither the </FONT> <BR><FONT SIZE=3D2>> > keyCertSign nor the cRLSign bit in = KeyUsage would be set, </FONT> <BR><FONT SIZE=3D2>> but the subject </FONT> <BR><FONT SIZE=3D2>> > of the certificate would still be a = CA.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >So, should the cA bit be used to indicate = if the certificate </FONT> <BR><FONT SIZE=3D2>> subject is a </FONT> <BR><FONT SIZE=3D2>> >CA or to indicate that the subject public = key may be used to verify </FONT> <BR><FONT SIZE=3D2>> >signatures on certificates and/or CRLs? If = the latter, then not all </FONT> <BR><FONT SIZE=3D2>> >certificates issued to CAs will have the cA = bit set.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Dave</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >At 01:31 PM 4/20/01 -0400, Stephen Kent = wrote:</FONT> <BR><FONT SIZE=3D2>> > >>The description of basic = constraints in X.509 further </FONT> <BR><FONT SIZE=3D2>> supports the idea </FONT> <BR><FONT SIZE=3D2>> > that the cA bit is used to specify = certificate issuing, not </FONT> <BR><FONT SIZE=3D2>> certificate </FONT> <BR><FONT SIZE=3D2>> > and/or CRL issuing:</FONT> <BR><FONT SIZE=3D2>> > >></FONT> <BR><FONT SIZE=3D2>> > >>"This field indicates if the = subject may act as a CA, with the </FONT> <BR><FONT SIZE=3D2>> > certified public key being used to verify = certificate </FONT> <BR><FONT SIZE=3D2>> signatures. ... The </FONT> <BR><FONT SIZE=3D2>> > cA component indicates if the certified = public key may be </FONT> <BR><FONT SIZE=3D2>> used to verify </FONT> <BR><FONT SIZE=3D2>> > certificate signatures. ... if the value = of cA is not set to </FONT> <BR><FONT SIZE=3D2>> true then the </FONT> <BR><FONT SIZE=3D2>> > certified public key shall not be used to = verify a </FONT> <BR><FONT SIZE=3D2>> certificate signature"</FONT> <BR><FONT SIZE=3D2>> > >></FONT> <BR><FONT SIZE=3D2>> > >></FONT> <BR><FONT SIZE=3D2>> > >>pkix-new-part1-05 states something = similar:</FONT> <BR><FONT SIZE=3D2>> > >></FONT> <BR><FONT SIZE=3D2>> > >>"The cA bit indicates if the = certified public key may be </FONT> <BR><FONT SIZE=3D2>> used to verify </FONT> <BR><FONT SIZE=3D2>> > signatures on other certificates. If the = cA bit is </FONT> <BR><FONT SIZE=3D2>> asserted, then the </FONT> <BR><FONT SIZE=3D2>> > keyCertSign bit in the key usage extension = (see 4.2.1.3) </FONT> <BR><FONT SIZE=3D2>> MUST also be </FONT> <BR><FONT SIZE=3D2>> > asserted. If the cA bit is not asserted, = then the </FONT> <BR><FONT SIZE=3D2>> keyCertSign bit in the </FONT> <BR><FONT SIZE=3D2>> > key usage extension MUST NOT be = asserted."</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > >again, this supports the notion that a = CA signs certs, but it says </FONT> <BR><FONT SIZE=3D2>> > nothing about whether a CA or some other = entity signs CRLs. We have </FONT> <BR><FONT SIZE=3D2>> > uncovered a number of instances where less = than perfect </FONT> <BR><FONT SIZE=3D2>> wording has lead </FONT> <BR><FONT SIZE=3D2>> > to confusion and our recent dialogue = suggests that some of </FONT> <BR><FONT SIZE=3D2>> the quotes you </FONT> <BR><FONT SIZE=3D2>> > cite are examples of this.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Tony Bartoletti 925-422-3881 = <azb@llnl.gov></FONT> <BR><FONT SIZE=3D2>> Information Operations, Warfare and Assurance = Center</FONT> <BR><FONT SIZE=3D2>> Lawrence Livermore National Laboratory</FONT> <BR><FONT SIZE=3D2>> Livermore, CA 94551-9900</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CDBE.C166BD30-- Received: from smtp-1.llnl.gov (smtp-1.llnl.gov [128.115.250.81]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA13370 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 11:50:11 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-1.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id LAA16170; Wed, 25 Apr 2001 11:49:42 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id LAA16014; Wed, 25 Apr 2001 11:49:42 -0700 (PDT) Message-Id: <4.3.2.7.2.20010425112229.00aee7a0@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 25 Apr 2001 11:54:09 -0700 To: "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <4.2.2.20010425132032.00af9740@email.nist.gov> References: <p05010410b7051d55d9b1@[128.33.4.39]> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id LAA13371 All, In trying to parse this issue (and Russ Housley's previous proposed text) it appears that terminology needs a bit of shoring up, at least for me. Can anyone answer these "simple" questions? 1. Is a "CA Certificate" defined to be: a. A certificate whose subject is a CA b. A certificate with "cA" bit set. c. A certificate with either kCertSign or cRLSign set? (Are (a) and (b) equivalent "if its a CA certificate"?) 2. Is the term "public key certificate" intended to represent: a. Only certificates that bind keys to "DN/Identity" b. Certificates that bind keys to anything (e.g., "attributes") For instance, is an "Attribute Certificate" considered to be a subset of "public key certificates", or not? 3. Is an "AA" considered to be: a. A "CA that certifies attributes and not DN/Identity", (yet still a CA, since they author/authorize certificates.) b. Not a CA, since the term CA is "reserved" to "DN/Identity" 4. Is an "AA Certificate" a form of "CA Certificate" or not? (Answer should be derived from response to (3). 5. If both "CRLs and ARLs" are examples of "certificate revocation lists" then is an ARL: a. An instance of CRL (that happens not to revoke any DN/ID certs)? b. Never a CRL, since every CRL involves DN/ID certificates? I submit that more than half of the dialogs/debates on this list can be traced to confusion regarding these fundamental terms. ___tony___ At 01:25 PM 4/25/01 -0400, David A. Cooper wrote: >Steve, > >If we are going to change PKIX to require the cA bit in basicConstraints >to be set even when the subject public key can only be used to verify >signatures on CRLs, then we need to be sure that the text clearly explains >to readers when the cA bit should or should not be set. Currently >new-part1-06 states that "[t]he cA bit indicates if the certified public >key may be used to verify signatures on other certificates." The clearly >is not accurate, since if the cA bit is set one still does not know >whether the subject public key may be used to verify signatures on >certificates. One must look at the keyUsage extension to make that >determination. > >I think it would be helpful to the discussion that we are having if you >would clearly state your interpretation of the meaning of the cA bit in >basicConstraints. > > From what I have read so far, it appears that you believe that the cA > bit should be used to indicate if the subject of the certificate is a CA. > But, if this is the case, then new-part1-06 still does not accurately > reflect your notion of the cA bit. Currently the text states that the cA > bit may only be set if the keyCertSign bit or the cRLSign bit in keyUsage > is set. However, a CA does more than just issue certificates and CRLs. A > CA may have a private key dedicated to signing PKI transaction messages > (e.g., certification response, revocation response, proof-of-possession > challenge). If a certificate were issued to a CA with its PKI transaction > message verification key as the subject public key, neither the > keyCertSign nor the cRLSign bit in KeyUsage would be set, but the subject > of the certificate would still be a CA. > >So, should the cA bit be used to indicate if the certificate subject is a >CA or to indicate that the subject public key may be used to verify >signatures on certificates and/or CRLs? If the latter, then not all >certificates issued to CAs will have the cA bit set. > >Dave > >At 01:31 PM 4/20/01 -0400, Stephen Kent wrote: > >>The description of basic constraints in X.509 further supports the idea > that the cA bit is used to specify certificate issuing, not certificate > and/or CRL issuing: > >> > >>"This field indicates if the subject may act as a CA, with the > certified public key being used to verify certificate signatures. Â… The > cA component indicates if the certified public key may be used to verify > certificate signatures. Â… if the value of cA is not set to true then the > certified public key shall not be used to verify a certificate signature" > >> > >> > >>pkix-new-part1-05 states something similar: > >> > >>"The cA bit indicates if the certified public key may be used to verify > signatures on other certificates. If the cA bit is asserted, then the > keyCertSign bit in the key usage extension (see 4.2.1.3) MUST also be > asserted. If the cA bit is not asserted, then the keyCertSign bit in the > key usage extension MUST NOT be asserted." > > > >again, this supports the notion that a CA signs certs, but it says > nothing about whether a CA or some other entity signs CRLs. We have > uncovered a number of instances where less than perfect wording has lead > to confusion and our recent dialogue suggests that some of the quotes you > cite are examples of this. Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA10270 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 10:25:38 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id NAA21167 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 13:25:38 -0400 (EDT) Message-Id: <4.2.2.20010425132032.00af9740@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 25 Apr 2001 13:25:23 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <p05010410b7051d55d9b1@[128.33.4.39]> References: <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id KAA10272 Steve, If we are going to change PKIX to require the cA bit in basicConstraints to be set even when the subject public key can only be used to verify signatures on CRLs, then we need to be sure that the text clearly explains to readers when the cA bit should or should not be set. Currently new-part1-06 states that "[t]he cA bit indicates if the certified public key may be used to verify signatures on other certificates." The clearly is not accurate, since if the cA bit is set one still does not know whether the subject public key may be used to verify signatures on certificates. One must look at the keyUsage extension to make that determination. I think it would be helpful to the discussion that we are having if you would clearly state your interpretation of the meaning of the cA bit in basicConstraints. From what I have read so far, it appears that you believe that the cA bit should be used to indicate if the subject of the certificate is a CA. But, if this is the case, then new-part1-06 still does not accurately reflect your notion of the cA bit. Currently the text states that the cA bit may only be set if the keyCertSign bit or the cRLSign bit in keyUsage is set. However, a CA does more than just issue certificates and CRLs. A CA may have a private key dedicated to signing PKI transaction messages (e.g., certification response, revocation response, proof-of-possession challenge). If a certificate were issued to a CA with its PKI transaction message verification key as the subject public key, neither the keyCertSign nor the cRLSign bit in KeyUsage would be set, but the subject of the certificate would still be a CA. So, should the cA bit be used to indicate if the certificate subject is a CA or to indicate that the subject public key may be used to verify signatures on certificates and/or CRLs? If the latter, then not all certificates issued to CAs will have the cA bit set. Dave At 01:31 PM 4/20/01 -0400, Stephen Kent wrote: >>The description of basic constraints in X.509 further supports the idea that the cA bit is used to specify certificate issuing, not certificate and/or CRL issuing: >> >>"This field indicates if the subject may act as a CA, with the certified public key being used to verify certificate signatures. Â… The cA component indicates if the certified public key may be used to verify certificate signatures. Â… if the value of cA is not set to true then the certified public key shall not be used to verify a certificate signature" >> >> >>pkix-new-part1-05 states something similar: >> >>"The cA bit indicates if the certified public key may be used to verify signatures on other certificates. If the cA bit is asserted, then the keyCertSign bit in the key usage extension (see 4.2.1.3) MUST also be asserted. If the cA bit is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted." > >again, this supports the notion that a CA signs certs, but it says nothing about whether a CA or some other entity signs CRLs. We have uncovered a number of instances where less than perfect wording has lead to confusion and our recent dialogue suggests that some of the quotes you cite are examples of this. Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA08528 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 09:58:02 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id MAA23749; Wed, 25 Apr 2001 12:56:55 -0400 (EDT) Message-Id: <200104251656.MAA23745@stingray.missi.ncsc.mil> From: "Fillingham, David W." <dwfilli@missi.ncsc.mil> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, "'pki-twg@nist.gov'" <pki-twg@nist.gov>, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, * ALL FIREBURST USERS * <all@missi.ncsc.mil>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, "'judith.spencer@gsa.gov'" <judith.spencer@gsa.gov>, "'Michelle.Moldenhauer@do.treas.gov'" <Michelle.Moldenhauer@do.treas.gov>, "'Steve Hanna (SUN)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com> Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations Date: Wed, 25 Apr 2001 13:00:07 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/mixed; boundary="------------InterScan_NT_MIME_Boundary" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --------------InterScan_NT_MIME_Boundary Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CDA9.2E45D730" ------_=_NextPart_001_01C0CDA9.2E45D730 Content-Type: text/plain; charset="ISO-8859-1" This is a reminder that showings of the Department of Defense Bridge Certification Authority Technology Demonstration will begin tomorrow. There are about 110 open slots (total) for those who would like to view one of our nine scheduled demonstrations. If you have already registered for the demonstration, you should have received an e-mail confirmation that you have been registered. A network failure here on 6 - 9 April may have prevented some of your registration requests from being received. If you did not receive an e-mail confirmation, please re-register. Demonstration dates, times, directions, and registration instructions are included below. Dave Fillingham NSA > -----Original Message----- > From: Fillingham, David W. > Sent: Friday, April 06, 2001 10:49 AM > To: 'ietf-pkix@imc.org'; 'KPCMWG'; 'DoD PKI TWG'; 'pki-twg@nist.gov'; > 'Bridge CA Mail List'; 'BCA Integration'; * ALL FIREBURST USERS *; 'Steve > Capps'; Wagner, Clark J.; 'judith.spencer@gsa.gov'; > 'Michelle.Moldenhauer@do.treas.gov'; 'Steve Hanna (SUN)'; 'Susan Dernik' > Subject: DoD Bridge Certification Authority Phase II Demonstrations > > For the last few years, the National Security Agency has led the > development of Bridge Certification Authority (BCA) technology > demonstrations. In 1999, Phase One of the Department of Defense BCA > Technology Demonstration showed the technical feasibility of achieving > signed e-mail interoperability using multi-vendor cross-certification in > conjunction with chained directory systems. > > Phase Two of the demonstration is now ready to be shown. Phase Two of the > DoD Bridge CA Phase II Technology Demonstration includes: > > Technologies: > > -- Certificate chain building in complex certificate graphs; > -- Integration of both mesh-style cross-certified PKIs and hierarchical > PKIs; > -- Multi-signature/hash algorithm processing in certificate chains; > -- Certificate acceptance/rejection based on Certificate Policy > processing, including policy mapping; > -- Transitive trust limitation using Name Constraints processing; > -- Access Control using X.509 compliant attribute certificates (same > attribute certificates used for e-mail and web based access control); > -- E-mail access control using S/MIME V3 labeling; > -- E-mail encryption using public key certificates authenticated via a > Bridge Certification Authority; > -- Border Directories; > -- Multivendor directory interoperation via X.500 chaining; and, > -- Transparent sharing of certificate revocation information across > several PKIs using products of multiple PKI vendors. > > Client Applications: > > -- Baltimore Technologies MailSecure enabled Microsoft Outlook > -- Entrust Enabled Microsoft Outlook > -- Getronics S/MIME Freeware Library, Certificate Management Library, and > Access Control Library enabled Qualcomm Eudora > -- Getronics Certificate Management Library and Access Control Library > enabled Netscape Web Server > > Freeware Libraries: > > -- Cygnacom Certificate Path Development Library > <http://www.cygnacom.com/products/index.htm> > > -- Getronics S/MIME (Version 3) Freeware Library > <http://www.getronicsgov.com/hot/sfl_home.htm> > > -- Getronics Certificate Management Library > <http://www.getronicsgov.com/hot/cml_home.htm> > > -- Getronics Access Control Library > <http://www.getronicsgov.com/hot/acl_home.htm> > > CA vendor interoperability demonstrations: > > -- Baltimore Technologies > -- Entrust Technologies > -- Motorola > -- SPYRUS > > Directory Interoperability: > > -- Entrust ICL > -- Entegrity Safepages Directory > > Demonstrations will be held at the following locations and dates (note > that you MUST REGISTER to attend! Registration information is provided > below): > > ---------- > CygnaCom > Suite 100 West > 7927 Jones Branch Dr. > McLean, Virginia > > Directions to CygnaCom are located at: > <http://www.cygnacom.com/contact/directions.htm> > > 26 April 2001 - 0900 > > 26 April 2001 - 1300 > > 16 May 2001 - 0900 > > 16 May 2001 - 1300 > > --------- > Getronics Government Solutions > 141 National Business Parkway, Suite 210 > Annapolis Junction, Maryland > > From Washington DC: Take I-95 north; take MD Rt 32 east exit; take Dorsey > Run exit; at stop sign turn left on Dorsey Run; at stop light turn right > on > Guilford Road which becomes National Business Pkwy. > > From Baltimore: Take BW Parkway (295) south; take MD Rt 32 west exit; stay > in right lane of the exit which runs into National Business Pkwy; make a > right on National Business Pkwy. > > 30 April 2001 - 1300 > > 8 May 2001 - 0900 > > 8 May 2001 - 1300 > > 24 May 2001 - 0900 > > 24 May 2001 - 1300 > > --------- > > All showings last about half a day - with a mixture of conference room > briefings and laboratory demonstrations. > > We are limited by available demonstration space to an absolute maximum of > 20 participants at each showing. > > IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER (llfaulk@missi.ncsc.mil > <mailto:llfaulk@missi.ncsc.mil>) AND MYSELF (dwfilli@missi.ncsc.mil > <mailto:dwfilli@missi.ncsc.mil>) IF YOU PLAN TO ATTEND. IF YOU DO NOT > REGISTER TO ATTEND, YOU WILL NOT BE ADMITTED TO THE DEMONSTRATION. > > Please provide the following information to register: > > -- Name > -- Organization > -- E-mail address > -- Date and time of the demonstration showing you wish to attend (with > alternates, if possible) > > We look forward to seeing you at the demonstration! > > Dave Fillingham > NSA > > ------_=_NextPart_001_01C0CDA9.2E45D730 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3DISO-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2653.12"> <TITLE>RE: DoD Bridge Certification Authority Phase II = Demonstrations</TITLE> </HEAD> <BODY> <P><FONT COLOR=3D"#000080" SIZE=3D2 FACE=3D"Arial">This is a reminder = that showings of the Department of Defense Bridge Certification = Authority Technology Demonstration will begin tomorrow. There are = about 110 open slots (total) for those who would like to view one of = our nine scheduled demonstrations.</FONT></P> <P><FONT COLOR=3D"#000080" SIZE=3D2 FACE=3D"Arial">If you have already = registered for the demonstration, you should have received an e-mail = confirmation that you have been registered. A network failure = here on 6 - 9 April may have prevented some of your registration = requests from being received. If you did not receive an e-mail = confirmation, please re-register.</FONT></P> <P><FONT COLOR=3D"#000080" SIZE=3D2 FACE=3D"Arial">Demonstration dates, = times, directions, and registration instructions are included = below.</FONT> </P> <P><FONT COLOR=3D"#000080" SIZE=3D2 FACE=3D"Arial">Dave = Fillingham</FONT> <BR><FONT COLOR=3D"#000080" SIZE=3D2 FACE=3D"Arial">NSA</FONT> </P> <UL> <P><FONT SIZE=3D1 FACE=3D"Arial">-----Original Message-----</FONT> <BR><B><FONT SIZE=3D1 FACE=3D"Arial">From: </FONT></B> <FONT = SIZE=3D1 FACE=3D"Arial">Fillingham, David W. </FONT> <BR><B><FONT SIZE=3D1 FACE=3D"Arial">Sent: </FONT></B> <FONT = SIZE=3D1 FACE=3D"Arial">Friday, April 06, 2001 10:49 AM</FONT> <BR><B><FONT SIZE=3D1 = FACE=3D"Arial">To: </FONT></B> <FONT SIZE=3D1 = FACE=3D"Arial">'ietf-pkix@imc.org'; 'KPCMWG'; 'DoD PKI TWG'; = 'pki-twg@nist.gov'; 'Bridge CA Mail List'; 'BCA Integration'; * ALL = FIREBURST USERS *; 'Steve Capps'; Wagner, Clark J.; = 'judith.spencer@gsa.gov'; 'Michelle.Moldenhauer@do.treas.gov'; 'Steve = Hanna (SUN)'; 'Susan Dernik'</FONT></P> <P><B><FONT SIZE=3D1 = FACE=3D"Arial">Subject: </FONT>= </B> <FONT SIZE=3D1 FACE=3D"Arial">DoD Bridge Certification Authority = Phase II Demonstrations</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">For the last few years, the National = Security Agency has led the development of Bridge Certification = Authority (BCA) technology demonstrations. In 1999, Phase One of = the Department of Defense BCA Technology Demonstration showed the = technical feasibility of achieving signed e-mail interoperability using = multi-vendor cross-certification in conjunction with chained directory = systems.</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Phase Two of the demonstration is now = ready to be shown. Phase Two of the DoD Bridge CA Phase II = Technology Demonstration includes: </FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Technologies: </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Certificate chain building = in complex certificate graphs;</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Integration of both = mesh-style cross-certified PKIs and hierarchical PKIs;</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Multi-signature/hash = algorithm processing in certificate chains;</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Certificate = acceptance/rejection based on Certificate Policy processing, including = policy mapping;<BR> -- Transitive trust limitation using Name Constraints = processing;<BR> -- Access Control using X.509 compliant attribute certificates = (same attribute certificates used for e-mail and web based access = control);</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial">-- E-mail access control using = S/MIME V3 labeling;<BR> -- E-mail encryption using public key certificates authenticated = via a Bridge Certification Authority;<BR> -- Border Directories;<BR> -- Multivendor directory interoperation via X.500 chaining; = and,</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Transparent sharing of = certificate revocation information across several PKIs using = products of multiple PKI vendors.</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Client Applications: </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Baltimore Technologies = MailSecure enabled Microsoft Outlook</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Entrust Enabled Microsoft = Outlook<BR> -- Getronics S/MIME Freeware Library, Certificate Management = Library, and Access Control Library enabled Qualcomm Eudora<BR> -- Getronics Certificate Management Library and Access Control = Library enabled Netscape Web Server</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Freeware Libraries:</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Cygnacom Certificate Path = Development Library</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> <<A = HREF=3D"http://www.cygnacom.com/products/index.htm" = TARGET=3D"_blank">http://www.cygnacom.com/products/index.htm</A>></FO= NT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">-- Getronics S/MIME (Version 3) = Freeware Library</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> <<A = HREF=3D"http://www.getronicsgov.com/hot/sfl_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/sfl_home.htm</A>></= FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">-- Getronics Certificate = Management Library</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> <<A = HREF=3D"http://www.getronicsgov.com/hot/cml_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/cml_home.htm</A>></= FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">-- Getronics Access Control = Library</FONT> <BR><FONT SIZE=3D2 = FACE=3D"Arial"> = <<A HREF=3D"http://www.getronicsgov.com/hot/acl_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/acl_home.htm</A>></= FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">CA vendor interoperability = demonstrations: </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Baltimore Technologies<BR> -- Entrust Technologies<BR> -- Motorola<BR> -- SPYRUS </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Directory Interoperability:</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">-- Entrust ICL</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Entegrity Safepages = Directory</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Demonstrations will be held at the = following locations and dates (note that you MUST REGISTER to = attend! Registration information is provided below):</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">----------</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">CygnaCom</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Suite 100 West</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">7927 Jones Branch Dr.<BR> McLean, Virginia</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Directions to CygnaCom are located = at: <U> <<A = HREF=3D"http://www.cygnacom.com/contact/directions.htm" = TARGET=3D"_blank">http://www.cygnacom.com/contact/directions.htm</A>>= </U> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">26 April 2001 - 0900</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">26 April 2001 - 1300</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">16 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">16 May 2001 - 1300</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">---------</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Getronics Government Solutions</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">141 National Business Parkway, Suite = 210</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Annapolis Junction, Maryland</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">From Washington DC: Take I-95 north; = take MD Rt 32 east exit; take Dorsey</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Run exit; at stop sign turn left on = Dorsey Run; at stop light turn right on</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Guilford Road which becomes National = Business Pkwy. </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">From Baltimore: Take BW Parkway (295) = south; take MD Rt 32 west exit; stay</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">in right lane of the exit which runs = into National Business Pkwy; make a</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">right on National Business = Pkwy.</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">30 April 2001 - 1300</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">8 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">8 May 2001 - 1300</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">24 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">24 May 2001 - 1300 </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">---------</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">All showings last about half a day - = with a mixture of conference room briefings and laboratory = demonstrations.</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">We are limited by available = demonstration space to an absolute maximum of 20 participants at each = showing. </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">IMPORTANT: PLEASE REGISTER WITH = LISA FAULKNER (</FONT><U><FONT SIZE=3D2 = FACE=3D"Arial">llfaulk@missi.ncsc.mil <<A = HREF=3D"mailto:llfaulk@missi.ncsc.mil">mailto:llfaulk@missi.ncsc.mil</A>= ></FONT></U><FONT SIZE=3D2 FACE=3D"Arial">) AND MYSELF = (</FONT><U><FONT SIZE=3D2 FACE=3D"Arial">dwfilli@missi.ncsc.mil <<A = HREF=3D"mailto:dwfilli@missi.ncsc.mil">mailto:dwfilli@missi.ncsc.mil</A>= ></FONT></U><FONT SIZE=3D2 FACE=3D"Arial">) IF YOU PLAN TO = ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE = ADMITTED TO THE DEMONSTRATION.</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Please provide the following = information to register:</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Name</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Organization</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- E-mail address</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Date and time of the = demonstration showing you wish to attend (with alternates, if = possible)</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">We look forward to seeing you at the = demonstration!</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Dave Fillingham</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">NSA</FONT> </P> <BR> </UL> </BODY> </HTML> ------_=_NextPart_001_01C0CDA9.2E45D730-- --------------InterScan_NT_MIME_Boundary-- Received: from sol4.rmc.ca (sol4.rmc.ca [137.94.1.134]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA03175 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 08:00:57 -0700 (PDT) Received: from rmc.ca ([137.94.177.160]) by sol4.rmc.ca (Netscape Messaging Server 4.1) with ESMTP id GCCSAO00.841 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 10:59:12 -0400 Message-ID: <3AE6E609.43B164FB@rmc.ca> Date: Wed, 25 Apr 2001 10:58:17 -0400 From: "David Deplanche" <deplanche-d@rmc.ca> Organization: RMC ECE X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: unsubscribe Content-Type: multipart/mixed; boundary="------------71E1A6F4427435816D5C0D31" This is a multi-part message in MIME format. --------------71E1A6F4427435816D5C0D31 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit --------------71E1A6F4427435816D5C0D31 Content-Type: text/x-vcard; charset=us-ascii; name="deplanche-d.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Dave DePlanche Content-Disposition: attachment; filename="deplanche-d.vcf" begin:vcard n:DePlanche;Dave tel;cell:613-540-3103 tel;fax:613-544-8107 tel;work:613-541-6000 ext 6453 x-mozilla-html:FALSE adr:;;;;;; version:2.1 email;internet:deplanche-d@rmc.ca fn:Dave DePlanche end:vcard --------------71E1A6F4427435816D5C0D31-- Received: from aifhs8.alcatel.fr (aifhs8.alcatel.fr [212.208.74.153]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA27097 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 06:11:59 -0700 (PDT) From: David.Fontanella@alcatel.fr Received: from frmta004.netfr.alcatel.fr (frmta004.netfr.alcatel.fr [155.132.182.160]) by aifhs8.alcatel.fr (ALCANET/SMTP2) with SMTP id PAA20499 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 15:11:45 +0200 (MET DST) Received: by frmta004.netfr.alcatel.fr(Lotus SMTP MTA v4.6.7 (934.1 12-30-1999)) id C1256A39.00486F33 ; Wed, 25 Apr 2001 15:11:10 +0200 X-Lotus-FromDomain: ALCATEL To: ietf-pkix@imc.org Message-ID: <C1256A39.00486D6C.00@frmta004.netfr.alcatel.fr> Date: Wed, 25 Apr 2001 15:10:50 +0200 Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline unsubscribe Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA26253 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 05:49:46 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id IAA13854 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 08:49:17 -0400 (EDT) Message-Id: <200104251249.IAA13850@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Wed, 25 Apr 2001 08:47:15 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: keyCertSign and cRLSign Key Usage Bits References: <5.0.1.4.2.20010424154840.01b2fa00@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Russ, Thanks. However, I am more concerned about the second paragraph than the first. Is Last Call the proper time to be proposing, discussing, and ratifying such a novel and significant change to the path validation algorithm? Such AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates; ... Dave Russ Housley wrote: > > Dave: > > If the cA bit is asserted, then it is a CA certificate. However, the > keyCertSign and/or the cRLSign bits tell what the CA is going to do with > this particular public key. > > I have no problem deleting the second sentence. > > Russ > > At 02:48 PM 4/24/2001 -0400, David P. Kemp wrote: > >Russ, > > > >With regard to keyCertSign: > > > >I still don't see a definition of "CA certificates", so I still think > >sentence 2 ("This bit MUST only be asserted in CA certificates.") should > >be deleted. Is the following true? > > > > If the cA bit or the keyCertSign bit is asserted, then the > > certificate is a CA certificate. > > If neither the cA bit nor the keyCertSign bit are asserted, then > > the certificate is not a CA certificate. > > > >If those statements are true, then sentence 2 adds nothing except > >confusion: there is the question of whether it is the identical > >requirement to sentence 3 or a different requirement. > > > >Sentences 3 and 4 are quite sufficient; sentence 2 should be deleted. > > > >--------------------------------------------------------------------- > > > >The second paragraph assumes that we have consensus that the cA bit > >should be used to determine which authorities can revoke which certs. > >I don't believe there is consensus on that point. > > > >Additionally: > > > >* Sentences 1 and 2 are redundant; only one of them is needed. > > > >* Sentence 3 does not contain any useful information about cRLSign. > >(If the cRLSign bit is *not* asserted in a CA certificate, the cA bit > >must still be asserted.) > > > >* Sentence 4 is a policy statement unrelated to CRL signing. Do we have > >consensus that a CA may not also be an AA? If so, that policy should > >be stated under attribute certificate issuance, not under key usage. > > > >* Sentence 5 does not define "AA certificates". Should an AA be able > >to sign CRLs using a new key which lists ACs signed with the old key? > >Should an AA be able to delegate CRL signing to a key that cannot sign > >ACs? (I believe the consensus is yes on both counts.) If so, and if > >PKIX is to have a testable requirement along the lines of your new > >langage, then it must tell implementations how to recognize an > >"AA certificate", including one that can revoke but cannot sign ACs. > > > >* The final sentence is repeated verbatim from paragraph 1; does it have > >any greater effect if written twice? > > > >------------------- > > > >I propose something quite close to the language in new-part1-04. The > >rest of your new cRLSign language is just fluff because there is no way > >to determine whether an application complies with it. > > > > > > The keyCertSign bit is asserted when the subject public key > > is used for verifying a signature on public key certificates. > > If the keyCertSign bit is asserted, then the cA bit in the basic > > constraints extension (see 4.2.1.10) MUST also be asserted. > > If neither the keyCertSign bit nor the cRLSign bit are asserted, > > then the cA bit in the basic constraints extension MUST NOT be > > asserted. > > > > The cRLSign bit MUST be asserted when the subject public key is > > used for verifying a signature on certificate revocation lists > > (e.g., CRLs or ARLs). > > {If the cRLSign bit is asserted, then either the cA bit > > in the basic constraints extension or the the authority > > bit in the basicAttConstraints extension MUST also be > > asserted.}* > > > > > >* The last sentence, in {braces}, is an example of how one might > >write a testable requirement. I don't actually believe it should be > >included in 2459bis. > > > >If PKIX wants to use the cA bit to control revocation, and it > >is not going to profile X.509's SOAIdentifier or basicAttConstraints > >extensions, then it MUST use something other than handwaving to > >distinguish EE certs from AA certs. That's why I don't believe there > >should be any linkage between the cRLSign bit and the cA bit. > > > >Dave > > > > > > > > > >"Housley, Russ" wrote: > > > > > > The consensus on these bits is not totally clear to me. Yet, several > > > points have been consistently, and I think that the following text > > > incorporates them. The debate regarding he linkage between these bits and > > > the cA bit in the basic constraints extension does not seem to be over, and > > > I have not made any changes in that area. Please use this new thread to > > > discuss any remaining unresolved points. > > > > > > The keyCertSign bit is asserted when the subject public key is > > > used for verifying a signature on public key certificates. This > > > bit MUST only be asserted in CA certificates. If the keyCertSign > > > bit is asserted, then the cA bit in the basic constraints > > > extension (see 4.2.1.10) MUST also be asserted. If neither the > > > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > > > in the basic constraints extension MUST NOT be asserted. > > > > > > The cRLSign bit is asserted when the subject public key is used > > > for verifying a signature on a certificate revocation list (e.g., > > > a CRL or an ARL). This bit MUST be asserted in CA and Attribute > > > Authority (AA) certificates that are used to verify signatures on > > > CRLs. If the cRLSign bit is asserted in a CA certificate, then > > > the cA bit in the basic constraints extension (see 4.2.1.10) MUST > > > also be asserted. If the cRLSign bit is asserted in a AA > > > certificate, then the cA bit in the basic constraints extension > > > MUST NOT be asserted. Such AA certificates MUST NOT be used to > > > verify signatures on CRLs containing revocation information for > > > public key certificates; however, these AA certificates MAY be > > > used to verify signatures on CRLs containing revocation > > > information concerning attribute certificates. If neither the > > > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > > > in the basic constraints extension MUST NOT be asserted. > > > > > > Russ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA17604 for <ietf-pkix@imc.org>; Wed, 25 Apr 2001 03:35:08 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JTZ236VN>; Wed, 25 Apr 2001 06:34:38 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE2B9@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: David Cross <dcross@microsoft.com>, "Housley, Russ" <rhousley@rsasecurity.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Date: Wed, 25 Apr 2001 06:25:45 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CD72.168848D0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CD72.168848D0 Content-Type: text/plain; charset="iso-8859-1" Russ: Optional is sufficient. It should NOT be mandatory to have separate signing keys for certificates and CRLs. Thanks. I think we agree. -----Original Message----- From: David Cross [mailto:dcross@microsoft.com] Sent: Tuesday, April 24, 2001 9:21 PM To: Housley, Russ; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Optional please - it will take time to build up a large support base for this on the client side. David B. Cross -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Tuesday, April 24, 2001 5:55 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Santosh: The profile already allows CAs and clients to include the features your are advocating. We are debating which are mandatory to implement vs. optional. Russ At 03:41 PM 4/24/2001 -0400, Santosh Chokhani wrote: >Russ: > >May be there is a middle ground in terms not requiring the clients to >process the chains, but also not declaring PKI that have CA and clients >that conform to this. > >I would like us to accommodate both without requiring ALL clients to >have >the capability. > >For example, we can say that the client need not process these types of >trust paths, but CA who use separate keys and clients who can build and >process these chains are also compliant. > >-----Original Message----- >From: Housley, Russ >[<mailto:rhousley@rsasecurity.com>mailto:rhousley@rsasecurity.com] >Sent: Tuesday, April 24, 2001 2:27 PM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: Dedicated CRL signing keys > >Santosh: > >Interoperability is just as important as security. Further, complexity >leads to implementation flaws which reduces security. In several >places, the working group has decided that interoperability is more >important than security. In fact, the PKIX profile does not require >that a CA issue CRLs (see section 3.3, last paragraph). > >The PKIX profile places requirements on CAs and clients. How can we >say that clients MUST be able to handle certs and CRLs signed with >different keys when we do not require CAs to issue them at all? >Further, placing such a requirement on clients forces them to be able >to build certification paths during CRL checking. We already know that >some clients cannot do this (an interoperability issue). And, asking >them to do so will add complexity (a security assurance issue). > >Russ > >At 08:54 AM 4/24/2001 -0400, Santosh Chokhani wrote: > > >Russ: > > > >One of your comments yesterday was that we can make a choice between > >simpler client and operational security when I said that some > >implementations require separate CRL signing keys for operational > >security reasons. > > > >While I agree with you that this is a trade-off an enterprise needs > >to make. But, I think the Internet RFC should not make such a > >choice. I am saying that the RFC should permit both: simple client > >(same key for certificate and CRL signing) as well as different keys > >for certificate and CRL signing. > > > >PKIX working group is after all, all about security. We should not > >say that a secure implementation is not compliant with PKIX. ------_=_NextPart_001_01C0CD72.168848D0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Dedicated CRL signing keys</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ:</FONT> </P> <P><FONT SIZE=3D2>Optional is sufficient. It should NOT be = mandatory to have separate signing keys for certificates and = CRLs.</FONT> </P> <P><FONT SIZE=3D2>Thanks. I think we agree.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: David Cross [<A = HREF=3D"mailto:dcross@microsoft.com">mailto:dcross@microsoft.com</A>]</F= ONT> <BR><FONT SIZE=3D2>Sent: Tuesday, April 24, 2001 9:21 PM</FONT> <BR><FONT SIZE=3D2>To: Housley, Russ; Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Dedicated CRL signing keys</FONT> </P> <BR> <P><FONT SIZE=3D2>Optional please - it will take time to build up a = large support base for</FONT> <BR><FONT SIZE=3D2>this on the client side.</FONT> </P> <P><FONT SIZE=3D2>David B. Cross</FONT> <BR><FONT SIZE=3D2> </FONT> </P> <P><FONT SIZE=3D2> </FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>] </FONT> <BR><FONT SIZE=3D2>Sent: Tuesday, April 24, 2001 5:55 PM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Dedicated CRL signing keys</FONT> </P> <BR> <P><FONT SIZE=3D2>Santosh:</FONT> </P> <P><FONT SIZE=3D2>The profile already allows CAs and clients to include = the features your</FONT> <BR><FONT SIZE=3D2>are </FONT> <BR><FONT SIZE=3D2>advocating. We are debating which are = mandatory to implement vs.</FONT> <BR><FONT SIZE=3D2>optional.</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> <BR> <P><FONT SIZE=3D2>At 03:41 PM 4/24/2001 -0400, Santosh Chokhani = wrote:</FONT> </P> <P><FONT SIZE=3D2>>Russ:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>May be there is a middle ground in terms not = requiring the clients to</FONT> <BR><FONT SIZE=3D2>>process the chains, but also not declaring PKI = that have CA and clients</FONT> </P> <P><FONT SIZE=3D2>>that conform to this.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I would like us to accommodate both without = requiring ALL clients to </FONT> <BR><FONT SIZE=3D2>>have</FONT> <BR><FONT SIZE=3D2>>the capability.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>For example, we can say that the client need not = process these types of</FONT> <BR><FONT SIZE=3D2>>trust paths, but CA who use separate keys and = clients who can build and</FONT> </P> <P><FONT SIZE=3D2>>process these chains are also compliant.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>>From: Housley, Russ</FONT> <BR><FONT SIZE=3D2>>[<<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>><A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>>Sent: Tuesday, April 24, 2001 2:27 PM</FONT> <BR><FONT SIZE=3D2>>To: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>>Subject: RE: Dedicated CRL signing keys</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Santosh:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Interoperability is just as important as = security. Further, complexity</FONT> </P> <P><FONT SIZE=3D2>>leads to implementation flaws which reduces = security. In several </FONT> <BR><FONT SIZE=3D2>>places, the working group has decided that = interoperability is more </FONT> <BR><FONT SIZE=3D2>>important than security. In fact, the PKIX = profile does not require </FONT> <BR><FONT SIZE=3D2>>that a CA issue CRLs (see section 3.3, last = paragraph).</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>The PKIX profile places requirements on CAs and = clients. How can we </FONT> <BR><FONT SIZE=3D2>>say that clients MUST be able to handle certs = and CRLs signed with </FONT> <BR><FONT SIZE=3D2>>different keys when we do not require CAs to = issue them at all? </FONT> <BR><FONT SIZE=3D2>>Further, placing such a requirement on clients = forces them to be able </FONT> <BR><FONT SIZE=3D2>>to build certification paths during CRL = checking. We already know that</FONT> </P> <P><FONT SIZE=3D2>>some clients cannot do this (an interoperability = issue). And, asking </FONT> <BR><FONT SIZE=3D2>>them to do so will add complexity (a security = assurance issue).</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Russ</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>At 08:54 AM 4/24/2001 -0400, Santosh Chokhani = wrote:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> >Russ:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >One of your comments yesterday was that we = can make a choice between </FONT> <BR><FONT SIZE=3D2>> >simpler client and operational security = when I said that some </FONT> <BR><FONT SIZE=3D2>> >implementations require separate CRL = signing keys for operational </FONT> <BR><FONT SIZE=3D2>> >security reasons.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >While I agree with you that this is a = trade-off an enterprise needs </FONT> <BR><FONT SIZE=3D2>> >to make. But, I think the Internet = RFC should not make such a </FONT> <BR><FONT SIZE=3D2>> >choice. I am saying that the RFC = should permit both: simple client </FONT> <BR><FONT SIZE=3D2>> >(same key for certificate and CRL signing) = as well as different keys </FONT> <BR><FONT SIZE=3D2>> >for certificate and CRL signing.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >PKIX working group is after all, all about = security. We should not </FONT> <BR><FONT SIZE=3D2>> >say that a secure implementation is not = compliant with PKIX.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CD72.168848D0-- Received: from mail4.microsoft.com (mail4.microsoft.com [131.107.3.122]) by above.proper.com (8.9.3/8.9.3) with SMTP id SAA08034 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 18:35:14 -0700 (PDT) Received: from 157.54.9.108 by mail4.microsoft.com (InterScan E-Mail VirusWall NT); Tue, 24 Apr 2001 18:21:06 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-05.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Tue, 24 Apr 2001 18:20:39 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4688.0 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Dedicated CRL signing keys Date: Tue, 24 Apr 2001 18:20:38 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C02A98945@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Dedicated CRL signing keys Thread-Index: AcDNI7SsRdAelb+BTDucBrXkx0yMFgAAgCiw From: "David Cross" <dcross@microsoft.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, "Santosh Chokhani" <chokhani@cygnacom.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 25 Apr 2001 01:20:39.0329 (UTC) FILETIME=[F02C4110:01C0CD25] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id SAA08035 Optional please - it will take time to build up a large support base for this on the client side. David B. Cross -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Tuesday, April 24, 2001 5:55 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Santosh: The profile already allows CAs and clients to include the features your are advocating. We are debating which are mandatory to implement vs. optional. Russ At 03:41 PM 4/24/2001 -0400, Santosh Chokhani wrote: >Russ: > >May be there is a middle ground in terms not requiring the clients to >process the chains, but also not declaring PKI that have CA and clients >that conform to this. > >I would like us to accommodate both without requiring ALL clients to >have >the capability. > >For example, we can say that the client need not process these types of >trust paths, but CA who use separate keys and clients who can build and >process these chains are also compliant. > >-----Original Message----- >From: Housley, Russ >[<mailto:rhousley@rsasecurity.com>mailto:rhousley@rsasecurity.com] >Sent: Tuesday, April 24, 2001 2:27 PM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: Dedicated CRL signing keys > >Santosh: > >Interoperability is just as important as security. Further, complexity >leads to implementation flaws which reduces security. In several >places, the working group has decided that interoperability is more >important than security. In fact, the PKIX profile does not require >that a CA issue CRLs (see section 3.3, last paragraph). > >The PKIX profile places requirements on CAs and clients. How can we >say that clients MUST be able to handle certs and CRLs signed with >different keys when we do not require CAs to issue them at all? >Further, placing such a requirement on clients forces them to be able >to build certification paths during CRL checking. We already know that >some clients cannot do this (an interoperability issue). And, asking >them to do so will add complexity (a security assurance issue). > >Russ > >At 08:54 AM 4/24/2001 -0400, Santosh Chokhani wrote: > > >Russ: > > > >One of your comments yesterday was that we can make a choice between > >simpler client and operational security when I said that some > >implementations require separate CRL signing keys for operational > >security reasons. > > > >While I agree with you that this is a trade-off an enterprise needs > >to make. But, I think the Internet RFC should not make such a > >choice. I am saying that the RFC should permit both: simple client > >(same key for certificate and CRL signing) as well as different keys > >for certificate and CRL signing. > > > >PKIX working group is after all, all about security. We should not > >say that a secure implementation is not compliant with PKIX. Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id RAA05575 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 17:59:10 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 25 Apr 2001 00:59:11 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id UAA16646 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 20:59:12 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JST3VQGS>; Tue, 24 Apr 2001 20:59:13 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.56]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JST3VQGR; Tue, 24 Apr 2001 20:59:07 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010424172558.01a83830@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 24 Apr 2001 20:54:57 -0400 Subject: RE: Dedicated CRL signing keys In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE294@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Santosh: The profile already allows CAs and clients to include the features your are advocating. We are debating which are mandatory to implement vs. optional. Russ At 03:41 PM 4/24/2001 -0400, Santosh Chokhani wrote: >Russ: > >May be there is a middle ground in terms not requiring the clients to >process the chains, but also not declaring PKI that have CA and clients >that conform to this. > >I would like us to accommodate both without requiring ALL clients to have >the capability. > >For example, we can say that the client need not process these types of >trust paths, but CA who use separate keys and clients who can build and >process these chains are also compliant. > >-----Original Message----- >From: Housley, Russ >[<mailto:rhousley@rsasecurity.com>mailto:rhousley@rsasecurity.com] >Sent: Tuesday, April 24, 2001 2:27 PM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: Dedicated CRL signing keys > >Santosh: > >Interoperability is just as important as security. Further, complexity >leads to implementation flaws which reduces security. In several places, >the working group has decided that interoperability is more important than >security. In fact, the PKIX profile does not require that a CA issue CRLs >(see section 3.3, last paragraph). > >The PKIX profile places requirements on CAs and clients. How can we say >that clients MUST be able to handle certs and CRLs signed with different >keys when we do not require CAs to issue them at all? Further, placing >such a requirement on clients forces them to be able to build certification >paths during CRL checking. We already know that some clients cannot do >this (an interoperability issue). And, asking them to do so will add >complexity (a security assurance issue). > >Russ > >At 08:54 AM 4/24/2001 -0400, Santosh Chokhani wrote: > > >Russ: > > > >One of your comments yesterday was that we can make a choice between > >simpler client and operational security when I said that some > >implementations require separate CRL signing keys for operational security > >reasons. > > > >While I agree with you that this is a trade-off an enterprise needs to > >make. But, I think the Internet RFC should not make such a choice. I am > >saying that the RFC should permit both: simple client (same key for > >certificate and CRL signing) as well as different keys for certificate and > >CRL signing. > > > >PKIX working group is after all, all about security. We should not say > >that a secure implementation is not compliant with PKIX. Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA27820 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 15:42:10 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JRDR7BKD; Tue, 24 Apr 2001 15:37:17 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "David A. Cooper" <david.cooper@nist.gov>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs and NR Date: Tue, 24 Apr 2001 15:41:03 -0700 Message-ID: <DOEOKAMDOBOFDGOPBAHDKEIGCDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <4.2.2.20010424164552.00a673c0@email.nist.gov> David, Thank you for pointing out the "..less than or equal.." phrase. I had missed the significance. My preference is that delta-CRL's be identified only by the deltaCRLIndicator extension, rather than the cRLScope extension. I propose that the following "sufficient condition" in the PKIX profile "The delta CRL indicator is a critical CRL extension that identifies a CRL as being a delta CRL." be reworded as a "necessary condition" along the lines of "A delta CRL MUST be identified via the delta CRL indicator extension, which MUST be marked as a critical CRL extension." Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Tuesday, April 24, 2001 2:06 PM To: ietf-pkix@imc.org Subject: RE: delta-CRLs and NR Carlin, The quote that you included about the cRLScope extension is correct, but the end result is (nearly) the same whether delta-CRLs are identified using the cRLScope extension or the deltaCRLIndicator extension. In addition to the text that you quoted, X.509 (Ed. 4 v7 is the latest) section 8.5.2.5 states the following about the cRLScope extension: the cRLNumber referenced in the BaseRevocationInfo field of a dCRL shall be less than or equal to the cRLNumber of the most recently issued CRL that is complete for the applicable scope. So, while the base CRL referenced by the delta-CRL may not have been issued as a full CRL, there will be at least one CRL, issued as a full CRL, against which the delta-CRL may be applied to obtain complete certificate status information. The full CRL may have been issued after the referenced base CRL, but one can still apply the delta-CRL to that full CRL. As to your second question, the PKIX certificate and CRL profile does not include the cRLScope extension. So, while X.509 provides two ways to identify a CRL as being a delta-CRL, PKIX only provides the deltaCRLIndicator. Would a CRL issuer that used the cRLScope extension be non-PKIX-compliant? I'll leave that to others to decide. Dave At 01:35 PM 4/24/01 -0700, Carlin Covey wrote: >David, > >You are correct for delta-CRLs defined with the deltaCRLIndicator, but >it is also possible to define delta-CRLs using the CRL scope extension. > >X.509 Ed. 4 v6 says the following in section 8.5.2.5 'CRL scope extension': > >"In the crlScope case, the information in the baseRevocationInfo >component, indicates the point in time from which the CRL containing >this extension provides updates. Although this is done by referencing >a CRL, the referenced CRL may or may not be one that is complete for >the applicable scope, whereas the deltaCRLIdentifier extension references >an issued CRL that is complete for the applicable scope." > >In an earlier email I made the following observation and asked a question: > >"I don't see anywhere in draft-ietf-pkix-new-part1-05 where it says >that a delta CRL must be identified by a deltaCRLIndicator extension. >It does say that "The delta CRL indicator is a critical CRL extension >that identifies a CRL as being a delta CRL." This appears to be a >sufficient >condition, but not a necessary condition, for the CRL to be interpreted as a >delta CRL. So a PKIX-profile-compliant CRL-issuer could use the crlScope >extension rather than the deltaCRLIndicator extension to identify delta >CRLs? > > - Russ, is that right?" > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > > >-----Original Message----- >From: David A. Cooper [mailto:david.cooper@nist.gov] >Sent: Tuesday, April 24, 2001 12:44 PM >To: ietf-pkix@imc.org >Subject: RE: delta-CRLs and NR > > >This is a misunderstanding of the way that delta-CRLs work. A delta-CRL >specifies a base CRL and provides a list of all certificates whose status >has changed since the base CRL was issued. When using the deltaCRLIndicator, >the referenced base CRL must have been issued as a full CRL (i.e., not a >delta). Thus, one can always obtain complete revocation information by >applying a single delta-CRL to the base CRL that it references. > >If delta-CRLs are issued more frequently than full CRLs, this will just mean >that multiple delta-CRLs will reference the same full CRL as their base. > >With the current PKIX standard, one can always get complete revocation >information by just obtaining a full CRL. If the rules were relaxed, one >would be required to obtain one full CRL and one delta-CRL. > >Dave > >At 12:25 PM 4/24/01 -0700, Michael Myers wrote: > >I understand. But the trajectory of the dialog seemed to be suggesting > >elimination the full CRL context, hence in that forward scenario one would > >have no choice but to face the accumulation task. Also, the proposal to > >enable a different period of production between a full CRL and its > >associated deltas (thus enabling periods of delta-only activity between >full > >CRL production) does suggest that there might exists cases where more than > >one delta is necessary to span the gap between fulls. > Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA22660 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 14:26:27 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 24 Apr 2001 21:26:28 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id RAB08458 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 17:26:29 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JST3V344>; Tue, 24 Apr 2001 17:26:29 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.3]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JST3V34Q; Tue, 24 Apr 2001 17:26:25 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010424172156.01b6beb8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 24 Apr 2001 17:23:54 -0400 Subject: RE: Dedicated CRL signing keys In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE28C@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Santosh: I know. The point is that a simple client will encounter an unsupported extension. David Cooper has pointed out that this has the effect that clients that might otherwise be able to use the CRL will not be able to use it. I am no longer advocating this approach. Russ At 03:21 PM 4/24/2001 -0400, Santosh Chokhani wrote: >Russ: > >But the semantics of that extension does NOT mean that the CRL is signed >by a different key. > >Actually, a CA typically uses this extension, chops up the CRL and signs >them all using the SAME key. > >-----Original Message----- >From: Housley, Russ >[<mailto:rhousley@rsasecurity.com>mailto:rhousley@rsasecurity.com] >Sent: Tuesday, April 24, 2001 3:11 PM >To: Santosh Chokhani >Cc: Santosh Chokhani; ietf-pkix@imc.org >Subject: RE: Dedicated CRL signing keys > >At 05:25 PM 4/23/2001 -0400, Santosh Chokhani wrote: > > >First, I think that the restriction that a CA who desires to issue > > >Indirect CRL needs to set itself up as a separate name is unduly > > >restrictive. There is no need for a CA to do that. A CA can issue a > full > > >CRL as well as an Indirect CRL and populate these in the same or > different > > >entries (i.e., CRL DP) in the directory. Please review Annex B of X.509 > > >for how to process CRL. So, may be Russ can explain why this requirement > > >comes about. > > > >I agree that the use of a separate name is overly restrictive. That > >portion of my suggestion was, in hind sight, a bad idea. As Tim Polk > >pointed out, CAs cannot change their names when they rekey. > > > >I think that everyone agrees that a CA makes a commitment to provide some > >form of revocation information for the duration of the certificate > >life. When CRLs are employed, does the CA use the same key to sign the CRL > >as was used to sign the certificate? Clearly, the CA is permitted to use > >different keys -- the key usage bits are there to allow this > >separation. However, several clients cannot handle this situation, and > >they would like to see an error message that says "unsupported feature" > >instead of "signature invalid." > > > >Perhaps CA rekey will lead us to an answer. When a CA rekeys, does it are > >subsequent CRLs signed with the new key or the old one? A CA could > >generate one CRL with each key. They two CRLs could even be distributed by > >different distribution point to avoid the download of CRLs that cannot be > >employed. Alternatively, the CA could publish one CRL signed with the new > >key. This leads to the scenario where cert path construction must be > >evoked to generate validate the CRL when trying to validate a certificate > >signed by the old key. This is the behavior that we are trying to make > >SHOULD. > > > >Therefore, the CA MUST generate the CRL using the same key as was used to > >sign the certificate, or it MUST include an extension in the CRL to > >indicate that cert path construction might be needed to validate the CRL > >signature. I proposed that an Issuing Distribution Point (IDP) CRL > >extension might be the correct approach. The IDP extension will not be > >supported by the simple clients, so they can generate the "unsupported > >feature" error, and the more complex clients can use the information in the > >IDP to support path construction. They will of course, also use Authority > >Key Identifier extension. > > > >{Santosh Says: Item 1 will require a change to the IDP extension > >syntax. Would n't that make PKIX non-compliant with X.509?) > >The IDP syntax is: > > issuingDistributionPoint ::= SEQUENCE { > distributionPoint [0] DistributionPointName OPTIONAL, > onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, > onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, > onlySomeReasons [3] ReasonFlags OPTIONAL, > indirectCRL [4] BOOLEAN DEFAULT FALSE } > >I was simply suggesting that this extension be present if the CRL is signed >with a key other than the one used to sign the certificate. I would expect >the distributionPoint field to be present (probably with a URL >(ldap://...)). The boolean flags would be set based on the contents of the >CRL (probably all FALSE). The reason codes would also be set based on the >contents of the CRL (probably absent). > >Russ Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA21642 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 14:16:12 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 24 Apr 2001 21:16:12 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id RAA07728 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 17:16:12 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JST3V3PW>; Tue, 24 Apr 2001 17:16:12 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.3]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JST3V3PR; Tue, 24 Apr 2001 17:16:03 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010424154840.01b2fa00@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 24 Apr 2001 15:51:53 -0400 Subject: Re: keyCertSign and cRLSign Key Usage Bits In-Reply-To: <200104241850.OAA25667@stingray.missi.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Dave: If the cA bit is asserted, then it is a CA certificate. However, the keyCertSign and/or the cRLSign bits tell what the CA is going to do with this particular public key. I have no problem deleting the second sentence. Russ At 02:48 PM 4/24/2001 -0400, David P. Kemp wrote: >Russ, > >With regard to keyCertSign: > >I still don't see a definition of "CA certificates", so I still think >sentence 2 ("This bit MUST only be asserted in CA certificates.") should >be deleted. Is the following true? > > If the cA bit or the keyCertSign bit is asserted, then the > certificate is a CA certificate. > If neither the cA bit nor the keyCertSign bit are asserted, then > the certificate is not a CA certificate. > >If those statements are true, then sentence 2 adds nothing except >confusion: there is the question of whether it is the identical >requirement to sentence 3 or a different requirement. > >Sentences 3 and 4 are quite sufficient; sentence 2 should be deleted. > >--------------------------------------------------------------------- > >The second paragraph assumes that we have consensus that the cA bit >should be used to determine which authorities can revoke which certs. >I don't believe there is consensus on that point. > >Additionally: > >* Sentences 1 and 2 are redundant; only one of them is needed. > >* Sentence 3 does not contain any useful information about cRLSign. >(If the cRLSign bit is *not* asserted in a CA certificate, the cA bit >must still be asserted.) > >* Sentence 4 is a policy statement unrelated to CRL signing. Do we have >consensus that a CA may not also be an AA? If so, that policy should >be stated under attribute certificate issuance, not under key usage. > >* Sentence 5 does not define "AA certificates". Should an AA be able >to sign CRLs using a new key which lists ACs signed with the old key? >Should an AA be able to delegate CRL signing to a key that cannot sign >ACs? (I believe the consensus is yes on both counts.) If so, and if >PKIX is to have a testable requirement along the lines of your new >langage, then it must tell implementations how to recognize an >"AA certificate", including one that can revoke but cannot sign ACs. > >* The final sentence is repeated verbatim from paragraph 1; does it have >any greater effect if written twice? > >------------------- > >I propose something quite close to the language in new-part1-04. The >rest of your new cRLSign language is just fluff because there is no way >to determine whether an application complies with it. > > > The keyCertSign bit is asserted when the subject public key > is used for verifying a signature on public key certificates. > If the keyCertSign bit is asserted, then the cA bit in the basic > constraints extension (see 4.2.1.10) MUST also be asserted. > If neither the keyCertSign bit nor the cRLSign bit are asserted, > then the cA bit in the basic constraints extension MUST NOT be > asserted. > > The cRLSign bit MUST be asserted when the subject public key is > used for verifying a signature on certificate revocation lists > (e.g., CRLs or ARLs). > {If the cRLSign bit is asserted, then either the cA bit > in the basic constraints extension or the the authority > bit in the basicAttConstraints extension MUST also be > asserted.}* > > >* The last sentence, in {braces}, is an example of how one might >write a testable requirement. I don't actually believe it should be >included in 2459bis. > >If PKIX wants to use the cA bit to control revocation, and it >is not going to profile X.509's SOAIdentifier or basicAttConstraints >extensions, then it MUST use something other than handwaving to >distinguish EE certs from AA certs. That's why I don't believe there >should be any linkage between the cRLSign bit and the cA bit. > >Dave > > > > >"Housley, Russ" wrote: > > > > The consensus on these bits is not totally clear to me. Yet, several > > points have been consistently, and I think that the following text > > incorporates them. The debate regarding he linkage between these bits and > > the cA bit in the basic constraints extension does not seem to be over, and > > I have not made any changes in that area. Please use this new thread to > > discuss any remaining unresolved points. > > > > The keyCertSign bit is asserted when the subject public key is > > used for verifying a signature on public key certificates. This > > bit MUST only be asserted in CA certificates. If the keyCertSign > > bit is asserted, then the cA bit in the basic constraints > > extension (see 4.2.1.10) MUST also be asserted. If neither the > > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > > The cRLSign bit is asserted when the subject public key is used > > for verifying a signature on a certificate revocation list (e.g., > > a CRL or an ARL). This bit MUST be asserted in CA and Attribute > > Authority (AA) certificates that are used to verify signatures on > > CRLs. If the cRLSign bit is asserted in a CA certificate, then > > the cA bit in the basic constraints extension (see 4.2.1.10) MUST > > also be asserted. If the cRLSign bit is asserted in a AA > > certificate, then the cA bit in the basic constraints extension > > MUST NOT be asserted. Such AA certificates MUST NOT be used to > > verify signatures on CRLs containing revocation information for > > public key certificates; however, these AA certificates MAY be > > used to verify signatures on CRLs containing revocation > > information concerning attribute certificates. If neither the > > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > > Russ Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA20597 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 14:06:27 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id RAA20747 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 17:06:28 -0400 (EDT) Message-Id: <4.2.2.20010424164552.00a673c0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Tue, 24 Apr 2001 17:05:59 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: delta-CRLs and NR In-Reply-To: <FLEELNBJKAIIGDJJKPDGEEAGCEAA.ccovey@cylink.com> References: <4.2.2.20010424153824.00a612a0@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Carlin, The quote that you included about the cRLScope extension is correct, but the end result is (nearly) the same whether delta-CRLs are identified using the cRLScope extension or the deltaCRLIndicator extension. In addition to the text that you quoted, X.509 (Ed. 4 v7 is the latest) section 8.5.2.5 states the following about the cRLScope extension: the cRLNumber referenced in the BaseRevocationInfo field of a dCRL shall be less than or equal to the cRLNumber of the most recently issued CRL that is complete for the applicable scope. So, while the base CRL referenced by the delta-CRL may not have been issued as a full CRL, there will be at least one CRL, issued as a full CRL, against which the delta-CRL may be applied to obtain complete certificate status information. The full CRL may have been issued after the referenced base CRL, but one can still apply the delta-CRL to that full CRL. As to your second question, the PKIX certificate and CRL profile does not include the cRLScope extension. So, while X.509 provides two ways to identify a CRL as being a delta-CRL, PKIX only provides the deltaCRLIndicator. Would a CRL issuer that used the cRLScope extension be non-PKIX-compliant? I'll leave that to others to decide. Dave At 01:35 PM 4/24/01 -0700, Carlin Covey wrote: >David, > >You are correct for delta-CRLs defined with the deltaCRLIndicator, but >it is also possible to define delta-CRLs using the CRL scope extension. > >X.509 Ed. 4 v6 says the following in section 8.5.2.5 'CRL scope extension': > >"In the crlScope case, the information in the baseRevocationInfo >component, indicates the point in time from which the CRL containing >this extension provides updates. Although this is done by referencing >a CRL, the referenced CRL may or may not be one that is complete for >the applicable scope, whereas the deltaCRLIdentifier extension references >an issued CRL that is complete for the applicable scope." > >In an earlier email I made the following observation and asked a question: > >"I don't see anywhere in draft-ietf-pkix-new-part1-05 where it says >that a delta CRL must be identified by a deltaCRLIndicator extension. >It does say that "The delta CRL indicator is a critical CRL extension >that identifies a CRL as being a delta CRL." This appears to be a >sufficient >condition, but not a necessary condition, for the CRL to be interpreted as a >delta CRL. So a PKIX-profile-compliant CRL-issuer could use the crlScope >extension rather than the deltaCRLIndicator extension to identify delta >CRLs? > > - Russ, is that right?" > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > > >-----Original Message----- >From: David A. Cooper [mailto:david.cooper@nist.gov] >Sent: Tuesday, April 24, 2001 12:44 PM >To: ietf-pkix@imc.org >Subject: RE: delta-CRLs and NR > > >This is a misunderstanding of the way that delta-CRLs work. A delta-CRL >specifies a base CRL and provides a list of all certificates whose status >has changed since the base CRL was issued. When using the deltaCRLIndicator, >the referenced base CRL must have been issued as a full CRL (i.e., not a >delta). Thus, one can always obtain complete revocation information by >applying a single delta-CRL to the base CRL that it references. > >If delta-CRLs are issued more frequently than full CRLs, this will just mean >that multiple delta-CRLs will reference the same full CRL as their base. > >With the current PKIX standard, one can always get complete revocation >information by just obtaining a full CRL. If the rules were relaxed, one >would be required to obtain one full CRL and one delta-CRL. > >Dave > >At 12:25 PM 4/24/01 -0700, Michael Myers wrote: > >I understand. But the trajectory of the dialog seemed to be suggesting > >elimination the full CRL context, hence in that forward scenario one would > >have no choice but to face the accumulation task. Also, the proposal to > >enable a different period of production between a full CRL and its > >associated deltas (thus enabling periods of delta-only activity between >full > >CRL production) does suggest that there might exists cases where more than > >one delta is necessary to span the gap between fulls. > Received: from wfhqex05.gfgsi.com (netva01.getronicsgov.com [206.137.100.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA18123; Tue, 24 Apr 2001 13:49:05 -0700 (PDT) Received: by wfhqex05.gfgsi.com with Internet Mail Service (5.5.2650.21) id <H95F5JS9>; Tue, 24 Apr 2001 16:49:39 -0400 Message-ID: <0B95FB5619B3D411817E006008A59259692A91@wfhqex06.gfgsi.com> From: "Pawling, John" <John.Pawling@GetronicsGov.com> To: "Pawling, John" <John.Pawling@GetronicsGov.com> Subject: v1.9.1 Certificate Management Library Now Available Date: Tue, 24 Apr 2001 16:49:31 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" All, Getronics Government Solutions has delivered the Version 1.9.1 Certificate Management Library (CML) for MS Windows, Solaris 2.7 and Linux. The v1.9.1 CML is freely available to everyone from the Getronics CML web page <http://www.getronicsgov.com/hot/cml_home.htm>. This release includes bug fixes for the v1.9 CML release, and the integration of the new SNACC string conversion functions into the CML. The v1.9.1 CML requires the latest SNACC release (v1.3 R6). Older versions of the SNACC library will not work. SNACC v1.3 R6 can be downloaded from <http://www.getronicsgov.com/hot/snacc_home.htm>. The v1.9.1 CML is described in the v1.9 CML Application Programming Interface (API) document. It implements the 2000 X.509 Recommendation certification path processing rules and SDN.706. It meets the majority of the IETF PKIX RFC 2459 Certificate/CRL Profile requirements. The CML uses path building software based on the v2.0 CPDL from CygnaCom Solutions, an Entrust Technologies company, to provide robust certification path building capabilities such as using cross certificates. The CML has been used to validate X.509 Certificates and Certificate Revocation Lists (CRL) signed using the Digital Signature Algorithm (DSA) and RSA. Further enhancements, ports and testing of the CML are still in process. Further releases of the CML will be provided as significant capabilities are added. The following enhancements are included in the v1.9.1 CML release (compared with the v1.9 release): 1. Modified DN conversion functions to use new SNACC string conversion functions. Fixed bug in buildRdnString() that incorrectly escaped UTF8 strings. 2. Added call to new SNACC ASN1Terminate() function to free up the global hash tables used to perform the decoding of the ASN.1 ANYs. 3. Corrected logic on freeing objects, when a free callback function was passed in. 4. Modified CMU_BreakUpCertPair and its underlying functions. 5. Corrected argument to function call CMU_genname2str, when the Distribution Point name refers to a full name. The following v1.9.1 CML files are available from the Getronics CML web page: 1) Windows_CMLLibv1.9.1.ZIP: MS Windows Dynamically Linked Libraries (DLL) 2) Windows_CM_Toolv1.9.1.ZIP: CM_Tool executable 3) Solaris_CMLLibv1.9.1.tar.Z: Sun Solaris Libraries 4) Solaris_CM_Toolv1.9.1.tar.z: CM_Tool for Solaris 5) Linux_CMLLibv1.9.1.tar.Z: Linux Libraries 6) Linux_CM_Toolv1.9.1.tar.z: CM_Tool for Linux 7) CML_sourcev1.9.1.tar.Z: Source, including Windows project files 8) CMAPI_data.tar.Z: Test Certs and CRLs used to test CML The v1.9 CML API document (CMv1.9api.doc, CMv1.9api.pdf), v1.9 SRL API document (SRLv1.9api.doc, SRLv1.9api.pdf), and v1.9 CML readme file are also available from the Getronics CML web page. All source code for the CML is being provided at no cost and with no financial limitations regarding its use and distribution. Organizations can use the CML without paying any royalties or licensing fees. The CML was originally developed by the U.S. Government. Getronics is enhancing and supporting the CML under contract to the U.S. Government. The U.S. Government is furnishing the CML software at no cost to the vendor Subject to the conditions of the CML Public License provided with the CML software. The v1.9.1 CML uses the Getronics v1.3 R6 Enhanced SNACC ASN.1 Library to encode/decode objects. Getronics has successfully tested the v1.9.1 CML with the SNACC and CTIL DLLs delivered in conjunction with the v1.10 SFL. Source code for the Getronics-developed CTILs is available from <http://www.getronicsgov.com/hot/sfl_home.htm>. The actual crypto libraries are not provided with the CML or SFL. They must be independently obtained from the appropriate source. The CML can be used in conjunction with the v2.0 CPDL to successfully meet all of the requirements of the Bridge Certification Authority Demonstration effort which includes cross-certified Entrust, Spyrus and Motorola v3 certificate domains. The CML_source.tar.Z file includes the CPDL source code and public license. <http://www.cygnacom.com/products/index.htm> provides more information regarding the CPDL. The National Institute of Standards and Technology (NIST) is providing a standard test suite of X.509 certificate paths <http://csrc.nist.gov/pki/testing/x509paths.html> that can be used for testing applications against RFC 2459. The CML was used to successfully process the NIST test data. The Internet Mail Consortium (IMC) has established a CML web page http://www.imc.org/imc-cml and a CML mail list which is used to: distribute information regarding CML releases; discuss CML-related issues; and allow CML users to provide feedback, comments, bug reports, etc. Subscription information for the imc-cml mailing list is at the IMC web site listed above. All comments regarding the CML source code and documents are welcome. This CML release announcement was sent to several mail lists, but please send all messages regarding the CML to the imc-cml mail list ONLY. Please do not send messages regarding the CML to any of the IETF mail lists. We will respond to all messages sent to the imc-cml mail list. =========================================== John Pawling, John.Pawling@GetronicsGov.com Getronics Government Solutions, LLC =========================================== Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA16963 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 13:36:57 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JRDR7A5R; Tue, 24 Apr 2001 13:32:05 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "David A. Cooper" <david.cooper@nist.gov>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs and NR Date: Tue, 24 Apr 2001 13:35:50 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGEEAGCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <4.2.2.20010424153824.00a612a0@email.nist.gov> David, You are correct for delta-CRLs defined with the deltaCRLIndicator, but it is also possible to define delta-CRLs using the CRL scope extension. X.509 Ed. 4 v6 says the following in section 8.5.2.5 'CRL scope extension': "In the crlScope case, the information in the baseRevocationInfo component, indicates the point in time from which the CRL containing this extension provides updates. Although this is done by referencing a CRL, the referenced CRL may or may not be one that is complete for the applicable scope, whereas the deltaCRLIdentifier extension references an issued CRL that is complete for the applicable scope." In an earlier email I made the following observation and asked a question: "I don't see anywhere in draft-ietf-pkix-new-part1-05 where it says that a delta CRL must be identified by a deltaCRLIndicator extension. It does say that "The delta CRL indicator is a critical CRL extension that identifies a CRL as being a delta CRL." This appears to be a sufficient condition, but not a necessary condition, for the CRL to be interpreted as a delta CRL. So a PKIX-profile-compliant CRL-issuer could use the crlScope extension rather than the deltaCRLIndicator extension to identify delta CRLs? - Russ, is that right?" Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Tuesday, April 24, 2001 12:44 PM To: ietf-pkix@imc.org Subject: RE: delta-CRLs and NR This is a misunderstanding of the way that delta-CRLs work. A delta-CRL specifies a base CRL and provides a list of all certificates whose status has changed since the base CRL was issued. When using the deltaCRLIndicator, the referenced base CRL must have been issued as a full CRL (i.e., not a delta). Thus, one can always obtain complete revocation information by applying a single delta-CRL to the base CRL that it references. If delta-CRLs are issued more frequently than full CRLs, this will just mean that multiple delta-CRLs will reference the same full CRL as their base. With the current PKIX standard, one can always get complete revocation information by just obtaining a full CRL. If the rules were relaxed, one would be required to obtain one full CRL and one delta-CRL. Dave At 12:25 PM 4/24/01 -0700, Michael Myers wrote: >I understand. But the trajectory of the dialog seemed to be suggesting >elimination the full CRL context, hence in that forward scenario one would >have no choice but to face the accumulation task. Also, the proposal to >enable a different period of production between a full CRL and its >associated deltas (thus enabling periods of delta-only activity between full >CRL production) does suggest that there might exists cases where more than >one delta is necessary to span the gap between fulls. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA13647 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 12:50:26 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JSB1PMNF>; Tue, 24 Apr 2001 15:49:56 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE294@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Date: Tue, 24 Apr 2001 15:41:04 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CCF6.7FC34A60" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CCF6.7FC34A60 Content-Type: text/plain; charset="iso-8859-1" Russ: May be there is a middle ground in terms not requiring the clients to process the chains, but also not declaring PKI that have CA and clients that conform to this. I would like us to accommodate both without requiring ALL clients to have the capability. For example, we can say that the client need not process these types of trust paths, but CA who use separate keys and clients who can build and process these chains are also compliant. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Tuesday, April 24, 2001 2:27 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Santosh: Interoperability is just as important as security. Further, complexity leads to implementation flaws which reduces security. In several places, the working group has decided that interoperability is more important than security. In fact, the PKIX profile does not require that a CA issue CRLs (see section 3.3, last paragraph). The PKIX profile places requirements on CAs and clients. How can we say that clients MUST be able to handle certs and CRLs signed with different keys when we do not require CAs to issue them at all? Further, placing such a requirement on clients forces them to be able to build certification paths during CRL checking. We already know that some clients cannot do this (an interoperability issue). And, asking them to do so will add complexity (a security assurance issue). Russ At 08:54 AM 4/24/2001 -0400, Santosh Chokhani wrote: >Russ: > >One of your comments yesterday was that we can make a choice between >simpler client and operational security when I said that some >implementations require separate CRL signing keys for operational security >reasons. > >While I agree with you that this is a trade-off an enterprise needs to >make. But, I think the Internet RFC should not make such a choice. I am >saying that the RFC should permit both: simple client (same key for >certificate and CRL signing) as well as different keys for certificate and >CRL signing. > >PKIX working group is after all, all about security. We should not say >that a secure implementation is not compliant with PKIX. ------_=_NextPart_001_01C0CCF6.7FC34A60 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Dedicated CRL signing keys</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ:</FONT> </P> <P><FONT SIZE=3D2>May be there is a middle ground in terms not = requiring the clients to process the chains, but also not declaring PKI = that have CA and clients that conform to this.</FONT></P> <P><FONT SIZE=3D2>I would like us to accommodate both without requiring = ALL clients to have the capability.</FONT> </P> <P><FONT SIZE=3D2>For example, we can say that the client need not = process these types of trust paths, but CA who use separate keys and = clients who can build and process these chains are also = compliant.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Tuesday, April 24, 2001 2:27 PM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Dedicated CRL signing keys</FONT> </P> <BR> <P><FONT SIZE=3D2>Santosh:</FONT> </P> <P><FONT SIZE=3D2>Interoperability is just as important as = security. Further, complexity </FONT> <BR><FONT SIZE=3D2>leads to implementation flaws which reduces = security. In several places, </FONT> <BR><FONT SIZE=3D2>the working group has decided that interoperability = is more important than </FONT> <BR><FONT SIZE=3D2>security. In fact, the PKIX profile does not = require that a CA issue CRLs </FONT> <BR><FONT SIZE=3D2>(see section 3.3, last paragraph).</FONT> </P> <P><FONT SIZE=3D2>The PKIX profile places requirements on CAs and = clients. How can we say </FONT> <BR><FONT SIZE=3D2>that clients MUST be able to handle certs and CRLs = signed with different </FONT> <BR><FONT SIZE=3D2>keys when we do not require CAs to issue them at = all? Further, placing </FONT> <BR><FONT SIZE=3D2>such a requirement on clients forces them to be able = to build certification </FONT> <BR><FONT SIZE=3D2>paths during CRL checking. We already know = that some clients cannot do </FONT> <BR><FONT SIZE=3D2>this (an interoperability issue). And, asking = them to do so will add </FONT> <BR><FONT SIZE=3D2>complexity (a security assurance issue).</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> <BR> <P><FONT SIZE=3D2>At 08:54 AM 4/24/2001 -0400, Santosh Chokhani = wrote:</FONT> </P> <P><FONT SIZE=3D2>>Russ:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>One of your comments yesterday was that we can = make a choice between </FONT> <BR><FONT SIZE=3D2>>simpler client and operational security when I = said that some </FONT> <BR><FONT SIZE=3D2>>implementations require separate CRL signing = keys for operational security </FONT> <BR><FONT SIZE=3D2>>reasons.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>While I agree with you that this is a trade-off = an enterprise needs to </FONT> <BR><FONT SIZE=3D2>>make. But, I think the Internet RFC should = not make such a choice. I am </FONT> <BR><FONT SIZE=3D2>>saying that the RFC should permit both: = simple client (same key for </FONT> <BR><FONT SIZE=3D2>>certificate and CRL signing) as well as = different keys for certificate and </FONT> <BR><FONT SIZE=3D2>>CRL signing.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>PKIX working group is after all, all about = security. We should not say </FONT> <BR><FONT SIZE=3D2>>that a secure implementation is not compliant = with PKIX.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CCF6.7FC34A60-- Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA12723 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 12:43:53 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id PAA21336 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 15:43:54 -0400 (EDT) Message-Id: <4.2.2.20010424153824.00a612a0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Tue, 24 Apr 2001 15:43:45 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: delta-CRLs and NR In-Reply-To: <EOEGJNFMMIBDKGFONJJDOEFHCAAA.myers@coastside.net> References: <8D7EC1912E25D411A32100D0B76953977CE287@scygmxs01.cygnacom.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" This is a misunderstanding of the way that delta-CRLs work. A delta-CRL specifies a base CRL and provides a list of all certificates whose status has changed since the base CRL was issued. When using the deltaCRLIndicator, the referenced base CRL must have been issued as a full CRL (i.e., not a delta). Thus, one can always obtain complete revocation information by applying a single delta-CRL to the base CRL that it references. If delta-CRLs are issued more frequently than full CRLs, this will just mean that multiple delta-CRLs will reference the same full CRL as their base. With the current PKIX standard, one can always get complete revocation information by just obtaining a full CRL. If the rules were relaxed, one would be required to obtain one full CRL and one delta-CRL. Dave At 12:25 PM 4/24/01 -0700, Michael Myers wrote: >I understand. But the trajectory of the dialog seemed to be suggesting >elimination the full CRL context, hence in that forward scenario one would >have no choice but to face the accumulation task. Also, the proposal to >enable a different period of production between a full CRL and its >associated deltas (thus enabling periods of delta-only activity between full >CRL production) does suggest that there might exists cases where more than >one delta is necessary to span the gap between fulls. Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA12693 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 12:43:48 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3OJhVq11577; Tue, 24 Apr 2001 12:43:31 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "Tom Gindin" <tgindin@us.ibm.com> Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs and NR Date: Tue, 24 Apr 2001 12:42:02 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDKEFJCAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE28D@scygmxs01.cygnacom.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Santosh, I think we might be saying the same thing using different words. Mike -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Tuesday, April 24, 2001 12:23 PM To: Michael Myers; Santosh Chokhani; Tom Gindin Cc: David P. Kemp; ietf-pkix@imc.org Subject: RE: delta-CRLs and NR Even if you eliminate the full CRL, each delta refers to a "full CRL base". The base may have been issues some time BC. It does NOT matter. BTW, a pragmatic way to issue deltas is to issue a base also periodically. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA11759 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 12:33:03 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JSB1PMDD>; Tue, 24 Apr 2001 15:32:33 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE28F@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Michael Myers <myers@coastside.net>, Santosh Chokhani <chokhani@cygnacom.com>, Tom Gindin <tgindin@us.ibm.com> Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Subject: RE: delta-CRLs and NR Date: Tue, 24 Apr 2001 15:23:42 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CCF4.12D74C00" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CCF4.12D74C00 Content-Type: text/plain; charset="iso-8859-1" Mike: Your last statement in contradiction with my grasp of X.509 -----Original Message----- From: Michael Myers [mailto:myers@coastside.net] Sent: Tuesday, April 24, 2001 3:26 PM To: Santosh Chokhani; Tom Gindin Cc: David P. Kemp; ietf-pkix@imc.org Subject: RE: delta-CRLs and NR I understand. But the trajectory of the dialog seemed to be suggesting elimination the full CRL context, hence in that forward scenario one would have no choice but to face the accumulation task. Also, the proposal to enable a different period of production between a full CRL and its associated deltas (thus enabling periods of delta-only activity between full CRL production) does suggest that there might exists cases where more than one delta is necessary to span the gap between fulls. Mike -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Tuesday, April 24, 2001 12:11 PM To: Michael Myers; Tom Gindin Cc: David P. Kemp; ietf-pkix@imc.org Subject: RE: delta-CRLs and NR Mike: You do NOT need to accumulate all the relevant deltas. You only need the referenced base or later and the delta in "your hand" to create a full revocation picture. ------_=_NextPart_001_01C0CCF4.12D74C00 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: delta-CRLs and NR</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>Mike:</FONT> </P> <P><FONT SIZE=2>Your last statement in contradiction with my grasp of X.509</FONT> </P> <P><FONT SIZE=2>-----Original Message-----</FONT> <BR><FONT SIZE=2>From: Michael Myers [<A HREF="mailto:myers@coastside.net">mailto:myers@coastside.net</A>]</FONT> <BR><FONT SIZE=2>Sent: Tuesday, April 24, 2001 3:26 PM</FONT> <BR><FONT SIZE=2>To: Santosh Chokhani; Tom Gindin</FONT> <BR><FONT SIZE=2>Cc: David P. Kemp; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>Subject: RE: delta-CRLs and NR</FONT> </P> <BR> <P><FONT SIZE=2>I understand. But the trajectory of the dialog seemed to be suggesting</FONT> <BR><FONT SIZE=2>elimination the full CRL context, hence in that forward scenario one would</FONT> <BR><FONT SIZE=2>have no choice but to face the accumulation task. Also, the proposal to</FONT> <BR><FONT SIZE=2>enable a different period of production between a full CRL and its</FONT> <BR><FONT SIZE=2>associated deltas (thus enabling periods of delta-only activity between full</FONT> <BR><FONT SIZE=2>CRL production) does suggest that there might exists cases where more than</FONT> <BR><FONT SIZE=2>one delta is necessary to span the gap between fulls.</FONT> </P> <P><FONT SIZE=2>Mike</FONT> </P> <BR> <P><FONT SIZE=2>-----Original Message-----</FONT> <BR><FONT SIZE=2>From: Santosh Chokhani [<A HREF="mailto:chokhani@cygnacom.com">mailto:chokhani@cygnacom.com</A>]</FONT> <BR><FONT SIZE=2>Sent: Tuesday, April 24, 2001 12:11 PM</FONT> <BR><FONT SIZE=2>To: Michael Myers; Tom Gindin</FONT> <BR><FONT SIZE=2>Cc: David P. Kemp; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>Subject: RE: delta-CRLs and NR</FONT> </P> <BR> <P><FONT SIZE=2>Mike:</FONT> <BR><FONT SIZE=2>You do NOT need to accumulate all the relevant deltas. You only need the</FONT> <BR><FONT SIZE=2>referenced base or later and the delta in "your hand" to create a full</FONT> <BR><FONT SIZE=2>revocation picture.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CCF4.12D74C00-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA11525 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 12:32:04 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JSB1PMCM>; Tue, 24 Apr 2001 15:31:35 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE28D@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Michael Myers <myers@coastside.net>, Santosh Chokhani <chokhani@cygnacom.com>, Tom Gindin <tgindin@us.ibm.com> Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Subject: RE: delta-CRLs and NR Date: Tue, 24 Apr 2001 15:22:44 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CCF3.EFF42CD0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CCF3.EFF42CD0 Content-Type: text/plain; charset="iso-8859-1" Even if you eliminate the full CRL, each delta refers to a "full CRL base". The base may have been issues some time BC. It does NOT matter. BTW, a pragmatic way to issue deltas is to issue a base also periodically. -----Original Message----- From: Michael Myers [mailto:myers@coastside.net] Sent: Tuesday, April 24, 2001 3:26 PM To: Santosh Chokhani; Tom Gindin Cc: David P. Kemp; ietf-pkix@imc.org Subject: RE: delta-CRLs and NR I understand. But the trajectory of the dialog seemed to be suggesting elimination the full CRL context, hence in that forward scenario one would have no choice but to face the accumulation task. Also, the proposal to enable a different period of production between a full CRL and its associated deltas (thus enabling periods of delta-only activity between full CRL production) does suggest that there might exists cases where more than one delta is necessary to span the gap between fulls. Mike -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Tuesday, April 24, 2001 12:11 PM To: Michael Myers; Tom Gindin Cc: David P. Kemp; ietf-pkix@imc.org Subject: RE: delta-CRLs and NR Mike: You do NOT need to accumulate all the relevant deltas. You only need the referenced base or later and the delta in "your hand" to create a full revocation picture. ------_=_NextPart_001_01C0CCF3.EFF42CD0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta-CRLs and NR</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Even if you eliminate the full CRL, each delta refers = to a "full CRL base". The base may have been issues = some time BC. It does NOT matter.</FONT></P> <P><FONT SIZE=3D2>BTW, a pragmatic way to issue deltas is to issue a = base also periodically.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Michael Myers [<A = HREF=3D"mailto:myers@coastside.net">mailto:myers@coastside.net</A>]</FON= T> <BR><FONT SIZE=3D2>Sent: Tuesday, April 24, 2001 3:26 PM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani; Tom Gindin</FONT> <BR><FONT SIZE=3D2>Cc: David P. Kemp; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs and NR</FONT> </P> <BR> <P><FONT SIZE=3D2>I understand. But the trajectory of the dialog = seemed to be suggesting</FONT> <BR><FONT SIZE=3D2>elimination the full CRL context, hence in that = forward scenario one would</FONT> <BR><FONT SIZE=3D2>have no choice but to face the accumulation = task. Also, the proposal to</FONT> <BR><FONT SIZE=3D2>enable a different period of production between a = full CRL and its</FONT> <BR><FONT SIZE=3D2>associated deltas (thus enabling periods of = delta-only activity between full</FONT> <BR><FONT SIZE=3D2>CRL production) does suggest that there might exists = cases where more than</FONT> <BR><FONT SIZE=3D2>one delta is necessary to span the gap between = fulls.</FONT> </P> <P><FONT SIZE=3D2>Mike</FONT> </P> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Santosh Chokhani [<A = HREF=3D"mailto:chokhani@cygnacom.com">mailto:chokhani@cygnacom.com</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Tuesday, April 24, 2001 12:11 PM</FONT> <BR><FONT SIZE=3D2>To: Michael Myers; Tom Gindin</FONT> <BR><FONT SIZE=3D2>Cc: David P. Kemp; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs and NR</FONT> </P> <BR> <P><FONT SIZE=3D2>Mike:</FONT> <BR><FONT SIZE=3D2>You do NOT need to accumulate all the relevant = deltas. You only need the</FONT> <BR><FONT SIZE=3D2>referenced base or later and the delta in "your = hand" to create a full</FONT> <BR><FONT SIZE=3D2>revocation picture.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CCF3.EFF42CD0-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA11166 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 12:30:29 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JSB1PMB1>; Tue, 24 Apr 2001 15:29:59 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE28C@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: Santosh Chokhani <chokhani@cygnacom.com>, ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Date: Tue, 24 Apr 2001 15:21:07 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CCF3.B68BFA40" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CCF3.B68BFA40 Content-Type: text/plain; charset="iso-8859-1" Russ: But the semantics of that extension does NOT mean that the CRL is signed by a different key. Actually, a CA typically uses this extension, chops up the CRL and signs them all using the SAME key. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Tuesday, April 24, 2001 3:11 PM To: Santosh Chokhani Cc: Santosh Chokhani; ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys At 05:25 PM 4/23/2001 -0400, Santosh Chokhani wrote: > >First, I think that the restriction that a CA who desires to issue > >Indirect CRL needs to set itself up as a separate name is unduly > >restrictive. There is no need for a CA to do that. A CA can issue a full > >CRL as well as an Indirect CRL and populate these in the same or different > >entries (i.e., CRL DP) in the directory. Please review Annex B of X.509 > >for how to process CRL. So, may be Russ can explain why this requirement > >comes about. > >I agree that the use of a separate name is overly restrictive. That >portion of my suggestion was, in hind sight, a bad idea. As Tim Polk >pointed out, CAs cannot change their names when they rekey. > >I think that everyone agrees that a CA makes a commitment to provide some >form of revocation information for the duration of the certificate >life. When CRLs are employed, does the CA use the same key to sign the CRL >as was used to sign the certificate? Clearly, the CA is permitted to use >different keys -- the key usage bits are there to allow this >separation. However, several clients cannot handle this situation, and >they would like to see an error message that says "unsupported feature" >instead of "signature invalid." > >Perhaps CA rekey will lead us to an answer. When a CA rekeys, does it are >subsequent CRLs signed with the new key or the old one? A CA could >generate one CRL with each key. They two CRLs could even be distributed by >different distribution point to avoid the download of CRLs that cannot be >employed. Alternatively, the CA could publish one CRL signed with the new >key. This leads to the scenario where cert path construction must be >evoked to generate validate the CRL when trying to validate a certificate >signed by the old key. This is the behavior that we are trying to make >SHOULD. > >Therefore, the CA MUST generate the CRL using the same key as was used to >sign the certificate, or it MUST include an extension in the CRL to >indicate that cert path construction might be needed to validate the CRL >signature. I proposed that an Issuing Distribution Point (IDP) CRL >extension might be the correct approach. The IDP extension will not be >supported by the simple clients, so they can generate the "unsupported >feature" error, and the more complex clients can use the information in the >IDP to support path construction. They will of course, also use Authority >Key Identifier extension. > >{Santosh Says: Item 1 will require a change to the IDP extension >syntax. Would n't that make PKIX non-compliant with X.509?) The IDP syntax is: issuingDistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, onlySomeReasons [3] ReasonFlags OPTIONAL, indirectCRL [4] BOOLEAN DEFAULT FALSE } I was simply suggesting that this extension be present if the CRL is signed with a key other than the one used to sign the certificate. I would expect the distributionPoint field to be present (probably with a URL (ldap://...)). The boolean flags would be set based on the contents of the CRL (probably all FALSE). The reason codes would also be set based on the contents of the CRL (probably absent). Russ ------_=_NextPart_001_01C0CCF3.B68BFA40 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: Dedicated CRL signing keys</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>Russ:</FONT> </P> <P><FONT SIZE=2>But the semantics of that extension does NOT mean that the CRL is signed by a different key.</FONT> </P> <P><FONT SIZE=2>Actually, a CA typically uses this extension, chops up the CRL and signs them all using the SAME key.</FONT> </P> <P><FONT SIZE=2>-----Original Message-----</FONT> <BR><FONT SIZE=2>From: Housley, Russ [<A HREF="mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</A>]</FONT> <BR><FONT SIZE=2>Sent: Tuesday, April 24, 2001 3:11 PM</FONT> <BR><FONT SIZE=2>To: Santosh Chokhani</FONT> <BR><FONT SIZE=2>Cc: Santosh Chokhani; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>Subject: RE: Dedicated CRL signing keys</FONT> </P> <BR> <P><FONT SIZE=2>At 05:25 PM 4/23/2001 -0400, Santosh Chokhani wrote:</FONT> <BR><FONT SIZE=2>> >First, I think that the restriction that a CA who desires to issue</FONT> <BR><FONT SIZE=2>> >Indirect CRL needs to set itself up as a separate name is unduly</FONT> <BR><FONT SIZE=2>> >restrictive. There is no need for a CA to do that. A CA can issue a full</FONT> <BR><FONT SIZE=2>> >CRL as well as an Indirect CRL and populate these in the same or different</FONT> <BR><FONT SIZE=2>> >entries (i.e., CRL DP) in the directory. Please review Annex B of X.509</FONT> <BR><FONT SIZE=2>> >for how to process CRL. So, may be Russ can explain why this requirement</FONT> <BR><FONT SIZE=2>> >comes about.</FONT> <BR><FONT SIZE=2>></FONT> <BR><FONT SIZE=2>>I agree that the use of a separate name is overly restrictive. That</FONT> <BR><FONT SIZE=2>>portion of my suggestion was, in hind sight, a bad idea. As Tim Polk</FONT> <BR><FONT SIZE=2>>pointed out, CAs cannot change their names when they rekey.</FONT> <BR><FONT SIZE=2>></FONT> <BR><FONT SIZE=2>>I think that everyone agrees that a CA makes a commitment to provide some</FONT> <BR><FONT SIZE=2>>form of revocation information for the duration of the certificate</FONT> <BR><FONT SIZE=2>>life. When CRLs are employed, does the CA use the same key to sign the CRL</FONT> <BR><FONT SIZE=2>>as was used to sign the certificate? Clearly, the CA is permitted to use</FONT> <BR><FONT SIZE=2>>different keys -- the key usage bits are there to allow this</FONT> <BR><FONT SIZE=2>>separation. However, several clients cannot handle this situation, and</FONT> <BR><FONT SIZE=2>>they would like to see an error message that says "unsupported feature"</FONT> <BR><FONT SIZE=2>>instead of "signature invalid."</FONT> <BR><FONT SIZE=2>></FONT> <BR><FONT SIZE=2>>Perhaps CA rekey will lead us to an answer. When a CA rekeys, does it are</FONT> <BR><FONT SIZE=2>>subsequent CRLs signed with the new key or the old one? A CA could</FONT> <BR><FONT SIZE=2>>generate one CRL with each key. They two CRLs could even be distributed by</FONT> <BR><FONT SIZE=2>>different distribution point to avoid the download of CRLs that cannot be</FONT> <BR><FONT SIZE=2>>employed. Alternatively, the CA could publish one CRL signed with the new</FONT> <BR><FONT SIZE=2>>key. This leads to the scenario where cert path construction must be</FONT> <BR><FONT SIZE=2>>evoked to generate validate the CRL when trying to validate a certificate</FONT> <BR><FONT SIZE=2>>signed by the old key. This is the behavior that we are trying to make </FONT> <BR><FONT SIZE=2>>SHOULD.</FONT> <BR><FONT SIZE=2>></FONT> <BR><FONT SIZE=2>>Therefore, the CA MUST generate the CRL using the same key as was used to</FONT> <BR><FONT SIZE=2>>sign the certificate, or it MUST include an extension in the CRL to</FONT> <BR><FONT SIZE=2>>indicate that cert path construction might be needed to validate the CRL</FONT> <BR><FONT SIZE=2>>signature. I proposed that an Issuing Distribution Point (IDP) CRL</FONT> <BR><FONT SIZE=2>>extension might be the correct approach. The IDP extension will not be</FONT> <BR><FONT SIZE=2>>supported by the simple clients, so they can generate the "unsupported</FONT> <BR><FONT SIZE=2>>feature" error, and the more complex clients can use the information in the</FONT> <BR><FONT SIZE=2>>IDP to support path construction. They will of course, also use Authority</FONT> <BR><FONT SIZE=2>>Key Identifier extension.</FONT> <BR><FONT SIZE=2>></FONT> <BR><FONT SIZE=2>>{Santosh Says: Item 1 will require a change to the IDP extension </FONT> <BR><FONT SIZE=2>>syntax. Would n't that make PKIX non-compliant with X.509?)</FONT> </P> <BR> <P><FONT SIZE=2>The IDP syntax is:</FONT> </P> <P><FONT SIZE=2> issuingDistributionPoint ::= SEQUENCE {</FONT> <BR><FONT SIZE=2> distributionPoint [0] DistributionPointName OPTIONAL,</FONT> <BR><FONT SIZE=2> onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,</FONT> <BR><FONT SIZE=2> onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,</FONT> <BR><FONT SIZE=2> onlySomeReasons [3] ReasonFlags OPTIONAL,</FONT> <BR><FONT SIZE=2> indirectCRL [4] BOOLEAN DEFAULT FALSE }</FONT> </P> <P><FONT SIZE=2>I was simply suggesting that this extension be present if the CRL is signed </FONT> <BR><FONT SIZE=2>with a key other than the one used to sign the certificate. I would expect </FONT> <BR><FONT SIZE=2>the distributionPoint field to be present (probably with a URL </FONT> <BR><FONT SIZE=2>(ldap://...)). The boolean flags would be set based on the contents of the </FONT> <BR><FONT SIZE=2>CRL (probably all FALSE). The reason codes would also be set based on the </FONT> <BR><FONT SIZE=2>contents of the CRL (probably absent).</FONT> </P> <P><FONT SIZE=2>Russ</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CCF3.B68BFA40-- Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA10731 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 12:27:25 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3OJRGq10114; Tue, 24 Apr 2001 12:27:17 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "Tom Gindin" <tgindin@us.ibm.com> Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs and NR Date: Tue, 24 Apr 2001 12:25:48 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDOEFHCAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE287@scygmxs01.cygnacom.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal I understand. But the trajectory of the dialog seemed to be suggesting elimination the full CRL context, hence in that forward scenario one would have no choice but to face the accumulation task. Also, the proposal to enable a different period of production between a full CRL and its associated deltas (thus enabling periods of delta-only activity between full CRL production) does suggest that there might exists cases where more than one delta is necessary to span the gap between fulls. Mike -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Tuesday, April 24, 2001 12:11 PM To: Michael Myers; Tom Gindin Cc: David P. Kemp; ietf-pkix@imc.org Subject: RE: delta-CRLs and NR Mike: You do NOT need to accumulate all the relevant deltas. You only need the referenced base or later and the delta in "your hand" to create a full revocation picture. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA10018 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 12:20:30 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JSB1PL59>; Tue, 24 Apr 2001 15:20:00 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE287@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Michael Myers <myers@coastside.net>, Tom Gindin <tgindin@us.ibm.com> Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Subject: RE: delta-CRLs and NR Date: Tue, 24 Apr 2001 15:11:09 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CCF2.51AC6B60" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CCF2.51AC6B60 Content-Type: text/plain; charset="iso-8859-1" Mike: You do NOT need to accumulate all the relevant deltas. You only need the referenced base or later and the delta in "your hand" to create a full revocation picture. -----Original Message----- From: Michael Myers [mailto:myers@coastside.net] Sent: Tuesday, April 24, 2001 2:32 PM To: Tom Gindin Cc: David P. Kemp; ietf-pkix@imc.org Subject: RE: delta-CRLs and NR Tom, Perhaps I should have used the term "dispute resolution process" instead of "non-repudiation". I was thinking more in terms of that process and the general notion that one can never have too much documentation proving one's point--i.e. in this case the indisputably "full" CRL-- whereas in day to day activities the efficiencies gained by deltas cover what undoubtedly will be the vastly larger number of undisputed transactions. So I was thinking that it would be unwise for us to needlessly burden 99%(?) of the solution space to address issues associated with the remaining 1%, hence break out fulls from deltas. Now, I'm not a lawyer, but that all said, I think the assured presence of a full CRL in the case of a "dispute resolution event" would very useful to that 1%. One is otherwise faced with proving that one had fully accumulated all relevant deltas. Thus mandate fulls as an assured baseline regardless of the PKI context, but with perhaps a longer production period that nonetheless contributes evidence to a possible discovery process. Again, I'm not a lawyer, but I have played with them on the street. Ultimately, I'm still convinced that the only effective resolution is a dynamically produced, digitally signed assertion (i.e. OCSPv2 with its DPV extension). But that's an entirely different buffalo hunt. Mike > -----Original Message----- > From: Tom Gindin [mailto:tgindin@us.ibm.com] > Sent: Tuesday, April 24, 2001 10:43 AM > To: Michael Myers > Cc: David P. Kemp; ietf-pkix@imc.org > Subject: RE: delta-CRLs and NR > > > > When non-repudiation is an actual practice, doesn't the revocation > status need to be checked as of a time no earlier than the actual > signature > of the non-repudiable message or document? And won't a full CRL (or a > delta, for that matter) rarely have been published with such an effective > time at the time an RP initially receives such a message or document? > It is perfectly true that it is much easier to check a > single full CRL > than a CRL with deltas. However, I don't see why the problem is more > severe for NR except that an NR system is even less tolerant of false > negatives on revocation than authentication is. > > Tom Gindin > ------_=_NextPart_001_01C0CCF2.51AC6B60 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta-CRLs and NR</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Mike:</FONT> </P> <P><FONT SIZE=3D2>You do NOT need to accumulate all the relevant = deltas. You only need the referenced base or later and the delta = in "your hand" to create a full revocation = picture.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Michael Myers [<A = HREF=3D"mailto:myers@coastside.net">mailto:myers@coastside.net</A>]</FON= T> <BR><FONT SIZE=3D2>Sent: Tuesday, April 24, 2001 2:32 PM</FONT> <BR><FONT SIZE=3D2>To: Tom Gindin</FONT> <BR><FONT SIZE=3D2>Cc: David P. Kemp; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs and NR</FONT> </P> <BR> <P><FONT SIZE=3D2>Tom,</FONT> </P> <P><FONT SIZE=3D2>Perhaps I should have used the term "dispute = resolution process" instead of</FONT> <BR><FONT SIZE=3D2>"non-repudiation". I was thinking = more in terms of that process and the</FONT> <BR><FONT SIZE=3D2>general notion that one can never have too much = documentation proving one's</FONT> <BR><FONT SIZE=3D2>point--i.e. in this case the indisputably = "full" CRL-- whereas in day to day</FONT> <BR><FONT SIZE=3D2>activities the efficiencies gained by deltas cover = what undoubtedly will be</FONT> <BR><FONT SIZE=3D2>the vastly larger number of undisputed = transactions.</FONT> </P> <P><FONT SIZE=3D2>So I was thinking that it would be unwise for us to = needlessly burden 99%(?)</FONT> <BR><FONT SIZE=3D2>of the solution space to address issues associated = with the remaining 1%,</FONT> <BR><FONT SIZE=3D2>hence break out fulls from deltas. Now, I'm = not a lawyer, but that all</FONT> <BR><FONT SIZE=3D2>said, I think the assured presence of a full CRL in = the case of a "dispute</FONT> <BR><FONT SIZE=3D2>resolution event" would very useful to that = 1%. One is otherwise faced with</FONT> <BR><FONT SIZE=3D2>proving that one had fully accumulated all relevant = deltas. Thus mandate</FONT> <BR><FONT SIZE=3D2>fulls as an assured baseline regardless of the PKI = context, but with perhaps</FONT> <BR><FONT SIZE=3D2>a longer production period that nonetheless = contributes evidence to a</FONT> <BR><FONT SIZE=3D2>possible discovery process. Again, I'm not a = lawyer, but I have played with</FONT> <BR><FONT SIZE=3D2>them on the street.</FONT> </P> <P><FONT SIZE=3D2>Ultimately, I'm still convinced that the only = effective resolution is a</FONT> <BR><FONT SIZE=3D2>dynamically produced, digitally signed assertion = (i.e. OCSPv2 with its DPV</FONT> <BR><FONT SIZE=3D2>extension). But that's an entirely different = buffalo hunt.</FONT> </P> <P><FONT SIZE=3D2>Mike</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Tom Gindin [<A = HREF=3D"mailto:tgindin@us.ibm.com">mailto:tgindin@us.ibm.com</A>]</FONT>= <BR><FONT SIZE=3D2>> Sent: Tuesday, April 24, 2001 10:43 AM</FONT> <BR><FONT SIZE=3D2>> To: Michael Myers</FONT> <BR><FONT SIZE=3D2>> Cc: David P. Kemp; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: RE: delta-CRLs and NR</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> When = non-repudiation is an actual practice, doesn't the revocation</FONT> <BR><FONT SIZE=3D2>> status need to be checked as of a time no = earlier than the actual</FONT> <BR><FONT SIZE=3D2>> signature</FONT> <BR><FONT SIZE=3D2>> of the non-repudiable message or = document? And won't a full CRL (or a</FONT> <BR><FONT SIZE=3D2>> delta, for that matter) rarely have been = published with such an effective</FONT> <BR><FONT SIZE=3D2>> time at the time an RP initially receives such = a message or document?</FONT> <BR><FONT SIZE=3D2>> It is perfectly = true that it is much easier to check a</FONT> <BR><FONT SIZE=3D2>> single full CRL</FONT> <BR><FONT SIZE=3D2>> than a CRL with deltas. However, I don't = see why the problem is more</FONT> <BR><FONT SIZE=3D2>> severe for NR except that an NR system is even = less tolerant of false</FONT> <BR><FONT SIZE=3D2>> negatives on revocation than authentication = is.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT = SIZE=3D2>>  = ; Tom Gindin</FONT> <BR><FONT SIZE=3D2>></FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CCF2.51AC6B60-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id MAA09558 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 12:18:50 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 24 Apr 2001 19:18:50 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id PAA28089; Tue, 24 Apr 2001 15:18:46 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JS35YVTT>; Tue, 24 Apr 2001 15:18:46 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.102]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JS35YVTR; Tue, 24 Apr 2001 15:18:40 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: Santosh Chokhani <chokhani@cygnacom.com>, ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010424150514.01b30eb8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 24 Apr 2001 15:10:42 -0400 Subject: RE: Dedicated CRL signing keys In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE204@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 05:25 PM 4/23/2001 -0400, Santosh Chokhani wrote: > >First, I think that the restriction that a CA who desires to issue > >Indirect CRL needs to set itself up as a separate name is unduly > >restrictive. There is no need for a CA to do that. A CA can issue a full > >CRL as well as an Indirect CRL and populate these in the same or different > >entries (i.e., CRL DP) in the directory. Please review Annex B of X.509 > >for how to process CRL. So, may be Russ can explain why this requirement > >comes about. > >I agree that the use of a separate name is overly restrictive. That >portion of my suggestion was, in hind sight, a bad idea. As Tim Polk >pointed out, CAs cannot change their names when they rekey. > >I think that everyone agrees that a CA makes a commitment to provide some >form of revocation information for the duration of the certificate >life. When CRLs are employed, does the CA use the same key to sign the CRL >as was used to sign the certificate? Clearly, the CA is permitted to use >different keys -- the key usage bits are there to allow this >separation. However, several clients cannot handle this situation, and >they would like to see an error message that says "unsupported feature" >instead of "signature invalid." > >Perhaps CA rekey will lead us to an answer. When a CA rekeys, does it are >subsequent CRLs signed with the new key or the old one? A CA could >generate one CRL with each key. They two CRLs could even be distributed by >different distribution point to avoid the download of CRLs that cannot be >employed. Alternatively, the CA could publish one CRL signed with the new >key. This leads to the scenario where cert path construction must be >evoked to generate validate the CRL when trying to validate a certificate >signed by the old key. This is the behavior that we are trying to make >SHOULD. > >Therefore, the CA MUST generate the CRL using the same key as was used to >sign the certificate, or it MUST include an extension in the CRL to >indicate that cert path construction might be needed to validate the CRL >signature. I proposed that an Issuing Distribution Point (IDP) CRL >extension might be the correct approach. The IDP extension will not be >supported by the simple clients, so they can generate the "unsupported >feature" error, and the more complex clients can use the information in the >IDP to support path construction. They will of course, also use Authority >Key Identifier extension. > >{Santosh Says: Item 1 will require a change to the IDP extension >syntax. Would n't that make PKIX non-compliant with X.509?) The IDP syntax is: issuingDistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, onlySomeReasons [3] ReasonFlags OPTIONAL, indirectCRL [4] BOOLEAN DEFAULT FALSE } I was simply suggesting that this extension be present if the CRL is signed with a key other than the one used to sign the certificate. I would expect the distributionPoint field to be present (probably with a URL (ldap://...)). The boolean flags would be set based on the contents of the CRL (probably all FALSE). The reason codes would also be set based on the contents of the CRL (probably absent). Russ Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id MAA09559 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 12:18:51 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 24 Apr 2001 19:18:51 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id PAA28090; Tue, 24 Apr 2001 15:18:46 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JS35YVTS>; Tue, 24 Apr 2001 15:18:46 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.102]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JS35YVTQ; Tue, 24 Apr 2001 15:18:39 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Sharon Boeyen <sharon.boeyen@entrust.com> Cc: "'Carlin Covey'" <ccovey@cylink.com>, ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010424150244.01b39e68@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 24 Apr 2001 15:03:14 -0400 Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.t xt comments) In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FC4@sottmxs09.entrust .com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed I strongly agree with this observation. At 04:10 PM 4/23/2001 -0400, Sharon Boeyen wrote: >I suspect indirectDeltas are beyond the scope of what 2459 plans to cover Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA08180 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 11:50:33 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id OAA25671 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 14:50:05 -0400 (EDT) Message-Id: <200104241850.OAA25667@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Tue, 24 Apr 2001 14:48:09 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: keyCertSign and cRLSign Key Usage Bits Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Russ, With regard to keyCertSign: I still don't see a definition of "CA certificates", so I still think sentence 2 ("This bit MUST only be asserted in CA certificates.") should be deleted. Is the following true? If the cA bit or the keyCertSign bit is asserted, then the certificate is a CA certificate. If neither the cA bit nor the keyCertSign bit are asserted, then the certificate is not a CA certificate. If those statements are true, then sentence 2 adds nothing except confusion: there is the question of whether it is the identical requirement to sentence 3 or a different requirement. Sentences 3 and 4 are quite sufficient; sentence 2 should be deleted. --------------------------------------------------------------------- The second paragraph assumes that we have consensus that the cA bit should be used to determine which authorities can revoke which certs. I don't believe there is consensus on that point. Additionally: * Sentences 1 and 2 are redundant; only one of them is needed. * Sentence 3 does not contain any useful information about cRLSign. (If the cRLSign bit is *not* asserted in a CA certificate, the cA bit must still be asserted.) * Sentence 4 is a policy statement unrelated to CRL signing. Do we have consensus that a CA may not also be an AA? If so, that policy should be stated under attribute certificate issuance, not under key usage. * Sentence 5 does not define "AA certificates". Should an AA be able to sign CRLs using a new key which lists ACs signed with the old key? Should an AA be able to delegate CRL signing to a key that cannot sign ACs? (I believe the consensus is yes on both counts.) If so, and if PKIX is to have a testable requirement along the lines of your new langage, then it must tell implementations how to recognize an "AA certificate", including one that can revoke but cannot sign ACs. * The final sentence is repeated verbatim from paragraph 1; does it have any greater effect if written twice? ------------------- I propose something quite close to the language in new-part1-04. The rest of your new cRLSign language is just fluff because there is no way to determine whether an application complies with it. The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the keyCertSign bit nor the cRLSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit MUST be asserted when the subject public key is used for verifying a signature on certificate revocation lists (e.g., CRLs or ARLs). {If the cRLSign bit is asserted, then either the cA bit in the basic constraints extension or the the authority bit in the basicAttConstraints extension MUST also be asserted.}* * The last sentence, in {braces}, is an example of how one might write a testable requirement. I don't actually believe it should be included in 2459bis. If PKIX wants to use the cA bit to control revocation, and it is not going to profile X.509's SOAIdentifier or basicAttConstraints extensions, then it MUST use something other than handwaving to distinguish EE certs from AA certs. That's why I don't believe there should be any linkage between the cRLSign bit and the cA bit. Dave "Housley, Russ" wrote: > > The consensus on these bits is not totally clear to me. Yet, several > points have been consistently, and I think that the following text > incorporates them. The debate regarding he linkage between these bits and > the cA bit in the basic constraints extension does not seem to be over, and > I have not made any changes in that area. Please use this new thread to > discuss any remaining unresolved points. > > The keyCertSign bit is asserted when the subject public key is > used for verifying a signature on public key certificates. This > bit MUST only be asserted in CA certificates. If the keyCertSign > bit is asserted, then the cA bit in the basic constraints > extension (see 4.2.1.10) MUST also be asserted. If neither the > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > in the basic constraints extension MUST NOT be asserted. > > The cRLSign bit is asserted when the subject public key is used > for verifying a signature on a certificate revocation list (e.g., > a CRL or an ARL). This bit MUST be asserted in CA and Attribute > Authority (AA) certificates that are used to verify signatures on > CRLs. If the cRLSign bit is asserted in a CA certificate, then > the cA bit in the basic constraints extension (see 4.2.1.10) MUST > also be asserted. If the cRLSign bit is asserted in a AA > certificate, then the cA bit in the basic constraints extension > MUST NOT be asserted. Such AA certificates MUST NOT be used to > verify signatures on CRLs containing revocation information for > public key certificates; however, these AA certificates MAY be > used to verify signatures on CRLs containing revocation > information concerning attribute certificates. If neither the > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > in the basic constraints extension MUST NOT be asserted. > > Russ Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA07985 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 11:50:06 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id OAA63472; Tue, 24 Apr 2001 14:48:09 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id OAA61920; Tue, 24 Apr 2001 14:44:40 -0400 Importance: Normal Subject: RE: delta-CRLs and NR To: "Michael Myers" <myers@coastside.net> Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF9A2BC894.3FF85EAF-ON85256A38.00667491@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Tue, 24 Apr 2001 14:49:40 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 04/24/2001 02:49:35 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii The dispute resolver's point of view is indeed the critical one for NR. However, 2459 section 5.2.4 says that it only takes one delta CRL in combination with its base CRL to give all the information in a full CRL with the effective time of the delta. Thus, the data to be checked during dispute resolution would only need to consist of either a full CRL with time after the document signature or of a delta CRL with such a time along with its base CRL, as would the data which the RP or escrow holder need to archive. Thank you for your help on this, as I need to clarify some wording in the techNR draft. Tom Gindin "Michael Myers" <myers@coastside.net> on 04/24/2001 02:31:45 PM To: Tom Gindin/Watson/IBM@IBMUS cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs and NR Tom, Perhaps I should have used the term "dispute resolution process" instead of "non-repudiation". I was thinking more in terms of that process and the general notion that one can never have too much documentation proving one's point--i.e. in this case the indisputably "full" CRL-- whereas in day to day activities the efficiencies gained by deltas cover what undoubtedly will be the vastly larger number of undisputed transactions. So I was thinking that it would be unwise for us to needlessly burden 99% (?) of the solution space to address issues associated with the remaining 1%, hence break out fulls from deltas. Now, I'm not a lawyer, but that all said, I think the assured presence of a full CRL in the case of a "dispute resolution event" would very useful to that 1%. One is otherwise faced with proving that one had fully accumulated all relevant deltas. Thus mandate fulls as an assured baseline regardless of the PKI context, but with perhaps a longer production period that nonetheless contributes evidence to a possible discovery process. Again, I'm not a lawyer, but I have played with them on the street. Ultimately, I'm still convinced that the only effective resolution is a dynamically produced, digitally signed assertion (i.e. OCSPv2 with its DPV extension). But that's an entirely different buffalo hunt. Mike > -----Original Message----- > From: Tom Gindin [mailto:tgindin@us.ibm.com] > Sent: Tuesday, April 24, 2001 10:43 AM > To: Michael Myers > Cc: David P. Kemp; ietf-pkix@imc.org > Subject: RE: delta-CRLs and NR > > > > When non-repudiation is an actual practice, doesn't the revocation > status need to be checked as of a time no earlier than the actual > signature > of the non-repudiable message or document? And won't a full CRL (or a > delta, for that matter) rarely have been published with such an effective > time at the time an RP initially receives such a message or document? > It is perfectly true that it is much easier to check a > single full CRL > than a CRL with deltas. However, I don't see why the problem is more > severe for NR except that an NR system is even less tolerant of false > negatives on revocation than authentication is. > > Tom Gindin > Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA07479 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 11:44:02 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-2.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id LAA28442; Tue, 24 Apr 2001 11:43:33 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id LAA13575; Tue, 24 Apr 2001 11:43:33 -0700 (PDT) Message-Id: <4.3.2.7.2.20010424112937.00af33e0@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 24 Apr 2001 11:48:30 -0700 To: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: Re: keyCertSign and cRLSign Key Usage Bits In-Reply-To: <5.0.1.4.2.20010424103004.01af3340@exna07.securitydynamics. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 10:36 AM 4/24/01 -0400, Housley, Russ wrote: >The consensus on these bits is not totally clear to me. Yet, several >points have been consistently, and I think that the following text >incorporates them. The debate regarding he linkage between these bits and >the cA bit in the basic constraints extension does not seem to be over, >and I have not made any changes in that area. Please use this new thread >to discuss any remaining unresolved points. > > The keyCertSign bit is asserted when the subject public key is > used for verifying a signature on public key certificates. This > bit MUST only be asserted in CA certificates. If the keyCertSign > bit is asserted, then the cA bit in the basic constraints > extension (see 4.2.1.10) MUST also be asserted. If neither the > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > in the basic constraints extension MUST NOT be asserted. Russ, Just a clarification on grammar. I find the statement, > "This bit MUST only be asserted in CA certificates" to be a source of ambiguity. It can be interpreted either as A) It is a "MUST" that the bit be set ONLY in CA certificates. I.e., "bit asserted" implies "CA certificate" (This is the correct grammatical interpretation.) or B) It is a "MUST" that the bit be set ONLY in CA certificates, AND the bit MUST BE set in all CA certificates. I.e., "bit asserted" IFF "CA certificate" (This is not what is grammatically implied by the statement, but it "sounds like" it is.) ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA07025 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 11:38:04 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 24 Apr 2001 18:38:04 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA24234 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 14:38:05 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <JS35YT7X>; Tue, 24 Apr 2001 14:38:05 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.102]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JS35YT7M; Tue, 24 Apr 2001 14:38:00 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010424140721.00b0f598@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 24 Apr 2001 14:26:38 -0400 Subject: RE: Dedicated CRL signing keys In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE217@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Santosh: Interoperability is just as important as security. Further, complexity leads to implementation flaws which reduces security. In several places, the working group has decided that interoperability is more important than security. In fact, the PKIX profile does not require that a CA issue CRLs (see section 3.3, last paragraph). The PKIX profile places requirements on CAs and clients. How can we say that clients MUST be able to handle certs and CRLs signed with different keys when we do not require CAs to issue them at all? Further, placing such a requirement on clients forces them to be able to build certification paths during CRL checking. We already know that some clients cannot do this (an interoperability issue). And, asking them to do so will add complexity (a security assurance issue). Russ At 08:54 AM 4/24/2001 -0400, Santosh Chokhani wrote: >Russ: > >One of your comments yesterday was that we can make a choice between >simpler client and operational security when I said that some >implementations require separate CRL signing keys for operational security >reasons. > >While I agree with you that this is a trade-off an enterprise needs to >make. But, I think the Internet RFC should not make such a choice. I am >saying that the RFC should permit both: simple client (same key for >certificate and CRL signing) as well as different keys for certificate and >CRL signing. > >PKIX working group is after all, all about security. We should not say >that a secure implementation is not compliant with PKIX. Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA06649 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 11:33:16 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3OIXDq03633; Tue, 24 Apr 2001 11:33:13 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Tom Gindin" <tgindin@us.ibm.com> Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs and NR Date: Tue, 24 Apr 2001 11:31:45 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDKEFECAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <OF6CE787E8.6F370D41-ON85256A38.0060A67A@somers.hqregion.ibm.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Tom, Perhaps I should have used the term "dispute resolution process" instead of "non-repudiation". I was thinking more in terms of that process and the general notion that one can never have too much documentation proving one's point--i.e. in this case the indisputably "full" CRL-- whereas in day to day activities the efficiencies gained by deltas cover what undoubtedly will be the vastly larger number of undisputed transactions. So I was thinking that it would be unwise for us to needlessly burden 99%(?) of the solution space to address issues associated with the remaining 1%, hence break out fulls from deltas. Now, I'm not a lawyer, but that all said, I think the assured presence of a full CRL in the case of a "dispute resolution event" would very useful to that 1%. One is otherwise faced with proving that one had fully accumulated all relevant deltas. Thus mandate fulls as an assured baseline regardless of the PKI context, but with perhaps a longer production period that nonetheless contributes evidence to a possible discovery process. Again, I'm not a lawyer, but I have played with them on the street. Ultimately, I'm still convinced that the only effective resolution is a dynamically produced, digitally signed assertion (i.e. OCSPv2 with its DPV extension). But that's an entirely different buffalo hunt. Mike > -----Original Message----- > From: Tom Gindin [mailto:tgindin@us.ibm.com] > Sent: Tuesday, April 24, 2001 10:43 AM > To: Michael Myers > Cc: David P. Kemp; ietf-pkix@imc.org > Subject: RE: delta-CRLs and NR > > > > When non-repudiation is an actual practice, doesn't the revocation > status need to be checked as of a time no earlier than the actual > signature > of the non-repudiable message or document? And won't a full CRL (or a > delta, for that matter) rarely have been published with such an effective > time at the time an RP initially receives such a message or document? > It is perfectly true that it is much easier to check a > single full CRL > than a CRL with deltas. However, I don't see why the problem is more > severe for NR except that an NR system is even less tolerant of false > negatives on revocation than authentication is. > > Tom Gindin > Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA04530 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 10:56:31 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GCB00K015UHH4@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 24 Apr 2001 10:56:41 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GCB00JL55UGP8@ext-mail.valicert.com>; Tue, 24 Apr 2001 10:56:41 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26P72Z>; Tue, 24 Apr 2001 10:55:20 -0700 Content-return: allowed Date: Tue, 24 Apr 2001 10:55:20 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: keyCertSign and cRLSign Key Usage Bits To: "'Santosh Chokhani'" <chokhani@cygnacom.com>, "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C65@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: multipart/alternative; boundary="Boundary_(ID_zhpmWWWEGepGsY3IvLfDxg)" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --Boundary_(ID_zhpmWWWEGepGsY3IvLfDxg) Content-type: text/plain; charset="iso-8859-1" I agree, also. Ambarish --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com <http://www.valicert.com/> Mountain View, CA 94043 -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Tuesday, April 24, 2001 8:22 AM To: Housley, Russ; ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Russ: I agree with the text. I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI). But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension. -----Original Message----- From: Housley, Russ [ mailto:rhousley@rsasecurity.com <mailto:rhousley@rsasecurity.com> ] Sent: Tuesday, April 24, 2001 10:37 AM To: ietf-pkix@imc.org Subject: keyCertSign and cRLSign Key Usage Bits The consensus on these bits is not totally clear to me. Yet, several points have been consistently, and I think that the following text incorporates them. The debate regarding he linkage between these bits and the cA bit in the basic constraints extension does not seem to be over, and I have not made any changes in that area. Please use this new thread to discuss any remaining unresolved points. The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. This bit MUST only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on a certificate revocation list (e.g., a CRL or an ARL). This bit MUST be asserted in CA and Attribute Authority (AA) certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. Such AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates; however, these AA certificates MAY be used to verify signatures on CRLs containing revocation information concerning attribute certificates. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Russ --Boundary_(ID_zhpmWWWEGepGsY3IvLfDxg) Content-type: text/html; charset="iso-8859-1" Content-transfer-encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <TITLE>RE: keyCertSign and cRLSign Key Usage Bits</TITLE> <META content=3D"MSHTML 5.50.4134.600" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT face=3DArial color=3D#0000ff size=3D2></FONT> </DIV> <DIV><SPAN class=3D292385617-24042001><FONT face=3DArial = color=3D#0000ff size=3D2>I=20 agree, also.</FONT></SPAN></DIV> <DIV><SPAN class=3D292385617-24042001><FONT face=3DArial = color=3D#0000ff=20 size=3D2><BR>Ambarish</FONT></SPAN></DIV> <DIV> </DIV> <P><FONT=20 size=3D2>---------------------------------------------------------------= ------<BR>Ambarish=20 Malpani<BR>Architect &nbs= p; &nbs= p; &nbs= p; &nbs= p; =20 650.567.5457<BR>ValiCert,=20 Inc. &n= bsp; &n= bsp; =20 ambarish@valicert.com<BR>339 N. Bernardo=20 Ave. &n= bsp; &n= bsp; =20 <A target=3D_blank=20 href=3D"http://www.valicert.com/">http://www.valicert.com</A><BR>Mountai= n View, CA=20 94043<BR></FONT></P> <BLOCKQUOTE dir=3Dltr=20 style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px = solid; MARGIN-RIGHT: 0px"> <DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Santosh Chokhani=20 [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Tuesday, April 24, = 2001 8:22=20 AM<BR><B>To:</B> Housley, Russ; ietf-pkix@imc.org<BR><B>Subject:</B> = RE:=20 keyCertSign and cRLSign Key Usage Bits<BR><BR></FONT></DIV> <P><FONT size=3D2>Russ: I agree with the text.</FONT> </P> <P><FONT size=3D2>I also know that Steve Kent and Sharon Boeyen feel = that X.509=20 states that only CA can issue CRL (the context of my comments being = PKI only=20 and not PMI).</FONT></P> <P><FONT size=3D2>But, using the theory that you suggest that the = client be=20 forgiving, I would consider a client compliant if it did NOT check = the basic=20 constraint extension while verifying a signature on a CRL. It = need to=20 ensure that the cRLSign bit is set in the keyUsage = extension.</FONT></P> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From:=20 Housley, Russ [<A=20 = href=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT>=20 <BR><FONT size=3D2>Sent: Tuesday, April 24, 2001 10:37 AM</FONT> = <BR><FONT=20 size=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>Subject: = keyCertSign and=20 cRLSign Key Usage Bits</FONT> </P><BR> <P><FONT size=3D2>The consensus on these bits is not totally clear to = me. =20 Yet, several </FONT><BR><FONT size=3D2>points have been consistently, = and I=20 think that the following text </FONT><BR><FONT size=3D2>incorporates = them. =20 The debate regarding he linkage between these bits and = </FONT><BR><FONT=20 size=3D2>the cA bit in the basic constraints extension does not seem = to be over,=20 and </FONT><BR><FONT size=3D2>I have not made any changes in that = area. =20 Please use this new thread to </FONT><BR><FONT size=3D2>discuss any = remaining=20 unresolved points.</FONT> </P> <P><FONT size=3D2> The = keyCertSign bit is=20 asserted when the subject public key is</FONT> <BR><FONT=20 size=3D2> used for verifying a = signature on=20 public key certificates. This</FONT> <BR><FONT=20 size=3D2> bit MUST only be = asserted in CA=20 certificates. If the keyCertSign</FONT> <BR><FONT=20 size=3D2> bit is asserted, then = the cA bit=20 in the basic constraints</FONT> <BR><FONT=20 size=3D2> extension (see = 4.2.1.10) MUST also=20 be asserted. If neither the</FONT> <BR><FONT=20 size=3D2> cRLSign bit nor the = keyCertSign=20 bit are asserted, then the cA bit</FONT> <BR><FONT=20 size=3D2> in the basic = constraints extension=20 MUST NOT be asserted.</FONT> </P> <P><FONT size=3D2> The cRLSign = bit is=20 asserted when the subject public key is used</FONT> <BR><FONT=20 size=3D2> for verifying a = signature on a=20 certificate revocation list (e.g.,</FONT> <BR><FONT=20 size=3D2> a CRL or an ARL). = This bit=20 MUST be asserted in CA and Attribute</FONT> <BR><FONT=20 size=3D2> Authority (AA) = certificates that=20 are used to verify signatures on</FONT> <BR><FONT=20 size=3D2> CRLs. If the = cRLSign bit is=20 asserted in a CA certificate, then</FONT> <BR><FONT=20 size=3D2> the cA bit in the basic = constraints extension (see 4.2.1.10) MUST</FONT> <BR><FONT=20 size=3D2> also be asserted. = If the=20 cRLSign bit is asserted in a AA</FONT> <BR><FONT=20 size=3D2> certificate, then the = cA bit in=20 the basic constraints extension</FONT> <BR><FONT=20 size=3D2> MUST NOT be = asserted. Such=20 AA certificates MUST NOT be used to</FONT> <BR><FONT=20 size=3D2> verify signatures on = CRLs=20 containing revocation information for</FONT> <BR><FONT=20 size=3D2> public key = certificates; however,=20 these AA certificates MAY be</FONT> <BR><FONT=20 size=3D2> used to verify = signatures on CRLs=20 containing revocation</FONT> <BR><FONT=20 size=3D2> information concerning = attribute=20 certificates. If neither the</FONT> <BR><FONT=20 size=3D2> cRLSign bit nor the = keyCertSign=20 bit are asserted, then the cA bit</FONT> <BR><FONT=20 size=3D2> in the basic = constraints extension=20 MUST NOT be asserted.</FONT> </P> <P><FONT size=3D2>Russ </FONT></P></BLOCKQUOTE></BODY></HTML> --Boundary_(ID_zhpmWWWEGepGsY3IvLfDxg)-- Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA03635 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 10:43:27 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id NAA291390; Tue, 24 Apr 2001 13:41:10 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id NAA73886; Tue, 24 Apr 2001 13:37:41 -0400 Importance: Normal Subject: RE: delta-CRLs and NR To: "Michael Myers" <myers@coastside.net> Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF6CE787E8.6F370D41-ON85256A38.0060A67A@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Tue, 24 Apr 2001 13:42:44 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 04/24/2001 01:42:36 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii When non-repudiation is an actual practice, doesn't the revocation status need to be checked as of a time no earlier than the actual signature of the non-repudiable message or document? And won't a full CRL (or a delta, for that matter) rarely have been published with such an effective time at the time an RP initially receives such a message or document? It is perfectly true that it is much easier to check a single full CRL than a CRL with deltas. However, I don't see why the problem is more severe for NR except that an NR system is even less tolerant of false negatives on revocation than authentication is. Tom Gindin "Michael Myers" <myers@coastside.net> on 04/23/2001 02:30:39 PM To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> cc: Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Dave, But in a broader sense, isn't that precisely the problem directory replication is all about? It would be useful to hear of empirical studies establishing the extent to which PKI information management today dominates directory (X.500, LDAP) operations. I advocate that we need to know what today's ground truth tells us before we flip this parity bit; else wiggle the text as I proposed and so provide everybody the tuning knobs they want to tailor the standard to local needs. More tactically, one could produce a full CRL as a "backup" but let the delta practice take the burden of timeliness and bandwidth efficiency. But in all cases where non-repudiation becomes a true (vice theoretical) issue, there MUST be a full CRL around somewhere that cleanly establishes a context. Else one is faced with reconstituting the full context via re-accumulation of all the relevant deltas. Not an easy task either, and one prone to error. Given the ease with which a full CRL can be produced (assuming mechanisms are in place to produce deltas), just crontab two periods: a "full" production and a "delta" production, with the period of the latter shorter than the former. You don't have to push the full CRL all over the place, but at a minimum certainly have it available. A systems-level tradeoff, as always. But dumping full CRLs entirely and trusting deltas exclusively isn't something I'd advocate to any enterprise concerned about its risk management practices. Mike > -----Original Message----- > From: dpkemp@stingray.missi.ncsc.mil > . . . > The problem is that once the full CRL is signed, it is transmitted across > the network to directory/database/repository replicas and to clients. > If you are a PKI provider (as I am), and you have to provision 3.5 > million subscribers, the cost of that provisioning with full CRLs is > prohibitive, whereas the cost of provisioning with deltas is not. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA01097 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 10:08:19 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JSB1PJL8>; Tue, 24 Apr 2001 13:07:49 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE258@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Tom Gindin <tgindin@us.ibm.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org, "Russell Housley (E-mail)" <rhousley@rsasecurity.com> Subject: RE: Dedicated CRL signing keys Date: Tue, 24 Apr 2001 12:58:57 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CCDF.DA264B90" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CCDF.DA264B90 Content-Type: text/plain; charset="iso-8859-1" Tom: I agree with most of what you said. If the CRL signing certificate is self-issued, then it should appear in caCertificate attribute. But, if it is issued by another authority, then it must appear in the crossCertificatePair attribute. In addition, if the issuing authority is in the domain of the subject CA, it must also appear in the caCertificate attribute. The above is based on my understanding on LDAP schema language we agreed to back in 1998 or 1999 after much debate. -----Original Message----- From: Tom Gindin [mailto:tgindin@us.ibm.com] Sent: Tuesday, April 24, 2001 1:02 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org; Russell Housley (E-mail) Subject: RE: Dedicated CRL signing keys On a related point, is it agreed by all that directory publication of CRL signing certificates with the same DN as the CA signing certificate should occur in the caCertificate attribute, and thus a directory-enabled client may find CRL signing certificates by scanning that attribute for certificates which either contain the CRLSign bit within the KeyUsage extension or don't contain the KeyUsage extension at all? RFC 2587 doesn't say anything about this as far as I can tell. Tom Gindin Santosh Chokhani <chokhani@cygnacom.com> on 04/24/2001 08:54:47 AM To: ietf-pkix@imc.org, "Russell Housley (E-mail)" <rhousley@rsasecurity.com> cc: Subject: RE: Dedicated CRL signing keys Russ: One of your comments yesterday was that we can make a choice between simpler client and operational security when I said that some implementations require separate CRL signing keys for operational security reasons. While I agree with you that this is a trade-off an enterprise needs to make. But, I think the Internet RFC should not make such a choice. I am saying that the RFC should permit both: simple client (same key for certificate and CRL signing) as well as different keys for certificate and CRL signing. PKIX working group is after all, all about security. We should not say that a secure implementation is not compliant with PKIX. ------_=_NextPart_001_01C0CCDF.DA264B90 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Dedicated CRL signing keys</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Tom:</FONT> </P> <P><FONT SIZE=3D2>I agree with most of what you said. If the CRL = signing certificate is self-issued, then it should appear in = caCertificate attribute.</FONT></P> <P><FONT SIZE=3D2>But, if it is issued by another authority, then it = must appear in the crossCertificatePair attribute. In addition, = if the issuing authority is in the domain of the subject CA, it must = also appear in the caCertificate attribute.</FONT></P> <P><FONT SIZE=3D2>The above is based on my understanding on LDAP schema = language we agreed to back in 1998 or 1999 after much debate. </FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Tom Gindin [<A = HREF=3D"mailto:tgindin@us.ibm.com">mailto:tgindin@us.ibm.com</A>]</FONT>= <BR><FONT SIZE=3D2>Sent: Tuesday, April 24, 2001 1:02 PM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org; Russell Housley = (E-mail)</FONT> <BR><FONT SIZE=3D2>Subject: RE: Dedicated CRL signing keys</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2> On a related point, is it = agreed by all that directory publication of</FONT> <BR><FONT SIZE=3D2>CRL signing certificates with the same DN as the CA = signing certificate</FONT> <BR><FONT SIZE=3D2>should occur in the caCertificate attribute, and = thus a directory-enabled</FONT> <BR><FONT SIZE=3D2>client may find CRL signing certificates by scanning = that attribute for</FONT> <BR><FONT SIZE=3D2>certificates which either contain the CRLSign bit = within the KeyUsage</FONT> <BR><FONT SIZE=3D2>extension or don't contain the KeyUsage extension at = all? RFC 2587 doesn't</FONT> <BR><FONT SIZE=3D2>say anything about this as far as I can tell.</FONT> </P> <P><FONT = SIZE=3D2> Tom = Gindin</FONT> </P> <BR> <P><FONT SIZE=3D2>Santosh Chokhani <chokhani@cygnacom.com> on = 04/24/2001 08:54:47 AM</FONT> </P> <P><FONT SIZE=3D2>To: ietf-pkix@imc.org, "Russell = Housley (E-mail)"</FONT> <BR><FONT SIZE=3D2> = <rhousley@rsasecurity.com></FONT> <BR><FONT SIZE=3D2>cc:</FONT> <BR><FONT SIZE=3D2>Subject: RE: Dedicated CRL signing keys</FONT> </P> <BR> <P><FONT SIZE=3D2>Russ:</FONT> </P> <BR> <P><FONT SIZE=3D2>One of your comments yesterday was that we can make a = choice between</FONT> <BR><FONT SIZE=3D2>simpler client and operational security when I said = that some</FONT> <BR><FONT SIZE=3D2>implementations require separate CRL signing keys = for operational security</FONT> <BR><FONT SIZE=3D2>reasons.</FONT> </P> <BR> <P><FONT SIZE=3D2>While I agree with you that this is a trade-off an = enterprise needs to</FONT> <BR><FONT SIZE=3D2>make. But, I think the Internet RFC should not = make such a choice. I am</FONT> <BR><FONT SIZE=3D2>saying that the RFC should permit both: simple = client (same key for</FONT> <BR><FONT SIZE=3D2>certificate and CRL signing) as well as different = keys for certificate and</FONT> <BR><FONT SIZE=3D2>CRL signing.</FONT> </P> <BR> <P><FONT SIZE=3D2>PKIX working group is after all, all about = security. We should not say</FONT> <BR><FONT SIZE=3D2>that a secure implementation is not compliant with = PKIX.</FONT> </P> <BR> </BODY> </HTML> ------_=_NextPart_001_01C0CCDF.DA264B90-- Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA00537 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 10:03:14 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id NAA144092; Tue, 24 Apr 2001 13:00:45 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id MAA81494; Tue, 24 Apr 2001 12:56:53 -0400 Importance: Normal Subject: RE: Dedicated CRL signing keys To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org, "Russell Housley (E-mail)" <rhousley@rsasecurity.com> X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF2A572A59.D5AFE154-ON85256A38.005CDD9F@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Tue, 24 Apr 2001 13:01:53 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 04/24/2001 01:02:11 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii On a related point, is it agreed by all that directory publication of CRL signing certificates with the same DN as the CA signing certificate should occur in the caCertificate attribute, and thus a directory-enabled client may find CRL signing certificates by scanning that attribute for certificates which either contain the CRLSign bit within the KeyUsage extension or don't contain the KeyUsage extension at all? RFC 2587 doesn't say anything about this as far as I can tell. Tom Gindin Santosh Chokhani <chokhani@cygnacom.com> on 04/24/2001 08:54:47 AM To: ietf-pkix@imc.org, "Russell Housley (E-mail)" <rhousley@rsasecurity.com> cc: Subject: RE: Dedicated CRL signing keys Russ: One of your comments yesterday was that we can make a choice between simpler client and operational security when I said that some implementations require separate CRL signing keys for operational security reasons. While I agree with you that this is a trade-off an enterprise needs to make. But, I think the Internet RFC should not make such a choice. I am saying that the RFC should permit both: simple client (same key for certificate and CRL signing) as well as different keys for certificate and CRL signing. PKIX working group is after all, all about security. We should not say that a secure implementation is not compliant with PKIX. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA21270 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 08:31:51 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JSB1PHXQ>; Tue, 24 Apr 2001 11:31:18 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE24A@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: keyCertSign and cRLSign Key Usage Bits Date: Tue, 24 Apr 2001 11:22:25 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CCD2.5E0DB910" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CCD2.5E0DB910 Content-Type: text/plain; charset="iso-8859-1" Russ: I agree with the text. I also know that Steve Kent and Sharon Boeyen feel that X.509 states that only CA can issue CRL (the context of my comments being PKI only and not PMI). But, using the theory that you suggest that the client be forgiving, I would consider a client compliant if it did NOT check the basic constraint extension while verifying a signature on a CRL. It need to ensure that the cRLSign bit is set in the keyUsage extension. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Tuesday, April 24, 2001 10:37 AM To: ietf-pkix@imc.org Subject: keyCertSign and cRLSign Key Usage Bits The consensus on these bits is not totally clear to me. Yet, several points have been consistently, and I think that the following text incorporates them. The debate regarding he linkage between these bits and the cA bit in the basic constraints extension does not seem to be over, and I have not made any changes in that area. Please use this new thread to discuss any remaining unresolved points. The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. This bit MUST only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on a certificate revocation list (e.g., a CRL or an ARL). This bit MUST be asserted in CA and Attribute Authority (AA) certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. Such AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates; however, these AA certificates MAY be used to verify signatures on CRLs containing revocation information concerning attribute certificates. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Russ ------_=_NextPart_001_01C0CCD2.5E0DB910 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: keyCertSign and cRLSign Key Usage Bits</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ: I agree with the text.</FONT> </P> <P><FONT SIZE=3D2>I also know that Steve Kent and Sharon Boeyen feel = that X.509 states that only CA can issue CRL (the context of my = comments being PKI only and not PMI).</FONT></P> <P><FONT SIZE=3D2>But, using the theory that you suggest that the = client be forgiving, I would consider a client compliant if it did NOT = check the basic constraint extension while verifying a signature on a = CRL. It need to ensure that the cRLSign bit is set in the = keyUsage extension.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Tuesday, April 24, 2001 10:37 AM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: keyCertSign and cRLSign Key Usage = Bits</FONT> </P> <BR> <P><FONT SIZE=3D2>The consensus on these bits is not totally clear to = me. Yet, several </FONT> <BR><FONT SIZE=3D2>points have been consistently, and I think that the = following text </FONT> <BR><FONT SIZE=3D2>incorporates them. The debate regarding he = linkage between these bits and </FONT> <BR><FONT SIZE=3D2>the cA bit in the basic constraints extension does = not seem to be over, and </FONT> <BR><FONT SIZE=3D2>I have not made any changes in that area. = Please use this new thread to </FONT> <BR><FONT SIZE=3D2>discuss any remaining unresolved points.</FONT> </P> <P><FONT SIZE=3D2> The keyCertSign = bit is asserted when the subject public key is</FONT> <BR><FONT SIZE=3D2> used for = verifying a signature on public key certificates. This</FONT> <BR><FONT SIZE=3D2> bit MUST only = be asserted in CA certificates. If the keyCertSign</FONT> <BR><FONT SIZE=3D2> bit is = asserted, then the cA bit in the basic constraints</FONT> <BR><FONT SIZE=3D2> extension (see = 4.2.1.10) MUST also be asserted. If neither the</FONT> <BR><FONT SIZE=3D2> cRLSign bit nor = the keyCertSign bit are asserted, then the cA bit</FONT> <BR><FONT SIZE=3D2> in the basic = constraints extension MUST NOT be asserted.</FONT> </P> <P><FONT SIZE=3D2> The cRLSign bit = is asserted when the subject public key is used</FONT> <BR><FONT SIZE=3D2> for verifying a = signature on a certificate revocation list (e.g.,</FONT> <BR><FONT SIZE=3D2> a CRL or an = ARL). This bit MUST be asserted in CA and Attribute</FONT> <BR><FONT SIZE=3D2> Authority (AA) = certificates that are used to verify signatures on</FONT> <BR><FONT SIZE=3D2> CRLs. If = the cRLSign bit is asserted in a CA certificate, then</FONT> <BR><FONT SIZE=3D2> the cA bit in = the basic constraints extension (see 4.2.1.10) MUST</FONT> <BR><FONT SIZE=3D2> also be = asserted. If the cRLSign bit is asserted in a AA</FONT> <BR><FONT SIZE=3D2> certificate, = then the cA bit in the basic constraints extension</FONT> <BR><FONT SIZE=3D2> MUST NOT be = asserted. Such AA certificates MUST NOT be used to</FONT> <BR><FONT SIZE=3D2> verify = signatures on CRLs containing revocation information for</FONT> <BR><FONT SIZE=3D2> public key = certificates; however, these AA certificates MAY be</FONT> <BR><FONT SIZE=3D2> used to verify = signatures on CRLs containing revocation</FONT> <BR><FONT SIZE=3D2> information = concerning attribute certificates. If neither the</FONT> <BR><FONT SIZE=3D2> cRLSign bit nor = the keyCertSign bit are asserted, then the cA bit</FONT> <BR><FONT SIZE=3D2> in the basic = constraints extension MUST NOT be asserted.</FONT> </P> <P><FONT SIZE=3D2>Russ </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CCD2.5E0DB910-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id HAA16654 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 07:41:07 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 24 Apr 2001 14:41:06 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id KAA03449 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 10:41:07 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <HK1A35GC>; Tue, 24 Apr 2001 10:41:03 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.120]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id HK1A35F3; Tue, 24 Apr 2001 10:40:22 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010424103004.01af3340@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 24 Apr 2001 10:36:49 -0400 Subject: keyCertSign and cRLSign Key Usage Bits Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed The consensus on these bits is not totally clear to me. Yet, several points have been consistently, and I think that the following text incorporates them. The debate regarding he linkage between these bits and the cA bit in the basic constraints extension does not seem to be over, and I have not made any changes in that area. Please use this new thread to discuss any remaining unresolved points. The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. This bit MUST only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on a certificate revocation list (e.g., a CRL or an ARL). This bit MUST be asserted in CA and Attribute Authority (AA) certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. Such AA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates; however, these AA certificates MAY be used to verify signatures on CRLs containing revocation information concerning attribute certificates. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Russ Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id HAA16511 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 07:40:26 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 24 Apr 2001 14:40:25 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id KAA03350 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 10:40:26 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <HK1A35FQ>; Tue, 24 Apr 2001 10:40:26 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.120]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id HK1A35FK; Tue, 24 Apr 2001 10:40:19 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010424092659.01af9748@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 24 Apr 2001 09:43:32 -0400 Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments In-Reply-To: <3ADF0833.61D9049F@bull.net> References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis: I agree with Steve Hanna's observation. However, I think that we can include a bit of notice in section 6.1. I propose the following replacement paragraph: A particular certification path may not, however, be appropriate for all applications. Therefore, an application MAY augment this algorithm to further limit the set of valid paths. The path validation process also determines the set of certificate policies that are valid for this path, based on the certificate policies extension, policy mapping extension, policy constraints extension, and inhibit any-policy extension. To achieve this, the path validation algorithm constructs a valid policy tree. If the set of certificate policies that are valid for this path is not empty, then the result will be a valid policy tree of depth n, otherwise the result will be a null valid policy tree. I suggest that we replace the first paragraph of section 6.2. with: The path validation algorithm describes the process of validating a single certification path. While each certification path begins with a specific trust anchor, there is no requirement that all certification paths validated by a particular system share a single trust anchor. An implementation that supports multiple trust anchors MAY augment the algorithm presented in section 6.1 to further limit the set of valid certification paths which begin with a particular trust anchor. For example, an implementation MAY modify the algorithm to apply name constraints to a specific trust anchor during the initialization phase, or the application MAY require the presence of a particular alternative name form in the end entity certificate, or the application MAY impose requirements on application-specific extensions. Thus, the path validation algorithm presented in section 6.1 defines the minimum conditions for a path to be considered valid. Russ At 05:45 PM 4/19/2001 +0200, Denis Pinkas wrote: >One topic per message: This one about applying constraints to the path >validation algorithm. > >In section 6.2 we now have: > > The path validation algorithm describes the process of validating a > single certification path. While each path begins with a specific > trust anchor, there is no requirement that all paths validated by a > particular system share a single trust anchor. An implementation > that supports multiple trust anchors may augment the algorithm > prresented in section 6.1 to further limit the set of valid paths > >...Please a single r for prresented. > > which begin with a particular trust anchor. For example, an > implementation may specify name constraints that apply to a specific > trust anchor. > > >While the sentence is true in the case of multiple trust anchors it is as >well valid for a single one. So a similar sentence is needed in section 6.1. > >In section 6.1 the text says: > > A particular certification path may not, however, be appropriate for > all applications. The path validation process also determines the > set of certificate policies that are valid for this path, based on > the certificate policies extension, policy mapping extension, policy > constraints extension, and inhibit any-policy extension. > >The text should rather say: > > An application may augment the algorithm presented in section 6.1 > to further limit the set of valid paths. For example, an > implementation may specify additional constraints like name > constraints or specific extensions that apply to the application. > Therefor the conditions which are described in this section are > minimum conditions. The path validation process described in this > section determines the minimum conditions that are to be fulfilled > by the certification path for the set of certificate policies > that are valid for this path, based on the certificate policies > extension, policy mapping extension, policy constraints extension, > and inhibit any-policy extension, as well as for the name > constraints, if any. > >The main difference between 6.1 and 6.2 is that the additional contraints >(policy or name constraints) apply globally to the path validation algorithm >when there is one trust anchor (6.1), but may apply on every trust anchor >where there are multiple trust anchors (6.2). > >Denis Received: from exchsvr1.entegrity.com (exchsvr1.entegrity.com [207.215.19.3]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA13439 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 06:48:52 -0700 (PDT) Received: from cooper.entegrity.com (dave.entegrity.se [195.100.88.62]) by exchsvr1.entegrity.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id GFR1BYSQ; Tue, 24 Apr 2001 06:49:12 -0700 Message-Id: <5.0.2.1.0.20010424154214.01991ec0@exchsvr1.entegrity.com> X-Sender: nada@exchsvr1.entegrity.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Tue, 24 Apr 2001 15:44:57 +0200 To: "Carlin Covey" <ccovey@cylink.com>, "Michael Myers" <myers@coastside.net>, "Santosh Chokhani" <chokhani@cygnacom.com>, "Russ Housley" <rhousley@rsasecurity.com>, ietf-pkix@imc.org From: Nada Kapidzic Cicovic <nada@entegrity.com> Subject: RE: delta-CRLs (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <FLEELNBJKAIIGDJJKPDGKEPNCDAA.ccovey@cylink.com> References: <EOEGJNFMMIBDKGFONJJDKEEHCAAA.myers@coastside.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 05:17 PM 4/23/01 -0700, Carlin Covey wrote: >I vote with Mike and Santosh. I also agree with this proposal. Nada >- Carlin > >-----Original Message----- >From: Michael Myers [mailto:myers@coastside.net] >Sent: Monday, April 23, 2001 12:24 PM >To: Santosh Chokhani; Russ Housley; ietf-pkix@imc.org >Subject: RE: delta-CRLs (was Re: Last >Call:draft-ietf-pkix-new-part1-06.txt comments) > > >Santosh, > >That is precisely what I'm proposing for the WG's consideration. But I do >strongly advocate for a SHALL on full CRL production in any case. Deltas >are a systems-level tuning tool. > >Mike > > >-----Original Message----- >From: Santosh Chokhani [mailto:chokhani@cygnacom.com] >Sent: Monday, April 23, 2001 11:44 AM >To: Michael Myers; Santosh Chokhani; Russ Housley; ietf-pkix@imc.org >Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt >comments) > > >Mike: >I think you are saying that delta can be produced more frequently and there >need not be a full CRL issued when a delta is issued. >If the above is correct paraphrasing of your statement, then I agree. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA09028 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 06:04:08 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JRXLFD9S>; Tue, 24 Apr 2001 09:03:38 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE217@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: ietf-pkix@imc.org, "Russell Housley (E-mail)" <rhousley@rsasecurity.com> Subject: RE: Dedicated CRL signing keys Date: Tue, 24 Apr 2001 08:54:47 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CCBD.BDC2F650" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CCBD.BDC2F650 Content-Type: text/plain; charset="iso-8859-1" Russ: One of your comments yesterday was that we can make a choice between simpler client and operational security when I said that some implementations require separate CRL signing keys for operational security reasons. While I agree with you that this is a trade-off an enterprise needs to make. But, I think the Internet RFC should not make such a choice. I am saying that the RFC should permit both: simple client (same key for certificate and CRL signing) as well as different keys for certificate and CRL signing. PKIX working group is after all, all about security. We should not say that a secure implementation is not compliant with PKIX. ------_=_NextPart_001_01C0CCBD.BDC2F650 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Dedicated CRL signing keys</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ:</FONT> </P> <P><FONT SIZE=3D2>One of your comments yesterday was that we can make a = choice between simpler client and operational security when I said that = some implementations require separate CRL signing keys for operational = security reasons.</FONT></P> <P><FONT SIZE=3D2>While I agree with you that this is a trade-off an = enterprise needs to make. But, I think the Internet RFC should = not make such a choice. I am saying that the RFC should permit = both: simple client (same key for certificate and CRL signing) as = well as different keys for certificate and CRL signing.</FONT></P> <P><FONT SIZE=3D2>PKIX working group is after all, all about = security. We should not say that a secure implementation is not = compliant with PKIX.</FONT></P> </BODY> </HTML> ------_=_NextPart_001_01C0CCBD.BDC2F650-- Received: from exchsvr1.entegrity.com (exchsvr1.entegrity.com [207.215.19.3]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA06657 for <ietf-pkix@imc.org>; Tue, 24 Apr 2001 05:34:05 -0700 (PDT) Received: from cooper.entegrity.com (dave.entegrity.se [195.100.88.62]) by exchsvr1.entegrity.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id GFR1BYJM; Tue, 24 Apr 2001 05:34:24 -0700 Message-Id: <5.0.2.1.0.20010424141900.02f26770@exchsvr1.entegrity.com> X-Sender: nada@exchsvr1.entegrity.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Tue, 24 Apr 2001 14:30:10 +0200 To: "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org From: Nada Kapidzic Cicovic <nada@entegrity.com> Subject: RE: Dedicated CRL signing keys In-Reply-To: <4.2.2.20010423172038.00af8900@email.nist.gov> References: <5.0.1.4.2.20010423154916.01b7de60@exna07.securitydynamics. com> <8D7EC1912E25D411A32100D0B76953977CE1D5@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 05:45 PM 4/23/01 -0400, David A. Cooper wrote: >Russ, > >I have a problem with the idea that we need to include a critical >extension in any CRL where some of the certificates covered by that CRL >were signed using a different key than the one used to sign the CRL. > >The main problem that I see is the CA rekey issue. Suppose that a CA >rekeys and then issues a single CRL, signed with its new private key, that >covers all of its unexpired certificates. The older certificates issued by >this CA will have been signed with the old key, but the newer certificates >will have been signed with the same (new) key as the CRL. As things stand >at the moment, simple clients will be able to use the CRL when validating >the "new" certificates and will fail when using the CRL to validate "old" >certificates. If we place a critical extension in the CRL that the simple >clients can not process, then they won't be able to use the CRL to >validate any certificates. So, adding a critical extension would actually >reduce the functionality of simple clients. > >I also believe that there is already sufficient information available in >the CRLs. A client can simply compare the authority key identifier in the >certificate and the corresponding CRL. If they differ, the client will >know that the certificate and CRL were signed using different keys and can >return an "unsupported feature" error just as if the CRL contained an >unrecognized critical extension. This is my viewpoint exactly. I agree with Dave's reasoning. Nada >Right now, simple clients will return an error if a certificate and its >corresponding CRL were signed using different keys. Simple clients that >want to provide an "unsupported feature" error message instead of >"signature invalid" can compare authority key identifiers in order to >determine which error message to return. If we force the CRLs to include >critical extensions, we will be unnecessarily increasing the number of >cases in which simple clients are unable to validate CRLs. So, I think we >should leave things as they are. > >Dave > >At 04:21 PM 4/23/01 -0400, Housley, Russ wrote: > >I think that everyone agrees that a CA makes a commitment to provide > some form of revocation information for the duration of the certificate > life. When CRLs are employed, does the CA use the same key to sign the > CRL as was used to sign the certificate? Clearly, the CA is permitted to > use different keys -- the key usage bits are there to allow this > separation. However, several clients cannot handle this situation, and > they would like to see an error message that says "unsupported feature" > instead of "signature invalid." > > > >Perhaps CA rekey will lead us to an answer. When a CA rekeys, does it > are subsequent CRLs signed with the new key or the old one? A CA could > generate one CRL with each key. They two CRLs could even be distributed > by different distribution point to avoid the download of CRLs that cannot > be employed. Alternatively, the CA could publish one CRL signed with the > new key. This leads to the scenario where cert path construction must be > evoked to generate validate the CRL when trying to validate a certificate > signed by the old key. This is the behavior that we are trying to make SHOULD. > > > >Therefore, the CA MUST generate the CRL using the same key as was used > to sign the certificate, or it MUST include an extension in the CRL to > indicate that cert path construction might be needed to validate the CRL > signature. I proposed that an Issuing Distribution Point (IDP) CRL > extension might be the correct approach. The IDP extension will not be > supported by the simple clients, so they can generate the "unsupported > feature" error, and the more complex clients can use the information in > the IDP to support path construction. They will of course, also use > Authority Key Identifier extension. Received: from mail5.microsoft.com (mail5.microsoft.com [131.107.3.121]) by above.proper.com (8.9.3/8.9.3) with SMTP id XAA23200 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 23:03:54 -0700 (PDT) Received: from 157.54.7.67 by mail5.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 23 Apr 2001 20:26:19 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-04.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Mon, 23 Apr 2001 20:25:43 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Date: Mon, 23 Apr 2001 20:25:41 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C02A988C9@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Thread-Index: AcDMTIKFVQsVyGgzSCqQScMdPhA3ZgAIYLvA From: "David Cross" <dcross@microsoft.com> To: "Paul Hoffman / IMC" <phoffman@imc.org>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 24 Apr 2001 03:25:43.0553 (UTC) FILETIME=[3EA03710:01C0CC6E] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id XAA23203 Sorry, but to be blunt, how is this any different from an OCSP aware client from a CRL aware client? The CA operator knows and anticipates the needs of clients and builds a publication schedule and revocation architecture accordingly. David B. Cross -----Original Message----- From: Paul Hoffman / IMC [mailto:phoffman@imc.org] Sent: Monday, April 23, 2001 4:21 PM To: Ambarish Malpani; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) At 1:02 PM -0700 4/23/01, Ambarish Malpani wrote: > Even if you are requiring clients to pull the CRLs from your >directory, you still need to have enough bandwidth to and replication >of the directory to support all the clients who need to pull the new >CRL every time it is issued. The alternative is that some users would have a different (that is, better) list of what is in the CRL than others, and those others would have no way of knowing that their list of revoked certificates is incomplete. That seems pretty awful to me. To be a bit crass, if you don't have the bandwidth, force your users use delta CRLs, or don't be a CA. If for some reason the wording in son-of-2459 goes towards not requiring a new CRL being issued, there also needs to be a fairly stern warning both in the delta CRL section and in the security considerations section saying that some users will have different views of what certificates have been revoked, and that they won't know it. --Paul Hoffman, Director --Internet Mail Consortium Received: from avocet.mail.pas.earthlink.net (avocet.mail.pas.earthlink.net [207.217.121.50]) by above.proper.com (8.9.3/8.9.3) with ESMTP id VAA19549 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 21:25:56 -0700 (PDT) Received: from kreicher (dialup-209.246.90.76.NewYork1.Level3.net [209.246.90.76]) by avocet.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with SMTP id VAA28007 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 21:25:50 -0700 (PDT) Message-Id: <200104240425.VAA28007@avocet.mail.pas.earthlink.net> From: elan <elanfanmail@yahoo.com> To: ietf-pkix@imc.org Subject: Thought this would be of interest! X-Mailer: Mail Bomber Reply-To: elanfanmail@yahoo.com Date: Tue, 24 Apr 2001 00:27:11 -0500 Mime-Version: 1.0 Content-Type: text/html; charset=us-ascii Hello, How are you? We are a Pop/R&B sister duo who write and perform our own songs. If you like, you can hear our songs for free at http://www.mp3.com/elan2. We are sure you will enjoy them and we appreciate the support. <P> <center><a href="http://www.mp3.com/elan2"><img src="http://www.candlesend.com/elanbanner.gif" width="468" height="60" border="0" ></a></center> <P> Received: from chalfont.mail.uk.easynet.net (chalfont.mail.uk.easynet.net [195.40.1.44]) by above.proper.com (8.9.3/8.9.3) with ESMTP id TAA16131; Mon, 23 Apr 2001 19:29:03 -0700 (PDT) Received: from localhost (tnt-13-102.easynet.co.uk [212.134.22.102]) by chalfont.mail.uk.easynet.net (Postfix) with ESMTP id F0559F9805; Tue, 24 Apr 2001 03:28:41 +0100 (BST) X-Sender: southerninternet2001@ukonline.co.uk From: "Southern Internet Ltd." <southerninternet2001@ukonline.co.uk> To: "Laptop Free of charge" <southerninternet2001@ukonline.co.uk> Date: Tue, 24 Apr 2001 03:41:17 +0100 Subject: A Laptop for 25 US Dollars Reply-To: southern5@ukonline.co.uk MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_001__28140776_13277,96" Message-Id: <20010424022842.F0559F9805@chalfont.mail.uk.easynet.net> This is a Multipart MIME message. ------=_NextPart_001__28140776_13277,96 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit THIS OFFER IS AVAILABLE TO EVERY CUSTOMER SUBJECT TO THE FOLLOWING COMPETITION: OMNIBOOK XE3 P3-700 ... All you need to do to get this Laptop Free of charge, is to purchase the "File Crypt Programme" and answer correctly the 60 Questions which will be posted over 60 Days. Info at: southern5@ukonline.co.uk ------=_NextPart_001__28140776_13277,96 Content-Type: image/jpeg; name="omnibook.jpeg" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="omnibook.jpeg" Content-Length: 4038 /9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAKQAA/+4ADkFkb2JlAGTAAAAA Af/bAIQADAgICAkIDAkJDBELCQsRFA8MDA8UFxISFBISFxYRFBMTFBEWFhobHRsaFiMjJiYj IzIyMjIyODg4ODg4ODg4OAEMCwsMDgwPDQ0PFA4ODhQUDxAQDxQcExMUExMcIxoWFhYWGiMg Ih0dHSIgJiYjIyYmMDAuMDA4ODg4ODg4ODg4/8AAEQgAfQB9AwEiAAIRAQMRAf/EAIgAAAIC AwEAAAAAAAAAAAAAAAABBgcDBAUCAQEBAQEAAAAAAAAAAAAAAAAAAQIDEAACAQMCAwUGBAUE AwEAAAABAgMAEQQSBSExIkFRYRMGcYGRMiMUoUJSB8FicpIVgqIzQ7HRJBYRAQEAAgICAgID AAAAAAAAAAABEQIhMUESUWHwgZGhIv/aAAwDAQACEQMRAD8AtS4ovQOQp0CvRenRQK9F6dFA r0Xp1FvX+VlDbYtuw5TBNnOEeZWKlEBF7spBA7fYCKSZEovReqOwfUOHiFf8buGVBIoKfVkk Ctc/MQzMtz7rVI8L11v8Kj6seVGBwMihv90dr1r1TKzr0XqBxfudKkirlbcXjI6pIHBIP9D9 nvrsYf7helsp/LbKONIACUyEaO1+XG1qmKZSS9F68QZGPkIJMeVJozyaNgw+K1kqKV6LinS7 aAHIU6Q5CnQFFFFAUUUUBVVfuHvBM+dIjcYlGNBY/me6G3s6zVl7pmDB2/IyzziQlb9rclHv a1UL6rzWmmghLFidWRIe0s/Sl/Gwv761rxLUviOEeAt3V5SWSJtUTtG3ehKn8KCa8HnWVdCL 1BuMfB2Wde6RePxWxrcT1FiygDJidT3giRR7NXEVwCaVXNTETPbN2hx21bdmCBnsWCuY2PZx B01KsP15v2MQJmTJQD/sWxP+pbVUVbGPnZePYQzOg7gen+08Kvt8wwvCD9z9mEix7hBPiXAv Pp8yG7chqXqHvWpR/ktv+x/yX3CfY6PM+4v0ae+9UX6cyM3dss4k4SWNYnfVps1/lReHDqcg cqtP/CJ/+P8A8f1+Rq1abf8AX5ltVv02+pSydnPSVDkKdIchTrKiiiigKKKKCJ/uFneXgwYC taTJe5H8q8P/ACao/cskZWfkTr8jNpT+helfwFWF+4+7K+5Zrq3DEjGNGRw62up+BZqrIcBa tXqRJ3XomvJNF6RrKkaVFFAUCimoLMFAuSbAeJoJ3+32C7ASIPrZcgRD2hU4X/ua/uq6ft4f t/tdP0dHl6ezTbTb4VAv292pUlRSpKYUY6v5zw/E6vhVg9tb28a/nLM80DkKdIchTrDQoooo CsWVkJjY0uRIQqQozsTyAUXrLUc/cDMlw/TGTJGupWZEkNyLKzeHe1l99BTXqvNaVkjY9czN kSj2kqv8aj96ku8bBkZc5yYJlZyAvlP02Ci3S/EH32qP5WDl4j6MmJoj2ahwPsYcDWtpcpMM JpGi9FZUUUUUBXR9P433G6RXGpIryMD/AC/L/utXOqWeidvedrqLyZMixR+wG3w1H8KuszYl 6W96Jwhj7QJyPqZTar8PkXpXl7z767/bWPGx48bHjx4haOJQi+xRbsrJ20z/AKz9mOMAchTp DkK1MndcPGuC/mSD8idRv49g99TGVblY5p4MdDJPIsUY5s5Cj4muDl75nTKy4unGuCFZh5je 08hXCyo5mbzsstmELqeSZ/lZeN8fykYaj2K6W8TW/S+U9kgyvV+ICse3wyZskhKxsLRxMw/K JJLAnwHGo3uHqPN3KObDy5Fhx3GiRFibyzq6fK6gZHbjx0C1YJ8h5JDAhdGdA0uPEUTImZ7e UrRJriZT2sjK1j4VqMFbzIw8YOKqws0atJHhq/yQx45/+qOXWLEoeF+XIU4nhGtLseSsGrBy NTqWBaYiRC38rx9QI7mv2ca5ks8uHEIs9ZsdAQrzyoMrCdz2a0RSnDsIJHjXQDSxMrYMhxBK SsCs/mwwxyC5nmnQMwdnFrTJ2+FZJcyPJWJM2AeXlnTjSMwTzQOlpRa0Li4t06a1mX6T+0Rl xdnzZRDHE+PkOQI3xwZI3LGy2j59X8vwrSytgzoCxiAyFTgwjvrW36o2AYfCpf8A4bakzBlY 8kuBkMyyYn2y2KMvAWx5OtheuT6gwvUCbhJueSxylLJCuYgEQfy0VQoS/YBx8azZ8z+FlRRl ZSQwII5g8DRUrhbA3CMR5EkOTkcAUkUxSg/pD94+HdWplemUYM+HIUsbeXJxAPdrX/1WcfC5 R8AkgDiTwAq4v212fTkJKR0YUdr9nmMLfHi1VrtuzZse5RfcQkRxnWW5qdPyi44cTar39Ibd 9ls0RYWlyPqt32I6QfdxqziW/o7sdul206XbWVRre98bE3E4WUGTDZEdJYzYi4IOr9Qv2fj2 Vi+m8PmwsJIRzZOQ/qXmvvFd/P2vB3GIJlxh9IIVhwZb9xqKZnpTP25xLhyzS4qOGb7dtE4S 3ILyJB7vhW9dozYyluFxyrXnzIoF1ySLGvexsT7BzNYTuEHks2URNECA8kQCTI5PASwGytx/ Tb2Gs33uBktaZ45XQXVoFuxU9ovpaK35h+Fbyzhpvk400MkTeZDA5DNdTGj95IHUvKxawPjT fGwpY0VohAmNdsYMWbGvdeqF4285SCRb5h299enxhIR5EikniQxtyFzY9vCsEcUcDGRCXdvm C9MZt+ofmpjJnDTy9tnhXzpeuGW7yzhws2RJJw0fd46+WyDgdM3eRyFaUoaGaZJpDDPIhOZp C4xVLfVijhXVjTt+cEG/G/OuqzzJr8tzEZFKv5Z03U8CD2N7xWjLjQLEEZBBhJ1SQwxiSJ2W 2gy40upCAb6tNial0s65WbRqHUJHjSAxZJ6I8aJDHKqIfqPJiPpPUOoeXLz8TQma4ZvKfzIF kMTtEur5l6iMQfVubXBkDAG/dx8Rxea74RDQkyLI2s+dG0a8I2iQFZIf08JL2rxIzdRJXRis YsUsWkggAI4Lkxt5sbC35uXK3bWeVeck4e5CJMqFXSFNEaqymRQp67qgVYxxB6mX+FEO3rjR OMGfzokazQyXZge5GAvakCksSrGC6xn6k8hRF1EEsyZUP/Ne5sulufOsQn1sgg1ZmTHbTkOA kKsCbNHEnDUL8CbmrBv+n8bI3PecfCZftw51GRrMt1GpgtjY+F+NXIiLGiovyoAo9g4VWnor 0rvJ3uDc8yMxYWMpkEsltUsjAhViTsQA31W49lWbWLVgpdtOl21FA5CnSHIU6Dm7n6f23cj5 ksejJHy5CcHFu/v99RrJ9P521qCkJyYYw2jLxCY8lA3E61uRIPA3qb0VZtYlit5ckFQyFc5W uWaFdE6hbdU+Oem3EDUpHGho3AZgCVRmVmtYqymxVgeKkVNdy9P7buN2kQxTn/vhOhz/AFW+ Ye2otuXpfeNuPnbe5yIlvdl/5APFO33V013jN1ct251jLWsQeP8AGvS7hjliMyERyC4dkU2H 9ScCD7K09xlaBgIDHkCQaozHICqg8tZNjet+0Zw85PkyoySoGVrFh2GxuLg8DWj5mGjTrChy ZJjdo72hUE3IYfnuePVfjyFdDbfTe7b099LOnNrdEQ954samm1egNtxfLkzD9y6dQiHTEG9g +b31z22jUiE7Z6X3bfZgzAtCCASemFB3X7bDsFT/AGP0Ztm1hJJVXJyk4q5XSi92lOPLvNd9 I0jQJGoRFFlVRYAeAFeqxa1IKKKKiil206XbQAvblRfwp0UCv4UX8KdFAr+FF/CnRQc7dNi2 7dIyMmK0trLMllkH+rt99c3C9E7Xjz+dOXySPlVrKo/t4mpHRV5wnDwiJGgSNQiKLKqgAACv V/CnRUUr+FF/CnRQK/hRfwp0UCv4Ucb8qdFB/9k= ------=_NextPart_001__28140776_13277,96-- Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA09987 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 17:17:24 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JQV3DWB1; Mon, 23 Apr 2001 17:12:36 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Michael Myers" <myers@coastside.net>, "Santosh Chokhani" <chokhani@cygnacom.com>, "Russ Housley" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Mon, 23 Apr 2001 17:17:53 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGKEPNCDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <EOEGJNFMMIBDKGFONJJDKEEHCAAA.myers@coastside.net> Importance: Normal I vote with Mike and Santosh. - Carlin -----Original Message----- From: Michael Myers [mailto:myers@coastside.net] Sent: Monday, April 23, 2001 12:24 PM To: Santosh Chokhani; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Santosh, That is precisely what I'm proposing for the WG's consideration. But I do strongly advocate for a SHALL on full CRL production in any case. Deltas are a systems-level tuning tool. Mike -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Monday, April 23, 2001 11:44 AM To: Michael Myers; Santosh Chokhani; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Mike: I think you are saying that delta can be produced more frequently and there need not be a full CRL issued when a delta is issued. If the above is correct paraphrasing of your statement, then I agree. Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA08184 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 16:42:53 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JQV3DV8H; Mon, 23 Apr 2001 16:38:01 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Sharon Boeyen" <sharon.boeyen@entrust.com>, "Russ Housley" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Mon, 23 Apr 2001 16:43:18 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGAEPNCDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_000A_01C0CC14.80256340" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FC4@sottmxs09.entrust.com> Importance: Normal This is a multi-part message in MIME format. ------=_NextPart_000_000A_01C0CC14.80256340 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)Sharon, Thanks for shining some light on the X.509 delta CRL discussions. So it actually IS the intent of X.509 to permit a dCRL to reference multiple base CRLs? That was the interpretation that I placed on the words from section 9 X.509 Ed. 4 draft v6: "A dCRL may also be an indirect CRL in that it may contain updated revocation information related to base CRLs issued by one or more than one authorities." I was beginning to think I had misinterpreted the text. Let me see if I can figure out how these multiple base CRLs are referenced in a dCRL. >From X.509 Section 9 : "A dCRL includes either a deltaCRLIndicator or a crlScope extension to indicate the base revocation information that is being updated with this dCRL." But the deltaCRLIndicator extension references the base CRL issuer only by implication, i.e. it is assumed that the base CRL issuer is the same as the dCRL issuer. So if a dCRL references multiple base CRLs, it must do so via the baseRevocationInfo component of the crlScope extension. >From X.509 Section 9 : "Because of the potential for conflicting information a CRL shall not contain both the deltaCRLIndicator extension and a crlScope extension with the baseRevocationInfo component." So a dCRL that references multiple base CRLs cannot include the deltaCRLIndicator extension. - Sharon, is that right? I don't see anywhere in draft-ietf-pkix-new-part1-05 where it says that a delta CRL must be identified by a deltaCRLIndicator extension. It does say that "The delta CRL indicator is a critical CRL extension that identifies a CRL as being a delta CRL." This appears to be a sufficient condition, but not a necessary condition, for the CRL to be interpreted as a delta CRL. So a PKIX-profile-compliant CRL-issuer could use the crlScope extension rather than the deltaCRLIndicator extension to identify delta CRLs? - Russ, is that right? >From draft-ietf-pkix-new-part1-05 section 5.2.4: "Both the delta CRL and the complete CRL MUST include the CRL number extension (see sec. 5.2.3). The CRL number extension in the delta CRL and the complete CRL MUST contain the same value. " But in order for the CRL number extension in the delta CRL and in the complete CRL to contain the same value, there would have to be only one base CRL per delta CRL or there would have to be multiple CRL number extensions in the delta CRL (without a good way of matching them to the base CRLs). I guess draft-ietf-pkix-new-part1-05 isn't intended to support multiple base CRLs per delta CRL. - Russ, is that right? Just musing ...... Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Monday, April 23, 2001 1:10 PM To: 'Carlin Covey'; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Carlin, you are correct. That 'indirect delta' is a new facility added into the 4th edition X.509. One example that was used in those discussions was where there might be several CAs operating within a given domain (perhaps a large multinational organization) and each issues its own CRLs on a regular basis. Once retrieved, these CRLs may be cached at the validation step and used until their expiry. However, that multinational may want to issue a single delta CRL every minute and that CRL would contain revocation notices for all the CAs within the organization but perhaps only for the keyCompromise reason. I think you raise an interesting point because in this type of environment the CA that issues the delta could not issue any single corresponding base. However, I suspect indirectDeltas are beyond the scope of what 2459 plans to cover? Sharon > ------=_NextPart_000_000A_01C0CC14.80256340 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>RE: delta-CRLs (was Re: Last = Call:draft-ietf-pkix-new-part1-06.txt comments)</TITLE> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001>Sharon,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001>Thanks=20 for shining some light on the X.509 delta CRL discussions. So it = actually=20 IS</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001>the=20 intent of X.509 to permit a dCRL to reference multiple base CRLs? = That was=20 the </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001>interpretation that I placed on the words = from section=20 9 <FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001>X.509 Ed. 4 draft = v6:</SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001> "A dCRL may=20 also be an indirect CRL </SPAN></FONT><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN class=3D730544716-23042001>in that it may contain updated = revocation=20 </SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>information=20 related to base CRLs </SPAN></FONT><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D730544716-23042001>issued by one or more than one=20 authorities."</SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN class=3D730544716-23042001>I = was beginning=20 to think I had misinterpreted the text. = </SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>Let me see if I=20 can figure out how these multiple base CRLs are referenced in a=20 dCRL.</SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>From X.509=20 Section 9 : "A dCRL includes either a deltaCRLIndicator or a crlScope=20 </SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>extension=20 </SPAN></FONT></SPAN></FONT><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D396575621-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D730544716-23042001>to indicate the base revocation information = that is=20 being updated with this dCRL."</SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>But the=20 deltaCRLIndicator <FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D730544716-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D396575621-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D730544716-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D396575621-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D730544716-23042001>extension references the base CRL=20 issuer</SPAN></FONT></SPAN></FONT></SPAN></FONT></SPAN></FONT></SPAN></FO= NT></SPAN></FONT></SPAN></FONT></SPAN></FONT><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN class=3D730544716-23042001> = only by=20 implication,=20 </SPAN></FONT></SPAN></FONT></SPAN></FONT></SPAN></FONT></SPAN></FONT></S= PAN></FONT></SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>i.e. it is=20 assumed that the base CRL issuer is the same as the dCRL=20 issuer.</SPAN></FONT></SPAN></FONT></SPAN></FONT></SPAN></FONT></SPAN></F= ONT></SPAN></FONT></SPAN></FONT></SPAN></FONT></DIV> <DIV> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT></SPAN></FONT></SPAN></FONT></SP= AN></FONT></SPAN></FONT></SPAN></FONT>So=20 if a dCRL <FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D730544716-23042001>references</SPAN></FONT></SPAN></FONT><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN class=3D730544716-23042001> = multiple base=20 CRLs, it must do so via the baseRevocationInfo=20 </SPAN></FONT></SPAN></FONT></SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>component of=20 the</SPAN></FONT></SPAN></FONT><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D396575621-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D730544716-23042001> crlScope <FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D396575621-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D730544716-23042001>extension. =20 </SPAN></FONT></SPAN></FONT></SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT></SPAN></FONT></SPAN></FONT></SP= AN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT></SPAN></FONT><FONT = color=3D#0000ff=20 face=3DArial size=3D2><SPAN class=3D396575621-23042001><FONT = color=3D#0000ff face=3DArial=20 size=3D2><SPAN class=3D730544716-23042001>From X.509 Section 9=20 : </SPAN></FONT></SPAN></FONT> </SPAN></FONT></SPAN></FONT></SP= AN></FONT></SPAN></FONT><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>"Because of the=20 potential for conflicting information a CRL shall=20 </SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>not contain both=20 </SPAN></FONT></SPAN></FONT><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D396575621-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D730544716-23042001>the deltaCRLIndicator extension and a = crlScope=20 extension with the </SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001>baseRevocationInfo component." = </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </SPAN></FONT><FONT = color=3D#0000ff=20 face=3DArial size=3D2><SPAN class=3D396575621-23042001><FONT = color=3D#0000ff face=3DArial=20 size=3D2><SPAN = class=3D730544716-23042001></SPAN></FONT> </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001>So a=20 dCRL that references multiple base CRLs cannot include the = deltaCRLIndicator=20 extension.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001></SPAN></FONT></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001> - =20 </SPAN></FONT>Sharon, is that right?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001>I=20 don't see anywhere in draft-ietf-pkix-new-part1-05 where it says that a = delta=20 CRL must be </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001>identified by a deltaCRLIndicator = extension. It=20 does say that "The delta CRL indicator is </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001>a=20 critical CRL extension that identifies a CRL as being a delta=20 CRL." This appears to be</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001>a=20 sufficient condition, but not a necessary condition, for the CRL to be=20 interpreted as a </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001>delta=20 CRL. So a PKIX-profile-compliant CRL-issuer could use the crlScope = extension rather </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001>than=20 the deltaCRLIndicator extension to identify delta = CRLs?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001> - Russ, = is that=20 right?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001> </SPAN></FONT></DIV> <DIV><SPAN class=3D396575621-23042001><FONT size=3D2><FONT = face=3DArial><FONT=20 color=3D#0000ff><SPAN style=3D"mso-fareast-font-family: 'MS = Mincho'"><SPAN=20 class=3D396575621-23042001>From draft-ietf-pkix-new-part1-05 section = 5.2.4:=20 "</SPAN>Both the delta CRL and the complete CRL <BR>MUST = </SPAN></FONT><FONT=20 color=3D#0000ff><SPAN style=3D"mso-fareast-font-family: 'MS = Mincho'">include the CRL=20 number </SPAN><SPAN style=3D"mso-fareast-font-family: 'MS = Mincho'"></FONT><FONT=20 color=3D#0000ff>extension </FONT></SPAN></FONT></FONT><FONT = face=3DArial><FONT=20 size=3D2><FONT color=3D#0000ff><SPAN=20 style=3D"mso-fareast-font-family: 'MS Mincho'">(see sec. 5.2.3). The CRL = number=20 extension in the <BR>delta CRL and the complete CRL MUST contain the = same value.=20 "</SPAN></SPAN></FONT></FONT></FONT><FONT color=3D#0000ff><SPAN=20 class=3D396575621-23042001></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff><SPAN class=3D396575621-23042001><FONT = face=3DArial=20 size=3D2></FONT></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff><SPAN class=3D396575621-23042001><FONT = face=3DArial=20 size=3D2>But in order for the CRL number extension in the delta CRL and = in the=20 complete CRL to<BR>contain the same value, there would have to be only = one base=20 CRL per delta CRL or </FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff><SPAN class=3D396575621-23042001><FONT = face=3DArial=20 size=3D2>there would have to be multiple CRL number extensions in=20 the</FONT></SPAN></FONT><FONT color=3D#0000ff><SPAN = class=3D396575621-23042001><FONT=20 face=3DArial size=3D2> delta CRL (without a = good</FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff><SPAN class=3D396575621-23042001><FONT = face=3DArial=20 size=3D2>way of matching them to the base CRLs). = </FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff><SPAN=20 class=3D396575621-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D396575621-23042001>I=20 guess draft-ietf-pkix-new-part1-05 isn't intended to support multiple = base CRLs=20 per delta CRL.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff><SPAN class=3D396575621-23042001><FONT = face=3DArial=20 size=3D2><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D396575621-23042001></SPAN></FONT></SPAN></FONT></FONT></SPAN></FO= NT> </DIV> <DIV><FONT color=3D#0000ff><SPAN class=3D396575621-23042001><FONT = face=3DArial=20 size=3D2><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001><FONT color=3D#0000ff face=3DArial = size=3D2><SPAN=20 class=3D396575621-23042001> - =20 </SPAN></FONT>Russ, is that = right?</SPAN></FONT></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff><SPAN class=3D396575621-23042001><FONT = face=3DArial=20 size=3D2><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D396575621-23042001></SPAN></FONT></FONT></SPAN></FONT> </DIV= > <DIV><FONT color=3D#0000ff><SPAN class=3D396575621-23042001><FONT = face=3DArial=20 size=3D2>Just musing ...... </FONT></DIV> <DIV> <DIV><FONT color=3D#0000ff><SPAN class=3D730544716-23042001> <P><FONT face=3DArial=20 size=3D2>Regards,<BR><BR>Carlin<BR><BR>____________________________<BR><B= R>- =20 Carlin Covey<BR> Cylink Corporation = </FONT></P></SPAN></FONT></DIV> <DIV><SPAN class=3D730544716-23042001> <P><FONT color=3D#0000ff><SPAN = class=3D730544716-23042001></SPAN></FONT><FONT=20 face=3DArial size=3D2> </FONT></P></SPAN></DIV></SPAN></FONT></DIV> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen=20 [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Monday, April 23, = 2001 1:10=20 PM<BR><B>To:</B> 'Carlin Covey'; Russ Housley;=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta-CRLs (was Re: Last=20 Call:draft-ietf-pkix-new-part1-06.txt comments)<BR><BR></DIV></FONT> <P><FONT size=3D2>Carlin, you are correct. That 'indirect delta' is a = new=20 facility added into the 4th edition X.509. One example that was used = in those=20 discussions was where there might be several CAs operating within a = given=20 domain (perhaps a large multinational organization) and each issues = its own=20 CRLs on a regular basis. Once retrieved, these CRLs may be cached at = the=20 validation step and used until their expiry. However, that = multinational may=20 want to issue a single delta CRL every minute and that CRL would = contain=20 revocation notices for all the CAs within the organization but perhaps = only=20 for the keyCompromise reason. I think you raise an interesting point = because=20 in this type of environment the CA that issues the delta could not = issue any=20 single corresponding base. However, I suspect indirectDeltas are = beyond the=20 scope of what 2459 plans to cover?</FONT></P> <P><FONT size=3D2>Sharon </FONT></P> <P><FONT size=3D2>> </FONT></P></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_000A_01C0CC14.80256340-- Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA06656; Mon, 23 Apr 2001 16:20:47 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p05100809b70a6882b2ea@[165.227.249.20]> In-Reply-To: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C54@exchange.valicert.com> References: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C54@exchange.valicert.com> Date: Mon, 23 Apr 2001 16:20:54 -0700 To: Ambarish Malpani <ambarish@valicert.com>, ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 1:02 PM -0700 4/23/01, Ambarish Malpani wrote: > Even if you are requiring clients to pull the CRLs from your >directory, you still need to have enough bandwidth to and replication >of the directory to support all the clients who need to pull the >new CRL every time it is issued. The alternative is that some users would have a different (that is, better) list of what is in the CRL than others, and those others would have no way of knowing that their list of revoked certificates is incomplete. That seems pretty awful to me. To be a bit crass, if you don't have the bandwidth, force your users use delta CRLs, or don't be a CA. If for some reason the wording in son-of-2459 goes towards not requiring a new CRL being issued, there also needs to be a fairly stern warning both in the delta CRL section and in the security considerations section saying that some users will have different views of what certificates have been revoked, and that they won't know it. --Paul Hoffman, Director --Internet Mail Consortium Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA00384 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 14:50:00 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JPVNWZF8>; Mon, 23 Apr 2001 17:49:33 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE205@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Date: Mon, 23 Apr 2001 17:40:41 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CC3E.0B4BCE90" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CC3E.0B4BCE90 Content-Type: text/plain; charset="iso-8859-1" I think we should not try to fix the problem of rekey by further complicating the CRL. We should either let the CA issue multiple CRLs (no need for IDP) or let the clients develop two paths: one for the certificate and one for the CRL. -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Monday, April 23, 2001 5:45 PM To: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Russ, I have a problem with the idea that we need to include a critical extension in any CRL where some of the certificates covered by that CRL were signed using a different key than the one used to sign the CRL. The main problem that I see is the CA rekey issue. Suppose that a CA rekeys and then issues a single CRL, signed with its new private key, that covers all of its unexpired certificates. The older certificates issued by this CA will have been signed with the old key, but the newer certificates will have been signed with the same (new) key as the CRL. As things stand at the moment, simple clients will be able to use the CRL when validating the "new" certificates and will fail when using the CRL to validate "old" certificates. If we place a critical extension in the CRL that the simple clients can not process, then they won't be able to use the CRL to validate any certificates. So, adding a critical extension would actually reduce the functionality of simple clients. I also believe that there is already sufficient information available in the CRLs. A client can simply compare the authority key identifier in the certificate and the corresponding CRL. If they differ, the client will know that the certificate and CRL were signed using different keys and can return an "unsupported feature" error just as if the CRL contained an unrecognized critical extension. Right now, simple clients will return an error if a certificate and its corresponding CRL were signed using different keys. Simple clients that want to provide an "unsupported feature" error message instead of "signature invalid" can compare authority key identifiers in order to determine which error message to return. If we force the CRLs to include critical extensions, we will be unnecessarily increasing the number of cases in which simple clients are unable to validate CRLs. So, I think we should leave things as they are. Dave At 04:21 PM 4/23/01 -0400, Housley, Russ wrote: >I think that everyone agrees that a CA makes a commitment to provide some form of revocation information for the duration of the certificate life. When CRLs are employed, does the CA use the same key to sign the CRL as was used to sign the certificate? Clearly, the CA is permitted to use different keys -- the key usage bits are there to allow this separation. However, several clients cannot handle this situation, and they would like to see an error message that says "unsupported feature" instead of "signature invalid." > >Perhaps CA rekey will lead us to an answer. When a CA rekeys, does it are subsequent CRLs signed with the new key or the old one? A CA could generate one CRL with each key. They two CRLs could even be distributed by different distribution point to avoid the download of CRLs that cannot be employed. Alternatively, the CA could publish one CRL signed with the new key. This leads to the scenario where cert path construction must be evoked to generate validate the CRL when trying to validate a certificate signed by the old key. This is the behavior that we are trying to make SHOULD. > >Therefore, the CA MUST generate the CRL using the same key as was used to sign the certificate, or it MUST include an extension in the CRL to indicate that cert path construction might be needed to validate the CRL signature. I proposed that an Issuing Distribution Point (IDP) CRL extension might be the correct approach. The IDP extension will not be supported by the simple clients, so they can generate the "unsupported feature" error, and the more complex clients can use the information in the IDP to support path construction. They will of course, also use Authority Key Identifier extension. ------_=_NextPart_001_01C0CC3E.0B4BCE90 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Dedicated CRL signing keys</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I think we should not try to fix the problem of rekey = by further complicating the CRL.</FONT> </P> <P><FONT SIZE=3D2>We should either let the CA issue multiple CRLs (no = need for IDP) or let the clients develop two paths: one for the = certificate and one for the CRL.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: David A. Cooper [<A = HREF=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Monday, April 23, 2001 5:45 PM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Dedicated CRL signing keys</FONT> </P> <BR> <P><FONT SIZE=3D2>Russ,</FONT> </P> <P><FONT SIZE=3D2>I have a problem with the idea that we need to = include a critical extension in any CRL where some of the certificates = covered by that CRL were signed using a different key than the one used = to sign the CRL.</FONT></P> <P><FONT SIZE=3D2>The main problem that I see is the CA rekey issue. = Suppose that a CA rekeys and then issues a single CRL, signed with its = new private key, that covers all of its unexpired certificates. The = older certificates issued by this CA will have been signed with the old = key, but the newer certificates will have been signed with the same = (new) key as the CRL. As things stand at the moment, simple clients = will be able to use the CRL when validating the "new" = certificates and will fail when using the CRL to validate = "old" certificates. If we place a critical extension in the = CRL that the simple clients can not process, then they won't be able to = use the CRL to validate any certificates. So, adding a critical = extension would actually reduce the functionality of simple = clients.</FONT></P> <P><FONT SIZE=3D2>I also believe that there is already sufficient = information available in the CRLs. A client can simply compare the = authority key identifier in the certificate and the corresponding CRL. = If they differ, the client will know that the certificate and CRL were = signed using different keys and can return an "unsupported = feature" error just as if the CRL contained an unrecognized = critical extension.</FONT></P> <P><FONT SIZE=3D2>Right now, simple clients will return an error if a = certificate and its corresponding CRL were signed using different keys. = Simple clients that want to provide an "unsupported feature" = error message instead of "signature invalid" can compare = authority key identifiers in order to determine which error message to = return. If we force the CRLs to include critical extensions, we will be = unnecessarily increasing the number of cases in which simple clients = are unable to validate CRLs. So, I think we should leave things as they = are.</FONT></P> <P><FONT SIZE=3D2>Dave </FONT> </P> <P><FONT SIZE=3D2>At 04:21 PM 4/23/01 -0400, Housley, Russ = wrote:</FONT> <BR><FONT SIZE=3D2>>I think that everyone agrees that a CA makes a = commitment to provide some form of revocation information for the = duration of the certificate life. When CRLs are employed, does = the CA use the same key to sign the CRL as was used to sign the = certificate? Clearly, the CA is permitted to use different keys = -- the key usage bits are there to allow this separation. = However, several clients cannot handle this situation, and they would = like to see an error message that says "unsupported feature" = instead of "signature invalid."</FONT></P> <P><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Perhaps CA rekey will lead us to an answer. = When a CA rekeys, does it are subsequent CRLs signed with the new key = or the old one? A CA could generate one CRL with each key. = They two CRLs could even be distributed by different distribution point = to avoid the download of CRLs that cannot be employed. = Alternatively, the CA could publish one CRL signed with the new = key. This leads to the scenario where cert path construction must = be evoked to generate validate the CRL when trying to validate a = certificate signed by the old key. This is the behavior that we = are trying to make SHOULD.</FONT></P> <P><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Therefore, the CA MUST generate the CRL using = the same key as was used to sign the certificate, or it MUST include an = extension in the CRL to indicate that cert path construction might be = needed to validate the CRL signature. I proposed that an Issuing = Distribution Point (IDP) CRL extension might be the correct = approach. The IDP extension will not be supported by the simple = clients, so they can generate the "unsupported feature" = error, and the more complex clients can use the information in the IDP = to support path construction. They will of course, also use = Authority Key Identifier extension.</FONT></P> </BODY> </HTML> ------_=_NextPart_001_01C0CC3E.0B4BCE90-- Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA29924 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 14:45:38 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id RAA27920 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 17:45:37 -0400 (EDT) Message-Id: <4.2.2.20010423172038.00af8900@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 23 Apr 2001 17:45:05 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: Dedicated CRL signing keys In-Reply-To: <5.0.1.4.2.20010423154916.01b7de60@exna07.securitydynamics. com> References: <8D7EC1912E25D411A32100D0B76953977CE1D5@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Russ, I have a problem with the idea that we need to include a critical extension in any CRL where some of the certificates covered by that CRL were signed using a different key than the one used to sign the CRL. The main problem that I see is the CA rekey issue. Suppose that a CA rekeys and then issues a single CRL, signed with its new private key, that covers all of its unexpired certificates. The older certificates issued by this CA will have been signed with the old key, but the newer certificates will have been signed with the same (new) key as the CRL. As things stand at the moment, simple clients will be able to use the CRL when validating the "new" certificates and will fail when using the CRL to validate "old" certificates. If we place a critical extension in the CRL that the simple clients can not process, then they won't be able to use the CRL to validate any certificates. So, adding a critical extension would actually reduce the functionality of simple clients. I also believe that there is already sufficient information available in the CRLs. A client can simply compare the authority key identifier in the certificate and the corresponding CRL. If they differ, the client will know that the certificate and CRL were signed using different keys and can return an "unsupported feature" error just as if the CRL contained an unrecognized critical extension. Right now, simple clients will return an error if a certificate and its corresponding CRL were signed using different keys. Simple clients that want to provide an "unsupported feature" error message instead of "signature invalid" can compare authority key identifiers in order to determine which error message to return. If we force the CRLs to include critical extensions, we will be unnecessarily increasing the number of cases in which simple clients are unable to validate CRLs. So, I think we should leave things as they are. Dave At 04:21 PM 4/23/01 -0400, Housley, Russ wrote: >I think that everyone agrees that a CA makes a commitment to provide some form of revocation information for the duration of the certificate life. When CRLs are employed, does the CA use the same key to sign the CRL as was used to sign the certificate? Clearly, the CA is permitted to use different keys -- the key usage bits are there to allow this separation. However, several clients cannot handle this situation, and they would like to see an error message that says "unsupported feature" instead of "signature invalid." > >Perhaps CA rekey will lead us to an answer. When a CA rekeys, does it are subsequent CRLs signed with the new key or the old one? A CA could generate one CRL with each key. They two CRLs could even be distributed by different distribution point to avoid the download of CRLs that cannot be employed. Alternatively, the CA could publish one CRL signed with the new key. This leads to the scenario where cert path construction must be evoked to generate validate the CRL when trying to validate a certificate signed by the old key. This is the behavior that we are trying to make SHOULD. > >Therefore, the CA MUST generate the CRL using the same key as was used to sign the certificate, or it MUST include an extension in the CRL to indicate that cert path construction might be needed to validate the CRL signature. I proposed that an Issuing Distribution Point (IDP) CRL extension might be the correct approach. The IDP extension will not be supported by the simple clients, so they can generate the "unsupported feature" error, and the more complex clients can use the information in the IDP to support path construction. They will of course, also use Authority Key Identifier extension. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA29308 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 14:34:19 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JPVNWZAA>; Mon, 23 Apr 2001 17:33:52 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE204@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Date: Mon, 23 Apr 2001 17:25:01 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CC3B.DADAC100" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CC3B.DADAC100 Content-Type: text/plain; charset="iso-8859-1" Russ: See comments in line -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Monday, April 23, 2001 4:21 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Santosh: Thanks for posting your summary of the thread. I hope it will allow us to focus on the issues, and reach consensus quickly. >First, I think that the restriction that a CA who desires to issue >Indirect CRL needs to set itself up as a separate name is unduly >restrictive. There is no need for a CA to do that. A CA can issue a full >CRL as well as an Indirect CRL and populate these in the same or different >entries (i.e., CRL DP) in the directory. Please review Annex B of X.509 >for how to process CRL. So, may be Russ can explain why this requirement >comes about. I agree that the use of a separate name is overly restrictive. That portion of my suggestion was, in hind sight, a bad idea. As Tim Polk pointed out, CAs cannot change their names when they rekey. I think that everyone agrees that a CA makes a commitment to provide some form of revocation information for the duration of the certificate life. When CRLs are employed, does the CA use the same key to sign the CRL as was used to sign the certificate? Clearly, the CA is permitted to use different keys -- the key usage bits are there to allow this separation. However, several clients cannot handle this situation, and they would like to see an error message that says "unsupported feature" instead of "signature invalid." Perhaps CA rekey will lead us to an answer. When a CA rekeys, does it are subsequent CRLs signed with the new key or the old one? A CA could generate one CRL with each key. They two CRLs could even be distributed by different distribution point to avoid the download of CRLs that cannot be employed. Alternatively, the CA could publish one CRL signed with the new key. This leads to the scenario where cert path construction must be evoked to generate validate the CRL when trying to validate a certificate signed by the old key. This is the behavior that we are trying to make SHOULD. Therefore, the CA MUST generate the CRL using the same key as was used to sign the certificate, or it MUST include an extension in the CRL to indicate that cert path construction might be needed to validate the CRL signature. I proposed that an Issuing Distribution Point (IDP) CRL extension might be the correct approach. The IDP extension will not be supported by the simple clients, so they can generate the "unsupported feature" error, and the more complex clients can use the information in the IDP to support path construction. They will of course, also use Authority Key Identifier extension. {Santosh Says: Item 1 will require a change to the IDP extension syntax. Would n't that make PKIX non-compliant with X.509?) >Second, when we say that a CA may not use different keys for signing >certificates and CRLs, we are again not thinking of >operations. Operationally, a CA is going to rekey. When it does, it will >have issued the certificates using the old key and will sign CRL with new >key. There are your different keys. The simple CA could reasonably expect the CA to generate CRLs using the same key that was used to sign certificates until all of the certificates signed with that key have expired. (Santosh Says: That is what I have been advocating. But, mandating that a CA retain old private keys and issue multiple CRLs may be excessive.) >Also, I think a standard should be flexible and promote security. From >operational security viewpoint, a CA may not want to keep the certificate >signing key active all the time, but may need to keep the CRL signing key >active to help meet CRL issuance obligations. This will mean a separate >CRL signing key since compromise of that key still does not compromise >anything. The attacker needs to compromise some subscriber keys to create >a true compromise, denial-of-service notwithstanding. Thus, we should >accommodate separate keys for certificates and CRLs. We need to balance the complexity of the software that we expect the clients to handle and CA operational security. Errors in either place will lead to vulnerabilities. >In short, requiring the CA to use a different name to issue indirect CRL >is not well-grounded and should be deleted. Agree. >Requiring a CA to use different key for indirect CRL is not well-grounded >and should be deleted. I do not recall a discussion on this point. Usually, Indirect CRLs are employed to delegate CRL generation responsibility. I would expect the two authorities to have different keys. (Santosh Says: But there is nothing in X.509 that a designated CA can not issue its own regular CRL and issue an indirect CRL for its peers. The designated CA may use the same key. The requirement you are levying has marginal benefit for the directories and clients who do not do multi-valued attributes and that only if the CA does NOT use a CRL DP for the indirect CRL. There is no particular need or requirement for having a separate name or a separate key) >Requiring the same key for certificate and CRL signing may not be possible >due to rekey or operational security requirements and should be deleted. We need to be pragmatic with respect to simple clients. I hope that I made my thoughts clear above. (Santosh Says: I think the best engineering solution is for the CA to keep the old keys and sign multiple CRLs. That said, I do not want to mandate it and I for sure want the PKIX community to approve the RFC knowing this implication.) >Finally, as to Steve Farrell's question regarding client simplicity, I >wish I could answer that. The client will need intelligence to handle >rekey and secure CA who use different keys for certificate and CRL signing. Again, I hope that I made my thoughts clear above. Russ ------_=_NextPart_001_01C0CC3B.DADAC100 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: Dedicated CRL signing keys</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>Russ:</FONT> </P> <P><FONT SIZE=2>See comments in line</FONT> </P> <P><FONT SIZE=2>-----Original Message-----</FONT> <BR><FONT SIZE=2>From: Housley, Russ [<A HREF="mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</A>]</FONT> <BR><FONT SIZE=2>Sent: Monday, April 23, 2001 4:21 PM</FONT> <BR><FONT SIZE=2>To: Santosh Chokhani</FONT> <BR><FONT SIZE=2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>Subject: RE: Dedicated CRL signing keys</FONT> </P> <BR> <P><FONT SIZE=2>Santosh:</FONT> </P> <P><FONT SIZE=2>Thanks for posting your summary of the thread. I hope it will allow us to </FONT> <BR><FONT SIZE=2>focus on the issues, and reach consensus quickly.</FONT> </P> <P><FONT SIZE=2>>First, I think that the restriction that a CA who desires to issue </FONT> <BR><FONT SIZE=2>>Indirect CRL needs to set itself up as a separate name is unduly </FONT> <BR><FONT SIZE=2>>restrictive. There is no need for a CA to do that. A CA can issue a full </FONT> <BR><FONT SIZE=2>>CRL as well as an Indirect CRL and populate these in the same or different </FONT> <BR><FONT SIZE=2>>entries (i.e., CRL DP) in the directory. Please review Annex B of X.509 </FONT> <BR><FONT SIZE=2>>for how to process CRL. So, may be Russ can explain why this requirement </FONT> <BR><FONT SIZE=2>>comes about.</FONT> </P> <P><FONT SIZE=2>I agree that the use of a separate name is overly restrictive. That </FONT> <BR><FONT SIZE=2>portion of my suggestion was, in hind sight, a bad idea. As Tim Polk </FONT> <BR><FONT SIZE=2>pointed out, CAs cannot change their names when they rekey.</FONT> </P> <P><FONT SIZE=2>I think that everyone agrees that a CA makes a commitment to provide some </FONT> <BR><FONT SIZE=2>form of revocation information for the duration of the certificate </FONT> <BR><FONT SIZE=2>life. When CRLs are employed, does the CA use the same key to sign the CRL </FONT> <BR><FONT SIZE=2>as was used to sign the certificate? Clearly, the CA is permitted to use </FONT> <BR><FONT SIZE=2>different keys -- the key usage bits are there to allow this </FONT> <BR><FONT SIZE=2>separation. However, several clients cannot handle this situation, and </FONT> <BR><FONT SIZE=2>they would like to see an error message that says "unsupported feature" </FONT> <BR><FONT SIZE=2>instead of "signature invalid."</FONT> </P> <P><FONT SIZE=2>Perhaps CA rekey will lead us to an answer. When a CA rekeys, does it are </FONT> <BR><FONT SIZE=2>subsequent CRLs signed with the new key or the old one? A CA could </FONT> <BR><FONT SIZE=2>generate one CRL with each key. They two CRLs could even be distributed by </FONT> <BR><FONT SIZE=2>different distribution point to avoid the download of CRLs that cannot be </FONT> <BR><FONT SIZE=2>employed. Alternatively, the CA could publish one CRL signed with the new </FONT> <BR><FONT SIZE=2>key. This leads to the scenario where cert path construction must be </FONT> <BR><FONT SIZE=2>evoked to generate validate the CRL when trying to validate a certificate </FONT> <BR><FONT SIZE=2>signed by the old key. This is the behavior that we are trying to make SHOULD.</FONT> </P> <P><FONT SIZE=2>Therefore, the CA MUST generate the CRL using the same key as was used to </FONT> <BR><FONT SIZE=2>sign the certificate, or it MUST include an extension in the CRL to </FONT> <BR><FONT SIZE=2>indicate that cert path construction might be needed to validate the CRL </FONT> <BR><FONT SIZE=2>signature. I proposed that an Issuing Distribution Point (IDP) CRL </FONT> <BR><FONT SIZE=2>extension might be the correct approach. The IDP extension will not be </FONT> <BR><FONT SIZE=2>supported by the simple clients, so they can generate the "unsupported </FONT> <BR><FONT SIZE=2>feature" error, and the more complex clients can use the information in the </FONT> <BR><FONT SIZE=2>IDP to support path construction. They will of course, also use Authority </FONT> <BR><FONT SIZE=2>Key Identifier extension.</FONT> </P> <P><FONT SIZE=2>{Santosh Says: Item 1 will require a change to the IDP extension syntax. Would n't that make PKIX non-compliant with X.509?)</FONT></P> <P><FONT SIZE=2>>Second, when we say that a CA may not use different keys for signing </FONT> <BR><FONT SIZE=2>>certificates and CRLs, we are again not thinking of </FONT> <BR><FONT SIZE=2>>operations. Operationally, a CA is going to rekey. When it does, it will </FONT> <BR><FONT SIZE=2>>have issued the certificates using the old key and will sign CRL with new </FONT> <BR><FONT SIZE=2>>key. There are your different keys.</FONT> </P> <P><FONT SIZE=2>The simple CA could reasonably expect the CA to generate CRLs using the </FONT> <BR><FONT SIZE=2>same key that was used to sign certificates until all of the certificates </FONT> <BR><FONT SIZE=2>signed with that key have expired.</FONT> </P> <P><FONT SIZE=2>(Santosh Says: That is what I have been advocating. But, mandating that a CA retain old private keys and issue multiple CRLs may be excessive.)</FONT></P> <P><FONT SIZE=2>>Also, I think a standard should be flexible and promote security. From </FONT> <BR><FONT SIZE=2>>operational security viewpoint, a CA may not want to keep the certificate </FONT> <BR><FONT SIZE=2>>signing key active all the time, but may need to keep the CRL signing key </FONT> <BR><FONT SIZE=2>>active to help meet CRL issuance obligations. This will mean a separate </FONT> <BR><FONT SIZE=2>>CRL signing key since compromise of that key still does not compromise </FONT> <BR><FONT SIZE=2>>anything. The attacker needs to compromise some subscriber keys to create </FONT> <BR><FONT SIZE=2>>a true compromise, denial-of-service notwithstanding. Thus, we should </FONT> <BR><FONT SIZE=2>>accommodate separate keys for certificates and CRLs.</FONT> </P> <P><FONT SIZE=2>We need to balance the complexity of the software that we expect the </FONT> <BR><FONT SIZE=2>clients to handle and CA operational security. Errors in either place will </FONT> <BR><FONT SIZE=2>lead to vulnerabilities.</FONT> </P> <P><FONT SIZE=2>>In short, requiring the CA to use a different name to issue indirect CRL </FONT> <BR><FONT SIZE=2>>is not well-grounded and should be deleted.</FONT> </P> <P><FONT SIZE=2>Agree.</FONT> </P> <P><FONT SIZE=2>>Requiring a CA to use different key for indirect CRL is not well-grounded </FONT> <BR><FONT SIZE=2>>and should be deleted.</FONT> </P> <P><FONT SIZE=2>I do not recall a discussion on this point. Usually, Indirect CRLs are </FONT> <BR><FONT SIZE=2>employed to delegate CRL generation responsibility. I would expect the two </FONT> <BR><FONT SIZE=2>authorities to have different keys.</FONT> </P> <P><FONT SIZE=2>(Santosh Says: But there is nothing in X.509 that a designated CA can not issue its own regular CRL and issue an indirect CRL for its peers. The designated CA may use the same key. The requirement you are levying has marginal benefit for the directories and clients who do not do multi-valued attributes and that only if the CA does NOT use a CRL DP for the indirect CRL. There is no particular need or requirement for having a separate name or a separate key)</FONT></P> <P><FONT SIZE=2>>Requiring the same key for certificate and CRL signing may not be possible </FONT> <BR><FONT SIZE=2>>due to rekey or operational security requirements and should be deleted.</FONT> </P> <P><FONT SIZE=2>We need to be pragmatic with respect to simple clients. I hope that I made </FONT> <BR><FONT SIZE=2>my thoughts clear above.</FONT> </P> <P><FONT SIZE=2>(Santosh Says: I think the best engineering solution is for the CA to keep the old keys and sign multiple CRLs. That said, I do not want to mandate it and I for sure want the PKIX community to approve the RFC knowing this implication.)</FONT></P> <P><FONT SIZE=2>>Finally, as to Steve Farrell's question regarding client simplicity, I </FONT> <BR><FONT SIZE=2>>wish I could answer that. The client will need intelligence to handle </FONT> <BR><FONT SIZE=2>>rekey and secure CA who use different keys for certificate and CRL signing.</FONT> </P> <P><FONT SIZE=2>Again, I hope that I made my thoughts clear above.</FONT> </P> <P><FONT SIZE=2>Russ</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CC3B.DADAC100-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA22910 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 13:22:39 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 23 Apr 2001 20:22:41 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA17703 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 16:22:41 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <HK1A3R00>; Mon, 23 Apr 2001 16:22:41 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.23]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id HK1A3R07; Mon, 23 Apr 2001 16:22:34 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010423154916.01b7de60@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 23 Apr 2001 16:21:19 -0400 Subject: RE: Dedicated CRL signing keys In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE1D5@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Santosh: Thanks for posting your summary of the thread. I hope it will allow us to focus on the issues, and reach consensus quickly. >First, I think that the restriction that a CA who desires to issue >Indirect CRL needs to set itself up as a separate name is unduly >restrictive. There is no need for a CA to do that. A CA can issue a full >CRL as well as an Indirect CRL and populate these in the same or different >entries (i.e., CRL DP) in the directory. Please review Annex B of X.509 >for how to process CRL. So, may be Russ can explain why this requirement >comes about. I agree that the use of a separate name is overly restrictive. That portion of my suggestion was, in hind sight, a bad idea. As Tim Polk pointed out, CAs cannot change their names when they rekey. I think that everyone agrees that a CA makes a commitment to provide some form of revocation information for the duration of the certificate life. When CRLs are employed, does the CA use the same key to sign the CRL as was used to sign the certificate? Clearly, the CA is permitted to use different keys -- the key usage bits are there to allow this separation. However, several clients cannot handle this situation, and they would like to see an error message that says "unsupported feature" instead of "signature invalid." Perhaps CA rekey will lead us to an answer. When a CA rekeys, does it are subsequent CRLs signed with the new key or the old one? A CA could generate one CRL with each key. They two CRLs could even be distributed by different distribution point to avoid the download of CRLs that cannot be employed. Alternatively, the CA could publish one CRL signed with the new key. This leads to the scenario where cert path construction must be evoked to generate validate the CRL when trying to validate a certificate signed by the old key. This is the behavior that we are trying to make SHOULD. Therefore, the CA MUST generate the CRL using the same key as was used to sign the certificate, or it MUST include an extension in the CRL to indicate that cert path construction might be needed to validate the CRL signature. I proposed that an Issuing Distribution Point (IDP) CRL extension might be the correct approach. The IDP extension will not be supported by the simple clients, so they can generate the "unsupported feature" error, and the more complex clients can use the information in the IDP to support path construction. They will of course, also use Authority Key Identifier extension. >Second, when we say that a CA may not use different keys for signing >certificates and CRLs, we are again not thinking of >operations. Operationally, a CA is going to rekey. When it does, it will >have issued the certificates using the old key and will sign CRL with new >key. There are your different keys. The simple CA could reasonably expect the CA to generate CRLs using the same key that was used to sign certificates until all of the certificates signed with that key have expired. >Also, I think a standard should be flexible and promote security. From >operational security viewpoint, a CA may not want to keep the certificate >signing key active all the time, but may need to keep the CRL signing key >active to help meet CRL issuance obligations. This will mean a separate >CRL signing key since compromise of that key still does not compromise >anything. The attacker needs to compromise some subscriber keys to create >a true compromise, denial-of-service notwithstanding. Thus, we should >accommodate separate keys for certificates and CRLs. We need to balance the complexity of the software that we expect the clients to handle and CA operational security. Errors in either place will lead to vulnerabilities. >In short, requiring the CA to use a different name to issue indirect CRL >is not well-grounded and should be deleted. Agree. >Requiring a CA to use different key for indirect CRL is not well-grounded >and should be deleted. I do not recall a discussion on this point. Usually, Indirect CRLs are employed to delegate CRL generation responsibility. I would expect the two authorities to have different keys. >Requiring the same key for certificate and CRL signing may not be possible >due to rekey or operational security requirements and should be deleted. We need to be pragmatic with respect to simple clients. I hope that I made my thoughts clear above. >Finally, as to Steve Farrell's question regarding client simplicity, I >wish I could answer that. The client will need intelligence to handle >rekey and secure CA who use different keys for certificate and CRL signing. Again, I hope that I made my thoughts clear above. Russ Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA22871 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 13:22:28 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 23 Apr 2001 20:22:30 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA17671 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 16:22:30 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <HK1A3R0W>; Mon, 23 Apr 2001 16:22:30 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.23]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id HK1A3R0S; Mon, 23 Apr 2001 16:22:26 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Carlin Covey <ccovey@cylink.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010423153043.01b84ec8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 23 Apr 2001 15:31:38 -0400 Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <FLEELNBJKAIIGDJJKPDGIEPGCDAA.ccovey@cylink.com> References: <5.0.1.4.2.20010423101920.01ad2470@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Carlin: I was hoping to start the dialogue regarding the security considerations text. Russ At 10:28 AM 4/23/2001 -0700, Carlin Covey wrote: >Russ, > >Two obvious candidates for alternative text are (1) >substituting MAY for MUST and (2) substituting SHOULD >for MUST in the sentence: > >"A dCRL may also be an indirect CRL in that it may >contain updated revocation information related to >base CRLs issued by one or more than one authorities." > >I think that these alternative wordings have been >either stated or implied by various persons in the >course of this discussion. > >Were you asking for some alternative text to go >into the security considerations section? > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > > > >-----Original Message----- >From: Russ Housley [mailto:rhousley@rsasecurity.com] >Sent: Monday, April 23, 2001 7:27 AM >To: ietf-pkix@imc.org >Subject: RE: delta-CRLs (was Re: Last >Call:draft-ietf-pkix-new-part1-06.txt comments) > > >All: > >Trevor, Ambarish, Denis, David, and others have proposed the removal of the >requirement that CAs post a full CRL whenever a delta-CRL is >posted. Trevor's suggestion that the consequences of a CA posting a >delta-CRL without posting a full CRL could be discussed in a single >paragraph in the Security Considerations section. > >Paul and Mike have suggested that the current text is fine. > >A few people have contributed to the thread but not made their own position >clear. Perhaps they are only academically interested. Or, perhaps the >dialogue is helping them reach their own conclusion. I do not >know. Regardless, most people have been silent on this issue. > >I would like one of the proponents for removing the requirement to suggest >alternative text, and I would like to hear from more people about the >proposed revision. > >We are in Working Group Last Call. I would like to reach consensus on this >issue, make the necessary change (if any), and get the document to the >IESG. Many other working groups are waiting for our document. > >Russ Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA22188 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 13:16:24 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <2VH1ATFN>; Mon, 23 Apr 2001 16:15:54 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FC4@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Carlin Covey'" <ccovey@cylink.com>, Russ Housley <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.t xt comments) Date: Mon, 23 Apr 2001 16:10:16 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CC31.69B50A30" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CC31.69B50A30 Content-Type: text/plain Carlin, you are correct. That 'indirect delta' is a new facility added into the 4th edition X.509. One example that was used in those discussions was where there might be several CAs operating within a given domain (perhaps a large multinational organization) and each issues its own CRLs on a regular basis. Once retrieved, these CRLs may be cached at the validation step and used until their expiry. However, that multinational may want to issue a single delta CRL every minute and that CRL would contain revocation notices for all the CAs within the organization but perhaps only for the keyCompromise reason. I think you raise an interesting point because in this type of environment the CA that issues the delta could not issue any single corresponding base. However, I suspect indirectDeltas are beyond the scope of what 2459 plans to cover? Sharon > -----Original Message----- > From: Carlin Covey [mailto:ccovey@cylink.com] > Sent: Monday, April 23, 2001 1:28 PM > To: Russ Housley; ietf-pkix@imc.org > Subject: RE: delta-CRLs (was Re: Last > Call:draft-ietf-pkix-new-part1-06.txt comments) > > > Russ, > > Two obvious candidates for alternative text are (1) > substituting MAY for MUST and (2) substituting SHOULD > for MUST in the sentence: > > "A dCRL may also be an indirect CRL in that it may > contain updated revocation information related to > base CRLs issued by one or more than one authorities." > > I think that these alternative wordings have been > either stated or implied by various persons in the > course of this discussion. > > Were you asking for some alternative text to go > into the security considerations section? > > Regards, > > Carlin > > ____________________________ > > - Carlin Covey > Cylink Corporation > > > > -----Original Message----- > From: Russ Housley [mailto:rhousley@rsasecurity.com] > Sent: Monday, April 23, 2001 7:27 AM > To: ietf-pkix@imc.org > Subject: RE: delta-CRLs (was Re: Last > Call:draft-ietf-pkix-new-part1-06.txt comments) > > > All: > > Trevor, Ambarish, Denis, David, and others have proposed the > removal of the > requirement that CAs post a full CRL whenever a delta-CRL is > posted. Trevor's suggestion that the consequences of a CA posting a > delta-CRL without posting a full CRL could be discussed in a single > paragraph in the Security Considerations section. > > Paul and Mike have suggested that the current text is fine. > > A few people have contributed to the thread but not made > their own position > clear. Perhaps they are only academically interested. Or, > perhaps the > dialogue is helping them reach their own conclusion. I do not > know. Regardless, most people have been silent on this issue. > > I would like one of the proponents for removing the > requirement to suggest > alternative text, and I would like to hear from more people about the > proposed revision. > > We are in Working Group Last Call. I would like to reach > consensus on this > issue, make the necessary change (if any), and get the document to the > IESG. Many other working groups are waiting for our document. > > Russ > ------_=_NextPart_001_01C0CC31.69B50A30 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta-CRLs (was Re: Last = Call:draft-ietf-pkix-new-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Carlin, you are correct. That 'indirect delta' is a = new facility added into the 4th edition X.509. One example that was = used in those discussions was where there might be several CAs = operating within a given domain (perhaps a large multinational = organization) and each issues its own CRLs on a regular basis. Once = retrieved, these CRLs may be cached at the validation step and used = until their expiry. However, that multinational may want to issue a = single delta CRL every minute and that CRL would contain revocation = notices for all the CAs within the organization but perhaps only for = the keyCompromise reason. I think you raise an interesting point = because in this type of environment the CA that issues the delta could = not issue any single corresponding base. However, I suspect = indirectDeltas are beyond the scope of what 2459 plans to = cover?</FONT></P> <P><FONT SIZE=3D2>Sharon </FONT> </P> <P><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Carlin Covey [<A = HREF=3D"mailto:ccovey@cylink.com">mailto:ccovey@cylink.com</A>]</FONT> <BR><FONT SIZE=3D2>> Sent: Monday, April 23, 2001 1:28 PM</FONT> <BR><FONT SIZE=3D2>> To: Russ Housley; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: RE: delta-CRLs (was Re: Last</FONT> <BR><FONT SIZE=3D2>> Call:draft-ietf-pkix-new-part1-06.txt = comments)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Russ,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Two obvious candidates for alternative text are = (1)</FONT> <BR><FONT SIZE=3D2>> substituting MAY for MUST and (2) substituting = SHOULD</FONT> <BR><FONT SIZE=3D2>> for MUST in the sentence:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> "A dCRL may also be an indirect CRL in = that it may</FONT> <BR><FONT SIZE=3D2>> contain updated revocation information related = to</FONT> <BR><FONT SIZE=3D2>> base CRLs issued by one or more than one = authorities."</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I think that these alternative wordings have = been</FONT> <BR><FONT SIZE=3D2>> either stated or implied by various persons in = the</FONT> <BR><FONT SIZE=3D2>> course of this discussion.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Were you asking for some alternative text to = go</FONT> <BR><FONT SIZE=3D2>> into the security considerations = section?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Regards,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Carlin</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> ____________________________</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> - Carlin Covey</FONT> <BR><FONT SIZE=3D2>> Cylink Corporation</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Russ Housley [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>> Sent: Monday, April 23, 2001 7:27 AM</FONT> <BR><FONT SIZE=3D2>> To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: RE: delta-CRLs (was Re: Last</FONT> <BR><FONT SIZE=3D2>> Call:draft-ietf-pkix-new-part1-06.txt = comments)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> All:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Trevor, Ambarish, Denis, David, and others have = proposed the </FONT> <BR><FONT SIZE=3D2>> removal of the</FONT> <BR><FONT SIZE=3D2>> requirement that CAs post a full CRL whenever a = delta-CRL is</FONT> <BR><FONT SIZE=3D2>> posted. Trevor's suggestion that the = consequences of a CA posting a</FONT> <BR><FONT SIZE=3D2>> delta-CRL without posting a full CRL could be = discussed in a single</FONT> <BR><FONT SIZE=3D2>> paragraph in the Security Considerations = section.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Paul and Mike have suggested that the current = text is fine.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> A few people have contributed to the thread but = not made </FONT> <BR><FONT SIZE=3D2>> their own position</FONT> <BR><FONT SIZE=3D2>> clear. Perhaps they are only academically = interested. Or, </FONT> <BR><FONT SIZE=3D2>> perhaps the</FONT> <BR><FONT SIZE=3D2>> dialogue is helping them reach their own = conclusion. I do not</FONT> <BR><FONT SIZE=3D2>> know. Regardless, most people have been = silent on this issue.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I would like one of the proponents for = removing the </FONT> <BR><FONT SIZE=3D2>> requirement to suggest</FONT> <BR><FONT SIZE=3D2>> alternative text, and I would like to hear from = more people about the</FONT> <BR><FONT SIZE=3D2>> proposed revision.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> We are in Working Group Last Call. I = would like to reach </FONT> <BR><FONT SIZE=3D2>> consensus on this</FONT> <BR><FONT SIZE=3D2>> issue, make the necessary change (if any), and = get the document to the</FONT> <BR><FONT SIZE=3D2>> IESG. Many other working groups are = waiting for our document.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Russ</FONT> <BR><FONT SIZE=3D2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CC31.69B50A30-- Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA21027 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 13:04:04 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GC900D01H32Z3@ext-mail.valicert.com> for ietf-pkix@imc.org; Mon, 23 Apr 2001 13:04:14 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GC900DDGH32LL@ext-mail.valicert.com> for ietf-pkix@imc.org; Mon, 23 Apr 2001 13:04:14 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26PXYG>; Mon, 23 Apr 2001 13:02:56 -0700 Content-return: allowed Date: Mon, 23 Apr 2001 13:02:53 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) To: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C54@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Hi Paul, Even if you are requiring clients to pull the CRLs from your directory, you still need to have enough bandwidth to and replication of the directory to support all the clients who need to pull the new CRL every time it is issued. Ambarish --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: Paul Hoffman / IMC [mailto:phoffman@imc.org] > Sent: Monday, April 23, 2001 11:51 AM > To: David P. Kemp; ietf-pkix@imc.org > Subject: Re: delta-CRLs (was Re: > LastCall:draft-ietf-pkix-new-part1-06.txt comments) > > > At 12:50 PM -0400 4/23/01, David P. Kemp wrote: > >I'll refer you to Russ' message of Jan 18 "Re: Two questions > on delta-CRL": > > > > "I think we may be splitting hairs on the term "issue". I am not > > sure that I would consider a CRL that was generated but not > > distributed to be "issued". > > I think we are splitting hairs on what "distributed" means. > > >The problem is not that it is too burdensome for a CA to > have a cron job > >that sweeps the database and signs a full CRL every time it > signs a delta. > >The problem is that once the full CRL is signed, it is > transmitted across > >the network to directory/database/repository replicas and to clients. > > "Transmitted"? The only common form of "push" on the Internet is > email, and I know of no CRL-over-email distribution schemes. Much > more common is that the CA simply puts the newly-issued CRL on its > FTP/web server and waits for people who want the CRL to come to them. > > Some people have automated jobs that mirror the CRLs every day or > even more often; these folks have already calculated the cost of > mirroring so often (and of not using delta CRLs). > > >If you are a PKI provider (as I am), and you have to provision 3.5 > >million subscribers, the cost of that provisioning with full CRLs is > >prohibitive, whereas the cost of provisioning with deltas is not. > > You do not have to provision them with the latest CRL; you simply > need to let them get the latest CRL when they feel like it. Or, > better yet, tell them to get the delta CRL; that is why you issued > it, yes? > > >If Russ (i.e. the PKIX WG) would make a clear statement that "issue" > >means "sign and place in one repository", vice "sign and distribute > >to all RPs", then I would have no problem with the current MUST > >requirement. But if a CRL is not deemed to be "issued" unless it is > >available to all, then I strongly agree with Trevor, David Cross, and > >Ambarish that the requirement to "issue" a full CRL for every delta > >must be relaxed. > > We agree here, other than I would say "issue" means "sign and place > in at least all the repositories that are pointed to in any CRL > Distribution Point URI." > > --Paul Hoffman, Director > --Internet Mail Consortium > Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA19571 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 12:46:43 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id PAA22379 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 15:46:15 -0400 (EDT) Message-Id: <200104231946.PAA22375@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Mon, 23 Apr 2001 15:44:26 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txtcomments) References: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C44@exchange.valicert.com> <p0510080eb70895081561@[192.168.1.13]> <200104231652.MAA14107@stingray.missi.ncsc.mil> <p05100802b70a28cbba9d@[165.227.249.20]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Paul Hoffman / IMC wrote: > > "Transmitted"? The only common form of "push" on the Internet is > email, and I know of no CRL-over-email distribution schemes. Much > more common is that the CA simply puts the newly-issued CRL on its > FTP/web server and waits for people who want the CRL to come to them. [dpk] Push or pull, smtp or ftp or http or ldap, the bits are carried across the net in some manner. The bits are what I'm talking about, not the protocol. > Some people have automated jobs that mirror the CRLs every day or > even more often; these folks have already calculated the cost of > mirroring so often (and of not using delta CRLs). [dpk] Great! That's what I'd like to see to reduce latency below what you'd get from a pure (client-demand-driven) pull architecture. But by "more often", do you mean every hour, for 3.5 M subscribers, 3 year certificate validity, and 22% per year revocation rate? Do the math, and you'll see what I mean. > You do not have to provision them with the latest CRL; you simply > need to let them get the latest CRL when they feel like it. Or, > better yet, tell them to get the delta CRL; that is why you issued > it, yes? [dpk] Yes, that's the point. And if clients can get delta CRLs every hour, what's the reason for PKIX requiring CAs to "issue" full CRLs every hour? I agree completely with Mike Myers - no one is suggesting getting rid of full CRLs; deltas can't work without first being initialized by a full. But PKIX should say that clients that can't handle deltas are stuck with whatever fulls are available (24 hours) instead of promising those clients that they can have 1 hour fulls regardless of the cost to the infrastructure. Dave Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA17970 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 12:25:26 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3NJPGd16810; Mon, 23 Apr 2001 12:25:16 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "Russ Housley" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Mon, 23 Apr 2001 12:23:48 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDKEEHCAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE1DE@scygmxs01.cygnacom.com> Importance: Normal Santosh, That is precisely what I'm proposing for the WG's consideration. But I do strongly advocate for a SHALL on full CRL production in any case. Deltas are a systems-level tuning tool. Mike -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Monday, April 23, 2001 11:44 AM To: Michael Myers; Santosh Chokhani; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Mike: I think you are saying that delta can be produced more frequently and there need not be a full CRL issued when a delta is issued. If the above is correct paraphrasing of your statement, then I agree. Received: from mail3.microsoft.com (mail3.microsoft.com [131.107.3.123]) by above.proper.com (8.9.3/8.9.3) with SMTP id MAA17506 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 12:22:34 -0700 (PDT) Received: from 157.54.9.101 by mail3.microsoft.com (InterScan E-Mail VirusWall NT); Sun, 22 Apr 2001 19:48:34 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 22 Apr 2001 19:50:33 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Date: Sun, 22 Apr 2001 19:44:46 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C02A9886A@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Thread-Index: AcDLmtMLSDPxfs3sRuyqpWlK+DiLEgAA7FmA From: "David Cross" <dcross@microsoft.com> To: "Michael Myers" <myers@coastside.net>, "Paul Hoffman / IMC" <phoffman@imc.org>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 23 Apr 2001 02:50:33.0177 (UTC) FILETIME=[2A54A490:01C0CBA0] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id MAA17507 Mike: Yes, exactly, if I understand your statement correctly. With network replication and bandwidth limitations, the goal of many SHOULD be to issue a base CRL less frequently with a longer validity and more delta-CRLs with increased frequency and shorter validity. This in my mind is the orignal intent and ideal scenario for delta-CRL usage. Having a goal of making identical revocation status information to both delta-aware and non delta-aware clients may be noble, but invariably detracts from the ideal scenario described above. If all CA vendors would be compliant in issuing both, this would surely hurt implementations and deployments due to the negative consequences to an infrastructure. David B. Cross -----Original Message----- From: Michael Myers [mailto:myers@coastside.net] Dave, Recognizing broader enterprise issues, somwhere there's nonetheless a middle ground where the mandatory practice of a full CRL complements the optional practice of issuing deltas. The period of the former MAY, perhaps SHOULD, be longer than the latter in the presence of the delta practice. Your thoughts? Mike > -----Original Message----- > From: David Cross [mailto:dcross@microsoft.com] > > > It may not be a burden to a CA, but it very well likely may be burden > for the underlying replication and distribution architecture to push a > full CRL every time a delta-CRL is issued. It is the bigger picture > of the issue outside of the CA and PKI aspects. > > > David B. Cross > Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA16829 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 12:09:53 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JPVNWWWC>; Mon, 23 Apr 2001 15:09:23 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE1E0@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Carlin Covey <ccovey@cylink.com>, Russ Housley <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.t xt comments) Date: Mon, 23 Apr 2001 15:00:32 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CC27.AC1015A0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CC27.AC1015A0 Content-Type: text/plain; charset="iso-8859-1" Carlin: I did not reply to your earlier e-mail. But, I think a delta is always to a base issued by the same authority. Thus, delta being an indirect means that the same authority that is issuing the delta had issued a base CRL that happens to be an indirect CRL. Thus, delta is also an indirect and hence may contain critical crlEntry extension of issuerDN. -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Monday, April 23, 2001 1:28 PM To: Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Russ, Two obvious candidates for alternative text are (1) substituting MAY for MUST and (2) substituting SHOULD for MUST in the sentence: "A dCRL may also be an indirect CRL in that it may contain updated revocation information related to base CRLs issued by one or more than one authorities." I think that these alternative wordings have been either stated or implied by various persons in the course of this discussion. Were you asking for some alternative text to go into the security considerations section? Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Monday, April 23, 2001 7:27 AM To: ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) All: Trevor, Ambarish, Denis, David, and others have proposed the removal of the requirement that CAs post a full CRL whenever a delta-CRL is posted. Trevor's suggestion that the consequences of a CA posting a delta-CRL without posting a full CRL could be discussed in a single paragraph in the Security Considerations section. Paul and Mike have suggested that the current text is fine. A few people have contributed to the thread but not made their own position clear. Perhaps they are only academically interested. Or, perhaps the dialogue is helping them reach their own conclusion. I do not know. Regardless, most people have been silent on this issue. I would like one of the proponents for removing the requirement to suggest alternative text, and I would like to hear from more people about the proposed revision. We are in Working Group Last Call. I would like to reach consensus on this issue, make the necessary change (if any), and get the document to the IESG. Many other working groups are waiting for our document. Russ ------_=_NextPart_001_01C0CC27.AC1015A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta-CRLs (was Re: Last = Call:draft-ietf-pkix-new-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Carlin:</FONT> </P> <P><FONT SIZE=3D2>I did not reply to your earlier e-mail. But, I = think a delta is always to a base issued by the same authority. = Thus, delta being an indirect means that the same authority that is = issuing the delta had issued a base CRL that happens to be an indirect = CRL. Thus, delta is also an indirect and hence may contain = critical crlEntry extension of issuerDN.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Carlin Covey [<A = HREF=3D"mailto:ccovey@cylink.com">mailto:ccovey@cylink.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, April 23, 2001 1:28 PM</FONT> <BR><FONT SIZE=3D2>To: Russ Housley; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs (was Re: Last</FONT> <BR><FONT SIZE=3D2>Call:draft-ietf-pkix-new-part1-06.txt = comments)</FONT> </P> <BR> <P><FONT SIZE=3D2>Russ,</FONT> </P> <P><FONT SIZE=3D2>Two obvious candidates for alternative text are = (1)</FONT> <BR><FONT SIZE=3D2>substituting MAY for MUST and (2) substituting = SHOULD</FONT> <BR><FONT SIZE=3D2>for MUST in the sentence:</FONT> </P> <P><FONT SIZE=3D2>"A dCRL may also be an indirect CRL in that it = may</FONT> <BR><FONT SIZE=3D2>contain updated revocation information related = to</FONT> <BR><FONT SIZE=3D2>base CRLs issued by one or more than one = authorities."</FONT> </P> <P><FONT SIZE=3D2>I think that these alternative wordings have = been</FONT> <BR><FONT SIZE=3D2>either stated or implied by various persons in = the</FONT> <BR><FONT SIZE=3D2>course of this discussion.</FONT> </P> <P><FONT SIZE=3D2>Were you asking for some alternative text to = go</FONT> <BR><FONT SIZE=3D2>into the security considerations section?</FONT> </P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Carlin</FONT> </P> <P><FONT SIZE=3D2>____________________________</FONT> </P> <P><FONT SIZE=3D2>- Carlin Covey</FONT> <BR><FONT SIZE=3D2> Cylink Corporation</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Russ Housley [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, April 23, 2001 7:27 AM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs (was Re: Last</FONT> <BR><FONT SIZE=3D2>Call:draft-ietf-pkix-new-part1-06.txt = comments)</FONT> </P> <BR> <P><FONT SIZE=3D2>All:</FONT> </P> <P><FONT SIZE=3D2>Trevor, Ambarish, Denis, David, and others have = proposed the removal of the</FONT> <BR><FONT SIZE=3D2>requirement that CAs post a full CRL whenever a = delta-CRL is</FONT> <BR><FONT SIZE=3D2>posted. Trevor's suggestion that the = consequences of a CA posting a</FONT> <BR><FONT SIZE=3D2>delta-CRL without posting a full CRL could be = discussed in a single</FONT> <BR><FONT SIZE=3D2>paragraph in the Security Considerations = section.</FONT> </P> <P><FONT SIZE=3D2>Paul and Mike have suggested that the current text is = fine.</FONT> </P> <P><FONT SIZE=3D2>A few people have contributed to the thread but not = made their own position</FONT> <BR><FONT SIZE=3D2>clear. Perhaps they are only academically = interested. Or, perhaps the</FONT> <BR><FONT SIZE=3D2>dialogue is helping them reach their own = conclusion. I do not</FONT> <BR><FONT SIZE=3D2>know. Regardless, most people have been silent = on this issue.</FONT> </P> <P><FONT SIZE=3D2>I would like one of the proponents for removing = the requirement to suggest</FONT> <BR><FONT SIZE=3D2>alternative text, and I would like to hear from more = people about the</FONT> <BR><FONT SIZE=3D2>proposed revision.</FONT> </P> <P><FONT SIZE=3D2>We are in Working Group Last Call. I would like = to reach consensus on this</FONT> <BR><FONT SIZE=3D2>issue, make the necessary change (if any), and get = the document to the</FONT> <BR><FONT SIZE=3D2>IESG. Many other working groups are waiting = for our document.</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CC27.AC1015A0-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id MAA16554 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 12:07:43 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 23 Apr 2001 19:07:44 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id PAA10364 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 15:07:40 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2650.21) id <HK1A3QNT>; Mon, 23 Apr 2001 15:07:40 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (10.3.1.85 [10.3.1.85]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id HK1A3QNQ; Mon, 23 Apr 2001 15:07:37 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Carlin Covey <ccovey@cylink.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010423150639.01b2af98@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 23 Apr 2001 15:07:28 -0400 Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <FLEELNBJKAIIGDJJKPDGGEPJCDAA.ccovey@cylink.com> References: <200104231652.MAA14107@stingray.missi.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Carlin: By my reading of RFC 2459, the CA must generate and make publicly available a CRL every time that it generates a delta-CRL. Russ At 11:47 AM 4/23/2001 -0700, Carlin Covey wrote: >Russ, > >A CA might wish to generate a dCRL simply for the purpose of >handing it off to an OCSP responder, with no intention of the >dCRL falling into the hands of RPs. Since the CA does not >"issue" the dCRL, apparently the CA does not need to generate >a full CRL? > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > >-----Original Message----- >From: dpkemp@stingray.missi.ncsc.mil >[mailto:dpkemp@stingray.missi.ncsc.mil]On Behalf Of David P. Kemp >Sent: Monday, April 23, 2001 9:51 AM >To: ietf-pkix@imc.org >Subject: Re: delta-CRLs (was Re: >LastCall:draft-ietf-pkix-new-part1-06.txt comments) > > >Paul, > >I'll refer you to Russ' message of Jan 18 "Re: Two questions on delta-CRL": > > "I think we may be splitting hairs on the term "issue". I am not > sure that I would consider a CRL that was generated but not > distributed to be "issued". > >The problem is not that it is too burdensome for a CA to have a cron job >that sweeps the database and signs a full CRL every time it signs a delta. >The problem is that once the full CRL is signed, it is transmitted across >the network to directory/database/repository replicas and to clients. >If you are a PKI provider (as I am), and you have to provision 3.5 >million subscribers, the cost of that provisioning with full CRLs is >prohibitive, whereas the cost of provisioning with deltas is not. > >If Russ (i.e. the PKIX WG) would make a clear statement that "issue" >means "sign and place in one repository", vice "sign and distribute >to all RPs", then I would have no problem with the current MUST >requirement. But if a CRL is not deemed to be "issued" unless it is >available to all, then I strongly agree with Trevor, David Cross, and >Ambarish that the requirement to "issue" a full CRL for every delta >must be relaxed. > >Dave K > > > > >Paul Hoffman / IMC wrote: > > > > At 6:03 PM -0700 4/21/01, Ambarish Malpani wrote: > > >Russ, the problem with this is that CAs might be unwilling to issue > > >delta-CRLs because issuing a full CRL every time is too > > >burdensome. > > > > Could you describe how it is "too burdensome"? Maybe I'm being naive, > > not being a CA, but asking a CA to sign a second document (the full > > CRL) at the time that it signs the first document (the delta-CRL) > > really doesn't seem that onerous. > > > > I think the current requirement is fine. > > > > --Paul Hoffman, Director > > --Internet Mail Consortium Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA15882 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 11:52:57 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JPVNWWMQ>; Mon, 23 Apr 2001 14:52:27 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE1DE@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Michael Myers <myers@coastside.net>, Santosh Chokhani <chokhani@cygnacom.com>, Russ Housley <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) Date: Mon, 23 Apr 2001 14:43:37 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CC25.4F111630" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CC25.4F111630 Content-Type: text/plain; charset="iso-8859-1" Mike: I think you are saying that delta can be produced more frequently and there need not be a full CRL issued when a delta is issued. If the above is correct paraphrasing of your statement, then I agree. -----Original Message----- From: Michael Myers [mailto:myers@coastside.net] Sent: Monday, April 23, 2001 1:53 PM To: Santosh Chokhani; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Santosh, Which is the core concept behind my proposal for a middle ground on this issue. Your thoughts on that? Mike -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Monday, April 23, 2001 10:35 AM To: Michael Myers; Santosh Chokhani; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) > . . . once you got the referenced or later base and apply the delta to it, you have the current stuff. ------_=_NextPart_001_01C0CC25.4F111630 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta-CRLs (was Re: Last = Call:draft-ietf-pkix-new-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Mike:</FONT> </P> <P><FONT SIZE=3D2>I think you are saying that delta can be produced = more frequently and there need not be a full CRL issued when a = delta is issued.</FONT></P> <P><FONT SIZE=3D2>If the above is correct paraphrasing of your = statement, then I agree.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Michael Myers [<A = HREF=3D"mailto:myers@coastside.net">mailto:myers@coastside.net</A>]</FON= T> <BR><FONT SIZE=3D2>Sent: Monday, April 23, 2001 1:53 PM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani; Russ Housley; = ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs (was Re: Last</FONT> <BR><FONT SIZE=3D2>Call:draft-ietf-pkix-new-part1-06.txt = comments)</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>Santosh,</FONT> </P> <P><FONT SIZE=3D2>Which is the core concept behind my proposal for a = middle ground on this</FONT> <BR><FONT SIZE=3D2>issue. Your thoughts on that?</FONT> </P> <P><FONT SIZE=3D2>Mike</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Santosh Chokhani [<A = HREF=3D"mailto:chokhani@cygnacom.com">mailto:chokhani@cygnacom.com</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Monday, April 23, 2001 10:35 AM</FONT> <BR><FONT SIZE=3D2>To: Michael Myers; Santosh Chokhani; Russ Housley; = ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs (was Re: Last = Call:draft-ietf-pkix-new-part1-06.txt</FONT> <BR><FONT SIZE=3D2>comments)</FONT> </P> <BR> <P><FONT SIZE=3D2>> . . . once you got the referenced or later base = and apply the delta to it,</FONT> <BR><FONT SIZE=3D2>you have the current stuff.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CC25.4F111630-- Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA15604 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 11:52:11 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 2LAW5VBG; Mon, 23 Apr 2001 11:47:22 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Date: Mon, 23 Apr 2001 11:47:13 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGGEPJCDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <200104231652.MAA14107@stingray.missi.ncsc.mil> Importance: Normal Russ, A CA might wish to generate a dCRL simply for the purpose of handing it off to an OCSP responder, with no intention of the dCRL falling into the hands of RPs. Since the CA does not "issue" the dCRL, apparently the CA does not need to generate a full CRL? Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: dpkemp@stingray.missi.ncsc.mil [mailto:dpkemp@stingray.missi.ncsc.mil]On Behalf Of David P. Kemp Sent: Monday, April 23, 2001 9:51 AM To: ietf-pkix@imc.org Subject: Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Paul, I'll refer you to Russ' message of Jan 18 "Re: Two questions on delta-CRL": "I think we may be splitting hairs on the term "issue". I am not sure that I would consider a CRL that was generated but not distributed to be "issued". The problem is not that it is too burdensome for a CA to have a cron job that sweeps the database and signs a full CRL every time it signs a delta. The problem is that once the full CRL is signed, it is transmitted across the network to directory/database/repository replicas and to clients. If you are a PKI provider (as I am), and you have to provision 3.5 million subscribers, the cost of that provisioning with full CRLs is prohibitive, whereas the cost of provisioning with deltas is not. If Russ (i.e. the PKIX WG) would make a clear statement that "issue" means "sign and place in one repository", vice "sign and distribute to all RPs", then I would have no problem with the current MUST requirement. But if a CRL is not deemed to be "issued" unless it is available to all, then I strongly agree with Trevor, David Cross, and Ambarish that the requirement to "issue" a full CRL for every delta must be relaxed. Dave K Paul Hoffman / IMC wrote: > > At 6:03 PM -0700 4/21/01, Ambarish Malpani wrote: > >Russ, the problem with this is that CAs might be unwilling to issue > >delta-CRLs because issuing a full CRL every time is too > >burdensome. > > Could you describe how it is "too burdensome"? Maybe I'm being naive, > not being a CA, but asking a CA to sign a second document (the full > CRL) at the time that it signs the first document (the delta-CRL) > really doesn't seem that onerous. > > I think the current requirement is fine. > > --Paul Hoffman, Director > --Internet Mail Consortium Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA15458; Mon, 23 Apr 2001 11:51:12 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p05100802b70a28cbba9d@[165.227.249.20]> In-Reply-To: <200104231652.MAA14107@stingray.missi.ncsc.mil> References: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C44@exchange.valicert.com> <p0510080eb70895081561@[192.168.1.13]> <200104231652.MAA14107@stingray.missi.ncsc.mil> Date: Mon, 23 Apr 2001 11:51:18 -0700 To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 12:50 PM -0400 4/23/01, David P. Kemp wrote: >I'll refer you to Russ' message of Jan 18 "Re: Two questions on delta-CRL": > > "I think we may be splitting hairs on the term "issue". I am not > sure that I would consider a CRL that was generated but not > distributed to be "issued". I think we are splitting hairs on what "distributed" means. >The problem is not that it is too burdensome for a CA to have a cron job >that sweeps the database and signs a full CRL every time it signs a delta. >The problem is that once the full CRL is signed, it is transmitted across >the network to directory/database/repository replicas and to clients. "Transmitted"? The only common form of "push" on the Internet is email, and I know of no CRL-over-email distribution schemes. Much more common is that the CA simply puts the newly-issued CRL on its FTP/web server and waits for people who want the CRL to come to them. Some people have automated jobs that mirror the CRLs every day or even more often; these folks have already calculated the cost of mirroring so often (and of not using delta CRLs). >If you are a PKI provider (as I am), and you have to provision 3.5 >million subscribers, the cost of that provisioning with full CRLs is >prohibitive, whereas the cost of provisioning with deltas is not. You do not have to provision them with the latest CRL; you simply need to let them get the latest CRL when they feel like it. Or, better yet, tell them to get the delta CRL; that is why you issued it, yes? >If Russ (i.e. the PKIX WG) would make a clear statement that "issue" >means "sign and place in one repository", vice "sign and distribute >to all RPs", then I would have no problem with the current MUST >requirement. But if a CRL is not deemed to be "issued" unless it is >available to all, then I strongly agree with Trevor, David Cross, and >Ambarish that the requirement to "issue" a full CRL for every delta >must be relaxed. We agree here, other than I would say "issue" means "sign and place in at least all the repositories that are pointed to in any CRL Distribution Point URI." --Paul Hoffman, Director --Internet Mail Consortium Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA14718 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 11:32:07 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3NIW6d13198; Mon, 23 Apr 2001 11:32:07 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Date: Mon, 23 Apr 2001 11:30:39 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDCEEFCAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <200104231652.MAA14107@stingray.missi.ncsc.mil> Importance: Normal Dave, But in a broader sense, isn't that precisely the problem directory replication is all about? It would be useful to hear of empirical studies establishing the extent to which PKI information management today dominates directory (X.500, LDAP) operations. I advocate that we need to know what today's ground truth tells us before we flip this parity bit; else wiggle the text as I proposed and so provide everybody the tuning knobs they want to tailor the standard to local needs. More tactically, one could produce a full CRL as a "backup" but let the delta practice take the burden of timeliness and bandwidth efficiency. But in all cases where non-repudiation becomes a true (vice theoretical) issue, there MUST be a full CRL around somewhere that cleanly establishes a context. Else one is faced with reconstituting the full context via re-accumulation of all the relevant deltas. Not an easy task either, and one prone to error. Given the ease with which a full CRL can be produced (assuming mechanisms are in place to produce deltas), just crontab two periods: a "full" production and a "delta" production, with the period of the latter shorter than the former. You don't have to push the full CRL all over the place, but at a minimum certainly have it available. A systems-level tradeoff, as always. But dumping full CRLs entirely and trusting deltas exclusively isn't something I'd advocate to any enterprise concerned about its risk management practices. Mike > -----Original Message----- > From: dpkemp@stingray.missi.ncsc.mil > . . . > The problem is that once the full CRL is signed, it is transmitted across > the network to directory/database/repository replicas and to clients. > If you are a PKI provider (as I am), and you have to provision 3.5 > million subscribers, the cost of that provisioning with full CRLs is > prohibitive, whereas the cost of provisioning with deltas is not. Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA14242 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 11:23:35 -0700 (PDT) Received: from 157.54.9.101 by mail2.microsoft.com (InterScan E-Mail VirusWall NT); Thu, 19 Apr 2001 06:39:18 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Thu, 19 Apr 2001 06:39:07 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Help Sought on Netscape Revocation URL causing MS Programs to hang Date: Thu, 19 Apr 2001 06:39:06 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C02A98783@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Help Sought on Netscape Revocation URL causing MS Programs to hang Thread-Index: AcDIdFtBiqL/mHnUTCenzPDH/gBAGQAYYSxg From: "David Cross" <dcross@microsoft.com> To: "Ron Segal" <ron.segal@baycorpid.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 19 Apr 2001 13:39:07.0303 (UTC) FILETIME=[1B4E0B70:01C0C8D6] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id LAA14243 I will pass on the job offer, but have you verified that the URLs are valid that are listed in the certificate? If the URLs are no longer valid or cannot be reached, that might explain the behaviour. If you want to send me the certificate chain (privately), we can take a look at it. David B. Cross -----Original Message----- From: Ron Segal [mailto:ron.segal@baycorpid.com] Sent: Wednesday, April 18, 2001 6:59 PM To: ietf-pkix@imc.org Subject: Help Sought on Netscape Revocation URL causing MS Programs to hang Hi Folks If an X.509 v3 certificate contains a proprietary NetscapeRevocationURL extension and a Microsoft program (eg email or browser) is configured to do automatic CRL Distribution Point Checking, then the Microsoft program will hang and timeout after about 5 minutes. Does anybody know of a fix for this problem, e.g. a registry configuration (no cynicism please!)? We are aware that if a cert has both the NetscapeRevocationURL and CRL Distribution Point extensions, then no problem. Your help would be greatly appreciated (and maybe you can get a job at Baycorp!). Very best regards Ron -------------- Ron Segal Business Development Manager Baycorp ID Services Ltd PO Box 5052, Wellington, New Zealand Mailto: ron.segal@baycorpid.com Tel: +64 (4) 499 4231 DD: +64 (4) 499 4261 Mob: +64 (21) 678 009 Fax: +64 (4) 499 4233 Web: http://www.baycorpid.com Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA13262 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 11:07:02 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3NI4wd10709; Mon, 23 Apr 2001 11:04:58 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Sharon Boeyen" <sharon.boeyen@entrust.com>, "Santosh Chokhani" <chokhani@cygnacom.com>, "Russ Housley" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) Date: Mon, 23 Apr 2001 11:03:31 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDGEEECAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FBF@sottmxs09.entrust.com> Importance: Normal So let's just issue them in different periods with deltas more frequent than the full. -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Monday, April 23, 2001 9:40 AM To: Santosh Chokhani; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) I agree with Santosh. Forcing the issuance of a full CRL each time a delta is issued removes the primary value of issuing the delta in the first place. Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA12920 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 11:04:50 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 2LAW545B; Mon, 23 Apr 2001 10:59:35 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Sharon Boeyen" <sharon.boeyen@entrust.com>, "Santosh Chokhani" <chokhani@cygnacom.com>, "Russ Housley" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) Date: Mon, 23 Apr 2001 10:59:27 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGGEPICDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01C0CBE4.77139D10" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FBF@sottmxs09.entrust.com> Importance: Normal This is a multi-part message in MIME format. ------=_NextPart_000_0000_01C0CBE4.77139D10 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)Russ and Sharon, X.509 Ed. 4 draft v6 says in section 9 "A dCRL may also be an indirect CRL in that it may contain updated revocation information related to base CRLs issued by one or more than one authorities." In this case in order to comply with the current PKIX profile requirement below, the CA that issued the dCRL would also have to issue a full indirect CRL for all the authorities whose CRLs were updated by the dCRL. That much I understand, I think. Current PKIX profile requirement: "When a conforming CA issues a delta CRL, the CA MUST also issue a CRL that is complete for the given scope." But I'm puzzled by another point. It looks to me like X.509 permits a dCRL to contain a crlScope extension that limits the scope of the certificates for which the dCRL is authoritative (using onlyContains or onlySomeReasons, for instance). In fact, it seems that different CA's could issue indirect dCRLs for various scopes (e.g. user certificate, attribute certificate, keyCompromise, certificateHold, etc.), but reference a base CRL that covers a larger scope. In that case, I suppose each of the dCRL issuers must also issue a "full CRL". But what constitutes a full "CRL that is complete for the given scope."? Is it the given scope of the dCRL, or the given scope of the base CRL? That is, does each "full CRL" cover only the scope of the dCRL, even if the dCRL's base CRL covers additional scope (e.g. additional reason codes, or additional certificate types)? Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Monday, April 23, 2001 9:40 AM To: Santosh Chokhani; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) I agree with Santosh. Forcing the issuance of a full CRL each time a delta is issued removes the primary value of issuing the delta in the first place. ------=_NextPart_000_0000_01C0CBE4.77139D10 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>RE: delta-CRLs (was Re: Last = Call:draft-ietf-pkix-new-part1-06.txt comments)</TITLE> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>Russ=20 and Sharon,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>X.509=20 Ed. 4 draft v6 says in section 9 "A dCRL may also be an indirect = CRL=20 </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>in=20 that it may contain updated revocation information related to base CRLs=20 </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>issued=20 by one or more than one authorities."</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>In=20 this case in order to comply with the current PKIX profile requirement=20 below,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>the CA=20 that issued the dCRL would also have to issue a full indirect CRL=20 for</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>all=20 the authorities whose CRLs were updated by the dCRL. That much I=20 </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001>understand, I = think. </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </DIV> <DIV><SPAN class=3D730544716-23042001> <P><FONT size=3D2><FONT face=3DArial><FONT color=3D#0000ff><SPAN=20 class=3D730544716-23042001> &nbs= p; =20 Current PKIX profile requirement: </SPAN>"When a conforming CA=20 issues </FONT></FONT><BR><FONT color=3D#0000ff><FONT = face=3DArial><SPAN=20 class=3D730544716-23042001> &nbs= p; =20 </SPAN>a delta CRL, </FONT><FONT face=3DArial></FONT><FONT=20 color=3D#0000ff></FONT><FONT size=3D2>the CA MUST also issue a CRL that = is complete=20 for <BR><SPAN=20 class=3D730544716-23042001> &nbs= p; =20 </SPAN>the given scope."</FONT></FONT></FONT></P></SPAN></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>But=20 I'm puzzled by another point. It looks to me like X.509 = permits a=20 dCRL</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>to=20 contain a crlScope extension that limits the scope of the certificates=20 for</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>which=20 the dCRL is authoritative (using onlyContains or=20 onlySomeReasons,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>for=20 instance). In fact, it seems that different CA's could issue = indirect=20 dCRLs</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>for=20 various scopes (e.g. user certificate, attribute certificate,=20 keyCompromise,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001>certificateHold, etc.), but reference a base = CRL that=20 covers a larger scope. </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>In=20 that case, I suppose each of the dCRL issuers must</SPAN></FONT><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN class=3D730544716-23042001> = also=20 issue</SPAN></FONT><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001> a "full CRL". </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>But=20 what constitutes a full "CRL that is complete for<SPAN=20 class=3D730544716-23042001> </SPAN>the given scope."? Is=20 it</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>the=20 given scope of the dCRL, or the given scope of the base CRL? That = is,=20 does</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>each=20 "full CRL" cover only the scope of the dCRL, even if the dCRL's = base=20 CRL</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>covers=20 additional scope (e.g. additional reason codes, or additional=20 certificate</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001>types)?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001> <P><FONT=20 size=3D2>Regards,<BR><BR>Carlin<BR><BR>____________________________<BR><B= R>- =20 Carlin Covey<BR> Cylink Corporation = </FONT></P></SPAN></FONT></DIV> <DIV><SPAN class=3D730544716-23042001> <P><FONT size=3D2><FONT color=3D#0000ff><FONT face=3DArial><SPAN=20 class=3D730544716-23042001></SPAN></FONT></FONT></FONT> </P></SPAN><= /DIV> <BLOCKQUOTE dir=3Dltr style=3D"MARGIN-RIGHT: 0px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen=20 [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Monday, April 23, = 2001 9:40=20 AM<BR><B>To:</B> Santosh Chokhani; Russ Housley;=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta-CRLs (was Re: Last=20 Call:draft-ietf-pkix-new-part1-06.tx t comments)<BR><BR></DIV></FONT> <DIV><SPAN class=3D229484416-23042001><FONT color=3D#0000ff = face=3DArial size=3D2>I=20 agree with Santosh. Forcing the issuance of a full CRL each time a = delta is=20 issued removes the primary value of issuing the delta in the first=20 place.</FONT></SPAN></DIV></BLOCKQUOTE></DIV></BODY></HTML> ------=_NextPart_000_0000_01C0CBE4.77139D10-- Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA12143 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 10:57:01 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3NHspd09796; Mon, 23 Apr 2001 10:54:52 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "Russ Housley" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Mon, 23 Apr 2001 10:53:25 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDGEEDCAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE1D6@scygmxs01.cygnacom.com> Importance: Normal Santosh, Which is the core concept behind my proposal for a middle ground on this issue. Your thoughts on that? Mike -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Monday, April 23, 2001 10:35 AM To: Michael Myers; Santosh Chokhani; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) > . . . once you got the referenced or later base and apply the delta to it, you have the current stuff. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA11096 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 10:43:54 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JPVNWVFS>; Mon, 23 Apr 2001 13:43:24 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE1D6@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Michael Myers <myers@coastside.net>, Santosh Chokhani <chokhani@cygnacom.com>, Russ Housley <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) Date: Mon, 23 Apr 2001 13:34:34 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CC1B.A9840A00" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CC1B.A9840A00 Content-Type: text/plain; charset="iso-8859-1" Delta CRL concept is lot simpler than folks make out it to be. If a compliant client takes a delta and a base that is referenced by the delta or a later base, it has the current full picture. As Sharon said, requiring a full CRL defeats the delta purpose. Again, once you got the referenced or later base and apply the delta to it, you have the current stuff. -----Original Message----- From: Michael Myers [mailto:myers@coastside.net] Sent: Monday, April 23, 2001 12:48 PM To: Santosh Chokhani; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Santosh, I disagree. I remain concerned about divergence from the standard database maintenance practice of producing a "full" and a set of "deltas". Towards support of non-repudiation, I would expect that most who wish to make a case on the basis of CRLs would prefer to make their case on the basis of a full CRL. At issue I believe is the notion that one MUST produce a full CRL every time a delta is produced. I suggest that this lock-step production process does indeed needlessly impact enterprise infrastructures as Trevor observed. Russ, I propose as a middle ground text establishing that: 1. full CRLs are a SHALL in all cases, thus contributing to interoperability; 2. that the periods of production of a full CRL and its corresponding deltas MAY be identical, thus yeilding the intent of the current text; but 4. when practiced, the production of deltas SHALL at a minimum be less than that of the period of production of the corresponding full CRL, thus enabling systems-level tuning to achieve a locally acceptable balance between timeliness, effective non-repudiation support, generally accepted database maintainence principles and infrastructure overhead. And of course, deltas are a MAY. I'll write this up as a drop-in to the current text depending on how consensus flows on the proposal. Mike -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Monday, April 23, 2001 8:45 AM To: Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) I have been quite on this. I am firmly in favor of NOT having the requirement (i.e., delete the requirement): "CA post a full CRL whenever a delta CRL is issued". -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Monday, April 23, 2001 10:27 AM To: ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) All: Trevor, Ambarish, Denis, David, and others have proposed the removal of the requirement that CAs post a full CRL whenever a delta-CRL is posted. Trevor's suggestion that the consequences of a CA posting a delta-CRL without posting a full CRL could be discussed in a single paragraph in the Security Considerations section. Paul and Mike have suggested that the current text is fine. A few people have contributed to the thread but not made their own position clear. Perhaps they are only academically interested. Or, perhaps the dialogue is helping them reach their own conclusion. I do not know. Regardless, most people have been silent on this issue. I would like one of the proponents for removing the requirement to suggest alternative text, and I would like to hear from more people about the proposed revision. We are in Working Group Last Call. I would like to reach consensus on this issue, make the necessary change (if any), and get the document to the IESG. Many other working groups are waiting for our document. Russ ------_=_NextPart_001_01C0CC1B.A9840A00 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta-CRLs (was Re: Last = Call:draft-ietf-pkix-new-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Delta CRL concept is lot simpler than folks make out = it to be. If a compliant client takes a delta and a base that is = referenced by the delta or a later base, it has the current full = picture.</FONT></P> <P><FONT SIZE=3D2>As Sharon said, requiring a full CRL defeats the = delta purpose.</FONT> </P> <P><FONT SIZE=3D2>Again, once you got the referenced or later base and = apply the delta to it, you have the current stuff.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Michael Myers [<A = HREF=3D"mailto:myers@coastside.net">mailto:myers@coastside.net</A>]</FON= T> <BR><FONT SIZE=3D2>Sent: Monday, April 23, 2001 12:48 PM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani; Russ Housley; = ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs (was Re: Last</FONT> <BR><FONT SIZE=3D2>Call:draft-ietf-pkix-new-part1-06.txt = comments)</FONT> </P> <BR> <P><FONT SIZE=3D2>Santosh,</FONT> </P> <P><FONT SIZE=3D2>I disagree. I remain concerned about divergence = from the standard database</FONT> <BR><FONT SIZE=3D2>maintenance practice of producing a "full" = and a set of "deltas". Towards</FONT> <BR><FONT SIZE=3D2>support of non-repudiation, I would expect that most = who wish to make a case</FONT> <BR><FONT SIZE=3D2>on the basis of CRLs would prefer to make their case = on the basis of a full</FONT> <BR><FONT SIZE=3D2>CRL.</FONT> </P> <P><FONT SIZE=3D2>At issue I believe is the notion that one MUST = produce a full CRL every time</FONT> <BR><FONT SIZE=3D2>a delta is produced. I suggest that this = lock-step production process does</FONT> <BR><FONT SIZE=3D2>indeed needlessly impact enterprise infrastructures = as Trevor observed.</FONT> </P> <P><FONT SIZE=3D2>Russ, I propose as a middle ground text establishing = that:</FONT> </P> <P><FONT SIZE=3D2>1. full CRLs are a SHALL in all cases, thus = contributing to</FONT> <BR><FONT SIZE=3D2>interoperability;</FONT> </P> <P><FONT SIZE=3D2>2. that the periods of production of a full CRL and = its corresponding deltas</FONT> <BR><FONT SIZE=3D2>MAY be identical, thus yeilding the intent of the = current text; but</FONT> </P> <P><FONT SIZE=3D2>4. when practiced, the production of deltas SHALL at = a minimum be less than</FONT> <BR><FONT SIZE=3D2>that of the period of production of the = corresponding full CRL, thus</FONT> <BR><FONT SIZE=3D2>enabling systems-level tuning to achieve a locally = acceptable balance</FONT> <BR><FONT SIZE=3D2>between timeliness, effective non-repudiation = support, generally accepted</FONT> <BR><FONT SIZE=3D2>database maintainence principles and infrastructure = overhead.</FONT> </P> <P><FONT SIZE=3D2>And of course, deltas are a MAY.</FONT> </P> <P><FONT SIZE=3D2>I'll write this up as a drop-in to the current text = depending on how</FONT> <BR><FONT SIZE=3D2>consensus flows on the proposal.</FONT> </P> <P><FONT SIZE=3D2>Mike</FONT> </P> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Santosh Chokhani [<A = HREF=3D"mailto:chokhani@cygnacom.com">mailto:chokhani@cygnacom.com</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Monday, April 23, 2001 8:45 AM</FONT> <BR><FONT SIZE=3D2>To: Russ Housley; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs (was Re: Last = Call:draft-ietf-pkix-new-part1-06.txt</FONT> <BR><FONT SIZE=3D2>comments)</FONT> </P> <BR> <P><FONT SIZE=3D2>I have been quite on this. I am firmly in favor = of NOT having the</FONT> <BR><FONT SIZE=3D2>requirement (i.e., delete the requirement): "CA = post a full CRL whenever a</FONT> <BR><FONT SIZE=3D2>delta CRL is issued".</FONT> <BR><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Russ Housley [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, April 23, 2001 10:27 AM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs (was Re: Last</FONT> <BR><FONT SIZE=3D2>Call:draft-ietf-pkix-new-part1-06.txt = comments)</FONT> </P> <BR> <P><FONT SIZE=3D2>All:</FONT> <BR><FONT SIZE=3D2>Trevor, Ambarish, Denis, David, and others have = proposed the removal of the</FONT> <BR><FONT SIZE=3D2>requirement that CAs post a full CRL whenever a = delta-CRL is</FONT> <BR><FONT SIZE=3D2>posted. Trevor's suggestion that the = consequences of a CA posting a</FONT> <BR><FONT SIZE=3D2>delta-CRL without posting a full CRL could be = discussed in a single</FONT> <BR><FONT SIZE=3D2>paragraph in the Security Considerations = section.</FONT> <BR><FONT SIZE=3D2>Paul and Mike have suggested that the current text = is fine.</FONT> <BR><FONT SIZE=3D2>A few people have contributed to the thread but not = made their own position</FONT> <BR><FONT SIZE=3D2>clear. Perhaps they are only academically = interested. Or, perhaps the</FONT> <BR><FONT SIZE=3D2>dialogue is helping them reach their own = conclusion. I do not</FONT> <BR><FONT SIZE=3D2>know. Regardless, most people have been silent = on this issue.</FONT> <BR><FONT SIZE=3D2>I would like one of the proponents for = removing the requirement to suggest</FONT> <BR><FONT SIZE=3D2>alternative text, and I would like to hear from more = people about the</FONT> <BR><FONT SIZE=3D2>proposed revision.</FONT> <BR><FONT SIZE=3D2>We are in Working Group Last Call. I would = like to reach consensus on this</FONT> <BR><FONT SIZE=3D2>issue, make the necessary change (if any), and get = the document to the</FONT> <BR><FONT SIZE=3D2>IESG. Many other working groups are waiting = for our document.</FONT> <BR><FONT SIZE=3D2>Russ</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CC1B.A9840A00-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA10694 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 10:40:24 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JPVNWVDQ>; Mon, 23 Apr 2001 13:39:55 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE1D5@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: stephen.farrell@baltimore.ie, Trevor Freeman <trevorf@windows.microsoft.com> Cc: Russ Housley <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Date: Mon, 23 Apr 2001 13:31:04 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CC1B.2C837590" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CC1B.2C837590 Content-Type: text/plain; charset="iso-8859-1" Folks: Over the last few days, I have suppressed the urge to respond to this thread, largely because while I have a great deal of respect for the individuals debating this and know them personally, there either seems to be a general misunderstanding of the concepts, or their positions seems to be misstated, or they seem to have simply not explained themselves well enough. Also, this chain seems to imply that several issues are getting mixed. So, here is my take on it all. First, I think that the restriction that a CA who desires to issue Indirect CRL needs to set itself up as a separate name is unduly restrictive. There is no need for a CA to do that. A CA can issue a full CRL as well as an Indirect CRL and populate these in the same or different entries (i.e., CRL DP) in the directory. Please review Annex B of X.509 for how to process CRL. So, may be Russ can explain why this requirement comes about. Second, when we say that a CA may not use different keys for signing certificates and CRLs, we are again not thinking of operations. Operationally, a CA is going to rekey. When it does, it will have issued the certificates using the old key and will sign CRL with new key. There are your different keys. Also, I think a standard should be flexible and promote security. From operational security viewpoint, a CA may not want to keep the certificate signing key active all the time, but may need to keep the CRL signing key active to help meet CRL issuance obligations. This will mean a separate CRL signing key since compromise of that key still does not compromise anything. The attacker needs to compromise some subscriber keys to create a true compromise, denial-of-service notwithstanding. Thus, we should accommodate separate keys for certificates and CRLs. In short, requiring the CA to use a different name to issue indirect CRL is not well-grounded and should be deleted. Requiring a CA to use different key for indirect CRL is not well-grounded and should be deleted. Requiring the same key for certificate and CRL signing may not be possible due to rekey or operational security requirements and should be deleted. Finally, as to Steve Farrell's question regarding client simplicity, I wish I could answer that. The client will need intelligence to handle rekey and secure CA who use different keys for certificate and CRL signing. -----Original Message----- From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie] Sent: Saturday, April 21, 2001 4:08 PM To: Trevor Freeman Cc: Russ Housley; ietf-pkix@imc.org Subject: Re: Dedicated CRL signing keys Hi Trevor, I'm sympathetic and would also like to see a nice solution that'd ease graceful failure for clients. However, if the proposal breaks existing CAs then its not a solution (as Tim pointed out for a different reason). Stephen. Trevor Freeman wrote: > > Stephen, > The route problem is that this is an optional feature, and the net > result with the current proposal of profile compliant clients who > encounter a CA operating with this option will simply be a signature > failure. This presents a fairly high bar to anyone trying to establish > why the revocation check is failing. The rational behind using a > critical extension in the CRL is that now the conformant client knows > that failure is by design without understanding what the problem is > since it does not understand the extension and can return a more > informative error like option not supported. > Trevor > > -----Original Message----- > From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie] > Sent: Thursday, April 19, 2001 7:07 AM > To: Russ Housley > Cc: Trevor Freeman; ietf-pkix@imc.org > Subject: Re: Dedicated CRL signing keys > > Russ, > > That'd be a bad resolution since it would break deployed CAs who > use the same name and different cert and CRL signing keys (and > those do exist and are operating). > > Any other ideas or should we just require clients to understand > what's going on based on key usage? > > Stephen. > > Russ Housley wrote: > > > > Trevor: > > > > I propose the following solution that builds on the Indirect CRL > > capabilities that are already available. When a CA wants to employ > > separate private keys to sign certificates and CRLs, then that CA MUST > > delegate CRL signing to a separate authority. That separate authority > MUST > > have a different Distinguished Name that the CA, but it could be > operated > > by the same organization. In this way, the IDP CRL extension would > flag > > the "unusual" circumstances. Clients that do not support Indirect > CRLs can > > fail gracefully (unsupported optional feature), and clients that > support > > Indirect CRLs can happily handle the certificates and CRLs. > > > > Thoughts? > > > > Russ > > > > At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: > > >There has been some discussion regarding the proposal to have CRLs > > >signed with CA keys which do not also sign certificates. Since this > will > > >not be a mandatory to implement feature, I am concerned about the > impact > > >on pkix compliant clients who encounter CRL signed in this way, and > how > > >we expect them to behave. What seem unacceptable with the current > > >proposal is that the signage check on the CRL will fail, and the > client > > >will have little clue as to why and if this failure is expected. The > > >information in the chain, while present, is in the CAs certificate, > is > > >difficult to find and subtle so would be easily missed by someone > > >debugging this problem. I would like to see some clearer indication > in a > > >critical extension in the CRL itself that would indicate what was > going > > >on. In expressing these semantics in a critical extension, we > maintain > > >the principal that if you don't understand the extension, the client > > >knows to fail due to its own inadequacies and that failure is by > design, > > >therefore allowing the client's to return an error unsupported option > > >rather than invalid signature. > > >Trevor > > -- > ____________________________________________________________ > Stephen Farrell > Baltimore Technologies, tel: (direct line) +353 1 881 6716 > 39 Parkgate Street, fax: +353 1 881 7000 > Dublin 8. mailto:stephen.farrell@baltimore.ie > Ireland http://www.baltimore.com -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com ------_=_NextPart_001_01C0CC1B.2C837590 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Dedicated CRL signing keys</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Folks:</FONT> </P> <P><FONT SIZE=3D2>Over the last few days, I have suppressed the urge to = respond to this thread, largely because while I have a great deal of = respect for the individuals debating this and know them personally, = there either seems to be a general misunderstanding of the concepts, or = their positions seems to be misstated, or they seem to have simply not = explained themselves well enough.</FONT></P> <BR> <P><FONT SIZE=3D2>Also, this chain seems to imply that several issues = are getting mixed.</FONT> </P> <P><FONT SIZE=3D2>So, here is my take on it all.</FONT> </P> <P><FONT SIZE=3D2>First, I think that the restriction that a CA who = desires to issue Indirect CRL needs to set itself up as a separate name = is unduly restrictive. There is no need for a CA to do = that. A CA can issue a full CRL as well as an Indirect CRL and = populate these in the same or different entries (i.e., CRL DP) in the = directory. Please review Annex B of X.509 for how to process = CRL. So, may be Russ can explain why this requirement comes = about.</FONT></P> <P><FONT SIZE=3D2>Second, when we say that a CA may not use different = keys for signing certificates and CRLs, we are again not thinking of = operations. Operationally, a CA is going to rekey. When it = does, it will have issued the certificates using the old key and will = sign CRL with new key. There are your different keys.</FONT></P> <P><FONT SIZE=3D2>Also, I think a standard should be flexible and = promote security. From operational security viewpoint, a CA may = not want to keep the certificate signing key active all the time, but = may need to keep the CRL signing key active to help meet CRL issuance = obligations. This will mean a separate CRL signing key since = compromise of that key still does not compromise anything. The = attacker needs to compromise some subscriber keys to create a true = compromise, denial-of-service notwithstanding. Thus, we should = accommodate separate keys for certificates and CRLs.</FONT></P> <P><FONT SIZE=3D2>In short, requiring the CA to use a different name to = issue indirect CRL is not well-grounded and should be deleted. = Requiring a CA to use different key for indirect CRL is not = well-grounded and should be deleted. Requiring the same key for = certificate and CRL signing may not be possible due to rekey or = operational security requirements and should be deleted.</FONT></P> <BR> <P><FONT SIZE=3D2>Finally, as to Steve Farrell's question regarding = client simplicity, I wish I could answer that. The client will = need intelligence to handle rekey and secure CA who use different keys = for certificate and CRL signing.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Stephen Farrell [<A = HREF=3D"mailto:stephen.farrell@baltimore.ie">mailto:stephen.farrell@balt= imore.ie</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Saturday, April 21, 2001 4:08 PM</FONT> <BR><FONT SIZE=3D2>To: Trevor Freeman</FONT> <BR><FONT SIZE=3D2>Cc: Russ Housley; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: Dedicated CRL signing keys</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>Hi Trevor,</FONT> </P> <P><FONT SIZE=3D2>I'm sympathetic and would also like to see a nice = solution that'd </FONT> <BR><FONT SIZE=3D2>ease graceful failure for clients. However, if the = proposal breaks</FONT> <BR><FONT SIZE=3D2>existing CAs then its not a solution (as Tim pointed = out for a</FONT> <BR><FONT SIZE=3D2>different reason).</FONT> </P> <P><FONT SIZE=3D2>Stephen.</FONT> </P> <P><FONT SIZE=3D2>Trevor Freeman wrote:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Stephen,</FONT> <BR><FONT SIZE=3D2>> The route problem is that this is an optional = feature, and the net</FONT> <BR><FONT SIZE=3D2>> result with the current proposal of profile = compliant clients who</FONT> <BR><FONT SIZE=3D2>> encounter a CA operating with this option will = simply be a signature</FONT> <BR><FONT SIZE=3D2>> failure. This presents a fairly high bar to = anyone trying to establish</FONT> <BR><FONT SIZE=3D2>> why the revocation check is failing. The = rational behind using a</FONT> <BR><FONT SIZE=3D2>> critical extension in the CRL is that now the = conformant client knows</FONT> <BR><FONT SIZE=3D2>> that failure is by design without understanding = what the problem is</FONT> <BR><FONT SIZE=3D2>> since it does not understand the extension and = can return a more</FONT> <BR><FONT SIZE=3D2>> informative error like option not = supported.</FONT> <BR><FONT SIZE=3D2>> Trevor</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Stephen Farrell [<A = HREF=3D"mailto:stephen.farrell@baltimore.ie">mailto:stephen.farrell@balt= imore.ie</A>]</FONT> <BR><FONT SIZE=3D2>> Sent: Thursday, April 19, 2001 7:07 AM</FONT> <BR><FONT SIZE=3D2>> To: Russ Housley</FONT> <BR><FONT SIZE=3D2>> Cc: Trevor Freeman; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: Re: Dedicated CRL signing keys</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Russ,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> That'd be a bad resolution since it would break = deployed CAs who</FONT> <BR><FONT SIZE=3D2>> use the same name and different cert and CRL = signing keys (and</FONT> <BR><FONT SIZE=3D2>> those do exist and are operating).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Any other ideas or should we just require = clients to understand</FONT> <BR><FONT SIZE=3D2>> what's going on based on key usage?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Stephen.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Russ Housley wrote:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Trevor:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > I propose the following solution that = builds on the Indirect CRL</FONT> <BR><FONT SIZE=3D2>> > capabilities that are already = available. When a CA wants to employ</FONT> <BR><FONT SIZE=3D2>> > separate private keys to sign certificates = and CRLs, then that CA MUST</FONT> <BR><FONT SIZE=3D2>> > delegate CRL signing to a separate = authority. That separate authority</FONT> <BR><FONT SIZE=3D2>> MUST</FONT> <BR><FONT SIZE=3D2>> > have a different Distinguished Name that = the CA, but it could be</FONT> <BR><FONT SIZE=3D2>> operated</FONT> <BR><FONT SIZE=3D2>> > by the same organization. In this = way, the IDP CRL extension would</FONT> <BR><FONT SIZE=3D2>> flag</FONT> <BR><FONT SIZE=3D2>> > the "unusual" = circumstances. Clients that do not support Indirect</FONT> <BR><FONT SIZE=3D2>> CRLs can</FONT> <BR><FONT SIZE=3D2>> > fail gracefully (unsupported optional = feature), and clients that</FONT> <BR><FONT SIZE=3D2>> support</FONT> <BR><FONT SIZE=3D2>> > Indirect CRLs can happily handle the = certificates and CRLs.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Thoughts?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Russ</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > At 01:32 PM 4/18/2001 -0700, Trevor = Freeman wrote:</FONT> <BR><FONT SIZE=3D2>> > >There has been some discussion = regarding the proposal to have CRLs</FONT> <BR><FONT SIZE=3D2>> > >signed with CA keys which do not also = sign certificates. Since this</FONT> <BR><FONT SIZE=3D2>> will</FONT> <BR><FONT SIZE=3D2>> > >not be a mandatory to implement = feature, I am concerned about the</FONT> <BR><FONT SIZE=3D2>> impact</FONT> <BR><FONT SIZE=3D2>> > >on pkix compliant clients who = encounter CRL signed in this way, and</FONT> <BR><FONT SIZE=3D2>> how</FONT> <BR><FONT SIZE=3D2>> > >we expect them to behave. What seem = unacceptable with the current</FONT> <BR><FONT SIZE=3D2>> > >proposal is that the signage check on = the CRL will fail, and the</FONT> <BR><FONT SIZE=3D2>> client</FONT> <BR><FONT SIZE=3D2>> > >will have little clue as to why and if = this failure is expected. The</FONT> <BR><FONT SIZE=3D2>> > >information in the chain, while = present, is in the CAs certificate,</FONT> <BR><FONT SIZE=3D2>> is</FONT> <BR><FONT SIZE=3D2>> > >difficult to find and subtle so would = be easily missed by someone</FONT> <BR><FONT SIZE=3D2>> > >debugging this problem. I would like = to see some clearer indication</FONT> <BR><FONT SIZE=3D2>> in a</FONT> <BR><FONT SIZE=3D2>> > >critical extension in the CRL itself = that would indicate what was</FONT> <BR><FONT SIZE=3D2>> going</FONT> <BR><FONT SIZE=3D2>> > >on. In expressing these semantics in a = critical extension, we</FONT> <BR><FONT SIZE=3D2>> maintain</FONT> <BR><FONT SIZE=3D2>> > >the principal that if you don't = understand the extension, the client</FONT> <BR><FONT SIZE=3D2>> > >knows to fail due to its own = inadequacies and that failure is by</FONT> <BR><FONT SIZE=3D2>> design,</FONT> <BR><FONT SIZE=3D2>> > >therefore allowing the client's to = return an error unsupported option</FONT> <BR><FONT SIZE=3D2>> > >rather than invalid signature.</FONT> <BR><FONT SIZE=3D2>> > >Trevor</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> --</FONT> <BR><FONT SIZE=3D2>> = ____________________________________________________________</FONT> <BR><FONT SIZE=3D2>> Stephen Farrell</FONT> <BR><FONT SIZE=3D2>> Baltimore Technologies, tel: = (direct line) +353 1 881 6716</FONT> <BR><FONT SIZE=3D2>> 39 Parkgate = Street,  = ; fax: +353 1 881 = 7000</FONT> <BR><FONT SIZE=3D2>> Dublin = 8. &nbs= p; <A = HREF=3D"mailto:stephen.farrell@baltimore.ie">mailto:stephen.farrell@balt= imore.ie</A></FONT> <BR><FONT SIZE=3D2>> = Ireland  = ;  = ; <A HREF=3D"http://www.baltimore.com" = TARGET=3D"_blank">http://www.baltimore.com</A></FONT> </P> <P><FONT SIZE=3D2>-- </FONT> <BR><FONT = SIZE=3D2>____________________________________________________________</F= ONT> <BR><FONT SIZE=3D2>Stephen = Farrell = = = = </FONT> <BR><FONT SIZE=3D2>Baltimore Technologies, tel: (direct = line) +353 1 881 6716</FONT> <BR><FONT SIZE=3D2>39 Parkgate = Street,  = ; fax: +353 1 881 = 7000</FONT> <BR><FONT SIZE=3D2>Dublin = 8. &nbs= p; <A = HREF=3D"mailto:stephen.farrell@baltimore.ie">mailto:stephen.farrell@balt= imore.ie</A></FONT> <BR><FONT = SIZE=3D2>Ireland &n= bsp; &n= bsp; <A = HREF=3D"http://www.baltimore.com" = TARGET=3D"_blank">http://www.baltimore.com</A></FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CC1B.2C837590-- Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA09788 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 10:33:04 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 2LAW5448; Mon, 23 Apr 2001 10:28:13 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Sharon Boeyen" <sharon.boeyen@entrust.com>, "Santosh Chokhani" <chokhani@cygnacom.com>, "Russ Housley" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) Date: Mon, 23 Apr 2001 10:28:05 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGKEPGCDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01C0CBE0.156A3A50" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FBF@sottmxs09.entrust.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 This is a multi-part message in MIME format. ------=_NextPart_000_0000_01C0CBE0.156A3A50 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)Russ and Sharon, X.509 Ed. 4 draft v6 says in section 9 "A dCRL may also be an indirect CRL in that it may contain updated revocation information related to base CRLs issued by one or more than one authorities." In this case in order to comply with the current PKIX profile requirement below, the CA that issued the dCRL would also have to issue a full indirect CRL for all the authorities whose CRLs were updated by the dCRL. That much I understand, I think. Current PKIX profile requirement: "When a conforming CA issues a delta CRL, the CA MUST also issue a CRL that is complete for the given scope." But I'm puzzled by another point. It looks to me like X.509 permits a dCRL to contain a crlScope extension that limits the scope of the certificates for which the dCRL is authoritative (using onlyContains or onlySomeReasons, for instance). In fact, it seems that different CA's could issue indirect dCRLs for various scopes (e.g. user certificate, attribute certificate, keyCompromise, certificateHold, etc.), but reference a base CRL that covers a larger scope. In that case, I suppose each of the dCRL issuers must also issue a "full CRL". But what constitutes a full "CRL that is complete for the given scope."? Is it the given scope of the dCRL, or the given scope of the base CRL? That is, does each "full CRL" cover only the scope of the dCRL, even if the dCRL's base CRL covers additional scope (e.g. additional reason codes, or additional certificate types)? Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Monday, April 23, 2001 9:40 AM To: Santosh Chokhani; Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) I agree with Santosh. Forcing the issuance of a full CRL each time a delta is issued removes the primary value of issuing the delta in the first place. -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Monday, April 23, 2001 11:45 AM To: Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) I have been quite on this. I am firmly in favor of NOT having the requirement (i.e., delete the requirement): "CA post a full CRL whenever a delta CRL is issued". -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Monday, April 23, 2001 10:27 AM To: ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) All: Trevor, Ambarish, Denis, David, and others have proposed the removal of the requirement that CAs post a full CRL whenever a delta-CRL is posted. Trevor's suggestion that the consequences of a CA posting a delta-CRL without posting a full CRL could be discussed in a single paragraph in the Security Considerations section. Paul and Mike have suggested that the current text is fine. A few people have contributed to the thread but not made their own position clear. Perhaps they are only academically interested. Or, perhaps the dialogue is helping them reach their own conclusion. I do not know. Regardless, most people have been silent on this issue. I would like one of the proponents for removing the requirement to suggest alternative text, and I would like to hear from more people about the proposed revision. We are in Working Group Last Call. I would like to reach consensus on this issue, make the necessary change (if any), and get the document to the IESG. Many other working groups are waiting for our document. Russ ------=_NextPart_000_0000_01C0CBE0.156A3A50 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>RE: delta-CRLs (was Re: Last = Call:draft-ietf-pkix-new-part1-06.txt comments)</TITLE> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>Russ=20 and Sharon,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>X.509=20 Ed. 4 draft v6 says in section 9 "A dCRL may also be an indirect = CRL=20 </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>in=20 that it may contain updated revocation information related to base CRLs=20 </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>issued=20 by one or more than one authorities."</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>In=20 this case in order to comply with the current PKIX profile requirement=20 below,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>the CA=20 that issued the dCRL would also have to issue a full indirect CRL=20 for</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>all=20 the authorities whose CRLs were updated by the dCRL. That much I=20 </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001>understand, I = think. </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </DIV> <DIV><SPAN class=3D730544716-23042001> <P><FONT size=3D2><FONT face=3DArial><FONT color=3D#0000ff><SPAN=20 class=3D730544716-23042001> &nbs= p; =20 Current PKIX profile requirement: </SPAN>"When a conforming CA=20 issues </FONT></FONT><BR><FONT color=3D#0000ff><FONT = face=3DArial><SPAN=20 class=3D730544716-23042001> &nbs= p; =20 </SPAN>a delta CRL, </FONT><FONT face=3DArial></FONT><FONT=20 color=3D#0000ff></FONT><FONT size=3D2>the CA MUST also issue a CRL that = is complete=20 for <BR><SPAN=20 class=3D730544716-23042001> &nbs= p; =20 </SPAN>the given scope."</FONT></FONT></FONT></P></SPAN></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>But=20 I'm puzzled by another point. It looks to me like X.509 = permits a=20 dCRL</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>to=20 contain a crlScope extension that limits the scope of the certificates=20 for</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>which=20 the dCRL is authoritative (using onlyContains or=20 onlySomeReasons,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>for=20 instance). In fact, it seems that different CA's could issue = indirect=20 dCRLs</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>for=20 various scopes (e.g. user certificate, attribute certificate,=20 keyCompromise,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001>certificateHold, etc.), but reference a base = CRL that=20 covers a larger scope. </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>In=20 that case, I suppose each of the dCRL issuers must</SPAN></FONT><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN class=3D730544716-23042001> = also=20 issue</SPAN></FONT><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001> a "full CRL". </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>But=20 what constitutes a full "CRL that is complete for<SPAN=20 class=3D730544716-23042001> </SPAN>the given scope."? Is=20 it</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>the=20 given scope of the dCRL, or the given scope of the base CRL? That = is,=20 does</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>each=20 "full CRL" cover only the scope of the dCRL, even if the dCRL's = base=20 CRL</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001>covers=20 additional scope (e.g. additional reason codes, or additional=20 certificate</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001>types)?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D730544716-23042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D730544716-23042001> <P><FONT=20 size=3D2>Regards,<BR><BR>Carlin<BR><BR>____________________________<BR><B= R>- =20 Carlin Covey<BR> Cylink Corporation = </FONT></P></SPAN></FONT></DIV> <DIV><SPAN class=3D730544716-23042001> <P><FONT size=3D2><FONT color=3D#0000ff><FONT face=3DArial><SPAN=20 class=3D730544716-23042001></SPAN></FONT></FONT></FONT> </P></SPAN><= /DIV> <BLOCKQUOTE dir=3Dltr style=3D"MARGIN-RIGHT: 0px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen=20 [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Monday, April 23, = 2001 9:40=20 AM<BR><B>To:</B> Santosh Chokhani; Russ Housley;=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta-CRLs (was Re: Last=20 Call:draft-ietf-pkix-new-part1-06.tx t comments)<BR><BR></DIV></FONT> <DIV><SPAN class=3D229484416-23042001><FONT color=3D#0000ff = face=3DArial size=3D2>I=20 agree with Santosh. Forcing the issuance of a full CRL each time a = delta is=20 issued removes the primary value of issuing the delta in the first=20 place.</FONT></SPAN></DIV> <BLOCKQUOTE dir=3Dltr=20 style=3D"BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; = MARGIN-RIGHT: 0px; PADDING-LEFT: 5px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Santosh Chokhani = [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Monday, April 23, = 2001 11:45=20 AM<BR><B>To:</B> Russ Housley; ietf-pkix@imc.org<BR><B>Subject:</B> = RE:=20 delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t=20 comments)<BR><BR></FONT></DIV> <P><FONT size=3D2>I have been quite on this. I am firmly in = favor of NOT=20 having the requirement (i.e., delete the requirement): "CA post a = full CRL=20 whenever a delta CRL is issued".</FONT></P> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From:=20 Russ Housley [<A=20 = href=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com<= /A>]</FONT>=20 <BR><FONT size=3D2>Sent: Monday, April 23, 2001 10:27 AM</FONT> = <BR><FONT=20 size=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>Subject: = RE: delta-CRLs=20 (was Re: Last</FONT> <BR><FONT = size=3D2>Call:draft-ietf-pkix-new-part1-06.txt=20 comments)</FONT> </P><BR> <P><FONT size=3D2>All:</FONT> </P> <P><FONT size=3D2>Trevor, Ambarish, Denis, David, and others have = proposed the=20 removal of the </FONT><BR><FONT size=3D2>requirement that CAs post a = full CRL=20 whenever a delta-CRL is </FONT><BR><FONT size=3D2>posted. = Trevor's=20 suggestion that the consequences of a CA posting a </FONT><BR><FONT=20 size=3D2>delta-CRL without posting a full CRL could be discussed in = a single=20 </FONT><BR><FONT size=3D2>paragraph in the Security Considerations=20 section.</FONT> </P> <P><FONT size=3D2>Paul and Mike have suggested that the current text = is=20 fine.</FONT> </P> <P><FONT size=3D2>A few people have contributed to the thread but = not made=20 their own position </FONT><BR><FONT size=3D2>clear. Perhaps = they are=20 only academically interested. Or, perhaps the </FONT><BR><FONT = size=3D2>dialogue is helping them reach their own conclusion. = I do not=20 </FONT><BR><FONT size=3D2>know. Regardless, most people have = been silent=20 on this issue.</FONT> </P> <P><FONT size=3D2>I would like one of the proponents for = removing the=20 requirement to suggest </FONT><BR><FONT size=3D2>alternative text, = and I would=20 like to hear from more people about the </FONT><BR><FONT = size=3D2>proposed=20 revision.</FONT> </P> <P><FONT size=3D2>We are in Working Group Last Call. I would = like to=20 reach consensus on this </FONT><BR><FONT size=3D2>issue, make the = necessary=20 change (if any), and get the document to the </FONT><BR><FONT=20 size=3D2>IESG. Many other working groups are waiting for our=20 document.</FONT> </P> <P><FONT size=3D2>Russ = </FONT></P></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0000_01C0CBE0.156A3A50-- Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA09751 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 10:32:59 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 2LAW5446; Mon, 23 Apr 2001 10:28:09 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Russ Housley" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Mon, 23 Apr 2001 10:28:02 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGIEPGCDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <5.0.1.4.2.20010423101920.01ad2470@exna07.securitydynamics.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Russ, Two obvious candidates for alternative text are (1) substituting MAY for MUST and (2) substituting SHOULD for MUST in the sentence: "A dCRL may also be an indirect CRL in that it may contain updated revocation information related to base CRLs issued by one or more than one authorities." I think that these alternative wordings have been either stated or implied by various persons in the course of this discussion. Were you asking for some alternative text to go into the security considerations section? Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Monday, April 23, 2001 7:27 AM To: ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) All: Trevor, Ambarish, Denis, David, and others have proposed the removal of the requirement that CAs post a full CRL whenever a delta-CRL is posted. Trevor's suggestion that the consequences of a CA posting a delta-CRL without posting a full CRL could be discussed in a single paragraph in the Security Considerations section. Paul and Mike have suggested that the current text is fine. A few people have contributed to the thread but not made their own position clear. Perhaps they are only academically interested. Or, perhaps the dialogue is helping them reach their own conclusion. I do not know. Regardless, most people have been silent on this issue. I would like one of the proponents for removing the requirement to suggest alternative text, and I would like to hear from more people about the proposed revision. We are in Working Group Last Call. I would like to reach consensus on this issue, make the necessary change (if any), and get the document to the IESG. Many other working groups are waiting for our document. Russ Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA09304 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 10:29:46 -0700 (PDT) Received: from 157.54.7.67 by mail2.microsoft.com (InterScan E-Mail VirusWall NT); Thu, 19 Apr 2001 16:08:40 -0700 (Pacific Daylight Time) Received: from red-imc-02.redmond.corp.microsoft.com ([157.54.9.107]) by inet-imc-04.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Thu, 19 Apr 2001 16:08:39 -0700 Received: from win-imc-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.39]) by red-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Thu, 19 Apr 2001 16:08:33 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-01.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Thu, 19 Apr 2001 16:08:14 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Help Sought on Netscape Revocation URL causing MS Programs to hang Date: Thu, 19 Apr 2001 16:08:14 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD631A92@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Help Sought on Netscape Revocation URL causing MS Programs to hang Thread-Index: AcDJGN3ODRDWl9AjS+SNpRkqttZ4WgADIGhw From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Ron Segal" <ron.segal@baycorpid.com>, "David Cross" <dcross@microsoft.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 19 Apr 2001 23:08:14.0536 (UTC) FILETIME=[9CA44C80:01C0C925] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id KAA09305 Hi Ron Sorry for the confusion, it is fixed in Windows XP. Revocation handling is done as part of CryptoAPI which is an OS component. Trevor -----Original Message----- From: Ron Segal [mailto:ron.segal@baycorpid.com] Sent: Thursday, April 19, 2001 2:32 PM To: David Cross Cc: ietf-pkix@imc.org Subject: RE: Help Sought on Netscape Revocation URL causing MS Programs to hang Hi David Thanks for your offer to checkout the certificate chain. Actually a clear explanation has now been offered by free Microsoft support(unexpectedly rapid and knowedgable service I might add, particularly as it was a free web query). It seems that if the revocation check itself is to a secure server (https) and the server certificate itself has a Nescape revocation extension a recursive revocation process can occur. Microsoft are providing a partial fix for this in their new version of Office (XP) by detecting the recursion and halting the process. If this happens the revocation check will fail to provide revocation status. The optimum solution is to remove the Netscape revocation extension from the server certificate. I'm copying this to the list so that others will see that the problem has been 'solved', and the solution (please note server cert providers!). Hope that I did not miss any messages and personally thanked everybody who responded, at least that was the intention. Very best regards Ron -------------- Ron Segal Business Development Manager Baycorp ID Services Ltd PO Box 5052, Wellington, New Zealand Mailto: ron.segal@baycorpid.com Tel: +64 (9) 356 5801 DD: +64 (4) 499 4261 Mob: +64 (21) 678 009 Fax: +64 (9) 356 5818 Web: http://www.baycorpid.com If you received a warning on reading this email, please go to <http://www.baycorpid.com/settings/email.asp> to update your settings -----Original Message----- From: David Cross [mailto:dcross@microsoft.com] Sent: Friday, 20 April 2001 1:39 a.m. To: Ron Segal; ietf-pkix@imc.org Subject: RE: Help Sought on Netscape Revocation URL causing MS Programs to hang I will pass on the job offer, but have you verified that the URLs are valid that are listed in the certificate? If the URLs are no longer valid or cannot be reached, that might explain the behaviour. If you want to send me the certificate chain (privately), we can take a look at it. David B. Cross -----Original Message----- From: Ron Segal [mailto:ron.segal@baycorpid.com] Sent: Wednesday, April 18, 2001 6:59 PM To: ietf-pkix@imc.org Subject: Help Sought on Netscape Revocation URL causing MS Programs to hang Hi Folks If an X.509 v3 certificate contains a proprietary NetscapeRevocationURL extension and a Microsoft program (eg email or browser) is configured to do automatic CRL Distribution Point Checking, then the Microsoft program will hang and timeout after about 5 minutes. Does anybody know of a fix for this problem, e.g. a registry configuration (no cynicism please!)? We are aware that if a cert has both the NetscapeRevocationURL and CRL Distribution Point extensions, then no problem. Your help would be greatly appreciated (and maybe you can get a job at Baycorp!). Very best regards Ron -------------- Ron Segal Business Development Manager Baycorp ID Services Ltd PO Box 5052, Wellington, New Zealand Mailto: ron.segal@baycorpid.com Tel: +64 (4) 499 4231 DD: +64 (4) 499 4261 Mob: +64 (21) 678 009 Fax: +64 (4) 499 4233 Web: http://www.baycorpid.com Received: from mail4.microsoft.com (mail4.microsoft.com [131.107.3.122]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA07689 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 10:13:49 -0700 (PDT) Received: from 157.54.1.52 by mail4.microsoft.com (InterScan E-Mail VirusWall NT); Thu, 19 Apr 2001 12:05:03 -0700 (Pacific Daylight Time) Received: from red-imc-01.redmond.corp.microsoft.com ([157.54.9.102]) by inet-imc-06.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Thu, 19 Apr 2001 12:04:41 -0700 Received: from win-imc-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.39]) by red-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Thu, 19 Apr 2001 12:04:40 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-01.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Thu, 19 Apr 2001 12:04:21 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta-CRLs (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Date: Thu, 19 Apr 2001 12:04:21 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD6894E6@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta-CRLs (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Thread-Index: AcDI8KODVvZPt6HORo+9Zb6/i68QYQAEKVLw From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "David A. Cooper" <david.cooper@nist.gov>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 19 Apr 2001 19:04:21.0620 (UTC) FILETIME=[8ABE8340:01C0C903] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id KAA07697 David, You are absolutely right that this is a mater of policy on the part of the CA operator, so why mandate this in the RFC. There is no equivalent policy that states republish a CRL if you publish new information via OCSP. OCSP client may well get more up-to-date information but I don't see a mass of protests from the CRL aware clients. We have also found that publishing a base and delta simultaneously with the same CRL number causes problems where you have replicated distribution points. With replicated distribution mechanisms, there is no guarantee that both objects replicate together, which means you end up in a race condition as to which CRL replicates to a given location. If the base makes it to a given location first, all is well, but it the delta wins, you get an error since the delta now points to a base which the client cannot obtain from the same location. Unfortunately, with bandwidth restricted networks, administers frequently allow small updates through more frequently, preferring large update to be batched to an off-peak hour typically resulting in a no-contest as to which CRL replicates first. Trevor -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Thursday, April 19, 2001 9:48 AM To: ietf-pkix@imc.org Subject: delta-CRLs (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Denis, There seems to be some confusion about the way that delta-CRLs work. I will try to clarify things with my responses in-line below. At 05:32 PM 4/19/01 +0200, Denis Pinkas wrote: >In the third paragraph the first sentence (still) says: > > When a conforming CA issues a delta CRL, the CA MUST also issue a CRL I must admit that I am not a big fan of this requirement. From my point of view, there are both advantages and disadvantages to issuing a full CRL whenever a delta-CRL is issued. The advantage is that clients that can not process delta-CRLs can always obtain the same status information as those than can process delta-CRLs. The disadvantage is that it imposes a burden of uploading full CRLs to repositories more often than may be necessary. On the other hand, just because the CA issues the full CRLs, this does not mean that clients must retrieve them. In the end, though, it is mostly a policy decision. If you want to provide the same support to clients that can not process delta-CRLs as to those that can, you must issue a full CRL whenever you issue a delta-CRL. I think the decision should be left to CRL issuers, but will not complain if PKIX remains as it is. >3) The text says: > > An application can construct a CRL that is complete for a given > scope, at the current time, in either of the following ways: > > (a) by retrieving the current delta CRL for that scope, and > combining it with an issued CRL that is complete for that scope > and that has a cRLNumber greater than or equal to the cRLNumber of > the base CRL referenced in the delta CRL; or > > (b) by retrieving the current delta CRL for that scope and > combining it with a locally constructed CRL whose cRLNumber is > greater than or equal to the cRLNumber of the base CRL referenced > in the current delta CRL. > > a) It is hard to understand in which case the base CRL may have a > cRLNumber *greater than* the cRLNumber of the base CRL referenced > in the delta CRL. I certainly miss something here. The equality case > is easy to understand. The "greater than" case is much harder. > Is it really needed ? > > b) the case of a locally constructed CRL is quite stange and it is > questionnable why this case is being mentioned. In the following fix, > that case has been deleted. If you want a detailed description on this, you could read my paper on delta-CRLs, http://csrc.nist.gov/pki/documents/sliding_window.pdf, but I'll try to briefly explain here. Suppose that delta-CRLs are issued once an hour. For example, suppose that a base CRL, CRL number 5, was issued at midnight and that every hour for the next 24 hours, delta-CRLs were issued with a BaseCRLNumber of 5. If a relying party performs its first validation at 3:10am, it would the full CRL issued at midnight and the delta-CRL issued at 3:00am (CRL number 8). It would combine these to construct full CRL number 8. In this case, the CRL number of the full CRL used in combination with the delta-CRL would be the same as the BaseCRLNumber in that delta-CRL. A few hours later, at 6:30am, the relying party performs another validation. The relying party has, in its local cache, the contents of CRL number 8 (which it constructed at 3:10am). It wants to update the information in its local case to based on the newly available revocation information. So, it obtains the latest delta-CRL. This delta-CRL has a CRL number of 11 and a BaseCRLnumber of 5. Since it has a BaseCRLNumber of 5, the delta-CRL provides status information for all certificates whose status has changed since CRL number 5 was issued. (midnight). So, clearly the delta-CRL provides status information for all certificates whose status has changed since 3:00am when CRL number 8 was issued. Thus, the relying party can combine the delta-CRL with its locally cached version of full CRL number 8 to obtain the contents of CRL number 11. This is a case where the CRL number of the complete CRL used is greater than the BaseCRLNumber specified in the delta-CRL. There are other reasons why the two numbers may not match, but I will not go into them. If you are interested, you can read my paper. >Finally we should explain what happens at the boundaries, i.e. when a CA >decides to generate a (new) base CRL. Here is a text proposal: > > When issuing a base CRL that supports a delta-CRL mechanism then the > CRL Issuer MUST at the same time issue a delta CRL that points to that > base CRL. This first delta CRL will usually be empty (or will include > last-minute additions to the base CRL). This is not acceptable. The rule is that when a base CRL is issued a delta-CRL must be issued that has the same cRLNumber. The base CRL referenced by the delta must either be the previously issued base CRL or a base CRL issued before that one. Since the new base and the delta must have the same cRLNumber, there can be no differences as a result of "last-minute additions to the base CRL". >Suppose we issue a base CRL every midnight. The question is whether we >should issue a delta and, if yes, does this delta refer to the previous >base or to the new one ? The delta must refer either to the previous base or a base issued before the previous base. >Suppose it refers to the previous one. According to the current sentence: >"The constructed CRL has the CRL number specified in the CRL number >extension found in the delta CRL used in its construction.", it is >impossible. If that was the case the delta CRL would have a CRL number equal >to the base CRL and it is not allowed for two CRLs to have the same CRL >number. I think you are confusing two different extensions. The deltaCRLIndicator extension contains a BaseCRLNumber which is used to determine against which base CRLs the delta-CRL can be applied. The cRLNumber extension specifies the CRL number of the full CRL that will be generated by applying the delta-CRL to a base CRL. The sentence above states that the CRL number of the constructed CRL is taken from the cRLNumber extension, not the BaseCRLNumber of the deltaCRLIndicator extension. Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA06292 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 09:52:50 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id MAA14111 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 12:52:22 -0400 (EDT) Message-Id: <200104231652.MAA14107@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Mon, 23 Apr 2001 12:50:32 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) References: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C44@exchange.valicert.com> <p0510080eb70895081561@[192.168.1.13]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Paul, I'll refer you to Russ' message of Jan 18 "Re: Two questions on delta-CRL": "I think we may be splitting hairs on the term "issue". I am not sure that I would consider a CRL that was generated but not distributed to be "issued". The problem is not that it is too burdensome for a CA to have a cron job that sweeps the database and signs a full CRL every time it signs a delta. The problem is that once the full CRL is signed, it is transmitted across the network to directory/database/repository replicas and to clients. If you are a PKI provider (as I am), and you have to provision 3.5 million subscribers, the cost of that provisioning with full CRLs is prohibitive, whereas the cost of provisioning with deltas is not. If Russ (i.e. the PKIX WG) would make a clear statement that "issue" means "sign and place in one repository", vice "sign and distribute to all RPs", then I would have no problem with the current MUST requirement. But if a CRL is not deemed to be "issued" unless it is available to all, then I strongly agree with Trevor, David Cross, and Ambarish that the requirement to "issue" a full CRL for every delta must be relaxed. Dave K Paul Hoffman / IMC wrote: > > At 6:03 PM -0700 4/21/01, Ambarish Malpani wrote: > >Russ, the problem with this is that CAs might be unwilling to issue > >delta-CRLs because issuing a full CRL every time is too > >burdensome. > > Could you describe how it is "too burdensome"? Maybe I'm being naive, > not being a CA, but asking a CA to sign a second document (the full > CRL) at the time that it signs the first document (the delta-CRL) > really doesn't seem that onerous. > > I think the current requirement is fine. > > --Paul Hoffman, Director > --Internet Mail Consortium Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA05856 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 09:49:28 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3NGnNd04835; Mon, 23 Apr 2001 09:49:24 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "Russ Housley" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Mon, 23 Apr 2001 09:47:57 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDCEECCAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE1C7@scygmxs01.cygnacom.com> Importance: Normal Santosh, I disagree. I remain concerned about divergence from the standard database maintenance practice of producing a "full" and a set of "deltas". Towards support of non-repudiation, I would expect that most who wish to make a case on the basis of CRLs would prefer to make their case on the basis of a full CRL. At issue I believe is the notion that one MUST produce a full CRL every time a delta is produced. I suggest that this lock-step production process does indeed needlessly impact enterprise infrastructures as Trevor observed. Russ, I propose as a middle ground text establishing that: 1. full CRLs are a SHALL in all cases, thus contributing to interoperability; 2. that the periods of production of a full CRL and its corresponding deltas MAY be identical, thus yeilding the intent of the current text; but 4. when practiced, the production of deltas SHALL at a minimum be less than that of the period of production of the corresponding full CRL, thus enabling systems-level tuning to achieve a locally acceptable balance between timeliness, effective non-repudiation support, generally accepted database maintainence principles and infrastructure overhead. And of course, deltas are a MAY. I'll write this up as a drop-in to the current text depending on how consensus flows on the proposal. Mike -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Monday, April 23, 2001 8:45 AM To: Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) I have been quite on this. I am firmly in favor of NOT having the requirement (i.e., delete the requirement): "CA post a full CRL whenever a delta CRL is issued". -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Monday, April 23, 2001 10:27 AM To: ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) All: Trevor, Ambarish, Denis, David, and others have proposed the removal of the requirement that CAs post a full CRL whenever a delta-CRL is posted. Trevor's suggestion that the consequences of a CA posting a delta-CRL without posting a full CRL could be discussed in a single paragraph in the Security Considerations section. Paul and Mike have suggested that the current text is fine. A few people have contributed to the thread but not made their own position clear. Perhaps they are only academically interested. Or, perhaps the dialogue is helping them reach their own conclusion. I do not know. Regardless, most people have been silent on this issue. I would like one of the proponents for removing the requirement to suggest alternative text, and I would like to hear from more people about the proposed revision. We are in Working Group Last Call. I would like to reach consensus on this issue, make the necessary change (if any), and get the document to the IESG. Many other working groups are waiting for our document. Russ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA05436 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 09:45:58 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JPVNW4D7>; Mon, 23 Apr 2001 12:45:29 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FBF@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: Santosh Chokhani <chokhani@cygnacom.com>, Russ Housley <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) Date: Mon, 23 Apr 2001 12:39:52 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CC14.04EFF1E0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CC14.04EFF1E0 Content-Type: text/plain; charset="iso-8859-1" I agree with Santosh. Forcing the issuance of a full CRL each time a delta is issued removes the primary value of issuing the delta in the first place. -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Monday, April 23, 2001 11:45 AM To: Russ Housley; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) I have been quite on this. I am firmly in favor of NOT having the requirement (i.e., delete the requirement): "CA post a full CRL whenever a delta CRL is issued". -----Original Message----- From: Russ Housley [ mailto:rhousley@rsasecurity.com <mailto:rhousley@rsasecurity.com> ] Sent: Monday, April 23, 2001 10:27 AM To: ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) All: Trevor, Ambarish, Denis, David, and others have proposed the removal of the requirement that CAs post a full CRL whenever a delta-CRL is posted. Trevor's suggestion that the consequences of a CA posting a delta-CRL without posting a full CRL could be discussed in a single paragraph in the Security Considerations section. Paul and Mike have suggested that the current text is fine. A few people have contributed to the thread but not made their own position clear. Perhaps they are only academically interested. Or, perhaps the dialogue is helping them reach their own conclusion. I do not know. Regardless, most people have been silent on this issue. I would like one of the proponents for removing the requirement to suggest alternative text, and I would like to hear from more people about the proposed revision. We are in Working Group Last Call. I would like to reach consensus on this issue, make the necessary change (if any), and get the document to the IESG. Many other working groups are waiting for our document. Russ ------_=_NextPart_001_01C0CC14.04EFF1E0 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)</TITLE> <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD> <BODY> <DIV><SPAN class=229484416-23042001><FONT face=Arial color=#0000ff size=2>I agree with Santosh. Forcing the issuance of a full CRL each time a delta is issued removes the primary value of issuing the delta in the first place.</FONT></SPAN></DIV> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Monday, April 23, 2001 11:45 AM<BR><B>To:</B> Russ Housley; ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments)<BR><BR></FONT></DIV> <P><FONT size=2>I have been quite on this. I am firmly in favor of NOT having the requirement (i.e., delete the requirement): "CA post a full CRL whenever a delta CRL is issued".</FONT></P> <P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: Russ Housley [<A href="mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</A>]</FONT> <BR><FONT size=2>Sent: Monday, April 23, 2001 10:27 AM</FONT> <BR><FONT size=2>To: ietf-pkix@imc.org</FONT> <BR><FONT size=2>Subject: RE: delta-CRLs (was Re: Last</FONT> <BR><FONT size=2>Call:draft-ietf-pkix-new-part1-06.txt comments)</FONT> </P><BR> <P><FONT size=2>All:</FONT> </P> <P><FONT size=2>Trevor, Ambarish, Denis, David, and others have proposed the removal of the </FONT><BR><FONT size=2>requirement that CAs post a full CRL whenever a delta-CRL is </FONT><BR><FONT size=2>posted. Trevor's suggestion that the consequences of a CA posting a </FONT><BR><FONT size=2>delta-CRL without posting a full CRL could be discussed in a single </FONT><BR><FONT size=2>paragraph in the Security Considerations section.</FONT> </P> <P><FONT size=2>Paul and Mike have suggested that the current text is fine.</FONT> </P> <P><FONT size=2>A few people have contributed to the thread but not made their own position </FONT><BR><FONT size=2>clear. Perhaps they are only academically interested. Or, perhaps the </FONT><BR><FONT size=2>dialogue is helping them reach their own conclusion. I do not </FONT><BR><FONT size=2>know. Regardless, most people have been silent on this issue.</FONT> </P> <P><FONT size=2>I would like one of the proponents for removing the requirement to suggest </FONT><BR><FONT size=2>alternative text, and I would like to hear from more people about the </FONT><BR><FONT size=2>proposed revision.</FONT> </P> <P><FONT size=2>We are in Working Group Last Call. I would like to reach consensus on this </FONT><BR><FONT size=2>issue, make the necessary change (if any), and get the document to the </FONT><BR><FONT size=2>IESG. Many other working groups are waiting for our document.</FONT> </P> <P><FONT size=2>Russ </FONT></P></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0CC14.04EFF1E0-- Received: from mail5.microsoft.com (mail5.microsoft.com [131.107.3.121]) by above.proper.com (8.9.3/8.9.3) with SMTP id JAA05122 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 09:42:57 -0700 (PDT) Received: from 157.54.9.104 by mail5.microsoft.com (InterScan E-Mail VirusWall NT); Fri, 20 Apr 2001 09:48:03 -0700 (Pacific Daylight Time) Received: from red-imc-01.redmond.corp.microsoft.com ([157.54.9.102]) by inet-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Fri, 20 Apr 2001 09:47:52 -0700 Received: from win-imc-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.39]) by red-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Fri, 20 Apr 2001 09:47:49 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-01.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Fri, 20 Apr 2001 09:47:29 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Dedicated CRL signing keys Date: Fri, 20 Apr 2001 09:47:29 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD6894ED@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Dedicated CRL signing keys Thread-Index: AcDJk6thX8qCXM1HQVisS3uy1oP/SgAJQhfg From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Nada Kapidzic Cicovic" <nada@entegrity.com>, "Bengt Ohlsson" <bengt.ohlsson@smarttrust.com>, "Russ Housley" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 20 Apr 2001 16:47:29.0989 (UTC) FILETIME=[96A4CF50:01C0C9B9] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id JAA05123 Mandating SKI and AKI changes nothing as these are just hints as to which key signed. The client are already failing since they cannot find the right public key that signed the CRL. As you not, it is possible to have CA with multiple keys, so having a different AKI in the CRL may simply indicate a problem with distribution. -----Original Message----- From: Nada Kapidzic Cicovic [mailto:nada@entegrity.com] Sent: Friday, April 20, 2001 5:13 AM To: Trevor Freeman; Bengt Ohlsson; Russ Housley Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Would it not be easier to mandate the support for Authority and Subject key identifiers, than to require the CA to use different DNs when different keys are used for issuing certificates and CRLs. As Tim noted, this problem may occur even for regular CAs (which use the same key for issuing certificates and CRLs) after a key pair rollover. At 09:29 AM 4/19/01 -0700, Trevor Freeman wrote: >Bengt, >Theorizing what could be possible, do not change that support for these >semantics is not mandatory under this profile, which means we are trying >to establish how that client fails gracefully with some kind of >meaningful error I agree with Bengt that key identifier extensions provide enough information for the client to go looking for the right cert path to perform the verification of the signature on the CRL. If the client is not able to locate the proper path it can fail with a meaningful error. Nada >Trevor >-----Original Message----- >From: Bengt Ohlsson [mailto:bengt.ohlsson@smarttrust.com] >Sent: Thursday, April 19, 2001 8:10 AM >To: Trevor Freeman; Russ Housley >Cc: ietf-pkix@imc.org >Subject: RE: Dedicated CRL signing keys > >Trevor and Russ, > >I don't see why the clients should fail to verify the signature >on the CRL. Assume a CA uses separate keys, same DN, >for certificate signing and CRL signing and sets the >AuthorityKeyIdentifier extension in both the certificates >and the CRLs. Then PKIX compliant clients should be able >to build the correct certificate chains for verifying both the >certificates and the CRLs. > >The legislation may require the CA keys to be stored in >hardware without any copies. If you lose a key due to HW >failure you will probaly want to continue to issue the CRLs >with a new key and the same DN. > >This requires the clients to handle the AKI extension to be >able to verify the signature on the new CRLs. This is a >small requirement compared to handle indirect CRLs if >you must change the DN. > >Bengt > >-----Original Message----- >From: Trevor Freeman [mailto:trevorf@windows.microsoft.com] >Sent: den 19 april 2001 01:40 >To: Russ Housley >Cc: ietf-pkix@imc.org >Subject: RE: Dedicated CRL signing keys > > >Hi Russ, >That addresses my concerns. A pkix compliant client can now be >reasonability expected to fail with a more informative error, and the >problem should be in people's faces since the CRL contains a critical >extension. >Trevor > >-----Original Message----- >From: Russ Housley [mailto:rhousley@rsasecurity.com] >Sent: Wednesday, April 18, 2001 2:08 PM >To: Trevor Freeman >Cc: ietf-pkix@imc.org >Subject: Re: Dedicated CRL signing keys > >Trevor: > >I propose the following solution that builds on the Indirect CRL >capabilities that are already available. When a CA wants to employ >separate private keys to sign certificates and CRLs, then that CA MUST >delegate CRL signing to a separate authority. That separate authority >MUST >have a different Distinguished Name that the CA, but it could be >operated >by the same organization. In this way, the IDP CRL extension would flag > >the "unusual" circumstances. Clients that do not support Indirect CRLs >can >fail gracefully (unsupported optional feature), and clients that support > >Indirect CRLs can happily handle the certificates and CRLs. > >Thoughts? > >Russ > >At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: > >There has been some discussion regarding the proposal to have CRLs > >signed with CA keys which do not also sign certificates. Since this >will > >not be a mandatory to implement feature, I am concerned about the >impact > >on pkix compliant clients who encounter CRL signed in this way, and how > >we expect them to behave. What seem unacceptable with the current > >proposal is that the signage check on the CRL will fail, and the client > >will have little clue as to why and if this failure is expected. The > >information in the chain, while present, is in the CAs certificate, is > >difficult to find and subtle so would be easily missed by someone > >debugging this problem. I would like to see some clearer indication in >a > >critical extension in the CRL itself that would indicate what was going > >on. In expressing these semantics in a critical extension, we maintain > >the principal that if you don't understand the extension, the client > >knows to fail due to its own inadequacies and that failure is by >design, > >therefore allowing the client's to return an error unsupported option > >rather than invalid signature. > >Trevor Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA02043 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 08:54:53 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JPVNWTL8>; Mon, 23 Apr 2001 11:54:19 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE1C7@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Russ Housley <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) Date: Mon, 23 Apr 2001 11:45:29 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0CC0C.6C644B80" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0CC0C.6C644B80 Content-Type: text/plain; charset="iso-8859-1" I have been quite on this. I am firmly in favor of NOT having the requirement (i.e., delete the requirement): "CA post a full CRL whenever a delta CRL is issued". -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Monday, April 23, 2001 10:27 AM To: ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) All: Trevor, Ambarish, Denis, David, and others have proposed the removal of the requirement that CAs post a full CRL whenever a delta-CRL is posted. Trevor's suggestion that the consequences of a CA posting a delta-CRL without posting a full CRL could be discussed in a single paragraph in the Security Considerations section. Paul and Mike have suggested that the current text is fine. A few people have contributed to the thread but not made their own position clear. Perhaps they are only academically interested. Or, perhaps the dialogue is helping them reach their own conclusion. I do not know. Regardless, most people have been silent on this issue. I would like one of the proponents for removing the requirement to suggest alternative text, and I would like to hear from more people about the proposed revision. We are in Working Group Last Call. I would like to reach consensus on this issue, make the necessary change (if any), and get the document to the IESG. Many other working groups are waiting for our document. Russ ------_=_NextPart_001_01C0CC0C.6C644B80 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta-CRLs (was Re: Last = Call:draft-ietf-pkix-new-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I have been quite on this. I am firmly in favor = of NOT having the requirement (i.e., delete the requirement): "CA = post a full CRL whenever a delta CRL is issued".</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Russ Housley [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, April 23, 2001 10:27 AM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta-CRLs (was Re: Last</FONT> <BR><FONT SIZE=3D2>Call:draft-ietf-pkix-new-part1-06.txt = comments)</FONT> </P> <BR> <P><FONT SIZE=3D2>All:</FONT> </P> <P><FONT SIZE=3D2>Trevor, Ambarish, Denis, David, and others have = proposed the removal of the </FONT> <BR><FONT SIZE=3D2>requirement that CAs post a full CRL whenever a = delta-CRL is </FONT> <BR><FONT SIZE=3D2>posted. Trevor's suggestion that the = consequences of a CA posting a </FONT> <BR><FONT SIZE=3D2>delta-CRL without posting a full CRL could be = discussed in a single </FONT> <BR><FONT SIZE=3D2>paragraph in the Security Considerations = section.</FONT> </P> <P><FONT SIZE=3D2>Paul and Mike have suggested that the current text is = fine.</FONT> </P> <P><FONT SIZE=3D2>A few people have contributed to the thread but not = made their own position </FONT> <BR><FONT SIZE=3D2>clear. Perhaps they are only academically = interested. Or, perhaps the </FONT> <BR><FONT SIZE=3D2>dialogue is helping them reach their own = conclusion. I do not </FONT> <BR><FONT SIZE=3D2>know. Regardless, most people have been silent = on this issue.</FONT> </P> <P><FONT SIZE=3D2>I would like one of the proponents for removing = the requirement to suggest </FONT> <BR><FONT SIZE=3D2>alternative text, and I would like to hear from more = people about the </FONT> <BR><FONT SIZE=3D2>proposed revision.</FONT> </P> <P><FONT SIZE=3D2>We are in Working Group Last Call. I would like = to reach consensus on this </FONT> <BR><FONT SIZE=3D2>issue, make the necessary change (if any), and get = the document to the </FONT> <BR><FONT SIZE=3D2>IESG. Many other working groups are waiting = for our document.</FONT> </P> <P><FONT SIZE=3D2>Russ </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0CC0C.6C644B80-- Received: from gonzo.aus.rsa.com (mail.rsasecurity.com.au [203.46.112.10]) by above.proper.com (8.9.3/8.9.3) with SMTP id IAA01604 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 08:52:00 -0700 (PDT) Received: from checkpoint.local.aus.rsa.com by gonzo.aus.rsa.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 23 Apr 2001 15:48:33 UT Received: (private information removed) Received: (private information removed) Received: from HOUSLEY-LAP.rsasecurity.com (10.3.1.4 [10.3.1.4]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id HK1A3MZ6; Mon, 23 Apr 2001 11:50:54 -0400 Message-Id: <5.0.1.4.2.20010423101920.01ad2470@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 23 Apr 2001 10:27:15 -0400 To: ietf-pkix@imc.org From: Russ Housley <rhousley@rsasecurity.com> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <4AEE3169443CDD4796CA8A00B02191CD631AB6@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed All: Trevor, Ambarish, Denis, David, and others have proposed the removal of the requirement that CAs post a full CRL whenever a delta-CRL is posted. Trevor's suggestion that the consequences of a CA posting a delta-CRL without posting a full CRL could be discussed in a single paragraph in the Security Considerations section. Paul and Mike have suggested that the current text is fine. A few people have contributed to the thread but not made their own position clear. Perhaps they are only academically interested. Or, perhaps the dialogue is helping them reach their own conclusion. I do not know. Regardless, most people have been silent on this issue. I would like one of the proponents for removing the requirement to suggest alternative text, and I would like to hear from more people about the proposed revision. We are in Working Group Last Call. I would like to reach consensus on this issue, make the necessary change (if any), and get the document to the IESG. Many other working groups are waiting for our document. Russ Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA26083 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 08:29:27 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id RAA13888; Mon, 23 Apr 2001 17:29:03 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id RAA18686; Mon, 23 Apr 2001 17:28:50 +0200 Message-ID: <3AE44A38.604F97B4@bull.net> Date: Mon, 23 Apr 2001 17:28:56 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "David A. Cooper" <david.cooper@nist.gov> CC: ietf-pkix@imc.org Subject: Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <4.2.2.20010419115545.00aed3e0@email.nist.gov> <4.2.2.20010420174853.00aeebe0@email.nist.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David, This is a LONG e-mail and a last e-mail to you, before leaving for a trip that will keep me away from my e-mails during a week. So, don't think I am giving up if you do not receive a reply soon. > Denis, > > My comments are in line. > > At 06:50 PM 4/20/01 +0200, Denis Pinkas wrote: > >[Denis] This is the case I had in mind. However I would disagree to say that > >the locally contructed CRL is equal to the full CRL number 8, because there > >is no need to issue such CRL (see the first comment). It is simply the > >"freshest CRL constructed from the base CRL number 5 for 3:10 am". This > >locally contructed CRL bears no number, or if you assign one, this is a > >local matter and is not part of the standard. This also avoids the later > >confusing between CRL numbers. [David] This is simply not true. [Denis] The sentence above is technically correct: "It is simply the freshest CRL constructed from the base CRL number 5 for 3:10 am". [David] A delta-CRL can (will) contain the cRLNumber extension just as a full CRL will. [Denis] The cRLNumber extension is simply an identifier that allows you to uniquely identify it and to know whether it is earlier or later another CRL issued by the same CRL issuer. [David] If a full CRL and a delta-CRL are issued at the same time, the combination of the delta-CRL and an appropriate base CRL must be equivalent to the full CRL, and both the delta-CRL and the full CRL must have the same cRLNumber. [Denis] This is where we do not agree. The delta-CRL and the full CRL MUST NOT have the same cRLNumber because this would violate the definition of what is a CRLnumber. RFC 2459 says: 5.2.3 CRL Number The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for each CRL issued by a CA. This extension allows users to easily determine when a particular CRL supersedes another CRL. CAs conforming to this profile MUST include this extension in all CRLs. Maybe you are making some confusion with the deltaCRLindicator. The construction you mention is not acceptable and is no even part of the ISO X509 document. [David] If a delta-CRL is issued, and no corresponding full CRL issued, then the combination of the delta-CRL and an appropriate base CRL should be equivalent to the full CRL that would have been issued at that time, if a full CRL had been issued. [Denis] Here is the problem ! Let us take an example: A base CRL is issued at midnight. thisUpdate is set to midnight while nextUpdate is midnight for the next day. This means that there is no guarantee at all that any other base/full CRL will necessarily be seen within the next 24 hours. Certainly a base can be issued before, but once again there is no guarantee that it will ever be seen. If someone is now using the CRL as a proof to be presented later on that the certificate was not revoked, a relying party is perfectly right to use the base from midnight (if allowed by the validation policy) or the base plus a delta (if mandated by the validation policy). Now if you issue a full CRL (I did not say a base CRL) every hour at the same time you issue a delta, the problem becomes worse because at 11:30 p.m. you have now 23 full CRLs, and you cannot know which one is the right one to use (if someone purposely is blocking the transmission of the latest full CRLs), unless precisely you introduce he statement that is the cause of all this trouble: When a conforming CA issues a delta CRL, the CA MUST also issue a CRL that is complete for the given scope. Now understand better the problem: this is a stone fundation of the whole edifice. If we take it away, the whole edifice collapses. Anyway, the intention has never been that relying parties will necessarilly get the same level of information when using only base CRLs and when using base CRLs plus deltas. The question which arises now is what are the implications if a full CRL is issued at the same time a delta is issued and when we apply the modified sentence: When a conforming CA issues a delta CRL, the CA MAY also issue a full CRL that is complete for the given scope. In this case the relying pary is using the delta (*in the way I have described it*), i.e. testing thisUpdate and nextUpdate from the delta CRL, it will get a GUARANTEE to obtain either the freshest revocation information or it will know that the freshest revocation information is not available. In the case the relying pary is using not using the delta, he will have no GUARANTEE that the information he got is the freshest. [David] The delta-CRL should have the same cRLNumber as would have been assigned to a full CRL issued at the same time. [Denis] Once again, I disagree, since this would violate the definition of CRL Number given in section 5.2.3. [David] A delta-CRL is nearly the same as a full CRL. It has a thisUpdate, nextUpdate, cRLNumber, etc. just as a full CRL. It just has an incomplete list of revoked certificates. [Denis] Yes, but you have to explain detail how a relying party will use thisUpdate, nextUpdate for a base CRL and thisUpdate, nextUpdate for a delta to make sure that in both cases he got the freshest information. Remember that RFC 2459 says: The behavior of clients processing CRLs which omit nextUpdate is not specified by this profile. So, in order to be PKIX compliant, you cannot escape a sentence which tells what use is made of that field. > > > A few hours later, at 6:30am, the relying party performs another validation. The relying party has, in its local cache, the contents of CRL number 8 (which it constructed at 3:10am). It wants to update the information in its local case to based on the newly available revocation information. So, it obtains the latest delta-CRL. This delta-CRL has a CRL number of 11 and a BaseCRLnumber of 5. Since it has a BaseCRLNumber of 5, the delta-CRL provides status information for all certificates whose status has changed since CRL number 5 was issued. (midnight). So, clearly the delta-CRL provides status information for all certificates whose status has changed since 3:00am when CRL number 8 was issued. Thus, the relying party can combine the delta-CRL with its locally cached version of full CRL number 8 to obtain the contents of CRL number 11. This is a case where the CRL number of the complete CRL used is greater than the BaseCRLNumber specified in the delta-CRL. > >[Denis] This is a local matter and I would not mandate this in the document > >since there is another and simpler way to do it: you keep in the cache the > >base CRL (instead of the previously recontructed full CRL). This has the > >same end result, except that the method your recommend is not optimum: it > >will include many duplicates and deleting the duplicates is more painfull > >than making a simple addition. [David] I'm not sure what you are saying is a local matter. The contents of the delta-CRL is not a local matter and must be mandated in the certificate and CRL profile. If you prefer to always apply the delta-CRLs to the referenced base CRL instead of to a locally generated, more recent CRL, that is your choice. The document states that the delta-CRL may be combined with the referenced base CRL or a more recently issued full CRL. [Denis] As said later, your paper provides the right answer (on page 1): " A delta-CRL is a CRL that only provides information about certificates who statuses have changed since the issuance of a specific, previously issued CRL". The text says " *a* specific, previously issued CRL", it does NOT say "or any, more recently, issued CRL". Now I understand that you may get the same final result (in a less efficient way), if such a CRL has been issued and if it could have been seen by the relying party. I would propose that we describe in the text, the basic rule. I would have no problem to mention in a note that the same result COULD also be obtained, IF a full CRL were issued after the base. > >The basic algorithm is to take the base CRL and to add the delta. This is > >the standard. As soon as you get the same end result this is fine. This is > >the approach we have taken for path validation. Other ways do not need to be > >mentionned. > > > > > There are other reasons why the two numbers may not match, but I will not go into them. If you are interested, you can read my paper. > > > >[Denis] I read it (and skipped the mathematical formulas) > > > >This paper is proposing a method for over-issuing the CRLs. It omits to take > >into consideration that in PKIX-1 we mandate the CRL number extension > >(section 5.2.3) so we need to advertise the nextUpdate. If you issue a CRL > >before the next update you have no more way to know which base CRL is the > >freshest CRL. I believe this is a major security weakness and for that > >reason this mechanism should be deprecated. [David] The paper does discuss over-issuing of CRLs, but there is plenty of information about using delta-CRLs efficiently without over-issuing. Bear in mind, however, that the nextUpdate field only specifies the time by which a new CRL will be issued. Many people intend to issue a new CRL whenever a revocation occurs (or a revocation for key compromise) without waiting until the regularly scheduled time. [Denis] As said earlier, without any guarantee that the fullCRL issued before nextUpdate will be seen until the validation time has passed nextUpdate. > >BTW, the same security problem would occur as soon as a base would be used > >for every delta. Hence another good reason to delete the sentence which > >originally triggered all this discussion. > > I don't understand this at all. > > >BTW, I noticed that you have precisely deleted from my previous e-mail all > >the text dealing with this nextUpdate. :-( > > > >So I am still insisting on the major text change to make to that section: > > > > An application can construct a CRL that is the most current for > > a given scope, at the current time, by retrieving the current > > base CRL for that scope, and combining it with a delta-CRL which > > contains a Delta CRL Indicator equal to the cRLNumber of the base > > CRL and where the current date from that delta-CRL is between > > thisUpdate and nextUpdate; > > > >It is important to notice that the algorithm does NOT use the individual CRL > >numbers assigned to the delta-CRLs, but uses instead thisUpdate and > >nextUpdate. This is *very* important. [David] I thought I did respond to this. First, one should expect that delta-CRLs will always be at least as recent as base CRLs. So the first step should be to obtain the current delta-CRL. Next, one obtains a base CRL that can be used in combination with that delta-CRL. You may choose to only use the full CRL whose cRLNumber is equal to the BaseCRLNumber specified in the delta-CRL, however, any full CRL with a cRLNumber greater than or equal to the BaseCRLNumber is acceptable. [Denis] Your algorithm is looking at the CRL Numbers only. My algorithm is looking at thisUpdate and nextUpdate only. This is a major difference. In particular you do not say how "to obtain the current delta-CRL". [David] Since the cRLNumber of the base can be greater than the specified BaseCRLNumber, the document should say so. [Denis] This can be mentionned in a note (see earlier). [David] There is no need to state that the current time must be after the thisUpdate time in the delta-CRL as this will always be true by construction. [Denis] There is definitively a need to state this because the end result of the two algorithms will not be identical as soon as someone will block some of the information coming from the repository where the full/base CRLs are stored or where the delta CRLs are stored. [David] Finally, since a CRL issuer may issue "emergency" delta-CRLs, there is no guarantee that any delta-CRL whose nextUpdate time is later than the current time is the most current delta-CRL. [Denis] If you issue such "emergency" delta-CRLs then once again there is no guarantee that they will ever be seen. The "most recent delta-CRL" is any delta CRL which satisfies the following condition : " A delta-CRL which contains a Delta CRL Indicator equal to the cRLNumber of the base CRL and where the validation date (which may be the current time) is between thisUpdate and nextUpdate from that delta-CRL;" > > > >Finally we should explain what happens at the boundaries, i.e. when a CA > > > >decides to generate a (new) base CRL. Here is a text proposal: > > > > > > > > When issuing a base CRL that supports a delta-CRL mechanism then the > > > > CRL Issuer MUST at the same time issue a delta CRL that points to that > > > > base CRL. This first delta CRL will usually be empty (or will include > > > > last-minute additions to the base CRL). > > > This is not acceptable. The rule is that when a base CRL is issued a delta-CRL must be issued that has the same cRLNumber. The base CRL referenced by the delta must either be the previously issued base CRL or a base CRL issued before that one. Since the new base and the delta must have the same cRLNumber, there can be no differences as a result of "last-minute additions to the base CRL". > >[Denis] This does not work. Let me explain it differently. Suppose that > >during the week you do not generate delta-CRLs but for the week-end you > >decide to do it (e.g. more risk, more transactions done by citizens). So you > >issue a CRL with the freshest CRLindicator. You say that the delta points to > >the previous base CRL. The one from yesterday or the one from last week ? > >In either case this simply does not work. [David] Why? A delta-CRL must include a BaseCRLNumber that corresponds to a CRL that was issued at some time in the past. [Denis] A delta-CRL must include a BaseCRLNumber that corresponds to a CRL that was issued at some time in the past *or to the current time*. The above example demonstrates that the rule does not work the first time you use it since there is no such past base CRL or an ambiguity about which one is the right one. Since it is not possible to answer the question I raised (i.e. does the first delta points to one from yesterday or the one from last week ?) this is one way to demonstrate that there is a problem. > >The rule you mention, i.e. "The rule is that when a base CRL is issued a > >delta-CRL must be issued that has the same cRLNumber" is also wrong. The > >notion of a base CRL that would have the same number as a delta does not > >exist. > > > >Suppose we issue a base CRL every midnight. The question is whether we > > > >should issue a delta and, if yes, does this delta refer to the previous > > > >base or to the new one ? > > > The delta must refer either to the previous base or a base issued before the previous base. > >[Denis] Certainly not. Your paper however provides the right answer > >(on page 1): " A delta-CRL is a CRL that only provides information about > >certificates who statuses have changed since the issuance of a specific, > >previously issued CRL". [David] Where is the difference? A CRL that is referenced in the BaseCRLNumber of a delta-CRL is by definition a base CRL. [Denis] The difference lies in the fact that the sentence is using the wording "*a* specific, previously issued CRL". If it is *a* (i.e. one) specific CRL, it cannot be more than one. > > > >Suppose it refers to the previous one. According to the current sentence: > > > >"The constructed CRL has the CRL number specified in the CRL number > > > >extension found in the delta CRL used in its construction.", it is > > > >impossible. If that was the case the delta CRL would have a CRL number equal > > > >to the base CRL and it is not allowed for two CRLs to have the same CRL > > > >number. > > > > > I think you are confusing two different extensions. The deltaCRLIndicator extension contains a BaseCRLNumber which is used to determine against which base CRLs the delta-CRL can be applied. The cRLNumber extension specifies the CRL number of the full CRL that will be generated by applying the delta-CRL to a base CRL. The sentence above states that the CRL number of the constructed CRL is taken from the cRLNumber extension, not the BaseCRLNumber of the deltaCRLIndicator extension. > > > >[Denis] I do not think I make a confusion. The confusion comes from the > >numbering you introduce (see my earlier comment). > > > >Let me conclude: > > > >1) I do not have the time to spend hours of discussions on that topic. > >However the current text needs to be corrected and I have provided text > >for this. Please take again a look at it in the light of the following. > > > >2) In your paper you advertise the "traditional delta-CRLs". Let us stay in > >the tradition and let us mandate the implementation of the "tradition" if > >someone wans to support the delta-CRL mechanism. > > > >Any other method would first need to be proven to be secure (over-issuing > >CRLs and sliding window delta-CRLs have security problems) and should > >*anyway* fall in the MAY category, so that noone needs to implement to claim > >conformance with the delta CRL mechanism. Standard track documents need to > >make choices among multiple methods, otherwise two different implementations > >will never interoperate. [David] you say that you want to stick with "traditional" delta-CRLs, however you are proposing changes to the text that would not result in "traditional" delta-CRLs but would result in broken implementations. [Denis] You have provided no evidence of what you say just above. Tell me precisely what is wrong in the text I propose that would not allow the support of the "traditional" delta-CRLs. If something is wrong, we can fix it. [David] We do not prevent people from implementing "traditional" delta-CRLs, but we should not force them to either. [Denis] We disagree here. Standards are there to support at least one (simple) method that all implementations have to support( if they support delta). In addition, implementations may support additional methods and it will be up to the final customer to decide which one to use. We MAY describe these additional methods, but MUST clearly indicate the difference. [David] There are no security problems with sliding window delta-CRLs and they do not add any complexity for those who choose not to implement them. [Denis] There ARE security problems with sliding window delta-CRLs. I have descibed at length what the problems are. However, this does not mean that this technique cannot be supported as an OPTIO and IF we indicate in the text what are their security problems. The current text places the two techniques at the same level. The traditional way offers a guarantee while the other does not. There is indedd added complexity for building the software from the relying party. [David] I want to be sure that the delta-CRL text is correct just as you do, [Denis] At least one point on which we both agree. :-) [David] ... but I still feel that many of your comments are based on a misunderstanding and are not based on actual problems in the text. [Denis] I do hope that after this response you will think differently. Regards, Denis > Dave Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA13830 for <ietf-pkix@imc.org>; Mon, 23 Apr 2001 06:06:30 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA16908; Mon, 23 Apr 2001 15:06:07 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id PAA06038; Mon, 23 Apr 2001 15:05:50 +0200 Message-ID: <3AE428B6.AA6F5C7B@bull.net> Date: Mon, 23 Apr 2001 15:05:58 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Steve Hanna <steve.hanna@sun.com> CC: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <3ADF0833.61D9049F@bull.net> <3ADF119B.8FAC92D9@sun.com> <3ADF1A47.232CF904@bull.net> <3ADF25A0.779BA239@sun.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Steve, > > > However, I object to adding support for limits on trust anchors to > > > section 6.1. The algorithm in section 6.1 is the "basic" algorithm that > > > everyone MUST implement. Section 6.2 describes various ways to extend > > > that algorithm. Multiple trust anchors is one. Limits on trust anchors > > > is a second. PEM compatible processing is a third. If one argues that > > > limits on trust anchors should be described in section 6.1, one could > > > equally argue that PEM compatible processing should be described in > > > section 6.1. > > > > I agree with the intent, but this is NOT what the text says. :-( > > > > In particular section 6.1 only says " This text describes an algorithm for > > X.509 path processing". It does not qualifies it as basic nor says that it > > is a set of minimum conditions. > > Section 6 (third paragraph) says "In section 6.1, the text describes > basic path validation." OK. One point for you for the use of the word "basic", but ... one point for me because the text does not say that it is a set of minimum conditions. :-) > A few paragraphs later, it says "Section 6.2 > describes methods for using the path validation algorithm in specific > implementations. Two specific cases are discussed: the case where paths > may begin with one of several trusted CAs; and where compatibility with > the PEM architecture is required." > Section 6.1 (first paragraph) says "A conformant implementation MUST > include an X.509 path processing procedure that is functionally > equivalent to the external behavior of this algorithm." And section 6.1 > is titled "Basic Path Validation", while section 6.2 is titled "Using > the Path Validation Algorithm". > That's why I said that section 6.1 is the "basic" algorithm that > everyone MUST implement and section 6.2 describes various ways to extend > that algorithm. .. but the text does not say that it is a set of minimum conditions. > > Section 6.2 says " The path validation algorithm describes the process of > > validating a single certification path". .. but the text frpom section 6.1. does not say that other constraints may be applied even when there is a single trust anchor. > > "An implementation that supports multiple trust anchors may augment the > > algorithm presented in section 6.1 to further limit the set of valid paths > > which begin with a particular trust anchor." > This is one of several variations included in section 6.2. PEM > compatible processing is also included in section 6.2. Section 6.2 is > clearly not limited to variations which employ multiple trust anchors. The only other case is PEM: It is also possible to specify an extended version of the above certification path processing procedure which results in default behavior identical to the rules of PEM [RFC 1422]. > > You are proposing that the text from section 6.1 describes the "basic" > > algorithm, while the text from section 6.2. describes enhancements to the > > basic algorihm. I would not be opposed to your proposal, ... but many text > > changes would be required. > I don't think so. I think the text at the start of section 6 is clear. > Perhaps an introductory paragraph at the start of section 6.2 would make > it even clearer, but I don't see any other changes that would be > required. The case of a single anchor with additional constraints is still not covered by the current text. Regards, Denis > -Steve Received: from mail4.microsoft.com (mail4.microsoft.com [131.107.3.122]) by above.proper.com (8.9.3/8.9.3) with SMTP id TAA20904 for <ietf-pkix@imc.org>; Sun, 22 Apr 2001 19:40:58 -0700 (PDT) Received: from 157.54.7.67 by mail4.microsoft.com (InterScan E-Mail VirusWall NT); Sun, 22 Apr 2001 19:35:00 -0700 (Pacific Daylight Time) Received: from red-imc-01.redmond.corp.microsoft.com ([157.54.9.102]) by inet-imc-04.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 22 Apr 2001 19:34:15 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 22 Apr 2001 19:34:10 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Sun, 22 Apr 2001 19:33:44 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) Date: Sun, 22 Apr 2001 19:33:41 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD631AB8@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) Thread-Index: AcDLlCEFtrXlwHfOTlOu9OL6OSn78QACINIg From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "EKR" <ekr@rtfm.com>, "Ambarish Malpani" <ambarish@valicert.com> Cc: "Housley, Russ" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 23 Apr 2001 02:33:44.0037 (UTC) FILETIME=[D0D61950:01C0CB9D] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id TAA20905 It is not the cost associated with generating the base CRL but the over all system cost which is in question, e.g. the cost associated with the distribution of the CRL with replicated distribution mechanisms. If you publish a CRL to a directory, and that directory has multiple replicas, then there is a knock on effect when one instance of the directory is updated. The update is then replicated to all other instances. If you are not using a replicated directory, you may be using a replicated web server, which will have the same problem. Then there are bandwidth implications. Even in this day and age, bandwidth may be limited, and downloading a full CRL has a cost associated with it. -----Original Message----- From: Eric Rescorla [mailto:ekr@speedy.rtfm.com] Sent: Sunday, April 22, 2001 6:20 PM To: Ambarish Malpani Cc: 'Housley, Russ'; ietf-pkix@imc.org Subject: Re: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) Ambarish Malpani <ambarish@valicert.com> writes: > Russ, the problem with this is that CAs might be unwilling to issue > delta-CRLs because issuing a full CRL every time is too > burdensome. Ambarish, could you explain why the cost of issuing a full CRL is too burdensome? Surely it's not the cost of the signature itself you're concerned with. -Ekr Received: from mail4.microsoft.com (mail4.microsoft.com [131.107.3.122]) by above.proper.com (8.9.3/8.9.3) with SMTP id TAA20845 for <ietf-pkix@imc.org>; Sun, 22 Apr 2001 19:40:49 -0700 (PDT) Received: from 157.54.7.67 by mail4.microsoft.com (InterScan E-Mail VirusWall NT); Sun, 22 Apr 2001 19:35:00 -0700 (Pacific Daylight Time) Received: from red-imc-01.redmond.corp.microsoft.com ([157.54.9.102]) by inet-imc-04.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 22 Apr 2001 19:34:15 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 22 Apr 2001 19:34:11 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Sun, 22 Apr 2001 19:33:44 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Sun, 22 Apr 2001 19:33:43 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD631AB9@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Thread-Index: AcDLk3DHBs5oUjStQQaDeFEru0nH6AACOqjg From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Michael Myers" <myers@coastside.net>, "Housley, Russ" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 23 Apr 2001 02:33:44.0256 (UTC) FILETIME=[D0F78400:01C0CB9D] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id TAA20846 Yes, If a CA has not updated its CRL, the OCSP client may be aware of a revocation that the CRL client is not - which h is the reason put forward by Russ for publishing base and delta at the same time. Trevor -----Original Message----- From: Michael Myers [mailto:myers@coastside.net] Sent: Sunday, April 22, 2001 6:18 PM To: Trevor Freeman; Housley, Russ; ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Trevor, Is your differentiator timeliness? Mike > -----Original Message----- > From: Trevor Freeman [mailto:trevorf@windows.microsoft.com] > Sent: Sunday, April 22, 2001 5:28 PM > > . . . > An OCSP aware client may have a different answer to CRL > aware clients to the revocation status of a certificate. > . . . Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id TAA19750; Sun, 22 Apr 2001 19:11:56 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3N2Bxd09502; Sun, 22 Apr 2001 19:11:59 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "David Cross" <dcross@microsoft.com>, "Paul Hoffman / IMC" <phoffman@imc.org>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Date: Sun, 22 Apr 2001 19:10:32 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDKEDNCAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <24A715275661C8428C00432EFCA5CB7C02A98866@red-msg-02.redmond.corp.microsoft.com> Importance: Normal Dave, Recognizing broader enterprise issues, somwhere there's nonetheless a middle ground where the mandatory practice of a full CRL complements the optional practice of issuing deltas. The period of the former MAY, perhaps SHOULD, be longer than the latter in the presence of the delta practice. Your thoughts? Mike > -----Original Message----- > From: David Cross [mailto:dcross@microsoft.com] > Sent: Sunday, April 22, 2001 5:58 PM > To: Paul Hoffman / IMC; ietf-pkix@imc.org > Subject: RE: delta-CRLs (was Re: > LastCall:draft-ietf-pkix-new-part1-06.txt comments) > > > It may not be a burden to a CA, but it very well likely may be burden > for the underlying replication and distribution architecture to push a > full CRL every time a delta-CRL is issued. It is the bigger picture of > the issue outside of the CA and PKI aspects. > > > David B. Cross > > > > > -----Original Message----- > From: Paul Hoffman / IMC [mailto:phoffman@imc.org] > Sent: Sunday, April 22, 2001 7:06 AM > To: ietf-pkix@imc.org > Subject: RE: delta-CRLs (was Re: > LastCall:draft-ietf-pkix-new-part1-06.txt comments) > > > At 6:03 PM -0700 4/21/01, Ambarish Malpani wrote: > >Russ, the problem with this is that CAs might be unwilling to issue > >delta-CRLs because issuing a full CRL every time is too burdensome. > > Could you describe how it is "too burdensome"? Maybe I'm being naive, > not being a CA, but asking a CA to sign a second document (the full > CRL) at the time that it signs the first document (the delta-CRL) > really doesn't seem that onerous. > > I think the current requirement is fine. > > --Paul Hoffman, Director > --Internet Mail Consortium > Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA18949 for <ietf-pkix@imc.org>; Sun, 22 Apr 2001 18:37:42 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GC8008011V5UK@ext-mail.valicert.com> for ietf-pkix@imc.org; Sun, 22 Apr 2001 18:37:53 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GC8008EG1V4GB@ext-mail.valicert.com>; Sun, 22 Apr 2001 18:37:52 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26PT66>; Sun, 22 Apr 2001 18:36:36 -0700 Content-return: allowed Date: Sun, 22 Apr 2001 18:36:29 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) To: "'EKR'" <ekr@rtfm.com>, Ambarish Malpani <ambarish@valicert.com> Cc: "'Housley, Russ'" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C47@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Hi Eric, I don't have any problems with issuing new CRLs every few seconds - unfortunately, some of the CA vendors do :-) Anyway, the problem people have with issuing full CRLs at every revocation is the amount of extra processing they do with the CRL - e.g. back it up in their database, create some kind of audit trail, lookup all the revoked certificates in their database, etc. I have heard more than 1 CA vendor balk at the idea of issuing a new CRL for every revocation event, so I must believe that this is a pretty expensive operation. Regards, Ambarish --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: Eric Rescorla [mailto:ekr@speedy.rtfm.com] > Sent: Sunday, April 22, 2001 6:20 PM > To: Ambarish Malpani > Cc: 'Housley, Russ'; ietf-pkix@imc.org > Subject: Re: delta-CRLs (was Re: Last > Call:draft-ietf-pkix-new-part1-06.tx t comments) > > > Ambarish Malpani <ambarish@valicert.com> writes: > > > Russ, the problem with this is that CAs might be unwilling to issue > > delta-CRLs because issuing a full CRL every time is too > > burdensome. > Ambarish, could you explain why the cost of issuing a full > CRL is too burdensome? Surely it's not the cost of the signature > itself you're concerned with. > > -Ekr > Received: from mail4.microsoft.com (mail4.microsoft.com [131.107.3.122]) by above.proper.com (8.9.3/8.9.3) with SMTP id SAA17625 for <ietf-pkix@imc.org>; Sun, 22 Apr 2001 18:21:43 -0700 (PDT) Received: from 157.54.9.104 by mail4.microsoft.com (InterScan E-Mail VirusWall NT); Sun, 22 Apr 2001 18:06:25 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 22 Apr 2001 18:06:22 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Date: Sun, 22 Apr 2001 17:57:51 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C02A98866@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) Thread-Index: AcDLjnhPZVtrDFXoQZyGbX+yOEWT3AAAbJFQ From: "David Cross" <dcross@microsoft.com> To: "Paul Hoffman / IMC" <phoffman@imc.org>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 23 Apr 2001 01:06:22.0268 (UTC) FILETIME=[9C7F9FC0:01C0CB91] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id SAA17627 It may not be a burden to a CA, but it very well likely may be burden for the underlying replication and distribution architecture to push a full CRL every time a delta-CRL is issued. It is the bigger picture of the issue outside of the CA and PKI aspects. David B. Cross -----Original Message----- From: Paul Hoffman / IMC [mailto:phoffman@imc.org] Sent: Sunday, April 22, 2001 7:06 AM To: ietf-pkix@imc.org Subject: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments) At 6:03 PM -0700 4/21/01, Ambarish Malpani wrote: >Russ, the problem with this is that CAs might be unwilling to issue >delta-CRLs because issuing a full CRL every time is too burdensome. Could you describe how it is "too burdensome"? Maybe I'm being naive, not being a CA, but asking a CA to sign a second document (the full CRL) at the time that it signs the first document (the delta-CRL) really doesn't seem that onerous. I think the current requirement is fine. --Paul Hoffman, Director --Internet Mail Consortium Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA17292 for <ietf-pkix@imc.org>; Sun, 22 Apr 2001 18:19:39 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3N1Jed07872; Sun, 22 Apr 2001 18:19:40 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Trevor Freeman" <trevorf@windows.microsoft.com>, "Housley, Russ" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Sun, 22 Apr 2001 18:18:14 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDIEDMCAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <4AEE3169443CDD4796CA8A00B02191CD631AB6@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> Importance: Normal Trevor, Is your differentiator timeliness? Mike > -----Original Message----- > From: Trevor Freeman [mailto:trevorf@windows.microsoft.com] > Sent: Sunday, April 22, 2001 5:28 PM > > . . . > An OCSP aware client may have a different answer to CRL > aware clients to the revocation status of a certificate. > . . . Received: from romeo.rtfm.com ([198.144.203.242]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA16362 for <ietf-pkix@imc.org>; Sun, 22 Apr 2001 18:14:50 -0700 (PDT) Received: (ekr@localhost) by romeo.rtfm.com (8.9.3/8.6.4) id SAA11280; Sun, 22 Apr 2001 18:20:12 -0700 (PDT) Sender: ekr@rtfm.com To: Ambarish Malpani <ambarish@valicert.com> Cc: "'Housley, Russ'" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: Re: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) References: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C44@exchange.valicert.com> Reply-to: EKR <ekr@rtfm.com> Mime-Version: 1.0 (generated by tm-edit 7.108) Content-Type: text/plain; charset=US-ASCII From: Eric Rescorla <ekr@speedy.rtfm.com> Date: 22 Apr 2001 18:20:12 -0700 In-Reply-To: Ambarish Malpani's message of "Sat, 21 Apr 2001 18:03:06 -0700" Message-ID: <kjbspotnsj.fsf@romeo.rtfm.com> Lines: 11 X-Mailer: Gnus v5.6.45/XEmacs 20.4 - "Emerald" Ambarish Malpani <ambarish@valicert.com> writes: > Russ, the problem with this is that CAs might be unwilling to issue > delta-CRLs because issuing a full CRL every time is too > burdensome. Ambarish, could you explain why the cost of issuing a full CRL is too burdensome? Surely it's not the cost of the signature itself you're concerned with. -Ekr Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA16360; Sun, 22 Apr 2001 18:14:50 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3N1Erd07710; Sun, 22 Apr 2001 18:14:53 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Paul Hoffman / IMC" <phoffman@imc.org>, <ietf-pkix@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Sun, 22 Apr 2001 18:13:27 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDOEDLCAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <p0510080eb70895081561@[192.168.1.13]> Importance: Normal Ambarish, Paul: I must second Paul's concern. If you work through what it takes for to implement both "full" and "delta" CRL capabilities (i.e. CRON-driven sweeps across a database, formatting the relevant info into 2459-compliant syntax, signing the result and pushing it out to wherever or whomever) the software-level requirements to produce a delta are pretty close to identical to those for a full. Basically, it's just another crontab entry with perhaps a different period. But another thing bothers me in this dialog. The notion of a full backup/baseline in conjunction with (perhaps) more frequent deltas is a very well known and highly advised practice, for an obvious set of reasons. We should be thinking more about how this general principle applies in this instance. PKI is not so unique in its nature that this standard database maintenance practice does not apply. Mike > -----Original Message----- > From: Paul Hoffman / IMC [mailto:phoffman@imc.org] > Sent: Sunday, April 22, 2001 7:06 AM > To: ietf-pkix@imc.org > Subject: RE: delta-CRLs (was Re: Last > Call:draft-ietf-pkix-new-part1-06.txt comments) > > > At 6:03 PM -0700 4/21/01, Ambarish Malpani wrote: > >Russ, the problem with this is that CAs might be unwilling to issue > >delta-CRLs because issuing a full CRL every time is too > >burdensome. > > Could you describe how it is "too burdensome"? Maybe I'm being naive, > not being a CA, but asking a CA to sign a second document (the full > CRL) at the time that it signs the first document (the delta-CRL) > really doesn't seem that onerous. > > I think the current requirement is fine. > > --Paul Hoffman, Director > --Internet Mail Consortium > Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA13818 for <ietf-pkix@imc.org>; Sun, 22 Apr 2001 17:42:57 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org (Unverified) Message-Id: <p0510080eb70895081561@[192.168.1.13]> In-Reply-To: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C44@exchange.valicert.com> References: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C44@exchange.valicert.com> Date: Sun, 22 Apr 2001 07:06:07 -0700 To: ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 6:03 PM -0700 4/21/01, Ambarish Malpani wrote: >Russ, the problem with this is that CAs might be unwilling to issue >delta-CRLs because issuing a full CRL every time is too >burdensome. Could you describe how it is "too burdensome"? Maybe I'm being naive, not being a CA, but asking a CA to sign a second document (the full CRL) at the time that it signs the first document (the delta-CRL) really doesn't seem that onerous. I think the current requirement is fine. --Paul Hoffman, Director --Internet Mail Consortium Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.9.3/8.9.3) with SMTP id RAA13407 for <ietf-pkix@imc.org>; Sun, 22 Apr 2001 17:38:17 -0700 (PDT) Received: from 157.54.7.67 by mail2.microsoft.com (InterScan E-Mail VirusWall NT); Sun, 22 Apr 2001 17:29:56 -0700 (Pacific Daylight Time) Received: from red-imc-02.redmond.corp.microsoft.com ([157.54.9.107]) by inet-imc-04.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 22 Apr 2001 17:28:52 -0700 Received: from win-imc-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.39]) by red-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 22 Apr 2001 17:28:48 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-01.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Sun, 22 Apr 2001 17:28:21 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Sun, 22 Apr 2001 17:28:05 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD631AB6@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Thread-Index: AcDKq8B8myafCq05SxKHo1RrqERPlwA3290g From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 23 Apr 2001 00:28:21.0903 (UTC) FILETIME=[4D4B89F0:01C0CB8C] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id RAA13408 Russ, This level of concern for simple vs. complex was never raised when OCSP was discussed. An OCSP aware client may have a different answer to CRL aware clients to the revocation status of a certificate. Having established a precedent like that, it's too late to put the cat back in the bag now. What you have expressed is a policy, which is better left to the security consideration section rather than a must clause in the standard. It also ignores the reason why delta CRLS are viewed as attractive. A CA can today publish a full CRL whenever it likes. The reality is that publication of CRLs comes at a cost to the infrastructure, and many organisations are not prepared to pay that cost for full CRL publication, but would be prepared to publish smaller delta CRLs more frequently. Trevor -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Friday, April 20, 2001 1:26 PM To: ietf-pkix@imc.org Subject: Re: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) > >In the third paragraph the first sentence (still) says: > > > > > When a conforming CA issues a delta CRL, the CA MUST also issue a CRL Originally, this sentence was placed in RFC 2459 to ensure that simple clients are able to get the best possible revocation information. We did not want to require CAs or clients to support delta-CRLs, but if a CA chose to support delta-CRLs, we did not want to penalize clients. I do not see that either of these desires has changed. Russ Received: from mail4.microsoft.com (mail4.microsoft.com [131.107.3.122]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA02875 for <ietf-pkix@imc.org>; Sun, 22 Apr 2001 14:51:06 -0700 (PDT) Received: from 157.54.9.104 by mail4.microsoft.com (InterScan E-Mail VirusWall NT); Sat, 21 Apr 2001 16:07:46 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sat, 21 Apr 2001 16:07:07 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Date: Sat, 21 Apr 2001 16:07:07 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C02A98861@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Thread-Index: AcDKq8td/2vWwmoTRKmmIAi2MrNVqQAC7a0g From: "David Cross" <dcross@microsoft.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 21 Apr 2001 23:07:07.0308 (UTC) FILETIME=[C9659EC0:01C0CAB7] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id OAA02876 Understood - however, you may be penalizing the CA and the supporting infrastructure to replicate a full base CRL versus a smaller delta-CRL only. That is why so many people would like it to be a MAY. David B. Cross > >In the third paragraph the first sentence (still) says: > > > > > When a conforming CA issues a delta CRL, the CA MUST also issue > > > a CRL Originally, this sentence was placed in RFC 2459 to ensure that simple clients are able to get the best possible revocation information. We did not want to require CAs or clients to support delta-CRLs, but if a CA chose to support delta-CRLs, we did not want to penalize clients. I do not see that either of these desires has changed. Russ Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA24973 for <ietf-pkix@imc.org>; Sun, 22 Apr 2001 12:54:20 -0700 (PDT) Received: by balinese.baltimore.ie; id UAA08628; Sun, 22 Apr 2001 20:25:13 +0100 (GMT/IST) Received: from emeairlsw1.ie.baltimore.com(10.153.25.53) by balinese.baltimore.ie via smap (V4.2) id xma015979; Sat, 21 Apr 01 21:07:50 +0100 Received: from bobcat.baltimore.ie (bobcat.ie.baltimore.com) by emeairlsw1.baltimore.com (Content Technologies SMTPRS 4.2.1) with ESMTP id <T530f12e9150a99193519e@emeairlsw1.baltimore.com>; Sat, 21 Apr 2001 21:06:23 +0100 Received: from baltimore.ie (wks114-25.ie.baltimore.com [10.153.25.114]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id VAA25778; Sat, 21 Apr 2001 21:11:02 +0100 Message-ID: <3AE1E885.D1AFDE02@baltimore.ie> Date: Sat, 21 Apr 2001 21:07:33 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Trevor Freeman <trevorf@windows.microsoft.com> CC: Russ Housley <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: Re: Dedicated CRL signing keys References: <4AEE3169443CDD4796CA8A00B02191CD6894E4@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi Trevor, I'm sympathetic and would also like to see a nice solution that'd ease graceful failure for clients. However, if the proposal breaks existing CAs then its not a solution (as Tim pointed out for a different reason). Stephen. Trevor Freeman wrote: > > Stephen, > The route problem is that this is an optional feature, and the net > result with the current proposal of profile compliant clients who > encounter a CA operating with this option will simply be a signature > failure. This presents a fairly high bar to anyone trying to establish > why the revocation check is failing. The rational behind using a > critical extension in the CRL is that now the conformant client knows > that failure is by design without understanding what the problem is > since it does not understand the extension and can return a more > informative error like option not supported. > Trevor > > -----Original Message----- > From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie] > Sent: Thursday, April 19, 2001 7:07 AM > To: Russ Housley > Cc: Trevor Freeman; ietf-pkix@imc.org > Subject: Re: Dedicated CRL signing keys > > Russ, > > That'd be a bad resolution since it would break deployed CAs who > use the same name and different cert and CRL signing keys (and > those do exist and are operating). > > Any other ideas or should we just require clients to understand > what's going on based on key usage? > > Stephen. > > Russ Housley wrote: > > > > Trevor: > > > > I propose the following solution that builds on the Indirect CRL > > capabilities that are already available. When a CA wants to employ > > separate private keys to sign certificates and CRLs, then that CA MUST > > delegate CRL signing to a separate authority. That separate authority > MUST > > have a different Distinguished Name that the CA, but it could be > operated > > by the same organization. In this way, the IDP CRL extension would > flag > > the "unusual" circumstances. Clients that do not support Indirect > CRLs can > > fail gracefully (unsupported optional feature), and clients that > support > > Indirect CRLs can happily handle the certificates and CRLs. > > > > Thoughts? > > > > Russ > > > > At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: > > >There has been some discussion regarding the proposal to have CRLs > > >signed with CA keys which do not also sign certificates. Since this > will > > >not be a mandatory to implement feature, I am concerned about the > impact > > >on pkix compliant clients who encounter CRL signed in this way, and > how > > >we expect them to behave. What seem unacceptable with the current > > >proposal is that the signage check on the CRL will fail, and the > client > > >will have little clue as to why and if this failure is expected. The > > >information in the chain, while present, is in the CAs certificate, > is > > >difficult to find and subtle so would be easily missed by someone > > >debugging this problem. I would like to see some clearer indication > in a > > >critical extension in the CRL itself that would indicate what was > going > > >on. In expressing these semantics in a critical extension, we > maintain > > >the principal that if you don't understand the extension, the client > > >knows to fail due to its own inadequacies and that failure is by > design, > > >therefore allowing the client's to return an error unsupported option > > >rather than invalid signature. > > >Trevor > > -- > ____________________________________________________________ > Stephen Farrell > Baltimore Technologies, tel: (direct line) +353 1 881 6716 > 39 Parkgate Street, fax: +353 1 881 7000 > Dublin 8. mailto:stephen.farrell@baltimore.ie > Ireland http://www.baltimore.com -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA00417 for <ietf-pkix@imc.org>; Sat, 21 Apr 2001 18:04:15 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GC6006015N8RK@ext-mail.valicert.com> for ietf-pkix@imc.org; Sat, 21 Apr 2001 18:04:20 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GC60067Z5N8KR@ext-mail.valicert.com>; Sat, 21 Apr 2001 18:04:20 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26PSSX>; Sat, 21 Apr 2001 18:03:06 -0700 Content-return: allowed Date: Sat, 21 Apr 2001 18:03:06 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx t comments) To: "'Housley, Russ'" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C44@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Russ, the problem with this is that CAs might be unwilling to issue delta-CRLs because issuing a full CRL every time is too burdensome. The net result is that *nobody* has access to the latest revocation information - not even the smart clients who can understand delta CRLs. I would prefer that we drop that requirement that a full CRL be published whenever a new delta CRL is published. Regards, Ambarish --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > Sent: Friday, April 20, 2001 1:26 PM > To: ietf-pkix@imc.org > Subject: Re: delta-CRLs (was Re: Last > Call:draft-ietf-pkix-new-part1-06.txt comments) > > > > > >In the third paragraph the first sentence (still) says: > > > > > > > When a conforming CA issues a delta CRL, the CA MUST > also issue a CRL > > > Originally, this sentence was placed in RFC 2459 to ensure > that simple > clients are able to get the best possible revocation > information. We did > not want to require CAs or clients to support delta-CRLs, but > if a CA chose > to support delta-CRLs, we did not want to penalize clients. > > I do not see that either of these desires has changed. > > Russ > > Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA18205 for <ietf-pkix@imc.org>; Sat, 21 Apr 2001 14:33:47 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 21 Apr 2001 21:33:51 UT Received: from exno01.securitydynamics.com (exno01.securitydynamics.com [10.129.1.41]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id RAA28703 for <ietf-pkix@imc.org>; Sat, 21 Apr 2001 17:33:49 -0400 (EDT) Received: by exno01.dynas.se with Internet Mail Service (5.5.2650.21) id <2YZRT0CK>; Sat, 21 Apr 2001 23:33:49 +0200 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.13]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id HK1A3DGC; Sat, 21 Apr 2001 17:33:40 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010420161937.00b0acb0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 20 Apr 2001 16:25:57 -0400 Subject: Re: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <3AE068BE.BDB61B4A@bull.net> References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <4.2.2.20010419115545.00aed3e0@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed > >In the third paragraph the first sentence (still) says: > > > > > When a conforming CA issues a delta CRL, the CA MUST also issue a CRL Originally, this sentence was placed in RFC 2459 to ensure that simple clients are able to get the best possible revocation information. We did not want to require CAs or clients to support delta-CRLs, but if a CA chose to support delta-CRLs, we did not want to penalize clients. I do not see that either of these desires has changed. Russ Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA26436 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 18:36:53 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GC400401CHRJL@ext-mail.valicert.com> for ietf-pkix@imc.org; Fri, 20 Apr 2001 18:37:03 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GC400483CHQ4G@ext-mail.valicert.com>; Fri, 20 Apr 2001 18:37:03 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26PR2N>; Fri, 20 Apr 2001 18:35:51 -0700 Content-return: allowed Date: Fri, 20 Apr 2001 18:35:51 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: Meaning of Non-repudiation To: "'Tom Gindin'" <tgindin@us.ibm.com> Cc: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E182C41@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: multipart/alternative; boundary="Boundary_(ID_SfLmk2uDh9TAn0Z2MPBRvw)" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --Boundary_(ID_SfLmk2uDh9TAn0Z2MPBRvw) Content-type: text/plain; charset="iso-8859-1" <http://www.itsec.gov.uk/docs/pdfs/sectarg/EntAuth51.pdf> http://www.itsec.gov.uk/docs/pdfs/sectarg/EntAuth51.pdf <http://www.itsec.gov.uk/docs/pdfs/certreps/crp153.pdf> http://www.itsec.gov.uk/docs/pdfs/certreps/crp153.pdf Further to my memo earlier today, I inspected the security target for Entrust/RA and Entrust/Authority for which the UK Certification Body recently issued certification report P.153. The target claims 9.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> Q.QRIGIN FCO_NRO.2 This requirement ensures that the TOE generates evidence of origin fortransmitted public key The TOE must generate evidence of certificates: origin for transmitted public key certificates. FCO_NRO.2 ensures that evidence of origin is generated for certificates, CRLs, and ARLs so the identity of the originator can be related to the information. 10. Q.RECEIPT FCO_NRR.2 This requirement ensures that the TOE generates evidence of receipt for transmitted public key The TOE must generate evidence of certificates: receipt fortransmitted public key certificates. FCO_NRR.2 ensures that evidence of receipt is generated automatically for public key certificates received via SEP or PKIX-CMP. The certification report indicates that Entrust/RA provides both SFRs: FCO_NRO(2) and SFR_NRR(2) (Section O). This implies, given the criteria, that 'the sub-protocol in PKIX-CMP for returning the necessary evidence of receipt of a public-key certificate' is "correct". This implies that, should any "user data" be attached to the message that delivers the certificate via PKIX-CMP, and the automatic receipt is generated, then there is now, a citable method for NR for arbitrary data. Any protocol using receipt-evidentary methods compatible with PKIX-CMP can now realistically get certified as doing "proof of receipt with non-repudiation." It would be fascinating to know if the PKIX-CMP certificates involved have the NR bit set, in practice. Perhaps the Entrust ITSEC engineers will tell us. Set or not set, there are interesting implications of the certification report due to the design of PKIX-CMP "receipt-oriented" security services. The CC do say, in informational annexes that: "The PP/ST author must specify the conditions that must be met to be able to verify the validity of the evidence. An example of a condition which could be specified is where the verification of evidence must occur within 24 hours. These conditions, therefore, allow the tailoring of the non-repudiation to legal requirements, such as being able to provide evidence for several years." I have not found the words in the Entrust ST which satisfy this requirement, yet. When we do, we can see some of the legal implications. We seem to be making some concrete progress on NR, both technical and legal, thanks to the world of public disclosure of STs. Peter. -----Original Message----- From: Peter Williams [ <mailto:peterw@valicert.com> mailto:peterw@valicert.com] Sent: Friday, April 20, 2001 12:06 PM To: 'Tom Gindin' Cc: ietf-pkix@imc.org Subject: RE: Meaning of Non-repudiation When NIST?NSA folk evaluate a US network product/system, formally, they must, traditionally, use the following conceptions of NR. (Steve's notions of subject intent, and presumptions of signature binding, are not relevant to a formal evaluation of a product/system claiming to provide NR.) It would be useful for some of our friends from NCSC/NIST to perhaps find an actual evaluation/certification report that certified an actual network product/system as meeting the evaluation criteria for NR. This would provide us with an example protocol under the Red Book that was deemed "correct", as required by the criteria. --Boundary_(ID_SfLmk2uDh9TAn0Z2MPBRvw) Content-type: text/html; charset="iso-8859-1" Content-transfer-encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <TITLE></TITLE> <META content=3D"MSHTML 5.50.4522.1800" name=3DGENERATOR></HEAD> <BODY> <DIV><A target=3D_blank=20 href=3D"http://www.itsec.gov.uk/docs/pdfs/sectarg/EntAuth51.pdf"><FONT = face=3DArial=20 color=3D#000000>http://www.itsec.gov.uk/docs/pdfs/sectarg/EntAuth51.pdf<= /FONT></A><BR><A=20 target=3D_blank = href=3D"http://www.itsec.gov.uk/docs/pdfs/certreps/crp153.pdf"><FONT=20 face=3DArial=20 color=3D#000000>http://www.itsec.gov.uk/docs/pdfs/certreps/crp153.pdf</F= ONT></A><BR><BR><FONT=20 face=3DArial>Further to my memo earlier today, I inspected = the<BR>security target=20 for Entrust/RA and Entrust/Authority for which the UK = Certification<BR>Body=20 recently issued certification report P.153.<BR></FONT></DIV> <DIV><FONT face=3DArial>The target claims</FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2></FONT> </DIV> <DIV> <TABLE=20 style=3D"BORDER-RIGHT: medium none; BORDER-TOP: medium none; = BORDER-LEFT: medium none; BORDER-BOTTOM: medium none; BORDER-COLLAPSE: = collapse; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in = 5.4pt 0in 5.4pt"=20 cellSpacing=3D0 cellPadding=3D0 border=3D1> <TBODY> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: windowtext 0.5pt solid; PADDING-LEFT: 5.4pt; = PADDING-BOTTOM: 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: = 0in; BORDER-BOTTOM: windowtext 0.5pt solid"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>9.<?xml:namespace prefix =3D o ns =3D=20 "urn:schemas-microsoft-com:office:office"=20 /><o:p></o:p></FONT></FONT></SPAN></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: windowtext 0.5pt solid; PADDING-LEFT: 5.4pt; = PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-left-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly"><B=20 style=3D"mso-bidi-font-weight: normal"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>Q.QRIGIN<o:p></o:p></FONT></FONT></SPAN></B></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: windowtext 0.5pt solid; PADDING-LEFT: 5.4pt; = PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-left-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>FCO_NRO.2<o:p></o:p></FONT></FONT></SPAN></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: windowtext 0.5pt solid; PADDING-LEFT: 5.4pt; = PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-left-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>This requirement ensures that the TOE=20 generates<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>evidence of origin fortransmitted public=20 key<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>The TOE must generate evidence=20 of<o:p></o:p></FONT></FONT></SPAN></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 = size=3D2>certificates:<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>origin for transmitted public=20 key<o:p></o:p></FONT></FONT></SPAN></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>certificates.<o:p></o:p></FONT></FONT></SPAN></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2><B style=3D"mso-bidi-font-weight: = normal"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt">FCO_NRO.2=20 </SPAN></B><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt">ensures that = evidence=20 of origin is<o:p></o:p></SPAN></FONT></FONT></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>generated for certificates, CRLs, and ARLs so=20 the<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>identity of the originator can be related to=20 the<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 = size=3D2>information.<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>10.<o:p></o:p></FONT></FONT></SPAN></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly"><B=20 style=3D"mso-bidi-font-weight: normal"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>Q.RECEIPT<o:p></o:p></FONT></FONT></SPAN></B></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>FCO_NRR.2<o:p></o:p></FONT></FONT></SPAN></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>This requirement ensures that the TOE=20 generates<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>evidence of receipt for transmitted public=20 key<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>The TOE must generate evidence=20 of<o:p></o:p></FONT></FONT></SPAN></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 = size=3D2>certificates:<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>receipt fortransmitted public=20 key<o:p></o:p></FONT></FONT></SPAN></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>certificates.<o:p></o:p></FONT></FONT></SPAN></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2><B style=3D"mso-bidi-font-weight: = normal"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt">FCO_NRR.2=20 </SPAN></B><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt">ensures that = evidence=20 of receipt is<o:p></o:p></SPAN></FONT></FONT></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>generated automatically for public key=20 certificates<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR> <TR> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: windowtext 0.5pt solid; PADDING-TOP: 0in; = BORDER-BOTTOM: windowtext 0.5pt solid; mso-border-top-alt: solid = windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: exactly; = tab-stops: decimal 78.5pt"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><FONT=20 face=3DArial><FONT size=3D2> <SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: = 12.0pt"><o:p></o:p></SPAN></FONT></FONT></DIV></TD> <TD=20 style=3D"BORDER-RIGHT: windowtext 0.5pt solid; PADDING-RIGHT: = 5.4pt; BORDER-TOP: medium none; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: = 0in; BORDER-LEFT: medium none; PADDING-TOP: 0in; BORDER-BOTTOM: = windowtext 0.5pt solid; mso-border-left-alt: solid windowtext .5pt; = mso-border-top-alt: solid windowtext .5pt"=20 vAlign=3Dtop> <DIV class=3Dt4=20 style=3D"LINE-HEIGHT: 11.05pt; mso-line-height-rule: = exactly"><SPAN=20 style=3D"FONT-SIZE: 9pt; mso-bidi-font-size: 12.0pt"><FONT = face=3DArial><FONT=20 size=3D2>received via SEP or=20 = PKIX-CMP.<o:p></o:p></FONT></FONT></SPAN></DIV></TD></TR></TBODY></TABLE= ></DIV> <DIV><FONT size=3D2><FONT face=3DArial></FONT> </DIV> <DIV><FONT face=3DArial size=3D3>The certification report indicates = that Entrust/RA=20 provides both SFRs: FCO_NRO(2) and</FONT></DIV> <DIV><FONT face=3DArial size=3D3>SFR_NRR(2) (Section O).</FONT></DIV> <DIV><FONT face=3DArial size=3D3></FONT> </DIV> <DIV><FONT face=3DArial size=3D3>This implies, given the criteria, that = 'the=20 sub-protocol in PKIX-CMP for returning the</FONT></DIV> <DIV><FONT size=3D3><FONT face=3DArial>necessary </FONT><FONT = face=3DArial>evidence of=20 receipt of a public-key certificate' is "correct".=20 </FONT></FONT></DIV> <DIV><FONT face=3DArial size=3D3></FONT> </DIV> <DIV><FONT face=3DArial size=3D3>This implies that, should any "user = data" be=20 attached to the message that</FONT></DIV> <DIV><FONT face=3DArial size=3D3>delivers the certificate via PKIX-CMP, = and the=20 automatic receipt is</FONT></DIV> <DIV><FONT size=3D3><FONT face=3DArial>generated, then there is now, a = citable=20 method for NR for arbitrary data.</FONT></FONT></DIV> <DIV><FONT size=3D3><FONT face=3DArial>Any protocol using = receipt-evidentary methods=20 compatible with PKIX-CMP can </FONT></FONT></DIV> <DIV><FONT size=3D3><FONT face=3DArial>now realistically get = </FONT></FONT><FONT=20 size=3D3><FONT face=3DArial>certified as doing "proof of receipt with=20 non-repudiation."</FONT><BR></DIV></FONT> <DIV><FONT face=3DArial size=3D3>It would be fascinating to know if the = PKIX-CMP=20 certificates involved have the</FONT></DIV> <DIV><FONT color=3D#0000ff><FONT face=3DArial color=3D#000000 = size=3D3>NR bit set, in=20 practice. Perhaps the Entrust ITSEC engineers will tell=20 us.</FONT><BR></FONT></DIV> <DIV><FONT face=3DArial size=3D3>Set or not set, there are interesting = implications=20 of the certification</FONT></DIV> <DIV><FONT face=3DArial size=3D3>report due to the design of = </FONT><FONT=20 color=3D#0000ff><FONT color=3D#000000><FONT face=3DArial = size=3D3>PKIX-CMP=20 "receipt-oriented" security services.</FONT></FONT></FONT></DIV> <DIV><FONT color=3D#0000ff><FONT color=3D#000000><FONT face=3DArial = size=3D3><FONT=20 face=3D"Times New Roman" = size=3D3></FONT></FONT></FONT></FONT> </DIV> <DIV><FONT face=3DArial size=3D3>The CC do say, in informational = annexes that:=20 </FONT></DIV> <DIV><FONT face=3DArial size=3D3></FONT> </DIV> <DIV><FONT face=3DArial size=3D3>"The PP/ST author must specify the = conditions that=20 must be met to be able to verify</FONT></DIV> <DIV><FONT face=3DArial size=3D3>the validity of the evidence. An = example of a=20 condition which could be specified is</FONT></DIV> <DIV><FONT face=3DArial size=3D3>where the verification of evidence = must occur=20 within 24 hours. These conditions,</FONT></DIV> <DIV><FONT face=3DArial size=3D3>therefore, allow the tailoring of the=20 non-repudiation to legal requirements, such as</FONT></DIV> <DIV><FONT face=3DArial size=3D3>being able to provide evidence for = several=20 years."</FONT></DIV> <DIV><FONT face=3DArial size=3D3></FONT> </DIV> <DIV><FONT face=3DArial size=3D3>I have not found the words in the = Entrust ST which=20 satisfy this requirement,</FONT></DIV> <DIV><FONT face=3DArial size=3D3>yet. When we do, we can see some = of the legal=20 implications.</FONT></DIV> <DIV><FONT face=3DArial size=3D3></FONT> </DIV> <DIV><FONT face=3DArial size=3D3>We seem to be making some concrete = progress on NR,=20 both technical</FONT></DIV> <DIV><FONT face=3DArial size=3D3>and legal, thanks to the world of = public disclosure=20 of STs.</FONT></DIV> <DIV><FONT face=3DArial size=3D3></FONT> </DIV> <DIV><FONT face=3DArial size=3D3>Peter.</FONT></DIV> <DIV><FONT face=3DArial size=3D3></FONT> </DIV> <DIV><FONT face=3DArial size=3D3></FONT> </DIV> <DIV><FONT face=3DArial color=3D#0000ff></FONT> </DIV> <DIV><FONT face=3DArial color=3D#0000ff>-----Original = Message-----<BR>From: Peter=20 Williams [</FONT><A href=3D"mailto:peterw@valicert.com"><FONT=20 face=3DArial>mailto:peterw@valicert.com</FONT></A><FONT face=3DArial=20 color=3D#0000ff>]<BR>Sent: Friday, April 20, 2001 12:06 PM<BR>To: 'Tom=20 Gindin'<BR>Cc: ietf-pkix@imc.org<BR>Subject: RE: Meaning of=20 Non-repudiation<BR><BR><BR>When NIST?NSA folk evaluate a US network=20 product/system, formally,<BR>they must, traditionally, use the = following=20 conceptions of NR.<BR>(Steve's notions of subject intent, and = presumptions of=20 signature<BR>binding, are not relevant to a formal evaluation of a=20 product/system<BR>claiming to provide NR.)<BR><BR>It would be useful = for some of=20 our friends from NCSC/NIST<BR>to perhaps find an actual = evaluation/certification=20 report<BR>that certified an actual network product/system as meeting=20 the<BR>evaluation criteria for NR. This would provide us<BR>with an = example=20 protocol under the Red Book<BR>that was deemed "correct", as required = by the=20 criteria.<BR><BR> </FONT><FONT face=3DArial=20 color=3D#0000ff></DIV></FONT></FONT></BODY></HTML> --Boundary_(ID_SfLmk2uDh9TAn0Z2MPBRvw)-- Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA14893 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 15:22:29 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id SAA03884; Fri, 20 Apr 2001 18:22:27 -0400 (EDT) Message-Id: <4.2.2.20010420174853.00aeebe0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 20 Apr 2001 18:22:22 -0400 To: Denis Pinkas <Denis.Pinkas@bull.net> From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) Cc: ietf-pkix@imc.org In-Reply-To: <3AE068BE.BDB61B4A@bull.net> References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <4.2.2.20010419115545.00aed3e0@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Denis, My comments are in line. At 06:50 PM 4/20/01 +0200, Denis Pinkas wrote: >[Denis] This is the case I had in mind. However I would disagree to say that >the locally contructed CRL is equal to the full CRL number 8, because there >is no need to issue such CRL (see the first comment). It is simply the >"freshest CRL constructed from the base CRL number 5 for 3:10 am". This >locally contructed CRL bears no number, or if you assign one, this is a >local matter and is not part of the standard. This also avoids the later >confusing between CRL numbers. This is simply not true. A delta-CRL can (will) contain the cRLNumber extension just as a full CRL will. If a full CRL and a delta-CRL are issued at the same time, the combination of the delta-CRL and an appropriate base CRL must be equivalent to the full CRL, and both the delta-CRL and the full CRL must have the same cRLNumber. If a delta-CRL is issued, and no corresponding full CRL issued, then the combination of the delta-CRL and an appropriate base CRL should be equivalent to the full CRL that would have been issued at that time, if a full CRL had been issued. The delta-CRL should have the same cRLNumber as would have been assigned to a full CRL issued at the same time. A delta-CRL is nearly the same as a full CRL. It has a thisUpdate, nextUpdate, cRLNumber, etc. just as a full CRL. It just has an incomplete list of revoked certificates. > > A few hours later, at 6:30am, the relying party performs another validation. The relying party has, in its local cache, the contents of CRL number 8 (which it constructed at 3:10am). It wants to update the information in its local case to based on the newly available revocation information. So, it obtains the latest delta-CRL. This delta-CRL has a CRL number of 11 and a BaseCRLnumber of 5. Since it has a BaseCRLNumber of 5, the delta-CRL provides status information for all certificates whose status has changed since CRL number 5 was issued. (midnight). So, clearly the delta-CRL provides status information for all certificates whose status has changed since 3:00am when CRL number 8 was issued. Thus, the relying party can combine the delta-CRL with its locally cached version of full CRL number 8 to obtain the contents of CRL number 11. This is a case where the CRL number of the complete CRL used is greater than the BaseCRLNumber specified in the delta-CRL. > >[Denis] This is a local matter and I would not mandate this in the document >since there is another and simpler way to do it: you keep in the cache the >base CRL (instead of the previously recontructed full CRL). This has the >same end result, except that the method your recommend is not optimum: it >will include many duplicates and deleting the duplicates is more painfull >than making a simple addition. I'm not sure what you are saying is a local matter. The contents of the delta-CRL is not a local matter and must be mandated in the certificate and CRL profile. If you prefer to always apply the delta-CRLs to the referenced base CRL instead of to a locally generated, more recent CRL, that is your choice. The document states that the delta-CRL may be combined with the referenced base CRL or a more recently issued full CRL. >The basic algorithm is to take the base CRL and to add the delta. This is >the standard. As soon as you get the same end result this is fine. This is >the approach we have taken for path validation. Other ways do not need to be >mentionned. > > > There are other reasons why the two numbers may not match, but I will not go into them. If you are interested, you can read my paper. > >[Denis] I read it (and skipped the mathematical formulas) > >This paper is proposing a method for over-issuing the CRLs. It omits to take >into consideration that in PKIX-1 we mandate the CRL number extension >(section 5.2.3) so we need to advertise the nextUpdate. If you issue a CRL >before the next update you have no more way to know which base CRL is the >freshest CRL. I believe this is a major security weakness and for that >reason this mechanism should be deprecated. The paper does discuss over-issuing of CRLs, but there is plenty of information about using delta-CRLs efficiently without over-issuing. Bear in mind, however, that the nextUpdate field only specifies the time by which a new CRL will be issued. Many people intend to issue a new CRL whenever a revocation occurs (or a revocation for key compromise) without waiting until the regularly scheduled time. >BTW, the same security problem would occur as soon as a base would be used >for every delta. Hence another good reason to delete the sentence which >originally triggered all this discussion. I don't understand this at all. >BTW, I noticed that you have precisely deleted from my previous e-mail all >the text dealing with this nextUpdate. :-( > >So I am still insisting on the major text change to make to that section: > > An application can construct a CRL that is the most current for > a given scope, at the current time, by retrieving the current > base CRL for that scope, and combining it with a delta-CRL which > contains a Delta CRL Indicator equal to the cRLNumber of the base > CRL and where the current date from that delta-CRL is between > thisUpdate and nextUpdate; > >It is important to notice that the algorithm does NOT use the individual CRL >numbers assigned to the delta-CRLs, but uses instead thisUpdate and >nextUpdate. This is *very* important. I thought I did respond to this. First, one should expect that delta-CRLs will always be at least as recent as base CRLs. So the first step should be to obtain the current delta-CRL. Next, one obtains a base CRL that can be used in combination with that delta-CRL. You may choose to only use the full CRL whose cRLNumber is equal to the BaseCRLNumber specified in the delta-CRL, however, any full CRL with a cRLNumber greater than or equal to the BaseCRLNumber is acceptable. Since the cRLNumber of the base can be greater than the specified BaseCRLNumber, the document should say so. There is no need to state that the current time must be after the thisUpdate time in the delta-CRL as this will always be true by construction. Finally, since a CRL issuer may issue "emergency" delta-CRLs, there is no guarantee that any delta-CRL whose nextUpdate time is later than the current time is the most current delta-CRL. > > >Finally we should explain what happens at the boundaries, i.e. when a CA > > >decides to generate a (new) base CRL. Here is a text proposal: > > > > > > When issuing a base CRL that supports a delta-CRL mechanism then the > > > CRL Issuer MUST at the same time issue a delta CRL that points to that > > > base CRL. This first delta CRL will usually be empty (or will include > > > last-minute additions to the base CRL). > > > > This is not acceptable. The rule is that when a base CRL is issued a delta-CRL must be issued that has the same cRLNumber. The base CRL referenced by the delta must either be the previously issued base CRL or a base CRL issued before that one. Since the new base and the delta must have the same cRLNumber, there can be no differences as a result of "last-minute additions to the base CRL". > >[Denis] This does not work. Let me explain it differently. Suppose that >during the week you do not generate delta-CRLs but for the week-end you >decide to do it (e.g. more risk, more transactions done by citizens). So you >issue a CRL with the freshest CRLindicator. You say that the delta points to >the previous base CRL. The one from yesterday or the one from last week ? >In either case this simply does not work. Why? A delta-CRL must include a BaseCRLNumber that corresponds to a CRL that was issued at some time in the past. >The rule you mention, i.e. "The rule is that when a base CRL is issued a >delta-CRL must be issued that has the same cRLNumber" is also wrong. The >notion of a base CRL that would have the same number as a delta does not >exist. > > > >Suppose we issue a base CRL every midnight. The question is whether we > > >should issue a delta and, if yes, does this delta refer to the previous > > >base or to the new one ? > > > > The delta must refer either to the previous base or a base issued before the previous base. > >[Denis] Certainly not. Your paper however provides the right answer >(on page 1): " A delta-CRL is a CRL that only provides information about >certificates who statuses have changed since the issuance of a specific, >previously issued CRL". Where is the difference? A CRL that is referenced in the BaseCRLNumber of a delta-CRL is by definition a base CRL. > > >Suppose it refers to the previous one. According to the current sentence: > > >"The constructed CRL has the CRL number specified in the CRL number > > >extension found in the delta CRL used in its construction.", it is > > >impossible. If that was the case the delta CRL would have a CRL number equal > > >to the base CRL and it is not allowed for two CRLs to have the same CRL > > >number. > > > I think you are confusing two different extensions. The deltaCRLIndicator extension contains a BaseCRLNumber which is used to determine against which base CRLs the delta-CRL can be applied. The cRLNumber extension specifies the CRL number of the full CRL that will be generated by applying the delta-CRL to a base CRL. The sentence above states that the CRL number of the constructed CRL is taken from the cRLNumber extension, not the BaseCRLNumber of the deltaCRLIndicator extension. > >[Denis] I do not think I make a confusion. The confusion comes from the >numbering you introduce (see my earlier comment). > >Let me conclude: > >1) I do not have the time to spend hours of discussions on that topic. >However the current text needs to be corrected and I have provided text >for this. Please take again a look at it in the light of the following. > >2) In your paper you advertise the "traditional delta-CRLs". Let us stay in >the tradition and let us mandate the implementation of the "tradition" if >someone wans to support the delta-CRL mechanism. > >Any other method would first need to be proven to be secure (over-issuing >CRLs and sliding window delta-CRLs have security problems) and should >*anyway* fall in the MAY category, so that noone needs to implement to claim >conformance with the delta CRL mechanism. Standard track documents need to >make choices among multiple methods, otherwise two different implementations >will never interoperate. you say that you want to stick with "traditional" delta-CRLs, however you are proposing changes to the text that would not result in "tradtional" delta-CRLs but would result in broken implementations. We do not prevent people from implementing "traditional" delta-CRLs, but we should not force them to either. There are no security problems with sliding window delta-CRLs and they do not add any complexity for those who choose not to implement them. I want to be sure that the delta-CRL text is correct just as you do, but I still feel that many of your comments are based on a misunderstanding and are not based on actual problems in the text. Dave Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA12055 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 14:32:17 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JJPVT1HQ>; Fri, 20 Apr 2001 17:31:49 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD02389AC4@sottmxs09.entrust.com> From: Carlisle Adams <carlisle.adams@entrust.com> To: "'Frank Balluffi'" <frankb@valicert.com> Cc: "'stephen.farrell@baltimore.ie'" <stephen.farrell@baltimore.ie>, "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: RE: Use of PKIMessages Date: Fri, 20 Apr 2001 17:26:23 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C9E0.8C8BE6D0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C9E0.8C8BE6D0 Content-Type: text/plain Hi Frank, Yes, Section 5.4 of RFC 2510 and Appendix G of rfc2510bis-03 are used to carry a single PKIMessage at a time. Carlisle. > ---------- > From: Frank Balluffi[SMTP:frankb@valicert.com] > Sent: Wednesday, April 18, 2001 1:05 PM > To: 'cadams@entrust.com'; 'stephen.farrell@baltimore.ie' > Subject: CMP: Use of PKIMessages > > Carlisle and Stephen, > > draft-ietf-pkix-rfc2510bis-03.txt defines PKIMessages as: > > PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage > > whereas RFC 2510 uses PKIMessages within its text, but does not define the > type. > > Am I correct in assuming that section 5.4 of RFC 2510 and Appendix G of > draft-ietf-pkix-rfc2510bis-03.txt describe methods for transporting > PKIMessage, not PKIMessages. Thanks. > > Frank > ------_=_NextPart_001_01C0C9E0.8C8BE6D0 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Use of PKIMessages</TITLE> </HEAD> <BODY> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman">Hi = Frank,</FONT> </P> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman">Yes, = Section 5.4 of RFC 2510 and Appendix G of rfc2510bis-03 are used to = carry a single PKIMessage at a time.</FONT> </P> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New = Roman">Carlisle.</FONT> </P> <BR> <UL> <P><FONT SIZE=3D2 FACE=3D"MS Sans Serif">----------</FONT> <BR><B><FONT SIZE=3D2 FACE=3D"MS Sans Serif">From:</FONT></B> = <FONT SIZE=3D2 FACE=3D"MS Sans Serif">Frank = Balluffi[SMTP:frankb@valicert.com]</FONT> <BR><B><FONT SIZE=3D2 FACE=3D"MS Sans Serif">Sent:</FONT></B> = <FONT SIZE=3D2 FACE=3D"MS Sans Serif">Wednesday, April 18, 2001 1:05 = PM</FONT> <BR><B><FONT SIZE=3D2 FACE=3D"MS Sans Serif">To:</FONT></B> = <FONT SIZE=3D2 FACE=3D"MS Sans = Serif">'cadams@entrust.com'; 'stephen.farrell@baltimore.ie'</FONT> <BR><B><FONT SIZE=3D2 FACE=3D"MS Sans Serif">Subject:</FONT></B> = <FONT SIZE=3D2 FACE=3D"MS Sans = Serif">CMP: Use of PKIMessages</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Carlisle and Stephen,</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">draft-ietf-pkix-rfc2510bis-03.txt = defines PKIMessages as:</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">PKIMessages ::=3D SEQUENCE SIZE = (1..MAX) OF PKIMessage</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">whereas RFC 2510 uses PKIMessages = within its text, but does not define the</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">type.</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Am I correct in assuming that section = 5.4 of RFC 2510 and Appendix G of</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">draft-ietf-pkix-rfc2510bis-03.txt = describe methods for transporting</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">PKIMessage, not PKIMessages. = Thanks.</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Frank</FONT> </P> </UL> </BODY> </HTML> ------_=_NextPart_001_01C0C9E0.8C8BE6D0-- Received: from femail3.sdc1.sfba.home.com (femail3.sdc1.sfba.home.com [24.0.95.83]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA07281 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 13:34:34 -0700 (PDT) Received: from revelation ([65.4.166.11]) by femail3.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010420203201.ZPPP26961.femail3.sdc1.sfba.home.com@revelation>; Fri, 20 Apr 2001 13:32:01 -0700 Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch5@home.com> To: "'Sharon Boeyen'" <sharon.boeyen@entrust.com>, <ietf-pkix@imc.org> Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Date: Fri, 20 Apr 2001 13:37:19 -0700 Message-ID: <002601c0c9d9$b2979a60$0d00a8c0@soaringhawk.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0027_01C0C99F.0638C260" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FB7@sottmxs09.entrust.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal This is a multi-part message in MIME format. ------=_NextPart_000_0027_01C0C99F.0638C260 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)Sharon, I actually completely agree with the basic point here. Once I (a CA) have issued a certificate to an entity, I cannot control anything about how they will use it. All I can do is try and put hints in for relying parties to catch it when that entity is doing "un-approved" things. Just to verify the basic answer. X.509 has a set of extensions that the PKIX group did not adopt for dealing with attribute certificates. PKI certs use basicContraints, AC certs use basicAttConstraints to control the "a think that the entity ought to..." type statements. This means that the arguement here, in the PKIX group, does not have a similar arguement in the X.509 group. jim -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Friday, April 20, 2001 12:57 PM To: 'jimsch@exmsft.com'; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Jim, I forgot one point that might help understand my view on the basicConstraints extension. I don't believe that any CA can actually prevent another entity from issuing certificates purely through technical tools such as cert extensions. However, a CA can prevent relying parties from trusting certificates issued by such entities specifically through the business controls extensions defined in the standards. Cheers, Sharon -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Friday, April 20, 2001 3:05 PM To: 'jimsch@exmsft.com'; Sharon Boeyen; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) The point that I think is a bit different is the use of the CA bit in basic constraints. This is one of many 'business controls' that a CA can put into a certificate that it issues to another CA to restrict the set of paths (including that certificate) that can be successfully validated. In my mind this extension exists so that a relying party can know whether the certificate they are processing is one that certifies a key that can be used to verify the signature of the next cert in the path. Full stop. It isn't an 'authorization' of any entity to issue certificates but a signal to the relying party that the certified key can be used for verifying the next signature. The pathLengthConstraint component of that extension, along with all the other business control extensions (policy stuff, name constraints etc) further retrict a relying party with respect to the certification paths (and contained certificates) that can be successfully validated using the certificate that contains the extensions. Each issuer has the ability to place such restrictions and the complete validation of the path depends, in part on those constraints. When we look at the two basic trust models (hierarchical and distributed), then this does get muddled somewhat, because in a hierarchy there is sort of a sense of 'authorization' of subordinate CAs. The same is not true in a distributed trust model. A CA is any entity that issues public-key certificates regardless of whether some other CA happens to have issued it a certificate containing the basic constraints extension with the CA bit set to true. The extension really only matters when one tries to validate a certification path and needs to be sure that the issuer of a particular certificate 'trusts' certificates signed with the key corresponding to that certified in the current certificate. Consider the above 2 paragraphs my personal opinion on basicConstraints. As for attribute certificates and attribute authorities, in some environments there is absolutely no need to tie the PMI to the PKI. The verifiers may import one or more trust anchors for SOAs, similar to how they do today for PKI trust anchors. However, in other environments, there was a requirement to have a single trust anchor and be able to validate both public key and attribute certificates. For this reason, X.509 added the sOAIdentifier extension. Its syntax is NULL. Its only purpose in life is to support this requirement of binding a PMI to a PKI. As for the attribute certificate 'equivalent' of a certification path, this is a delegation path. There are completely different extensions defined to ensure that a delegationPath is valid (although you will recognize similarities). basicAttConstraints inidicates whether or not the assigned privilege can be further delegated by the subject of the containing certificate. 'Business controls' extensions include delegatedNameConstraints, acceptableCertPolicies, authorityAttributeIdentifier (to ensure that the delegating authority actually holds sufficicient privilege to delegate it) etc). Don't try to shoehorn the PKI extensions into the PMI model. The only real overlap is that we reused the basic CRL structure. Hope that helps and doesn't confuse the issues further :-) Sharon -----Original Message----- From: Jim Schaad [mailto:jimsch5@home.com] Sent: Friday, April 20, 2001 2:08 PM To: 'Sharon Boeyen'; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Sharon, Much of this question arose from how to deal with AC "authorities". I don't have access at the moment to the X. version of the AC draft (yes I know I can now get it), but do you believe that AC issuers and "revokers" need to be authorities in that the CA bit should be set for them? jim -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Friday, April 20, 2001 9:57 AM To: 'David A. Cooper'; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Just to be clear, lets not confuse what I may happen to want as an individual contributor to PKIX or any other list, with what I state as 509 editor (they're not necessarily always the same :-) My comments were purely from the editor's perspective and yes, the current 509 text is quite clear that the CA that issues a certificate is responsible for stating whether or not that certificate can be revoked, and if so, what mechanism is used to inform relying parties. If that mechanism is CRLs, these are issued by the certificate issuer or by another authority delegated that task by the certificate issuer (that doesn't necessarily mean that 509 requires a cert to be issued to that authority, nor that the cert contain the basic constraints extension though, that is the job of profile groups to determine and incidentally I don't believe they'll all adopt the same solution so I would want 509 to remain flexible). My own personal view is that industry has moved to a point where there probably isn't any real requirement for a CRL issuer to also be a cert issuer as long as that CRL issuer is delegated that responsibility by the cert issuer and there is a cryptographic way to ensure that binding for relying parties. To achieve that, I believe some changes are required in 509. On the separate keys for cert and CRL signing (by the same authority), my personal opinion is that anything you read into 509 text on that specific topic would be accidental as I don't recall any specific discussion on it. However, since that is a real world requirement, I would want to be sure that 509 did not prohibit it. Hope that clarifies where my comments are coming from :-) > -----Original Message----- > From: David A. Cooper [mailto:david.cooper@nist.gov] > Sent: Friday, April 20, 2001 11:44 AM > To: ietf-pkix@imc.org > Subject: RE: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix-n ew-part1-06.txt comments) > > > Sharon, > > Are you suggesting that in order for an entity to issue CRLs > on behalf of a certificate issuer, that CRL issuer would need > to issue certificates as well (so that it can qualify as an > authority)? I don't think there should be such a > requirement, but even if there were it wouldn't settle the issue. > > Even if only authorities can issue CRLs, there is nothing to > prevent that authority from using different keys to sign > certificates and CRLs. X.509 states that "[t]he cA component > indicates if the certified public key may be used to verify > certificate signatures." So, the proper value of the cA bit > is determined by the allowable uses of the subject public > key, not by the type of entity the subject is. So, even if > the certificate subject is a CA, and issues certificates > under some key, the cA bit should not be set unless the > particular subject public key in the certificate can be used > to verify certificate signatures. If an authority is the > subject of a certificate and the particular public key of > that authority that is being certified is only to be used to > verify signatures on CRLs, then the cA bit should not be set. > > Dave > > At 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote: > > >David, sorry but I disagree with your assertions about X.509's > >position on this issue. Either by design or by accident, > X.509 requires that if CRLs are being issued, they are issued > by an 'authority'. Remember that the definition of > "authority" is "An entity responsible > > > >for the issuance of certificates". Much of the text in X.509 > predates OCSP or the concept of a validation authority, but I > do know that the quotes below are new text added within the > past couple of years with the intent of clarifying the role > of CAs with respect to CRLs. > > > >Clause 7.3 says: > > > >"An authority that issues certificates is required to state, > possibly through a published statement of their practices, > through the certificates themselves, or through some other > identified means, whether: > > > >- The certificates cannot be revoked; or > >- The certificates may be revoked by the same > certificate-issuing authority directly; or > >- The certificate-issuing authority authorizes a > different authority to perform revocation." > > > >further down in the same clause is the text: > > > >" > >An authority that issues and subsequently revokes certificates: > >a) may be required to maintain an audit record of its > revocation events for all certificate types issued by that > authority (e.g. public-key certificates, attribute > certificates issued to end-entities as well as other authorities); > > > >b) shall provide revocation status information to > relying parties using CRLs, on-line certificate status > protocol or some other mechanism for the publication of > revocation status information; > > > >c) if using CRLs, shall maintain and publish CRLs even > if the lists of revoked certificates are empty." > > > >The quotes that you included in your message tie in with > this base text, since the authority that issued the > certificates has these responsibilities around revocation, > there was no need for X.509 to state anything specific to CRL > issuance. In the indirect CRL case, this was envisioned to be > another CA or AA, that combined revocation notices from > several CAs/AAs. > > > >Having said that (with my X.509 editor's hat on), if there > is a requirement to have entities that are not CAs or AAs be > authorized to issue CRLs on behalf of the certificate issuer > (because remember that a CRL is an indication that a > certificate is no longer considered valid "by its > issuer")changes to X.509 would be needed. I'm not necessarily > opposed to such changes, I'm just clarifying, in this > message, that they would be needed in order for such > implementations to be conformant. This, as usual could be > done through the enhancements work or could be proposed > through the defect process. One way to enable that kind of > change might be to redefine authority and to talk about 3 > types rather than two. However, it would take some careful > review to ensure that the set of changes was thorough and complete. > > > >Sharon > > > > > -----Original Message----- > > > From: David A. Cooper > [<mailto:david.cooper@nist.gov>mailto:david.cooper@nist.gov] > > > Sent: Thursday, April 19, 2001 5:08 PM > > > To: ietf-pkix@imc.org > > > Subject: cA flag and CRL issuers (was Re: Last Call: > > > draft-ietf-pkix-new-part1-06.txt comments) > > > > > > > > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: > > > >Dave Cooper, > > > > > > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: > > > >>I see no basis in X.509 for setting the cA flag in > > > basicConstraints for certificate subjects that can issue CRLs > > > but not certificates. The current discussion about how to > > > deal with CRLs for attribute certificates vs. public key > > > certificates just further goes to show that it was a mistake > > > to suddenly change the rules at the last IETF meeting. > > > > > > > >We disagree on this point. Nowhere in X.509 or in previous > > > PKIX documents has there ever been text to suggest that other > > > than a CA can sign a CRL for a public key certificate. So, > > > the rules were not changed at the last meeting, they were > > > reasserted and clarified. > > > > > > Steve, > > > > > > You may say that X.509 and PKIX do not suggest that entities > > > other than CAs can sign CRLs. However, I think we all agree > > > that both X.509 and PKIX allow for a CRL to be signed with a > > > different key than the key used to sign the certificates that > > > are covered by that CRL. This may be a result of the CA that > > > issued the certificates signing the corresponding CRLs with a > > > different key or the CA that issued the certificates > > > delegating the CRL issuing to another entity (via the > > > distribution points extension). There is no requirement that > > > the key used to sign the CRL also be used to sign > > > certificates. So, I think we agree that there will be times > > > where we will be issuing certificates to entities (whether > > > those entities are CAs or not) where the intent is to specify > > > that the public keys in the certificates may be used to > > > verify signatures on CRLs but not on certificates. > > > > > > The only place we seem to disagree is on the contents of the > > > certificates issued in such circumstances. In particular, > > > should the certificates contain a basicConstraints extension > > > with the cA bit set? On this point, both X.509 and the > > > previous PKIX documents are quite clear that the cA bit > > > should not be set. Why? Because a CA is defined as an entity > > > that issues public-key certificates and both documents > > > similarly state that the cA bit is used to specify whether > > > the certificate subject can issue certificates. There is no > > > similar connection made between being a CA and issuing CRLs. > > > > > > > > > The following are some quotes from X.509 and pkix-new-part1-05: > > > > > > In X.509 a CA is defined as "[a]n authority trusted by one or > > > more users to create and assign public-key certificates." > > > > > > Section 7 of X.509 states that "[a] CA-certificate is a > > > certificate issued by a CA to a subject that is itself a CA > > > and therefore is capable of issuing public-key certificates." > > > > > > > > > The description of basic constraints in X.509 further > > > supports the idea that the cA bit is used to specify > > > certificate issuing, not certificate and/or CRL issuing: > > > > > > "This field indicates if the subject may act as a CA, with > > > the certified public key being used to verify certificate > > > signatures. ... The cA component indicates if the certified > > > public key may be used to verify certificate signatures. ... if > > > the value of cA is not set to true then the certified public > > > key shall not be used to verify a certificate signature" > > > > > > > > > pkix-new-part1-05 states something similar: > > > > > > "The cA bit indicates if the certified public key may be used > > > to verify signatures on other certificates. If the cA bit is > > > asserted, then the keyCertSign bit in the key usage extension > > > (see 4.2.1.3) MUST also be asserted. If the cA bit is not > > > asserted, then the keyCertSign bit in the key usage extension > > > MUST NOT be asserted." > > > > > > > > > The description of the key usage bits are consistent with > > > this as well. > > > > > > X.509: > > > "The bit keyCertSign is for use in CA-certificates only. If > > > KeyUsage is set to keyCertSign and the basic constraints > > > extension is present in the same certificate, the value of > > > the cA component of that extension shall be set to TRUE." > > > > > > pkix-new-part1-05: > > > "The keyCertSign bit is asserted when the subject public key > > > is used for verifying a signature on certificates. This bit > > > may only be asserted in CA certificates. If the keyCertSign > > > bit is asserted, then the cA bit in the basic constraints > > > extension (see 4.2.1.10) MUST also be asserted. If the > > > keyCertSign bit is not asserted, then the cA bit in the basic > > > constraints extension MUST NOT be asserted. > > > > > > The cRLSign bit is asserted when the subject public key is > > > used for verifying a signature on revocation information > > > (e.g., a CRL)." > > > > > > > > > > > > So, both X.509 and pkix-new-part1-05 go to great lengths to > > > clearly state that only CAs can issue certificates and that > > > basicConstraints with the cA bit set to true must be present > > > in the certificates where the public key is to be used to > > > verify signatures on certificates. There are no similar > > > statements about CRLs. In fact, both documents are quite > > > clear that the cA bit must not be set when the subject public > > > key can not be used to verify certificates. So, if the > > > subject public key can be used to verify CRLs, but not > > > certificates, the cA bit must not be set. > > > > > > X.509 is also careful not to preclude the public keys of > > > non-CAs from being used to verify signatures on CRLs. For > > > instance, an end entity is defined as "[a] certificate > > > subject that uses its private key for purposes other than > > > signing certificates or an entity that is a relying party." > > > This leaves room for an end entity to use its private key to > > > sign CRLs. > > > > > > > > > So, if PKIX wants to require that the cA bit be set whenever > > > the subject public key can be used to verify CRLs and also > > > wants to maintain consistency with X.509, PKIX would have to > > > require that any certificate authorizing the use of a public > > > key for verifying CRL signatures also authorize the use of > > > that public key for verifying certificate signatures. Since > > > we are in agreement that we do not want to impose such a > > > restriction and that we do want to maintain consistency with > > > X.509, we can not require that the cA bit be set when the > > > subject public key can only be used to verify CRL signatures. > > > > > > Dave > > > > > > > > ------=_NextPart_000_0027_01C0C99F.0638C260 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n = ew-part1-06.txt comments)</TITLE> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D681373220-20042001>Sharon,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D681373220-20042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D681373220-20042001>I=20 actually completely agree with the basic point here. Once I (a CA) = have=20 issued a certificate to an entity, I cannot control anything about how = they will=20 use it. All I can do is try and put hints in for relying parties = to catch=20 it when that entity is doing "un-approved" things.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D681373220-20042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D681373220-20042001>Just=20 to verify the basic answer. X.509 has a set of extensions that the = PKIX=20 group did not adopt for dealing with attribute certificates. = PKI=20 certs use basicContraints, AC certs use basicAttConstraints to control = the "a=20 think that the entity ought to..." type statements. This means = that the=20 arguement here, in the PKIX group, does not have a similar arguement in = the=20 X.509 group.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D681373220-20042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D681373220-20042001>jim</SPAN></FONT></DIV> <BLOCKQUOTE dir=3Dltr=20 style=3D"BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: = 0px; PADDING-LEFT: 5px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen=20 [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Friday, April 20, = 2001=20 12:57 PM<BR><B>To:</B> 'jimsch@exmsft.com';=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: cA flag and CRL issuers (was = Re: Last=20 Call: draft-ietf-pkix-n ew-part1-06.txt comments)<BR><BR></DIV></FONT> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D176595919-20042001>Jim,=20 I forgot one point that might help understand my view on the = basicConstraints=20 extension. I don't believe that any CA can actually prevent another = entity=20 from issuing certificates purely through technical tools such as cert=20 extensions. However, a CA can prevent relying parties from trusting=20 certificates issued by such entities specifically through the business = controls extensions defined in the standards. </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D176595919-20042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D176595919-20042001>Cheers,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D176595919-20042001>Sharon</SPAN></FONT></DIV> <DIV><SPAN class=3D176595919-20042001></SPAN><FONT face=3DTahoma><FONT = size=3D2><SPAN class=3D176595919-20042001><FONT color=3D#0000ff=20 face=3DArial> </FONT></SPAN></FONT></FONT></DIV> <DIV><FONT face=3DTahoma><FONT size=3D2><SPAN=20 class=3D176595919-20042001> </SPAN>-----Original=20 Message-----<BR><B>From:</B> Sharon Boeyen=20 [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Friday, April 20, = 2001 3:05=20 PM<BR><B>To:</B> 'jimsch@exmsft.com'; Sharon Boeyen;=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: cA flag and CRL issuers (was = Re: Last=20 Call: draft-ietf-pkix-n ew-part1-06.txt = comments)<BR><BR></DIV></FONT></FONT> <BLOCKQUOTE dir=3Dltr=20 style=3D"BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; = MARGIN-RIGHT: 0px; PADDING-LEFT: 5px"> <DIV><SPAN class=3D934173718-20042001><FONT color=3D#0000ff = face=3DArial=20 size=3D2>The point that I think is a bit different is the use of the = CA bit in=20 basic constraints. This is one of many 'business controls' that a CA = can put=20 into a certificate that it issues to another CA to restrict the set = of paths=20 (including that certificate) that can be successfully validated. In = my mind=20 this extension exists so that a relying party can know whether the=20 certificate they are processing is one that certifies a key that can = be used=20 to verify the signature of the next cert in the path. Full stop. It = isn't an=20 'authorization' of any entity to issue certificates but a signal to = the=20 relying party that the certified key can be used for verifying the = next=20 signature. The pathLengthConstraint component of that extension, = along with=20 all the other business control extensions (policy stuff, name = constraints=20 etc) further retrict a relying party with respect to the = certification paths=20 (and contained certificates) that can be successfully validated = using the=20 certificate that contains the extensions. Each issuer has the = ability to=20 place such restrictions and the complete validation of the path = depends, in=20 part on those constraints. </FONT></SPAN></DIV> <DIV><SPAN class=3D934173718-20042001></SPAN> </DIV> <DIV><SPAN class=3D934173718-20042001><FONT color=3D#0000ff = face=3DArial=20 size=3D2>When we look at the two basic trust models (hierarchical = and=20 distributed), then this does get muddled somewhat, because in a = hierarchy=20 there is sort of a sense of 'authorization' of subordinate CAs. The = same is=20 not true in a distributed trust model. A CA is any entity that = issues=20 public-key certificates regardless of whether some other CA happens = to have=20 issued it a certificate containing the basic constraints extension = with the=20 CA bit set to true. The extension really only matters when one tries = to=20 validate a certification path and needs to be sure that the issuer = of a=20 particular certificate 'trusts' certificates signed with the key=20 corresponding to that certified in the current certificate.=20 </FONT></SPAN></DIV> <DIV><SPAN class=3D934173718-20042001><FONT color=3D#0000ff = face=3DArial=20 size=3D2></FONT></SPAN> </DIV> <DIV><SPAN class=3D934173718-20042001><FONT color=3D#0000ff = face=3DArial=20 size=3D2>Consider the above 2 paragraphs my personal opinion on=20 basicConstraints. </FONT></SPAN></DIV> <DIV><SPAN class=3D934173718-20042001><FONT color=3D#0000ff = face=3DArial=20 size=3D2></FONT></SPAN> </DIV> <DIV><SPAN class=3D934173718-20042001><FONT color=3D#0000ff = face=3DArial size=3D2>As=20 for attribute certificates and attribute authorities, in some = environments=20 there is absolutely no need to tie the PMI to the PKI. The verifiers = may=20 import one or more trust anchors for SOAs, similar to how they do = today for=20 PKI trust anchors. However, in other environments, there was a = requirement=20 to have a single trust anchor and be able to validate both public = key and=20 attribute certificates. For this reason, X.509 added the=20 sOAIdentifier extension. Its syntax is NULL. Its only purpose = in life=20 is to support this requirement of binding a PMI to a PKI. As = for the=20 attribute certificate 'equivalent' of a certification path, this is = a=20 delegation path. There are completely different extensions defined = to ensure=20 that a delegationPath is valid (although you will recognize = similarities).=20 basicAttConstraints inidicates whether or not the assigned privilege = can be=20 further delegated by the subject of the containing certificate. = 'Business=20 controls' extensions include delegatedNameConstraints,=20 acceptableCertPolicies, authorityAttributeIdentifier (to ensure that = the=20 delegating authority actually holds sufficicient privilege to = delegate it)=20 etc). Don't try to shoehorn the PKI extensions into the PMI model. = The only=20 real overlap is that we reused the basic CRL structure. = </FONT></SPAN></DIV> <DIV><SPAN class=3D934173718-20042001><FONT color=3D#0000ff = face=3DArial=20 size=3D2></FONT></SPAN> </DIV> <DIV><SPAN class=3D934173718-20042001><FONT color=3D#0000ff = face=3DArial=20 size=3D2>Hope that helps and doesn't confuse the issues further=20 :-)</FONT></SPAN></DIV> <DIV><SPAN class=3D934173718-20042001><FONT color=3D#0000ff = face=3DArial=20 size=3D2></FONT></SPAN> </DIV> <DIV><SPAN class=3D934173718-20042001><FONT color=3D#0000ff = face=3DArial=20 size=3D2>Sharon</FONT></SPAN></DIV> <DIV><SPAN class=3D934173718-20042001></SPAN><FONT = face=3DTahoma><FONT=20 size=3D2><SPAN class=3D934173718-20042001><FONT color=3D#0000ff=20 face=3DArial></FONT></SPAN></FONT></FONT> </DIV> <DIV><FONT face=3DTahoma><FONT size=3D2><SPAN=20 class=3D934173718-20042001> </SPAN>-----Original=20 Message-----<BR><B>From:</B> Jim Schaad=20 [mailto:jimsch5@home.com]<BR><B>Sent:</B> Friday, April 20, 2001 = 2:08=20 PM<BR><B>To:</B> 'Sharon Boeyen'; = ietf-pkix@imc.org<BR><B>Subject:</B> RE:=20 cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n=20 ew-part1-06.txt comments)<BR><BR></DIV></FONT></FONT> <BLOCKQUOTE dir=3Dltr=20 style=3D"BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; = MARGIN-RIGHT: 0px; PADDING-LEFT: 5px"> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D128290618-20042001>Sharon,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D128290618-20042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D128290618-20042001>Much of this question arose from how to = deal with=20 AC "authorities". I don't have access at the moment to the = X.=20 version of the AC draft (yes I know I can now get it), but do you = believe=20 that AC issuers and "revokers" need to be authorities in that the = CA bit=20 should be set for them?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D128290618-20042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D128290618-20042001>jim</SPAN></FONT></DIV> <BLOCKQUOTE=20 style=3D"BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; = MARGIN-RIGHT: 0px; PADDING-LEFT: 5px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Sharon = Boeyen=20 [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Friday, April = 20,=20 2001 9:57 AM<BR><B>To:</B> 'David A. Cooper';=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: cA flag and CRL issuers = (was=20 Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt=20 comments)<BR><BR></DIV></FONT> <P><FONT size=3D2>Just to be clear, lets not confuse what I may = happen to=20 want as </FONT><BR><FONT size=3D2>an individual contributor to = PKIX or any=20 other list, with what </FONT><BR><FONT size=3D2>I state as 509 = editor=20 (they're not necessarily always the same :-)</FONT> </P> <P><FONT size=3D2>My comments were purely from the editor's = perspective=20 and yes, </FONT><BR><FONT size=3D2>the current 509 text is quite = clear=20 that the CA that issues a </FONT><BR><FONT size=3D2>certificate = is=20 responsible for stating whether or not that certificate</FONT> = <BR><FONT=20 size=3D2>can be revoked, and if so, what mechanism is used to = inform=20 </FONT><BR><FONT size=3D2>relying parties. If that mechanism is = CRLs,=20 these are issued by </FONT><BR><FONT size=3D2>the certificate = issuer or by=20 another authority delegated that </FONT><BR><FONT size=3D2>task = by the=20 certificate issuer (that doesn't necessarily mean that = </FONT><BR><FONT=20 size=3D2>509 requires a cert to be issued to that authority, nor = that the=20 cert </FONT><BR><FONT size=3D2>contain the basic constraints = extension=20 though, that is the job of </FONT><BR><FONT size=3D2>profile = groups to=20 determine and incidentally I don't believe they'll = </FONT><BR><FONT=20 size=3D2>all adopt the same solution so I would want 509 to = remain=20 flexible). </FONT></P> <P><FONT size=3D2>My own personal view is that industry has = moved to a=20 point where there </FONT><BR><FONT size=3D2>probably isn't any = real=20 requirement for a CRL issuer to also be a cert</FONT> <BR><FONT=20 size=3D2>issuer as long as that CRL issuer is delegated that=20 responsibility </FONT><BR><FONT size=3D2>by the cert issuer and = there is a=20 cryptographic way to ensure that </FONT><BR><FONT = size=3D2>binding for=20 relying parties. To achieve that, I believe some changes=20 </FONT><BR><FONT size=3D2>are required in 509. </FONT></P> <P><FONT size=3D2>On the separate keys for cert and CRL signing = (by the=20 same authority), my </FONT><BR><FONT size=3D2>personal opinion = is that=20 anything you read into 509 text on that specific = </FONT><BR><FONT=20 size=3D2>topic would be accidental as I don't recall any = specific=20 discussion on it. </FONT><BR><FONT size=3D2>However, since that = is a real=20 world requirement, I would want to be sure </FONT><BR><FONT = size=3D2>that=20 509 did not prohibit it.</FONT> </P> <P><FONT size=3D2>Hope that clarifies where my comments are = coming from=20 :-) </FONT><BR><FONT size=3D2> </FONT></P> <P><FONT size=3D2>> -----Original Message-----</FONT> = <BR><FONT=20 size=3D2>> From: David A. Cooper [<A=20 = href=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</= FONT>=20 <BR><FONT size=3D2>> Sent: Friday, April 20, 2001 11:44 = AM</FONT>=20 <BR><FONT size=3D2>> To: ietf-pkix@imc.org</FONT> <BR><FONT = size=3D2>>=20 Subject: RE: cA flag and CRL issuers (was Re: Last Call:</FONT>=20 <BR><FONT size=3D2>> draft-ietf-pkix-n ew-part1-06.txt = comments)</FONT>=20 <BR><FONT size=3D2>> </FONT><BR><FONT size=3D2>> = </FONT><BR><FONT=20 size=3D2>> Sharon,</FONT> <BR><FONT size=3D2>> = </FONT><BR><FONT=20 size=3D2>> Are you suggesting that in order for an entity to = issue CRLs=20 </FONT><BR><FONT size=3D2>> on behalf of a certificate = issuer, that CRL=20 issuer would need </FONT><BR><FONT size=3D2>> to issue = certificates as=20 well (so that it can qualify as an </FONT><BR><FONT = size=3D2>>=20 authority)? I don't think there should be such a = </FONT><BR><FONT=20 size=3D2>> requirement, but even if there were it wouldn't = settle the=20 issue.</FONT> <BR><FONT size=3D2>> </FONT><BR><FONT = size=3D2>> Even if=20 only authorities can issue CRLs, there is nothing to = </FONT><BR><FONT=20 size=3D2>> prevent that authority from using different keys = to sign=20 </FONT><BR><FONT size=3D2>> certificates and CRLs. = X.509 states=20 that "[t]he cA component </FONT><BR><FONT size=3D2>> = indicates if the=20 certified public key may be used to verify </FONT><BR><FONT = size=3D2>>=20 certificate signatures." So, the proper value of the cA = bit=20 </FONT><BR><FONT size=3D2>> is determined by the allowable = uses of the=20 subject public </FONT><BR><FONT size=3D2>> key, not by the = type of=20 entity the subject is. So, even if </FONT><BR><FONT = size=3D2>>=20 the certificate subject is a CA, and issues certificates=20 </FONT><BR><FONT size=3D2>> under some key, the cA bit should = not be=20 set unless the </FONT><BR><FONT size=3D2>> particular subject = public=20 key in the certificate can be used </FONT><BR><FONT = size=3D2>> to=20 verify certificate signatures. If an authority is the = </FONT><BR><FONT=20 size=3D2>> subject of a certificate and the particular public = key of=20 </FONT><BR><FONT size=3D2>> that authority that is being = certified is=20 only to be used to </FONT><BR><FONT size=3D2>> verify = signatures on=20 CRLs, then the cA bit should not be set.</FONT> <BR><FONT = size=3D2>>=20 </FONT><BR><FONT size=3D2>> Dave</FONT> <BR><FONT = size=3D2>>=20 </FONT><BR><FONT size=3D2>> At 10:48 AM 4/20/01 -0400, Sharon = Boeyen=20 wrote:</FONT> <BR><FONT size=3D2>> </FONT><BR><FONT = size=3D2>>=20 >David, sorry but I disagree with your assertions about = X.509's=20 </FONT><BR><FONT size=3D2>> >position on this issue. = Either by=20 design or by accident, </FONT><BR><FONT size=3D2>> X.509 = requires that=20 if CRLs are being issued, they are issued </FONT><BR><FONT = size=3D2>>=20 by an 'authority'. Remember that the definition of = </FONT><BR><FONT=20 size=3D2>> "authority" is "An entity responsible = </FONT><BR><FONT=20 size=3D2>> ></FONT> <BR><FONT size=3D2>> >for the = issuance of=20 certificates". Much of the text in X.509 </FONT><BR><FONT = size=3D2>>=20 predates OCSP or the concept of a validation authority, but I=20 </FONT><BR><FONT size=3D2>> do know that the quotes below are = new text=20 added within the </FONT><BR><FONT size=3D2>> past couple of = years with=20 the intent of clarifying the role </FONT><BR><FONT size=3D2>> = of CAs=20 with respect to CRLs.</FONT> <BR><FONT size=3D2>> ></FONT> = <BR><FONT=20 size=3D2>> >Clause 7.3 says: </FONT><BR><FONT = size=3D2>>=20 ></FONT> <BR><FONT size=3D2>> >"An authority that = issues=20 certificates is required to state, </FONT><BR><FONT = size=3D2>> possibly=20 through a published statement of their practices, = </FONT><BR><FONT=20 size=3D2>> through the certificates themselves, or through = some other=20 </FONT><BR><FONT size=3D2>> identified means, whether:</FONT> = <BR><FONT=20 size=3D2>> ></FONT> <BR><FONT size=3D2>>=20 >- The certificates = cannot be=20 revoked; or </FONT><BR><FONT size=3D2>>=20 >- The certificates may = be=20 revoked by the same </FONT><BR><FONT size=3D2>> = certificate-issuing=20 authority directly; or </FONT><BR><FONT size=3D2>>=20 >- The = certificate-issuing=20 authority authorizes a </FONT><BR><FONT size=3D2>> different = authority=20 to perform revocation." </FONT><BR><FONT size=3D2>> = ></FONT>=20 <BR><FONT size=3D2>> >further down in the same clause is = the text:=20 </FONT><BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>> >"=20 </FONT><BR><FONT size=3D2>> >An authority that issues and=20 subsequently revokes certificates: </FONT><BR><FONT = size=3D2>>=20 >a) may be required to maintain = an=20 audit record of its </FONT><BR><FONT size=3D2>> revocation = events for=20 all certificate types issued by that </FONT><BR><FONT = size=3D2>>=20 authority (e.g. public-key certificates, attribute = </FONT><BR><FONT=20 size=3D2>> certificates issued to end-entities as well as = other=20 authorities);</FONT> <BR><FONT size=3D2>> ></FONT> = <BR><FONT=20 size=3D2>> >b) shall provide = revocation status information to </FONT><BR><FONT size=3D2>> = relying=20 parties using CRLs, on-line certificate status </FONT><BR><FONT=20 size=3D2>> protocol or some other mechanism for the = publication of=20 </FONT><BR><FONT size=3D2>> revocation status = information;</FONT>=20 <BR><FONT size=3D2>> ></FONT> <BR><FONT size=3D2>>=20 >c) if using CRLs, shall = maintain and=20 publish CRLs even </FONT><BR><FONT size=3D2>> if the lists of = revoked=20 certificates are empty." </FONT><BR><FONT size=3D2>> = ></FONT>=20 <BR><FONT size=3D2>> >The quotes that you included in your = message=20 tie in with </FONT><BR><FONT size=3D2>> this base text, since = the=20 authority that issued the </FONT><BR><FONT size=3D2>> = certificates has=20 these responsibilities around revocation, </FONT><BR><FONT = size=3D2>>=20 there was no need for X.509 to state anything specific to CRL=20 </FONT><BR><FONT size=3D2>> issuance. In the indirect CRL = case, this=20 was envisioned to be </FONT><BR><FONT size=3D2>> another CA = or AA, that=20 combined revocation notices from </FONT><BR><FONT size=3D2>> = several=20 CAs/AAs. </FONT><BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>>=20 >Having said that (with my X.509 editor's hat on), if there=20 </FONT><BR><FONT size=3D2>> is a requirement to have entities = that are=20 not CAs or AAs be </FONT><BR><FONT size=3D2>> authorized to = issue CRLs=20 on behalf of the certificate issuer </FONT><BR><FONT = size=3D2>>=20 (because remember that a CRL is an indication that a = </FONT><BR><FONT=20 size=3D2>> certificate is no longer considered valid "by its=20 </FONT><BR><FONT size=3D2>> issuer")changes to X.509 would be = needed.=20 I'm not necessarily </FONT><BR><FONT size=3D2>> opposed to = such=20 changes, I'm just clarifying, in this </FONT><BR><FONT = size=3D2>>=20 message, that they would be needed in order for such = </FONT><BR><FONT=20 size=3D2>> implementations to be conformant. This, as usual = could be=20 </FONT><BR><FONT size=3D2>> done through the enhancements = work or could=20 be proposed </FONT><BR><FONT size=3D2>> through the defect = process. One=20 way to enable that kind of </FONT><BR><FONT size=3D2>> change = might be=20 to redefine authority and to talk about 3 </FONT><BR><FONT = size=3D2>>=20 types rather than two. However, it would take some careful=20 </FONT><BR><FONT size=3D2>> review to ensure that the set of = changes=20 was thorough and complete.</FONT> <BR><FONT size=3D2>> = ></FONT>=20 <BR><FONT size=3D2>> >Sharon </FONT><BR><FONT = size=3D2>>=20 ></FONT> <BR><FONT size=3D2>> > > -----Original = Message-----=20 </FONT><BR><FONT size=3D2>> > > From: David A. Cooper=20 </FONT><BR><FONT size=3D2>> [<<A=20 = href=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>>= ;<A=20 = href=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]=20 </FONT><BR><FONT size=3D2>> > > Sent: Thursday, April = 19, 2001=20 5:08 PM </FONT><BR><FONT size=3D2>> > > To: = ietf-pkix@imc.org=20 </FONT><BR><FONT size=3D2>> > > Subject: cA flag and = CRL issuers=20 (was Re: Last Call: </FONT><BR><FONT size=3D2>> > >=20 draft-ietf-pkix-new-part1-06.txt comments) </FONT><BR><FONT = size=3D2>>=20 > > </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT=20 size=3D2>> > > At 07:17 PM 4/18/01 -0400, Stephen Kent = wrote:=20 </FONT><BR><FONT size=3D2>> > > >Dave Cooper, = </FONT><BR><FONT=20 size=3D2>> > > > </FONT><BR><FONT size=3D2>> > = >=20 >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote:=20 </FONT><BR><FONT size=3D2>> > > >>I see no basis = in X.509=20 for setting the cA flag in </FONT><BR><FONT size=3D2>> > = >=20 basicConstraints for certificate subjects that can issue CRLs=20 </FONT><BR><FONT size=3D2>> > > but not certificates. = The current=20 discussion about how to </FONT><BR><FONT size=3D2>> > > = deal with=20 CRLs for attribute certificates vs. public key </FONT><BR><FONT=20 size=3D2>> > > certificates just further goes to show = that it was=20 a mistake </FONT><BR><FONT size=3D2>> > > to suddenly = change the=20 rules at the last IETF meeting. </FONT><BR><FONT size=3D2>> = > >=20 > </FONT><BR><FONT size=3D2>> > > >We disagree on = this=20 point. Nowhere in X.509 or in previous </FONT><BR><FONT = size=3D2>> >=20 > PKIX documents has there ever been text to suggest that = other=20 </FONT><BR><FONT size=3D2>> > > than a CA can sign a = CRL for a=20 public key certificate. So, </FONT><BR><FONT size=3D2>> > = > the=20 rules were not changed at the last meeting, they were = </FONT><BR><FONT=20 size=3D2>> > > reasserted and clarified. = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = Steve,=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> >=20 > You may say that X.509 and PKIX do not suggest that = entities=20 </FONT><BR><FONT size=3D2>> > > other than CAs can sign = CRLs.=20 However, I think we all agree </FONT><BR><FONT size=3D2>> = > >=20 that both X.509 and PKIX allow for a CRL to be signed with a=20 </FONT><BR><FONT size=3D2>> > > different key than the = key used=20 to sign the certificates that </FONT><BR><FONT size=3D2>> = > > are=20 covered by that CRL. This may be a result of the CA that=20 </FONT><BR><FONT size=3D2>> > > issued the certificates = signing=20 the corresponding CRLs with a </FONT><BR><FONT size=3D2>> = > >=20 different key or the CA that issued the certificates = </FONT><BR><FONT=20 size=3D2>> > > delegating the CRL issuing to another = entity (via=20 the </FONT><BR><FONT size=3D2>> > > distribution points = extension). There is no requirement that </FONT><BR><FONT = size=3D2>>=20 > > the key used to sign the CRL also be used to sign=20 </FONT><BR><FONT size=3D2>> > > certificates. So, I = think we=20 agree that there will be times </FONT><BR><FONT size=3D2>> = > >=20 where we will be issuing certificates to entities (whether=20 </FONT><BR><FONT size=3D2>> > > those entities are CAs = or not)=20 where the intent is to specify </FONT><BR><FONT size=3D2>> = > >=20 that the public keys in the certificates may be used to = </FONT><BR><FONT=20 size=3D2>> > > verify signatures on CRLs but not on = certificates.=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> >=20 > The only place we seem to disagree is on the contents of = the=20 </FONT><BR><FONT size=3D2>> > > certificates issued in = such=20 circumstances. In particular, </FONT><BR><FONT size=3D2>> = > >=20 should the certificates contain a basicConstraints extension=20 </FONT><BR><FONT size=3D2>> > > with the cA bit set? On = this=20 point, both X.509 and the </FONT><BR><FONT size=3D2>> > = >=20 previous PKIX documents are quite clear that the cA bit = </FONT><BR><FONT=20 size=3D2>> > > should not be set. Why? Because a CA is = defined as=20 an entity </FONT><BR><FONT size=3D2>> > > that issues = public-key=20 certificates and both documents </FONT><BR><FONT size=3D2>> = > >=20 similarly state that the cA bit is used to specify whether=20 </FONT><BR><FONT size=3D2>> > > the certificate subject = can issue=20 certificates. There is no </FONT><BR><FONT size=3D2>> > = > similar=20 connection made between being a CA and issuing CRLs. = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT size=3D2>> > > The following are some = quotes=20 from X.509 and pkix-new-part1-05: </FONT><BR><FONT size=3D2>> = > >=20 </FONT><BR><FONT size=3D2>> > > In X.509 a CA is = defined as "[a]n=20 authority trusted by one or </FONT><BR><FONT size=3D2>> > = > more=20 users to create and assign public-key certificates." = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = Section 7=20 of X.509 states that "[a] CA-certificate is a </FONT><BR><FONT=20 size=3D2>> > > certificate issued by a CA to a subject = that is=20 itself a CA </FONT><BR><FONT size=3D2>> > > and = therefore is=20 capable of issuing public-key certificates." </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT size=3D2>> > > The description of = basic=20 constraints in X.509 further </FONT><BR><FONT size=3D2>> > = >=20 supports the idea that the cA bit is used to specify = </FONT><BR><FONT=20 size=3D2>> > > certificate issuing, not certificate = and/or CRL=20 issuing: </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT=20 size=3D2>> > > "This field indicates if the subject may = act as a=20 CA, with </FONT><BR><FONT size=3D2>> > > the certified = public key=20 being used to verify certificate </FONT><BR><FONT size=3D2>> = > >=20 signatures. ... The cA component indicates if the certified=20 </FONT><BR><FONT size=3D2>> > > public key may be used = to verify=20 certificate signatures. ... if </FONT><BR><FONT size=3D2>> = > >=20 the value of cA is not set to true then the certified public=20 </FONT><BR><FONT size=3D2>> > > key shall not be used = to verify a=20 certificate signature" </FONT><BR><FONT size=3D2>> > >=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> >=20 > pkix-new-part1-05 states something similar: = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = "The cA bit=20 indicates if the certified public key may be used = </FONT><BR><FONT=20 size=3D2>> > > to verify signatures on other = certificates. If the=20 cA bit is </FONT><BR><FONT size=3D2>> > > asserted, = then the=20 keyCertSign bit in the key usage extension </FONT><BR><FONT = size=3D2>>=20 > > (see 4.2.1.3) MUST also be asserted. If the cA bit is = not=20 </FONT><BR><FONT size=3D2>> > > asserted, then the = keyCertSign=20 bit in the key usage extension </FONT><BR><FONT size=3D2>> = > >=20 MUST NOT be asserted." </FONT><BR><FONT size=3D2>> > >=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> >=20 > The description of the key usage bits are consistent with=20 </FONT><BR><FONT size=3D2>> > > this as well. = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = X.509:=20 </FONT><BR><FONT size=3D2>> > > "The bit keyCertSign is = for use=20 in CA-certificates only. If </FONT><BR><FONT size=3D2>> > = >=20 KeyUsage is set to keyCertSign and the basic constraints=20 </FONT><BR><FONT size=3D2>> > > extension is present in = the same=20 certificate, the value of </FONT><BR><FONT size=3D2>> > = > the cA=20 component of that extension shall be set to TRUE." = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = pkix-new-part1-05: </FONT><BR><FONT size=3D2>> > > "The = keyCertSign bit is asserted when the subject public key = </FONT><BR><FONT=20 size=3D2>> > > is used for verifying a signature on=20 certificates. This bit </FONT><BR><FONT size=3D2>> > = > may=20 only be asserted in CA certificates. If the keyCertSign=20 </FONT><BR><FONT size=3D2>> > > bit is asserted, then = the cA bit=20 in the basic constraints </FONT><BR><FONT size=3D2>> > = >=20 extension (see 4.2.1.10) MUST also be asserted. If the = </FONT><BR><FONT=20 size=3D2>> > > keyCertSign bit is not asserted, then = the cA bit=20 in the basic </FONT><BR><FONT size=3D2>> > > = constraints=20 extension MUST NOT be asserted. </FONT><BR><FONT size=3D2>> = > >=20 </FONT><BR><FONT size=3D2>> > > The cRLSign bit is = asserted when=20 the subject public key is </FONT><BR><FONT size=3D2>> > = > used=20 for verifying a signature on revocation information = </FONT><BR><FONT=20 size=3D2>> > > (e.g., a CRL)." </FONT><BR><FONT = size=3D2>> >=20 > </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>>=20 > > </FONT><BR><FONT size=3D2>> > > So, both = X.509 and=20 pkix-new-part1-05 go to great lengths to </FONT><BR><FONT = size=3D2>>=20 > > clearly state that only CAs can issue certificates and = that=20 </FONT><BR><FONT size=3D2>> > > basicConstraints with = the cA bit=20 set to true must be present </FONT><BR><FONT size=3D2>> > = > in=20 the certificates where the public key is to be used to = </FONT><BR><FONT=20 size=3D2>> > > verify signatures on certificates. There = are no=20 similar </FONT><BR><FONT size=3D2>> > > statements = about CRLs. In=20 fact, both documents are quite </FONT><BR><FONT size=3D2>> = > >=20 clear that the cA bit must not be set when the subject public=20 </FONT><BR><FONT size=3D2>> > > key can not be used to = verify=20 certificates. So, if the </FONT><BR><FONT size=3D2>> > = > subject=20 public key can be used to verify CRLs, but not </FONT><BR><FONT=20 size=3D2>> > > certificates, the cA bit must not be = set.=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> >=20 > X.509 is also careful not to preclude the public keys of=20 </FONT><BR><FONT size=3D2>> > > non-CAs from being used = to verify=20 signatures on CRLs. For </FONT><BR><FONT size=3D2>> > > = instance,=20 an end entity is defined as "[a] certificate </FONT><BR><FONT=20 size=3D2>> > > subject that uses its private key for = purposes=20 other than </FONT><BR><FONT size=3D2>> > > signing = certificates=20 or an entity that is a relying party." </FONT><BR><FONT = size=3D2>> >=20 > This leaves room for an end entity to use its private key = to=20 </FONT><BR><FONT size=3D2>> > > sign CRLs. = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT size=3D2>> > > So, if PKIX wants to = require that=20 the cA bit be set whenever </FONT><BR><FONT size=3D2>> > = > the=20 subject public key can be used to verify CRLs and also = </FONT><BR><FONT=20 size=3D2>> > > wants to maintain consistency with = X.509, PKIX=20 would have to </FONT><BR><FONT size=3D2>> > > require = that any=20 certificate authorizing the use of a public </FONT><BR><FONT = size=3D2>>=20 > > key for verifying CRL signatures also authorize the = use of=20 </FONT><BR><FONT size=3D2>> > > that public key for = verifying=20 certificate signatures. Since </FONT><BR><FONT size=3D2>> = > > we=20 are in agreement that we do not want to impose such a = </FONT><BR><FONT=20 size=3D2>> > > restriction and that we do want to = maintain=20 consistency with </FONT><BR><FONT size=3D2>> > > X.509, = we can=20 not require that the cA bit be set when the </FONT><BR><FONT = size=3D2>>=20 > > subject public key can only be used to verify CRL = signatures.=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> >=20 > Dave </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> = </FONT><BR><FONT=20 size=3D2>>=20 </FONT></P></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></H= TML> ------=_NextPart_000_0027_01C0C99F.0638C260-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA05031 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 13:02:56 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JJPVTDA2>; Fri, 20 Apr 2001 16:02:27 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FB7@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'jimsch@exmsft.com'" <jimsch@exmsft.com>, ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Date: Fri, 20 Apr 2001 15:57:00 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C9D4.0FD1C7B0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C9D4.0FD1C7B0 Content-Type: text/plain; charset="iso-8859-1" Jim, I forgot one point that might help understand my view on the basicConstraints extension. I don't believe that any CA can actually prevent another entity from issuing certificates purely through technical tools such as cert extensions. However, a CA can prevent relying parties from trusting certificates issued by such entities specifically through the business controls extensions defined in the standards. Cheers, Sharon -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Friday, April 20, 2001 3:05 PM To: 'jimsch@exmsft.com'; Sharon Boeyen; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) The point that I think is a bit different is the use of the CA bit in basic constraints. This is one of many 'business controls' that a CA can put into a certificate that it issues to another CA to restrict the set of paths (including that certificate) that can be successfully validated. In my mind this extension exists so that a relying party can know whether the certificate they are processing is one that certifies a key that can be used to verify the signature of the next cert in the path. Full stop. It isn't an 'authorization' of any entity to issue certificates but a signal to the relying party that the certified key can be used for verifying the next signature. The pathLengthConstraint component of that extension, along with all the other business control extensions (policy stuff, name constraints etc) further retrict a relying party with respect to the certification paths (and contained certificates) that can be successfully validated using the certificate that contains the extensions. Each issuer has the ability to place such restrictions and the complete validation of the path depends, in part on those constraints. When we look at the two basic trust models (hierarchical and distributed), then this does get muddled somewhat, because in a hierarchy there is sort of a sense of 'authorization' of subordinate CAs. The same is not true in a distributed trust model. A CA is any entity that issues public-key certificates regardless of whether some other CA happens to have issued it a certificate containing the basic constraints extension with the CA bit set to true. The extension really only matters when one tries to validate a certification path and needs to be sure that the issuer of a particular certificate 'trusts' certificates signed with the key corresponding to that certified in the current certificate. Consider the above 2 paragraphs my personal opinion on basicConstraints. As for attribute certificates and attribute authorities, in some environments there is absolutely no need to tie the PMI to the PKI. The verifiers may import one or more trust anchors for SOAs, similar to how they do today for PKI trust anchors. However, in other environments, there was a requirement to have a single trust anchor and be able to validate both public key and attribute certificates. For this reason, X.509 added the sOAIdentifier extension. Its syntax is NULL. Its only purpose in life is to support this requirement of binding a PMI to a PKI. As for the attribute certificate 'equivalent' of a certification path, this is a delegation path. There are completely different extensions defined to ensure that a delegationPath is valid (although you will recognize similarities). basicAttConstraints inidicates whether or not the assigned privilege can be further delegated by the subject of the containing certificate. 'Business controls' extensions include delegatedNameConstraints, acceptableCertPolicies, authorityAttributeIdentifier (to ensure that the delegating authority actually holds sufficicient privilege to delegate it) etc). Don't try to shoehorn the PKI extensions into the PMI model. The only real overlap is that we reused the basic CRL structure. Hope that helps and doesn't confuse the issues further :-) Sharon -----Original Message----- From: Jim Schaad [mailto:jimsch5@home.com] Sent: Friday, April 20, 2001 2:08 PM To: 'Sharon Boeyen'; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Sharon, Much of this question arose from how to deal with AC "authorities". I don't have access at the moment to the X. version of the AC draft (yes I know I can now get it), but do you believe that AC issuers and "revokers" need to be authorities in that the CA bit should be set for them? jim -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Friday, April 20, 2001 9:57 AM To: 'David A. Cooper'; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Just to be clear, lets not confuse what I may happen to want as an individual contributor to PKIX or any other list, with what I state as 509 editor (they're not necessarily always the same :-) My comments were purely from the editor's perspective and yes, the current 509 text is quite clear that the CA that issues a certificate is responsible for stating whether or not that certificate can be revoked, and if so, what mechanism is used to inform relying parties. If that mechanism is CRLs, these are issued by the certificate issuer or by another authority delegated that task by the certificate issuer (that doesn't necessarily mean that 509 requires a cert to be issued to that authority, nor that the cert contain the basic constraints extension though, that is the job of profile groups to determine and incidentally I don't believe they'll all adopt the same solution so I would want 509 to remain flexible). My own personal view is that industry has moved to a point where there probably isn't any real requirement for a CRL issuer to also be a cert issuer as long as that CRL issuer is delegated that responsibility by the cert issuer and there is a cryptographic way to ensure that binding for relying parties. To achieve that, I believe some changes are required in 509. On the separate keys for cert and CRL signing (by the same authority), my personal opinion is that anything you read into 509 text on that specific topic would be accidental as I don't recall any specific discussion on it. However, since that is a real world requirement, I would want to be sure that 509 did not prohibit it. Hope that clarifies where my comments are coming from :-) > -----Original Message----- > From: David A. Cooper [ mailto:david.cooper@nist.gov <mailto:david.cooper@nist.gov> ] > Sent: Friday, April 20, 2001 11:44 AM > To: ietf-pkix@imc.org > Subject: RE: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix-n ew-part1-06.txt comments) > > > Sharon, > > Are you suggesting that in order for an entity to issue CRLs > on behalf of a certificate issuer, that CRL issuer would need > to issue certificates as well (so that it can qualify as an > authority)? I don't think there should be such a > requirement, but even if there were it wouldn't settle the issue. > > Even if only authorities can issue CRLs, there is nothing to > prevent that authority from using different keys to sign > certificates and CRLs. X.509 states that "[t]he cA component > indicates if the certified public key may be used to verify > certificate signatures." So, the proper value of the cA bit > is determined by the allowable uses of the subject public > key, not by the type of entity the subject is. So, even if > the certificate subject is a CA, and issues certificates > under some key, the cA bit should not be set unless the > particular subject public key in the certificate can be used > to verify certificate signatures. If an authority is the > subject of a certificate and the particular public key of > that authority that is being certified is only to be used to > verify signatures on CRLs, then the cA bit should not be set. > > Dave > > At 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote: > > >David, sorry but I disagree with your assertions about X.509's > >position on this issue. Either by design or by accident, > X.509 requires that if CRLs are being issued, they are issued > by an 'authority'. Remember that the definition of > "authority" is "An entity responsible > > > >for the issuance of certificates". Much of the text in X.509 > predates OCSP or the concept of a validation authority, but I > do know that the quotes below are new text added within the > past couple of years with the intent of clarifying the role > of CAs with respect to CRLs. > > > >Clause 7.3 says: > > > >"An authority that issues certificates is required to state, > possibly through a published statement of their practices, > through the certificates themselves, or through some other > identified means, whether: > > > >- The certificates cannot be revoked; or > >- The certificates may be revoked by the same > certificate-issuing authority directly; or > >- The certificate-issuing authority authorizes a > different authority to perform revocation." > > > >further down in the same clause is the text: > > > >" > >An authority that issues and subsequently revokes certificates: > >a) may be required to maintain an audit record of its > revocation events for all certificate types issued by that > authority (e.g. public-key certificates, attribute > certificates issued to end-entities as well as other authorities); > > > >b) shall provide revocation status information to > relying parties using CRLs, on-line certificate status > protocol or some other mechanism for the publication of > revocation status information; > > > >c) if using CRLs, shall maintain and publish CRLs even > if the lists of revoked certificates are empty." > > > >The quotes that you included in your message tie in with > this base text, since the authority that issued the > certificates has these responsibilities around revocation, > there was no need for X.509 to state anything specific to CRL > issuance. In the indirect CRL case, this was envisioned to be > another CA or AA, that combined revocation notices from > several CAs/AAs. > > > >Having said that (with my X.509 editor's hat on), if there > is a requirement to have entities that are not CAs or AAs be > authorized to issue CRLs on behalf of the certificate issuer > (because remember that a CRL is an indication that a > certificate is no longer considered valid "by its > issuer")changes to X.509 would be needed. I'm not necessarily > opposed to such changes, I'm just clarifying, in this > message, that they would be needed in order for such > implementations to be conformant. This, as usual could be > done through the enhancements work or could be proposed > through the defect process. One way to enable that kind of > change might be to redefine authority and to talk about 3 > types rather than two. However, it would take some careful > review to ensure that the set of changes was thorough and complete. > > > >Sharon > > > > > -----Original Message----- > > > From: David A. Cooper > [< mailto:david.cooper@nist.gov <mailto:david.cooper@nist.gov> > mailto:david.cooper@nist.gov <mailto:david.cooper@nist.gov> ] > > > Sent: Thursday, April 19, 2001 5:08 PM > > > To: ietf-pkix@imc.org > > > Subject: cA flag and CRL issuers (was Re: Last Call: > > > draft-ietf-pkix-new-part1-06.txt comments) > > > > > > > > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: > > > >Dave Cooper, > > > > > > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: > > > >>I see no basis in X.509 for setting the cA flag in > > > basicConstraints for certificate subjects that can issue CRLs > > > but not certificates. The current discussion about how to > > > deal with CRLs for attribute certificates vs. public key > > > certificates just further goes to show that it was a mistake > > > to suddenly change the rules at the last IETF meeting. > > > > > > > >We disagree on this point. Nowhere in X.509 or in previous > > > PKIX documents has there ever been text to suggest that other > > > than a CA can sign a CRL for a public key certificate. So, > > > the rules were not changed at the last meeting, they were > > > reasserted and clarified. > > > > > > Steve, > > > > > > You may say that X.509 and PKIX do not suggest that entities > > > other than CAs can sign CRLs. However, I think we all agree > > > that both X.509 and PKIX allow for a CRL to be signed with a > > > different key than the key used to sign the certificates that > > > are covered by that CRL. This may be a result of the CA that > > > issued the certificates signing the corresponding CRLs with a > > > different key or the CA that issued the certificates > > > delegating the CRL issuing to another entity (via the > > > distribution points extension). There is no requirement that > > > the key used to sign the CRL also be used to sign > > > certificates. So, I think we agree that there will be times > > > where we will be issuing certificates to entities (whether > > > those entities are CAs or not) where the intent is to specify > > > that the public keys in the certificates may be used to > > > verify signatures on CRLs but not on certificates. > > > > > > The only place we seem to disagree is on the contents of the > > > certificates issued in such circumstances. In particular, > > > should the certificates contain a basicConstraints extension > > > with the cA bit set? On this point, both X.509 and the > > > previous PKIX documents are quite clear that the cA bit > > > should not be set. Why? Because a CA is defined as an entity > > > that issues public-key certificates and both documents > > > similarly state that the cA bit is used to specify whether > > > the certificate subject can issue certificates. There is no > > > similar connection made between being a CA and issuing CRLs. > > > > > > > > > The following are some quotes from X.509 and pkix-new-part1-05: > > > > > > In X.509 a CA is defined as "[a]n authority trusted by one or > > > more users to create and assign public-key certificates." > > > > > > Section 7 of X.509 states that "[a] CA-certificate is a > > > certificate issued by a CA to a subject that is itself a CA > > > and therefore is capable of issuing public-key certificates." > > > > > > > > > The description of basic constraints in X.509 further > > > supports the idea that the cA bit is used to specify > > > certificate issuing, not certificate and/or CRL issuing: > > > > > > "This field indicates if the subject may act as a CA, with > > > the certified public key being used to verify certificate > > > signatures. ... The cA component indicates if the certified > > > public key may be used to verify certificate signatures. ... if > > > the value of cA is not set to true then the certified public > > > key shall not be used to verify a certificate signature" > > > > > > > > > pkix-new-part1-05 states something similar: > > > > > > "The cA bit indicates if the certified public key may be used > > > to verify signatures on other certificates. If the cA bit is > > > asserted, then the keyCertSign bit in the key usage extension > > > (see 4.2.1.3) MUST also be asserted. If the cA bit is not > > > asserted, then the keyCertSign bit in the key usage extension > > > MUST NOT be asserted." > > > > > > > > > The description of the key usage bits are consistent with > > > this as well. > > > > > > X.509: > > > "The bit keyCertSign is for use in CA-certificates only. If > > > KeyUsage is set to keyCertSign and the basic constraints > > > extension is present in the same certificate, the value of > > > the cA component of that extension shall be set to TRUE." > > > > > > pkix-new-part1-05: > > > "The keyCertSign bit is asserted when the subject public key > > > is used for verifying a signature on certificates. This bit > > > may only be asserted in CA certificates. If the keyCertSign > > > bit is asserted, then the cA bit in the basic constraints > > > extension (see 4.2.1.10) MUST also be asserted. If the > > > keyCertSign bit is not asserted, then the cA bit in the basic > > > constraints extension MUST NOT be asserted. > > > > > > The cRLSign bit is asserted when the subject public key is > > > used for verifying a signature on revocation information > > > (e.g., a CRL)." > > > > > > > > > > > > So, both X.509 and pkix-new-part1-05 go to great lengths to > > > clearly state that only CAs can issue certificates and that > > > basicConstraints with the cA bit set to true must be present > > > in the certificates where the public key is to be used to > > > verify signatures on certificates. There are no similar > > > statements about CRLs. In fact, both documents are quite > > > clear that the cA bit must not be set when the subject public > > > key can not be used to verify certificates. So, if the > > > subject public key can be used to verify CRLs, but not > > > certificates, the cA bit must not be set. > > > > > > X.509 is also careful not to preclude the public keys of > > > non-CAs from being used to verify signatures on CRLs. For > > > instance, an end entity is defined as "[a] certificate > > > subject that uses its private key for purposes other than > > > signing certificates or an entity that is a relying party." > > > This leaves room for an end entity to use its private key to > > > sign CRLs. > > > > > > > > > So, if PKIX wants to require that the cA bit be set whenever > > > the subject public key can be used to verify CRLs and also > > > wants to maintain consistency with X.509, PKIX would have to > > > require that any certificate authorizing the use of a public > > > key for verifying CRL signatures also authorize the use of > > > that public key for verifying certificate signatures. Since > > > we are in agreement that we do not want to impose such a > > > restriction and that we do want to maintain consistency with > > > X.509, we can not require that the cA bit be set when the > > > subject public key can only be used to verify CRL signatures. > > > > > > Dave > > > > > > > > ------_=_NextPart_001_01C0C9D4.0FD1C7B0 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)</TITLE> <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD> <BODY> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=176595919-20042001>Jim, I forgot one point that might help understand my view on the basicConstraints extension. I don't believe that any CA can actually prevent another entity from issuing certificates purely through technical tools such as cert extensions. However, a CA can prevent relying parties from trusting certificates issued by such entities specifically through the business controls extensions defined in the standards. </SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=176595919-20042001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=176595919-20042001>Cheers,</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=176595919-20042001>Sharon</SPAN></FONT></DIV> <DIV><SPAN class=176595919-20042001></SPAN><FONT face=Tahoma><FONT size=2><SPAN class=176595919-20042001><FONT face=Arial color=#0000ff> </FONT></SPAN></FONT></FONT></DIV> <DIV><FONT face=Tahoma><FONT size=2><SPAN class=176595919-20042001> </SPAN>-----Original Message-----<BR><B>From:</B> Sharon Boeyen [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Friday, April 20, 2001 3:05 PM<BR><B>To:</B> 'jimsch@exmsft.com'; Sharon Boeyen; ietf-pkix@imc.org<BR><B>Subject:</B> RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)<BR><BR></DIV></FONT></FONT> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>The point that I think is a bit different is the use of the CA bit in basic constraints. This is one of many 'business controls' that a CA can put into a certificate that it issues to another CA to restrict the set of paths (including that certificate) that can be successfully validated. In my mind this extension exists so that a relying party can know whether the certificate they are processing is one that certifies a key that can be used to verify the signature of the next cert in the path. Full stop. It isn't an 'authorization' of any entity to issue certificates but a signal to the relying party that the certified key can be used for verifying the next signature. The pathLengthConstraint component of that extension, along with all the other business control extensions (policy stuff, name constraints etc) further retrict a relying party with respect to the certification paths (and contained certificates) that can be successfully validated using the certificate that contains the extensions. Each issuer has the ability to place such restrictions and the complete validation of the path depends, in part on those constraints. </FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001></SPAN> </DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>When we look at the two basic trust models (hierarchical and distributed), then this does get muddled somewhat, because in a hierarchy there is sort of a sense of 'authorization' of subordinate CAs. The same is not true in a distributed trust model. A CA is any entity that issues public-key certificates regardless of whether some other CA happens to have issued it a certificate containing the basic constraints extension with the CA bit set to true. The extension really only matters when one tries to validate a certification path and needs to be sure that the issuer of a particular certificate 'trusts' certificates signed with the key corresponding to that certified in the current certificate. </FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>Consider the above 2 paragraphs my personal opinion on basicConstraints. </FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>As for attribute certificates and attribute authorities, in some environments there is absolutely no need to tie the PMI to the PKI. The verifiers may import one or more trust anchors for SOAs, similar to how they do today for PKI trust anchors. However, in other environments, there was a requirement to have a single trust anchor and be able to validate both public key and attribute certificates. For this reason, X.509 added the sOAIdentifier extension. Its syntax is NULL. Its only purpose in life is to support this requirement of binding a PMI to a PKI. As for the attribute certificate 'equivalent' of a certification path, this is a delegation path. There are completely different extensions defined to ensure that a delegationPath is valid (although you will recognize similarities). basicAttConstraints inidicates whether or not the assigned privilege can be further delegated by the subject of the containing certificate. 'Business controls' extensions include delegatedNameConstraints, acceptableCertPolicies, authorityAttributeIdentifier (to ensure that the delegating authority actually holds sufficicient privilege to delegate it) etc). Don't try to shoehorn the PKI extensions into the PMI model. The only real overlap is that we reused the basic CRL structure. </FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>Hope that helps and doesn't confuse the issues further :-)</FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>Sharon</FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001></SPAN><FONT face=Tahoma><FONT size=2><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff></FONT></SPAN></FONT></FONT> </DIV> <DIV><FONT face=Tahoma><FONT size=2><SPAN class=934173718-20042001> </SPAN>-----Original Message-----<BR><B>From:</B> Jim Schaad [mailto:jimsch5@home.com]<BR><B>Sent:</B> Friday, April 20, 2001 2:08 PM<BR><B>To:</B> 'Sharon Boeyen'; ietf-pkix@imc.org<BR><B>Subject:</B> RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)<BR><BR></DIV></FONT></FONT> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=128290618-20042001>Sharon,</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=128290618-20042001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=128290618-20042001>Much of this question arose from how to deal with AC "authorities". I don't have access at the moment to the X. version of the AC draft (yes I know I can now get it), but do you believe that AC issuers and "revokers" need to be authorities in that the CA bit should be set for them?</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=128290618-20042001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=128290618-20042001>jim</SPAN></FONT></DIV> <BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Friday, April 20, 2001 9:57 AM<BR><B>To:</B> 'David A. Cooper'; ietf-pkix@imc.org<BR><B>Subject:</B> RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)<BR><BR></DIV></FONT> <P><FONT size=2>Just to be clear, lets not confuse what I may happen to want as </FONT><BR><FONT size=2>an individual contributor to PKIX or any other list, with what </FONT><BR><FONT size=2>I state as 509 editor (they're not necessarily always the same :-)</FONT> </P> <P><FONT size=2>My comments were purely from the editor's perspective and yes, </FONT><BR><FONT size=2>the current 509 text is quite clear that the CA that issues a </FONT><BR><FONT size=2>certificate is responsible for stating whether or not that certificate</FONT> <BR><FONT size=2>can be revoked, and if so, what mechanism is used to inform </FONT><BR><FONT size=2>relying parties. If that mechanism is CRLs, these are issued by </FONT><BR><FONT size=2>the certificate issuer or by another authority delegated that </FONT><BR><FONT size=2>task by the certificate issuer (that doesn't necessarily mean that </FONT><BR><FONT size=2>509 requires a cert to be issued to that authority, nor that the cert </FONT><BR><FONT size=2>contain the basic constraints extension though, that is the job of </FONT><BR><FONT size=2>profile groups to determine and incidentally I don't believe they'll </FONT><BR><FONT size=2>all adopt the same solution so I would want 509 to remain flexible). </FONT></P> <P><FONT size=2>My own personal view is that industry has moved to a point where there </FONT><BR><FONT size=2>probably isn't any real requirement for a CRL issuer to also be a cert</FONT> <BR><FONT size=2>issuer as long as that CRL issuer is delegated that responsibility </FONT><BR><FONT size=2>by the cert issuer and there is a cryptographic way to ensure that </FONT><BR><FONT size=2>binding for relying parties. To achieve that, I believe some changes </FONT><BR><FONT size=2>are required in 509. </FONT></P> <P><FONT size=2>On the separate keys for cert and CRL signing (by the same authority), my </FONT><BR><FONT size=2>personal opinion is that anything you read into 509 text on that specific </FONT><BR><FONT size=2>topic would be accidental as I don't recall any specific discussion on it. </FONT><BR><FONT size=2>However, since that is a real world requirement, I would want to be sure </FONT><BR><FONT size=2>that 509 did not prohibit it.</FONT> </P> <P><FONT size=2>Hope that clarifies where my comments are coming from :-) </FONT><BR><FONT size=2> </FONT></P> <P><FONT size=2>> -----Original Message-----</FONT> <BR><FONT size=2>> From: David A. Cooper [<A href="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</FONT> <BR><FONT size=2>> Sent: Friday, April 20, 2001 11:44 AM</FONT> <BR><FONT size=2>> To: ietf-pkix@imc.org</FONT> <BR><FONT size=2>> Subject: RE: cA flag and CRL issuers (was Re: Last Call:</FONT> <BR><FONT size=2>> draft-ietf-pkix-n ew-part1-06.txt comments)</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> Sharon,</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> Are you suggesting that in order for an entity to issue CRLs </FONT><BR><FONT size=2>> on behalf of a certificate issuer, that CRL issuer would need </FONT><BR><FONT size=2>> to issue certificates as well (so that it can qualify as an </FONT><BR><FONT size=2>> authority)? I don't think there should be such a </FONT><BR><FONT size=2>> requirement, but even if there were it wouldn't settle the issue.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> Even if only authorities can issue CRLs, there is nothing to </FONT><BR><FONT size=2>> prevent that authority from using different keys to sign </FONT><BR><FONT size=2>> certificates and CRLs. X.509 states that "[t]he cA component </FONT><BR><FONT size=2>> indicates if the certified public key may be used to verify </FONT><BR><FONT size=2>> certificate signatures." So, the proper value of the cA bit </FONT><BR><FONT size=2>> is determined by the allowable uses of the subject public </FONT><BR><FONT size=2>> key, not by the type of entity the subject is. So, even if </FONT><BR><FONT size=2>> the certificate subject is a CA, and issues certificates </FONT><BR><FONT size=2>> under some key, the cA bit should not be set unless the </FONT><BR><FONT size=2>> particular subject public key in the certificate can be used </FONT><BR><FONT size=2>> to verify certificate signatures. If an authority is the </FONT><BR><FONT size=2>> subject of a certificate and the particular public key of </FONT><BR><FONT size=2>> that authority that is being certified is only to be used to </FONT><BR><FONT size=2>> verify signatures on CRLs, then the cA bit should not be set.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> Dave</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> At 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote:</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> >David, sorry but I disagree with your assertions about X.509's </FONT><BR><FONT size=2>> >position on this issue. Either by design or by accident, </FONT><BR><FONT size=2>> X.509 requires that if CRLs are being issued, they are issued </FONT><BR><FONT size=2>> by an 'authority'. Remember that the definition of </FONT><BR><FONT size=2>> "authority" is "An entity responsible </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >for the issuance of certificates". Much of the text in X.509 </FONT><BR><FONT size=2>> predates OCSP or the concept of a validation authority, but I </FONT><BR><FONT size=2>> do know that the quotes below are new text added within the </FONT><BR><FONT size=2>> past couple of years with the intent of clarifying the role </FONT><BR><FONT size=2>> of CAs with respect to CRLs.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >Clause 7.3 says: </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >"An authority that issues certificates is required to state, </FONT><BR><FONT size=2>> possibly through a published statement of their practices, </FONT><BR><FONT size=2>> through the certificates themselves, or through some other </FONT><BR><FONT size=2>> identified means, whether:</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >- The certificates cannot be revoked; or </FONT><BR><FONT size=2>> >- The certificates may be revoked by the same </FONT><BR><FONT size=2>> certificate-issuing authority directly; or </FONT><BR><FONT size=2>> >- The certificate-issuing authority authorizes a </FONT><BR><FONT size=2>> different authority to perform revocation." </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >further down in the same clause is the text: </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >" </FONT><BR><FONT size=2>> >An authority that issues and subsequently revokes certificates: </FONT><BR><FONT size=2>> >a) may be required to maintain an audit record of its </FONT><BR><FONT size=2>> revocation events for all certificate types issued by that </FONT><BR><FONT size=2>> authority (e.g. public-key certificates, attribute </FONT><BR><FONT size=2>> certificates issued to end-entities as well as other authorities);</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >b) shall provide revocation status information to </FONT><BR><FONT size=2>> relying parties using CRLs, on-line certificate status </FONT><BR><FONT size=2>> protocol or some other mechanism for the publication of </FONT><BR><FONT size=2>> revocation status information;</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >c) if using CRLs, shall maintain and publish CRLs even </FONT><BR><FONT size=2>> if the lists of revoked certificates are empty." </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >The quotes that you included in your message tie in with </FONT><BR><FONT size=2>> this base text, since the authority that issued the </FONT><BR><FONT size=2>> certificates has these responsibilities around revocation, </FONT><BR><FONT size=2>> there was no need for X.509 to state anything specific to CRL </FONT><BR><FONT size=2>> issuance. In the indirect CRL case, this was envisioned to be </FONT><BR><FONT size=2>> another CA or AA, that combined revocation notices from </FONT><BR><FONT size=2>> several CAs/AAs. </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >Having said that (with my X.509 editor's hat on), if there </FONT><BR><FONT size=2>> is a requirement to have entities that are not CAs or AAs be </FONT><BR><FONT size=2>> authorized to issue CRLs on behalf of the certificate issuer </FONT><BR><FONT size=2>> (because remember that a CRL is an indication that a </FONT><BR><FONT size=2>> certificate is no longer considered valid "by its </FONT><BR><FONT size=2>> issuer")changes to X.509 would be needed. I'm not necessarily </FONT><BR><FONT size=2>> opposed to such changes, I'm just clarifying, in this </FONT><BR><FONT size=2>> message, that they would be needed in order for such </FONT><BR><FONT size=2>> implementations to be conformant. This, as usual could be </FONT><BR><FONT size=2>> done through the enhancements work or could be proposed </FONT><BR><FONT size=2>> through the defect process. One way to enable that kind of </FONT><BR><FONT size=2>> change might be to redefine authority and to talk about 3 </FONT><BR><FONT size=2>> types rather than two. However, it would take some careful </FONT><BR><FONT size=2>> review to ensure that the set of changes was thorough and complete.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >Sharon </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > > -----Original Message----- </FONT><BR><FONT size=2>> > > From: David A. Cooper </FONT><BR><FONT size=2>> [<<A href="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>><A href="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>] </FONT><BR><FONT size=2>> > > Sent: Thursday, April 19, 2001 5:08 PM </FONT><BR><FONT size=2>> > > To: ietf-pkix@imc.org </FONT><BR><FONT size=2>> > > Subject: cA flag and CRL issuers (was Re: Last Call: </FONT><BR><FONT size=2>> > > draft-ietf-pkix-new-part1-06.txt comments) </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: </FONT><BR><FONT size=2>> > > >Dave Cooper, </FONT><BR><FONT size=2>> > > > </FONT><BR><FONT size=2>> > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: </FONT><BR><FONT size=2>> > > >>I see no basis in X.509 for setting the cA flag in </FONT><BR><FONT size=2>> > > basicConstraints for certificate subjects that can issue CRLs </FONT><BR><FONT size=2>> > > but not certificates. The current discussion about how to </FONT><BR><FONT size=2>> > > deal with CRLs for attribute certificates vs. public key </FONT><BR><FONT size=2>> > > certificates just further goes to show that it was a mistake </FONT><BR><FONT size=2>> > > to suddenly change the rules at the last IETF meeting. </FONT><BR><FONT size=2>> > > > </FONT><BR><FONT size=2>> > > >We disagree on this point. Nowhere in X.509 or in previous </FONT><BR><FONT size=2>> > > PKIX documents has there ever been text to suggest that other </FONT><BR><FONT size=2>> > > than a CA can sign a CRL for a public key certificate. So, </FONT><BR><FONT size=2>> > > the rules were not changed at the last meeting, they were </FONT><BR><FONT size=2>> > > reasserted and clarified. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > Steve, </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > You may say that X.509 and PKIX do not suggest that entities </FONT><BR><FONT size=2>> > > other than CAs can sign CRLs. However, I think we all agree </FONT><BR><FONT size=2>> > > that both X.509 and PKIX allow for a CRL to be signed with a </FONT><BR><FONT size=2>> > > different key than the key used to sign the certificates that </FONT><BR><FONT size=2>> > > are covered by that CRL. This may be a result of the CA that </FONT><BR><FONT size=2>> > > issued the certificates signing the corresponding CRLs with a </FONT><BR><FONT size=2>> > > different key or the CA that issued the certificates </FONT><BR><FONT size=2>> > > delegating the CRL issuing to another entity (via the </FONT><BR><FONT size=2>> > > distribution points extension). There is no requirement that </FONT><BR><FONT size=2>> > > the key used to sign the CRL also be used to sign </FONT><BR><FONT size=2>> > > certificates. So, I think we agree that there will be times </FONT><BR><FONT size=2>> > > where we will be issuing certificates to entities (whether </FONT><BR><FONT size=2>> > > those entities are CAs or not) where the intent is to specify </FONT><BR><FONT size=2>> > > that the public keys in the certificates may be used to </FONT><BR><FONT size=2>> > > verify signatures on CRLs but not on certificates. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > The only place we seem to disagree is on the contents of the </FONT><BR><FONT size=2>> > > certificates issued in such circumstances. In particular, </FONT><BR><FONT size=2>> > > should the certificates contain a basicConstraints extension </FONT><BR><FONT size=2>> > > with the cA bit set? On this point, both X.509 and the </FONT><BR><FONT size=2>> > > previous PKIX documents are quite clear that the cA bit </FONT><BR><FONT size=2>> > > should not be set. Why? Because a CA is defined as an entity </FONT><BR><FONT size=2>> > > that issues public-key certificates and both documents </FONT><BR><FONT size=2>> > > similarly state that the cA bit is used to specify whether </FONT><BR><FONT size=2>> > > the certificate subject can issue certificates. There is no </FONT><BR><FONT size=2>> > > similar connection made between being a CA and issuing CRLs. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > The following are some quotes from X.509 and pkix-new-part1-05: </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > In X.509 a CA is defined as "[a]n authority trusted by one or </FONT><BR><FONT size=2>> > > more users to create and assign public-key certificates." </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > Section 7 of X.509 states that "[a] CA-certificate is a </FONT><BR><FONT size=2>> > > certificate issued by a CA to a subject that is itself a CA </FONT><BR><FONT size=2>> > > and therefore is capable of issuing public-key certificates." </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > The description of basic constraints in X.509 further </FONT><BR><FONT size=2>> > > supports the idea that the cA bit is used to specify </FONT><BR><FONT size=2>> > > certificate issuing, not certificate and/or CRL issuing: </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > "This field indicates if the subject may act as a CA, with </FONT><BR><FONT size=2>> > > the certified public key being used to verify certificate </FONT><BR><FONT size=2>> > > signatures. ... The cA component indicates if the certified </FONT><BR><FONT size=2>> > > public key may be used to verify certificate signatures. ... if </FONT><BR><FONT size=2>> > > the value of cA is not set to true then the certified public </FONT><BR><FONT size=2>> > > key shall not be used to verify a certificate signature" </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > pkix-new-part1-05 states something similar: </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > "The cA bit indicates if the certified public key may be used </FONT><BR><FONT size=2>> > > to verify signatures on other certificates. If the cA bit is </FONT><BR><FONT size=2>> > > asserted, then the keyCertSign bit in the key usage extension </FONT><BR><FONT size=2>> > > (see 4.2.1.3) MUST also be asserted. If the cA bit is not </FONT><BR><FONT size=2>> > > asserted, then the keyCertSign bit in the key usage extension </FONT><BR><FONT size=2>> > > MUST NOT be asserted." </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > The description of the key usage bits are consistent with </FONT><BR><FONT size=2>> > > this as well. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > X.509: </FONT><BR><FONT size=2>> > > "The bit keyCertSign is for use in CA-certificates only. If </FONT><BR><FONT size=2>> > > KeyUsage is set to keyCertSign and the basic constraints </FONT><BR><FONT size=2>> > > extension is present in the same certificate, the value of </FONT><BR><FONT size=2>> > > the cA component of that extension shall be set to TRUE." </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > pkix-new-part1-05: </FONT><BR><FONT size=2>> > > "The keyCertSign bit is asserted when the subject public key </FONT><BR><FONT size=2>> > > is used for verifying a signature on certificates. This bit </FONT><BR><FONT size=2>> > > may only be asserted in CA certificates. If the keyCertSign </FONT><BR><FONT size=2>> > > bit is asserted, then the cA bit in the basic constraints </FONT><BR><FONT size=2>> > > extension (see 4.2.1.10) MUST also be asserted. If the </FONT><BR><FONT size=2>> > > keyCertSign bit is not asserted, then the cA bit in the basic </FONT><BR><FONT size=2>> > > constraints extension MUST NOT be asserted. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > The cRLSign bit is asserted when the subject public key is </FONT><BR><FONT size=2>> > > used for verifying a signature on revocation information </FONT><BR><FONT size=2>> > > (e.g., a CRL)." </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > So, both X.509 and pkix-new-part1-05 go to great lengths to </FONT><BR><FONT size=2>> > > clearly state that only CAs can issue certificates and that </FONT><BR><FONT size=2>> > > basicConstraints with the cA bit set to true must be present </FONT><BR><FONT size=2>> > > in the certificates where the public key is to be used to </FONT><BR><FONT size=2>> > > verify signatures on certificates. There are no similar </FONT><BR><FONT size=2>> > > statements about CRLs. In fact, both documents are quite </FONT><BR><FONT size=2>> > > clear that the cA bit must not be set when the subject public </FONT><BR><FONT size=2>> > > key can not be used to verify certificates. So, if the </FONT><BR><FONT size=2>> > > subject public key can be used to verify CRLs, but not </FONT><BR><FONT size=2>> > > certificates, the cA bit must not be set. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > X.509 is also careful not to preclude the public keys of </FONT><BR><FONT size=2>> > > non-CAs from being used to verify signatures on CRLs. For </FONT><BR><FONT size=2>> > > instance, an end entity is defined as "[a] certificate </FONT><BR><FONT size=2>> > > subject that uses its private key for purposes other than </FONT><BR><FONT size=2>> > > signing certificates or an entity that is a relying party." </FONT><BR><FONT size=2>> > > This leaves room for an end entity to use its private key to </FONT><BR><FONT size=2>> > > sign CRLs. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > So, if PKIX wants to require that the cA bit be set whenever </FONT><BR><FONT size=2>> > > the subject public key can be used to verify CRLs and also </FONT><BR><FONT size=2>> > > wants to maintain consistency with X.509, PKIX would have to </FONT><BR><FONT size=2>> > > require that any certificate authorizing the use of a public </FONT><BR><FONT size=2>> > > key for verifying CRL signatures also authorize the use of </FONT><BR><FONT size=2>> > > that public key for verifying certificate signatures. Since </FONT><BR><FONT size=2>> > > we are in agreement that we do not want to impose such a </FONT><BR><FONT size=2>> > > restriction and that we do want to maintain consistency with </FONT><BR><FONT size=2>> > > X.509, we can not require that the cA bit be set when the </FONT><BR><FONT size=2>> > > subject public key can only be used to verify CRL signatures. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > Dave </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT></P></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0C9D4.0FD1C7B0-- Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA02637 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 12:11:07 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <2VH1APQA>; Fri, 20 Apr 2001 15:10:33 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FB0@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'jimsch@exmsft.com'" <jimsch@exmsft.com>, Sharon Boeyen <sharon.boeyen@entrust.com>, ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Date: Fri, 20 Apr 2001 15:05:07 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C9CC.D034B380" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C9CC.D034B380 Content-Type: text/plain; charset="iso-8859-1" The point that I think is a bit different is the use of the CA bit in basic constraints. This is one of many 'business controls' that a CA can put into a certificate that it issues to another CA to restrict the set of paths (including that certificate) that can be successfully validated. In my mind this extension exists so that a relying party can know whether the certificate they are processing is one that certifies a key that can be used to verify the signature of the next cert in the path. Full stop. It isn't an 'authorization' of any entity to issue certificates but a signal to the relying party that the certified key can be used for verifying the next signature. The pathLengthConstraint component of that extension, along with all the other business control extensions (policy stuff, name constraints etc) further retrict a relying party with respect to the certification paths (and contained certificates) that can be successfully validated using the certificate that contains the extensions. Each issuer has the ability to place such restrictions and the complete validation of the path depends, in part on those constraints. When we look at the two basic trust models (hierarchical and distributed), then this does get muddled somewhat, because in a hierarchy there is sort of a sense of 'authorization' of subordinate CAs. The same is not true in a distributed trust model. A CA is any entity that issues public-key certificates regardless of whether some other CA happens to have issued it a certificate containing the basic constraints extension with the CA bit set to true. The extension really only matters when one tries to validate a certification path and needs to be sure that the issuer of a particular certificate 'trusts' certificates signed with the key corresponding to that certified in the current certificate. Consider the above 2 paragraphs my personal opinion on basicConstraints. As for attribute certificates and attribute authorities, in some environments there is absolutely no need to tie the PMI to the PKI. The verifiers may import one or more trust anchors for SOAs, similar to how they do today for PKI trust anchors. However, in other environments, there was a requirement to have a single trust anchor and be able to validate both public key and attribute certificates. For this reason, X.509 added the sOAIdentifier extension. Its syntax is NULL. Its only purpose in life is to support this requirement of binding a PMI to a PKI. As for the attribute certificate 'equivalent' of a certification path, this is a delegation path. There are completely different extensions defined to ensure that a delegationPath is valid (although you will recognize similarities). basicAttConstraints inidicates whether or not the assigned privilege can be further delegated by the subject of the containing certificate. 'Business controls' extensions include delegatedNameConstraints, acceptableCertPolicies, authorityAttributeIdentifier (to ensure that the delegating authority actually holds sufficicient privilege to delegate it) etc). Don't try to shoehorn the PKI extensions into the PMI model. The only real overlap is that we reused the basic CRL structure. Hope that helps and doesn't confuse the issues further :-) Sharon -----Original Message----- From: Jim Schaad [mailto:jimsch5@home.com] Sent: Friday, April 20, 2001 2:08 PM To: 'Sharon Boeyen'; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Sharon, Much of this question arose from how to deal with AC "authorities". I don't have access at the moment to the X. version of the AC draft (yes I know I can now get it), but do you believe that AC issuers and "revokers" need to be authorities in that the CA bit should be set for them? jim -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Friday, April 20, 2001 9:57 AM To: 'David A. Cooper'; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Just to be clear, lets not confuse what I may happen to want as an individual contributor to PKIX or any other list, with what I state as 509 editor (they're not necessarily always the same :-) My comments were purely from the editor's perspective and yes, the current 509 text is quite clear that the CA that issues a certificate is responsible for stating whether or not that certificate can be revoked, and if so, what mechanism is used to inform relying parties. If that mechanism is CRLs, these are issued by the certificate issuer or by another authority delegated that task by the certificate issuer (that doesn't necessarily mean that 509 requires a cert to be issued to that authority, nor that the cert contain the basic constraints extension though, that is the job of profile groups to determine and incidentally I don't believe they'll all adopt the same solution so I would want 509 to remain flexible). My own personal view is that industry has moved to a point where there probably isn't any real requirement for a CRL issuer to also be a cert issuer as long as that CRL issuer is delegated that responsibility by the cert issuer and there is a cryptographic way to ensure that binding for relying parties. To achieve that, I believe some changes are required in 509. On the separate keys for cert and CRL signing (by the same authority), my personal opinion is that anything you read into 509 text on that specific topic would be accidental as I don't recall any specific discussion on it. However, since that is a real world requirement, I would want to be sure that 509 did not prohibit it. Hope that clarifies where my comments are coming from :-) > -----Original Message----- > From: David A. Cooper [ mailto:david.cooper@nist.gov <mailto:david.cooper@nist.gov> ] > Sent: Friday, April 20, 2001 11:44 AM > To: ietf-pkix@imc.org > Subject: RE: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix-n ew-part1-06.txt comments) > > > Sharon, > > Are you suggesting that in order for an entity to issue CRLs > on behalf of a certificate issuer, that CRL issuer would need > to issue certificates as well (so that it can qualify as an > authority)? I don't think there should be such a > requirement, but even if there were it wouldn't settle the issue. > > Even if only authorities can issue CRLs, there is nothing to > prevent that authority from using different keys to sign > certificates and CRLs. X.509 states that "[t]he cA component > indicates if the certified public key may be used to verify > certificate signatures." So, the proper value of the cA bit > is determined by the allowable uses of the subject public > key, not by the type of entity the subject is. So, even if > the certificate subject is a CA, and issues certificates > under some key, the cA bit should not be set unless the > particular subject public key in the certificate can be used > to verify certificate signatures. If an authority is the > subject of a certificate and the particular public key of > that authority that is being certified is only to be used to > verify signatures on CRLs, then the cA bit should not be set. > > Dave > > At 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote: > > >David, sorry but I disagree with your assertions about X.509's > >position on this issue. Either by design or by accident, > X.509 requires that if CRLs are being issued, they are issued > by an 'authority'. Remember that the definition of > "authority" is "An entity responsible > > > >for the issuance of certificates". Much of the text in X.509 > predates OCSP or the concept of a validation authority, but I > do know that the quotes below are new text added within the > past couple of years with the intent of clarifying the role > of CAs with respect to CRLs. > > > >Clause 7.3 says: > > > >"An authority that issues certificates is required to state, > possibly through a published statement of their practices, > through the certificates themselves, or through some other > identified means, whether: > > > >- The certificates cannot be revoked; or > >- The certificates may be revoked by the same > certificate-issuing authority directly; or > >- The certificate-issuing authority authorizes a > different authority to perform revocation." > > > >further down in the same clause is the text: > > > >" > >An authority that issues and subsequently revokes certificates: > >a) may be required to maintain an audit record of its > revocation events for all certificate types issued by that > authority (e.g. public-key certificates, attribute > certificates issued to end-entities as well as other authorities); > > > >b) shall provide revocation status information to > relying parties using CRLs, on-line certificate status > protocol or some other mechanism for the publication of > revocation status information; > > > >c) if using CRLs, shall maintain and publish CRLs even > if the lists of revoked certificates are empty." > > > >The quotes that you included in your message tie in with > this base text, since the authority that issued the > certificates has these responsibilities around revocation, > there was no need for X.509 to state anything specific to CRL > issuance. In the indirect CRL case, this was envisioned to be > another CA or AA, that combined revocation notices from > several CAs/AAs. > > > >Having said that (with my X.509 editor's hat on), if there > is a requirement to have entities that are not CAs or AAs be > authorized to issue CRLs on behalf of the certificate issuer > (because remember that a CRL is an indication that a > certificate is no longer considered valid "by its > issuer")changes to X.509 would be needed. I'm not necessarily > opposed to such changes, I'm just clarifying, in this > message, that they would be needed in order for such > implementations to be conformant. This, as usual could be > done through the enhancements work or could be proposed > through the defect process. One way to enable that kind of > change might be to redefine authority and to talk about 3 > types rather than two. However, it would take some careful > review to ensure that the set of changes was thorough and complete. > > > >Sharon > > > > > -----Original Message----- > > > From: David A. Cooper > [< mailto:david.cooper@nist.gov <mailto:david.cooper@nist.gov> > mailto:david.cooper@nist.gov <mailto:david.cooper@nist.gov> ] > > > Sent: Thursday, April 19, 2001 5:08 PM > > > To: ietf-pkix@imc.org > > > Subject: cA flag and CRL issuers (was Re: Last Call: > > > draft-ietf-pkix-new-part1-06.txt comments) > > > > > > > > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: > > > >Dave Cooper, > > > > > > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: > > > >>I see no basis in X.509 for setting the cA flag in > > > basicConstraints for certificate subjects that can issue CRLs > > > but not certificates. The current discussion about how to > > > deal with CRLs for attribute certificates vs. public key > > > certificates just further goes to show that it was a mistake > > > to suddenly change the rules at the last IETF meeting. > > > > > > > >We disagree on this point. Nowhere in X.509 or in previous > > > PKIX documents has there ever been text to suggest that other > > > than a CA can sign a CRL for a public key certificate. So, > > > the rules were not changed at the last meeting, they were > > > reasserted and clarified. > > > > > > Steve, > > > > > > You may say that X.509 and PKIX do not suggest that entities > > > other than CAs can sign CRLs. However, I think we all agree > > > that both X.509 and PKIX allow for a CRL to be signed with a > > > different key than the key used to sign the certificates that > > > are covered by that CRL. This may be a result of the CA that > > > issued the certificates signing the corresponding CRLs with a > > > different key or the CA that issued the certificates > > > delegating the CRL issuing to another entity (via the > > > distribution points extension). There is no requirement that > > > the key used to sign the CRL also be used to sign > > > certificates. So, I think we agree that there will be times > > > where we will be issuing certificates to entities (whether > > > those entities are CAs or not) where the intent is to specify > > > that the public keys in the certificates may be used to > > > verify signatures on CRLs but not on certificates. > > > > > > The only place we seem to disagree is on the contents of the > > > certificates issued in such circumstances. In particular, > > > should the certificates contain a basicConstraints extension > > > with the cA bit set? On this point, both X.509 and the > > > previous PKIX documents are quite clear that the cA bit > > > should not be set. Why? Because a CA is defined as an entity > > > that issues public-key certificates and both documents > > > similarly state that the cA bit is used to specify whether > > > the certificate subject can issue certificates. There is no > > > similar connection made between being a CA and issuing CRLs. > > > > > > > > > The following are some quotes from X.509 and pkix-new-part1-05: > > > > > > In X.509 a CA is defined as "[a]n authority trusted by one or > > > more users to create and assign public-key certificates." > > > > > > Section 7 of X.509 states that "[a] CA-certificate is a > > > certificate issued by a CA to a subject that is itself a CA > > > and therefore is capable of issuing public-key certificates." > > > > > > > > > The description of basic constraints in X.509 further > > > supports the idea that the cA bit is used to specify > > > certificate issuing, not certificate and/or CRL issuing: > > > > > > "This field indicates if the subject may act as a CA, with > > > the certified public key being used to verify certificate > > > signatures. ... The cA component indicates if the certified > > > public key may be used to verify certificate signatures. ... if > > > the value of cA is not set to true then the certified public > > > key shall not be used to verify a certificate signature" > > > > > > > > > pkix-new-part1-05 states something similar: > > > > > > "The cA bit indicates if the certified public key may be used > > > to verify signatures on other certificates. If the cA bit is > > > asserted, then the keyCertSign bit in the key usage extension > > > (see 4.2.1.3) MUST also be asserted. If the cA bit is not > > > asserted, then the keyCertSign bit in the key usage extension > > > MUST NOT be asserted." > > > > > > > > > The description of the key usage bits are consistent with > > > this as well. > > > > > > X.509: > > > "The bit keyCertSign is for use in CA-certificates only. If > > > KeyUsage is set to keyCertSign and the basic constraints > > > extension is present in the same certificate, the value of > > > the cA component of that extension shall be set to TRUE." > > > > > > pkix-new-part1-05: > > > "The keyCertSign bit is asserted when the subject public key > > > is used for verifying a signature on certificates. This bit > > > may only be asserted in CA certificates. If the keyCertSign > > > bit is asserted, then the cA bit in the basic constraints > > > extension (see 4.2.1.10) MUST also be asserted. If the > > > keyCertSign bit is not asserted, then the cA bit in the basic > > > constraints extension MUST NOT be asserted. > > > > > > The cRLSign bit is asserted when the subject public key is > > > used for verifying a signature on revocation information > > > (e.g., a CRL)." > > > > > > > > > > > > So, both X.509 and pkix-new-part1-05 go to great lengths to > > > clearly state that only CAs can issue certificates and that > > > basicConstraints with the cA bit set to true must be present > > > in the certificates where the public key is to be used to > > > verify signatures on certificates. There are no similar > > > statements about CRLs. In fact, both documents are quite > > > clear that the cA bit must not be set when the subject public > > > key can not be used to verify certificates. So, if the > > > subject public key can be used to verify CRLs, but not > > > certificates, the cA bit must not be set. > > > > > > X.509 is also careful not to preclude the public keys of > > > non-CAs from being used to verify signatures on CRLs. For > > > instance, an end entity is defined as "[a] certificate > > > subject that uses its private key for purposes other than > > > signing certificates or an entity that is a relying party." > > > This leaves room for an end entity to use its private key to > > > sign CRLs. > > > > > > > > > So, if PKIX wants to require that the cA bit be set whenever > > > the subject public key can be used to verify CRLs and also > > > wants to maintain consistency with X.509, PKIX would have to > > > require that any certificate authorizing the use of a public > > > key for verifying CRL signatures also authorize the use of > > > that public key for verifying certificate signatures. Since > > > we are in agreement that we do not want to impose such a > > > restriction and that we do want to maintain consistency with > > > X.509, we can not require that the cA bit be set when the > > > subject public key can only be used to verify CRL signatures. > > > > > > Dave > > > > > > > > ------_=_NextPart_001_01C0C9CC.D034B380 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)</TITLE> <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD> <BODY> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>The point that I think is a bit different is the use of the CA bit in basic constraints. This is one of many 'business controls' that a CA can put into a certificate that it issues to another CA to restrict the set of paths (including that certificate) that can be successfully validated. In my mind this extension exists so that a relying party can know whether the certificate they are processing is one that certifies a key that can be used to verify the signature of the next cert in the path. Full stop. It isn't an 'authorization' of any entity to issue certificates but a signal to the relying party that the certified key can be used for verifying the next signature. The pathLengthConstraint component of that extension, along with all the other business control extensions (policy stuff, name constraints etc) further retrict a relying party with respect to the certification paths (and contained certificates) that can be successfully validated using the certificate that contains the extensions. Each issuer has the ability to place such restrictions and the complete validation of the path depends, in part on those constraints. </FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001></SPAN> </DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>When we look at the two basic trust models (hierarchical and distributed), then this does get muddled somewhat, because in a hierarchy there is sort of a sense of 'authorization' of subordinate CAs. The same is not true in a distributed trust model. A CA is any entity that issues public-key certificates regardless of whether some other CA happens to have issued it a certificate containing the basic constraints extension with the CA bit set to true. The extension really only matters when one tries to validate a certification path and needs to be sure that the issuer of a particular certificate 'trusts' certificates signed with the key corresponding to that certified in the current certificate. </FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>Consider the above 2 paragraphs my personal opinion on basicConstraints. </FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>As for attribute certificates and attribute authorities, in some environments there is absolutely no need to tie the PMI to the PKI. The verifiers may import one or more trust anchors for SOAs, similar to how they do today for PKI trust anchors. However, in other environments, there was a requirement to have a single trust anchor and be able to validate both public key and attribute certificates. For this reason, X.509 added the sOAIdentifier extension. Its syntax is NULL. Its only purpose in life is to support this requirement of binding a PMI to a PKI. As for the attribute certificate 'equivalent' of a certification path, this is a delegation path. There are completely different extensions defined to ensure that a delegationPath is valid (although you will recognize similarities). basicAttConstraints inidicates whether or not the assigned privilege can be further delegated by the subject of the containing certificate. 'Business controls' extensions include delegatedNameConstraints, acceptableCertPolicies, authorityAttributeIdentifier (to ensure that the delegating authority actually holds sufficicient privilege to delegate it) etc). Don't try to shoehorn the PKI extensions into the PMI model. The only real overlap is that we reused the basic CRL structure. </FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>Hope that helps and doesn't confuse the issues further :-)</FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff size=2>Sharon</FONT></SPAN></DIV> <DIV><SPAN class=934173718-20042001></SPAN><FONT face=Tahoma><FONT size=2><SPAN class=934173718-20042001><FONT face=Arial color=#0000ff> </FONT></SPAN></FONT></FONT></DIV> <DIV><FONT face=Tahoma><FONT size=2><SPAN class=934173718-20042001> </SPAN>-----Original Message-----<BR><B>From:</B> Jim Schaad [mailto:jimsch5@home.com]<BR><B>Sent:</B> Friday, April 20, 2001 2:08 PM<BR><B>To:</B> 'Sharon Boeyen'; ietf-pkix@imc.org<BR><B>Subject:</B> RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)<BR><BR></DIV></FONT></FONT> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=128290618-20042001>Sharon,</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=128290618-20042001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=128290618-20042001>Much of this question arose from how to deal with AC "authorities". I don't have access at the moment to the X. version of the AC draft (yes I know I can now get it), but do you believe that AC issuers and "revokers" need to be authorities in that the CA bit should be set for them?</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=128290618-20042001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=128290618-20042001>jim</SPAN></FONT></DIV> <BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Friday, April 20, 2001 9:57 AM<BR><B>To:</B> 'David A. Cooper'; ietf-pkix@imc.org<BR><B>Subject:</B> RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)<BR><BR></DIV></FONT> <P><FONT size=2>Just to be clear, lets not confuse what I may happen to want as </FONT><BR><FONT size=2>an individual contributor to PKIX or any other list, with what </FONT><BR><FONT size=2>I state as 509 editor (they're not necessarily always the same :-)</FONT> </P> <P><FONT size=2>My comments were purely from the editor's perspective and yes, </FONT><BR><FONT size=2>the current 509 text is quite clear that the CA that issues a </FONT><BR><FONT size=2>certificate is responsible for stating whether or not that certificate</FONT> <BR><FONT size=2>can be revoked, and if so, what mechanism is used to inform </FONT><BR><FONT size=2>relying parties. If that mechanism is CRLs, these are issued by </FONT><BR><FONT size=2>the certificate issuer or by another authority delegated that </FONT><BR><FONT size=2>task by the certificate issuer (that doesn't necessarily mean that </FONT><BR><FONT size=2>509 requires a cert to be issued to that authority, nor that the cert </FONT><BR><FONT size=2>contain the basic constraints extension though, that is the job of </FONT><BR><FONT size=2>profile groups to determine and incidentally I don't believe they'll </FONT><BR><FONT size=2>all adopt the same solution so I would want 509 to remain flexible). </FONT></P> <P><FONT size=2>My own personal view is that industry has moved to a point where there </FONT><BR><FONT size=2>probably isn't any real requirement for a CRL issuer to also be a cert</FONT> <BR><FONT size=2>issuer as long as that CRL issuer is delegated that responsibility </FONT><BR><FONT size=2>by the cert issuer and there is a cryptographic way to ensure that </FONT><BR><FONT size=2>binding for relying parties. To achieve that, I believe some changes </FONT><BR><FONT size=2>are required in 509. </FONT></P> <P><FONT size=2>On the separate keys for cert and CRL signing (by the same authority), my </FONT><BR><FONT size=2>personal opinion is that anything you read into 509 text on that specific </FONT><BR><FONT size=2>topic would be accidental as I don't recall any specific discussion on it. </FONT><BR><FONT size=2>However, since that is a real world requirement, I would want to be sure </FONT><BR><FONT size=2>that 509 did not prohibit it.</FONT> </P> <P><FONT size=2>Hope that clarifies where my comments are coming from :-) </FONT><BR><FONT size=2> </FONT></P> <P><FONT size=2>> -----Original Message-----</FONT> <BR><FONT size=2>> From: David A. Cooper [<A href="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</FONT> <BR><FONT size=2>> Sent: Friday, April 20, 2001 11:44 AM</FONT> <BR><FONT size=2>> To: ietf-pkix@imc.org</FONT> <BR><FONT size=2>> Subject: RE: cA flag and CRL issuers (was Re: Last Call:</FONT> <BR><FONT size=2>> draft-ietf-pkix-n ew-part1-06.txt comments)</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> Sharon,</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> Are you suggesting that in order for an entity to issue CRLs </FONT><BR><FONT size=2>> on behalf of a certificate issuer, that CRL issuer would need </FONT><BR><FONT size=2>> to issue certificates as well (so that it can qualify as an </FONT><BR><FONT size=2>> authority)? I don't think there should be such a </FONT><BR><FONT size=2>> requirement, but even if there were it wouldn't settle the issue.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> Even if only authorities can issue CRLs, there is nothing to </FONT><BR><FONT size=2>> prevent that authority from using different keys to sign </FONT><BR><FONT size=2>> certificates and CRLs. X.509 states that "[t]he cA component </FONT><BR><FONT size=2>> indicates if the certified public key may be used to verify </FONT><BR><FONT size=2>> certificate signatures." So, the proper value of the cA bit </FONT><BR><FONT size=2>> is determined by the allowable uses of the subject public </FONT><BR><FONT size=2>> key, not by the type of entity the subject is. So, even if </FONT><BR><FONT size=2>> the certificate subject is a CA, and issues certificates </FONT><BR><FONT size=2>> under some key, the cA bit should not be set unless the </FONT><BR><FONT size=2>> particular subject public key in the certificate can be used </FONT><BR><FONT size=2>> to verify certificate signatures. If an authority is the </FONT><BR><FONT size=2>> subject of a certificate and the particular public key of </FONT><BR><FONT size=2>> that authority that is being certified is only to be used to </FONT><BR><FONT size=2>> verify signatures on CRLs, then the cA bit should not be set.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> Dave</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> At 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote:</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> >David, sorry but I disagree with your assertions about X.509's </FONT><BR><FONT size=2>> >position on this issue. Either by design or by accident, </FONT><BR><FONT size=2>> X.509 requires that if CRLs are being issued, they are issued </FONT><BR><FONT size=2>> by an 'authority'. Remember that the definition of </FONT><BR><FONT size=2>> "authority" is "An entity responsible </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >for the issuance of certificates". Much of the text in X.509 </FONT><BR><FONT size=2>> predates OCSP or the concept of a validation authority, but I </FONT><BR><FONT size=2>> do know that the quotes below are new text added within the </FONT><BR><FONT size=2>> past couple of years with the intent of clarifying the role </FONT><BR><FONT size=2>> of CAs with respect to CRLs.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >Clause 7.3 says: </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >"An authority that issues certificates is required to state, </FONT><BR><FONT size=2>> possibly through a published statement of their practices, </FONT><BR><FONT size=2>> through the certificates themselves, or through some other </FONT><BR><FONT size=2>> identified means, whether:</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >- The certificates cannot be revoked; or </FONT><BR><FONT size=2>> >- The certificates may be revoked by the same </FONT><BR><FONT size=2>> certificate-issuing authority directly; or </FONT><BR><FONT size=2>> >- The certificate-issuing authority authorizes a </FONT><BR><FONT size=2>> different authority to perform revocation." </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >further down in the same clause is the text: </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >" </FONT><BR><FONT size=2>> >An authority that issues and subsequently revokes certificates: </FONT><BR><FONT size=2>> >a) may be required to maintain an audit record of its </FONT><BR><FONT size=2>> revocation events for all certificate types issued by that </FONT><BR><FONT size=2>> authority (e.g. public-key certificates, attribute </FONT><BR><FONT size=2>> certificates issued to end-entities as well as other authorities);</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >b) shall provide revocation status information to </FONT><BR><FONT size=2>> relying parties using CRLs, on-line certificate status </FONT><BR><FONT size=2>> protocol or some other mechanism for the publication of </FONT><BR><FONT size=2>> revocation status information;</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >c) if using CRLs, shall maintain and publish CRLs even </FONT><BR><FONT size=2>> if the lists of revoked certificates are empty." </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >The quotes that you included in your message tie in with </FONT><BR><FONT size=2>> this base text, since the authority that issued the </FONT><BR><FONT size=2>> certificates has these responsibilities around revocation, </FONT><BR><FONT size=2>> there was no need for X.509 to state anything specific to CRL </FONT><BR><FONT size=2>> issuance. In the indirect CRL case, this was envisioned to be </FONT><BR><FONT size=2>> another CA or AA, that combined revocation notices from </FONT><BR><FONT size=2>> several CAs/AAs. </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >Having said that (with my X.509 editor's hat on), if there </FONT><BR><FONT size=2>> is a requirement to have entities that are not CAs or AAs be </FONT><BR><FONT size=2>> authorized to issue CRLs on behalf of the certificate issuer </FONT><BR><FONT size=2>> (because remember that a CRL is an indication that a </FONT><BR><FONT size=2>> certificate is no longer considered valid "by its </FONT><BR><FONT size=2>> issuer")changes to X.509 would be needed. I'm not necessarily </FONT><BR><FONT size=2>> opposed to such changes, I'm just clarifying, in this </FONT><BR><FONT size=2>> message, that they would be needed in order for such </FONT><BR><FONT size=2>> implementations to be conformant. This, as usual could be </FONT><BR><FONT size=2>> done through the enhancements work or could be proposed </FONT><BR><FONT size=2>> through the defect process. One way to enable that kind of </FONT><BR><FONT size=2>> change might be to redefine authority and to talk about 3 </FONT><BR><FONT size=2>> types rather than two. However, it would take some careful </FONT><BR><FONT size=2>> review to ensure that the set of changes was thorough and complete.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >Sharon </FONT><BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > > -----Original Message----- </FONT><BR><FONT size=2>> > > From: David A. Cooper </FONT><BR><FONT size=2>> [<<A href="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>><A href="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>] </FONT><BR><FONT size=2>> > > Sent: Thursday, April 19, 2001 5:08 PM </FONT><BR><FONT size=2>> > > To: ietf-pkix@imc.org </FONT><BR><FONT size=2>> > > Subject: cA flag and CRL issuers (was Re: Last Call: </FONT><BR><FONT size=2>> > > draft-ietf-pkix-new-part1-06.txt comments) </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: </FONT><BR><FONT size=2>> > > >Dave Cooper, </FONT><BR><FONT size=2>> > > > </FONT><BR><FONT size=2>> > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: </FONT><BR><FONT size=2>> > > >>I see no basis in X.509 for setting the cA flag in </FONT><BR><FONT size=2>> > > basicConstraints for certificate subjects that can issue CRLs </FONT><BR><FONT size=2>> > > but not certificates. The current discussion about how to </FONT><BR><FONT size=2>> > > deal with CRLs for attribute certificates vs. public key </FONT><BR><FONT size=2>> > > certificates just further goes to show that it was a mistake </FONT><BR><FONT size=2>> > > to suddenly change the rules at the last IETF meeting. </FONT><BR><FONT size=2>> > > > </FONT><BR><FONT size=2>> > > >We disagree on this point. Nowhere in X.509 or in previous </FONT><BR><FONT size=2>> > > PKIX documents has there ever been text to suggest that other </FONT><BR><FONT size=2>> > > than a CA can sign a CRL for a public key certificate. So, </FONT><BR><FONT size=2>> > > the rules were not changed at the last meeting, they were </FONT><BR><FONT size=2>> > > reasserted and clarified. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > Steve, </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > You may say that X.509 and PKIX do not suggest that entities </FONT><BR><FONT size=2>> > > other than CAs can sign CRLs. However, I think we all agree </FONT><BR><FONT size=2>> > > that both X.509 and PKIX allow for a CRL to be signed with a </FONT><BR><FONT size=2>> > > different key than the key used to sign the certificates that </FONT><BR><FONT size=2>> > > are covered by that CRL. This may be a result of the CA that </FONT><BR><FONT size=2>> > > issued the certificates signing the corresponding CRLs with a </FONT><BR><FONT size=2>> > > different key or the CA that issued the certificates </FONT><BR><FONT size=2>> > > delegating the CRL issuing to another entity (via the </FONT><BR><FONT size=2>> > > distribution points extension). There is no requirement that </FONT><BR><FONT size=2>> > > the key used to sign the CRL also be used to sign </FONT><BR><FONT size=2>> > > certificates. So, I think we agree that there will be times </FONT><BR><FONT size=2>> > > where we will be issuing certificates to entities (whether </FONT><BR><FONT size=2>> > > those entities are CAs or not) where the intent is to specify </FONT><BR><FONT size=2>> > > that the public keys in the certificates may be used to </FONT><BR><FONT size=2>> > > verify signatures on CRLs but not on certificates. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > The only place we seem to disagree is on the contents of the </FONT><BR><FONT size=2>> > > certificates issued in such circumstances. In particular, </FONT><BR><FONT size=2>> > > should the certificates contain a basicConstraints extension </FONT><BR><FONT size=2>> > > with the cA bit set? On this point, both X.509 and the </FONT><BR><FONT size=2>> > > previous PKIX documents are quite clear that the cA bit </FONT><BR><FONT size=2>> > > should not be set. Why? Because a CA is defined as an entity </FONT><BR><FONT size=2>> > > that issues public-key certificates and both documents </FONT><BR><FONT size=2>> > > similarly state that the cA bit is used to specify whether </FONT><BR><FONT size=2>> > > the certificate subject can issue certificates. There is no </FONT><BR><FONT size=2>> > > similar connection made between being a CA and issuing CRLs. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > The following are some quotes from X.509 and pkix-new-part1-05: </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > In X.509 a CA is defined as "[a]n authority trusted by one or </FONT><BR><FONT size=2>> > > more users to create and assign public-key certificates." </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > Section 7 of X.509 states that "[a] CA-certificate is a </FONT><BR><FONT size=2>> > > certificate issued by a CA to a subject that is itself a CA </FONT><BR><FONT size=2>> > > and therefore is capable of issuing public-key certificates." </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > The description of basic constraints in X.509 further </FONT><BR><FONT size=2>> > > supports the idea that the cA bit is used to specify </FONT><BR><FONT size=2>> > > certificate issuing, not certificate and/or CRL issuing: </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > "This field indicates if the subject may act as a CA, with </FONT><BR><FONT size=2>> > > the certified public key being used to verify certificate </FONT><BR><FONT size=2>> > > signatures. ... The cA component indicates if the certified </FONT><BR><FONT size=2>> > > public key may be used to verify certificate signatures. ... if </FONT><BR><FONT size=2>> > > the value of cA is not set to true then the certified public </FONT><BR><FONT size=2>> > > key shall not be used to verify a certificate signature" </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > pkix-new-part1-05 states something similar: </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > "The cA bit indicates if the certified public key may be used </FONT><BR><FONT size=2>> > > to verify signatures on other certificates. If the cA bit is </FONT><BR><FONT size=2>> > > asserted, then the keyCertSign bit in the key usage extension </FONT><BR><FONT size=2>> > > (see 4.2.1.3) MUST also be asserted. If the cA bit is not </FONT><BR><FONT size=2>> > > asserted, then the keyCertSign bit in the key usage extension </FONT><BR><FONT size=2>> > > MUST NOT be asserted." </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > The description of the key usage bits are consistent with </FONT><BR><FONT size=2>> > > this as well. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > X.509: </FONT><BR><FONT size=2>> > > "The bit keyCertSign is for use in CA-certificates only. If </FONT><BR><FONT size=2>> > > KeyUsage is set to keyCertSign and the basic constraints </FONT><BR><FONT size=2>> > > extension is present in the same certificate, the value of </FONT><BR><FONT size=2>> > > the cA component of that extension shall be set to TRUE." </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > pkix-new-part1-05: </FONT><BR><FONT size=2>> > > "The keyCertSign bit is asserted when the subject public key </FONT><BR><FONT size=2>> > > is used for verifying a signature on certificates. This bit </FONT><BR><FONT size=2>> > > may only be asserted in CA certificates. If the keyCertSign </FONT><BR><FONT size=2>> > > bit is asserted, then the cA bit in the basic constraints </FONT><BR><FONT size=2>> > > extension (see 4.2.1.10) MUST also be asserted. If the </FONT><BR><FONT size=2>> > > keyCertSign bit is not asserted, then the cA bit in the basic </FONT><BR><FONT size=2>> > > constraints extension MUST NOT be asserted. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > The cRLSign bit is asserted when the subject public key is </FONT><BR><FONT size=2>> > > used for verifying a signature on revocation information </FONT><BR><FONT size=2>> > > (e.g., a CRL)." </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > So, both X.509 and pkix-new-part1-05 go to great lengths to </FONT><BR><FONT size=2>> > > clearly state that only CAs can issue certificates and that </FONT><BR><FONT size=2>> > > basicConstraints with the cA bit set to true must be present </FONT><BR><FONT size=2>> > > in the certificates where the public key is to be used to </FONT><BR><FONT size=2>> > > verify signatures on certificates. There are no similar </FONT><BR><FONT size=2>> > > statements about CRLs. In fact, both documents are quite </FONT><BR><FONT size=2>> > > clear that the cA bit must not be set when the subject public </FONT><BR><FONT size=2>> > > key can not be used to verify certificates. So, if the </FONT><BR><FONT size=2>> > > subject public key can be used to verify CRLs, but not </FONT><BR><FONT size=2>> > > certificates, the cA bit must not be set. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > X.509 is also careful not to preclude the public keys of </FONT><BR><FONT size=2>> > > non-CAs from being used to verify signatures on CRLs. For </FONT><BR><FONT size=2>> > > instance, an end entity is defined as "[a] certificate </FONT><BR><FONT size=2>> > > subject that uses its private key for purposes other than </FONT><BR><FONT size=2>> > > signing certificates or an entity that is a relying party." </FONT><BR><FONT size=2>> > > This leaves room for an end entity to use its private key to </FONT><BR><FONT size=2>> > > sign CRLs. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > So, if PKIX wants to require that the cA bit be set whenever </FONT><BR><FONT size=2>> > > the subject public key can be used to verify CRLs and also </FONT><BR><FONT size=2>> > > wants to maintain consistency with X.509, PKIX would have to </FONT><BR><FONT size=2>> > > require that any certificate authorizing the use of a public </FONT><BR><FONT size=2>> > > key for verifying CRL signatures also authorize the use of </FONT><BR><FONT size=2>> > > that public key for verifying certificate signatures. Since </FONT><BR><FONT size=2>> > > we are in agreement that we do not want to impose such a </FONT><BR><FONT size=2>> > > restriction and that we do want to maintain consistency with </FONT><BR><FONT size=2>> > > X.509, we can not require that the cA bit be set when the </FONT><BR><FONT size=2>> > > subject public key can only be used to verify CRL signatures. </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > Dave </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> > > </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT></P></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0C9CC.D034B380-- Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA02340 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 12:06:38 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GC300201UFAD0@ext-mail.valicert.com> for ietf-pkix@imc.org; Fri, 20 Apr 2001 12:06:46 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GC30025RUFA26@ext-mail.valicert.com>; Fri, 20 Apr 2001 12:06:46 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26PPWB>; Fri, 20 Apr 2001 12:05:35 -0700 Content-return: allowed Date: Fri, 20 Apr 2001 12:05:30 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: Meaning of Non-repudiation To: "'Tom Gindin'" <tgindin@us.ibm.com> Cc: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E182C40@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" When NIST?NSA folk evaluate a US network product/system, formally, they must, traditionally, use the following conceptions of NR. (Steve's notions of subject intent, and presumptions of signature binding, are not relevant to a formal evaluation of a product/system claiming to provide NR.) It would be useful for some of our friends from NCSC/NIST to perhaps find an actual evaluation/certification report that certified an actual network product/system as meeting the evaluation criteria for NR. This would provide us with an example protocol under the Red Book that was deemed "correct", as required by the criteria. Nothing in this NCSC criteria require (X.509) certs be used, or particular bits be present in said certs. Modern form of the criteria (CC 2.1) do not differ in the criteria definition, though they remove the material about digital signatures in favor of requirements on evidence. They make no statements about certificates. http://csrc.nist.gov/cc/ccv20/ccv2list.htm#ISO Neither NCSC nor CC criteria deviate from NR being (a) a network-based service that is semantically tied to assertions of sending/receving messages, and (b) an assurance of identity during an exchange process, versus intent upon using a key. "4 Class FCO: Communication 137 This class provides two families specifically concerned with assuring the identity of a party participating in a data exchange. These families are related to assuring the identity of the originator of transmitted information (proof of origin) and assuring the identity of the recipient of transmitted information (proof of receipt). These families ensure that an originator cannot deny having sent the message, nor can the recipient deny having received it." Peter. --------------- http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-005.pdf 9.1.3. Non-repudiation _ _ _ ___ ___________ + Functionality _____________ Non-repudiation service provides unforgeable proof of shipment and/or receipt of data. This service prevents the sender from disavowing a leg-itimate message or the recipient from denying receipt. The network may provide either or both of the following two forms: 1. The recipient of data is provided with proof of origin of data that will protect against any attempt by the sender to falsely deny sending the data or its contents. 2. The sender is provided with proof of delivery of data such that the recipient cannot later deny receiving the data or its contents. Basis for Rating: Presence or absence of each of the two forms. Evaluation Range: None or present. Discussion: Digital signatures are available techniques that may be applied to non-repudiation mechanisms. Digital signature mechanisms define two procedures: 1. Signing a data unit 2. Verifying a signed data unit The signing process typically employs either an enci-pherment of the data unit or the production of a crypto-graphic checkfunction of the data unit, using the signer's private information as a private key. The verification process involves using the public pro-cedure and information to determine whether the signature was produced with the signer's private key. It is essential that the signature mechanism be unforgeable and adjudicable. This means that the signature can only be produced using the signer's private information, and in case the signer should disavow signing the message, it must be possible for a judge or arbitrator to resolve a dispute arising between the signer and the recipient of the message. Digital signature schemes are usually classified into one of two categories: true signatures or arbitrated signa-tures. In a true signature scheme, signed messages produced by the sender are transmitted directly to the receiver who verifies their validity and authenticity. In an arbitrated signature scheme, all signed messages are transmitted from the sender to the receiver via an arbitrator who serves as a notary public. In the latter case, a notarization mechanism is needed. Both public-key and conventional private-key cryptosys-tems can be utilized to generate digital signatures. When a message M is to be signed by a private-key cryptosystem, the signature is a computed quantity catenated to M and sent along with it. In a public-key implementation, when a mes-sage M is to be signed, a transformation using the secret key is applied to M before transmitting it. Thus, the signa-ture is presented by the resulting transformed message. + Strength of Mechanism ________ __ _________ Basis for Rating: The strength and trustworthiness given to non-repudiation service is bounded by the trust in the underlying cryptography implementing digital signature mechanism, the correctness of the protocol logic, and the adequacy of protocol implementation. Additional information may be found in the separate sections addressing these sub-jects. Evaluation Range: None to good. + Assurance _________ Basis for Rating: Assurance is concerned with guaran-teeing or providing confidence that features to provide non-repudiation service have been implemented correctly and that the control objectives of each feature have been actu- ally and accurately achieved. This assurance is addressed by analysis of the logic of the protocols and the implementation of the digital signa-ture mechanisms to show correctness and effectiveness by formal methods where possible (i.e., where tools exist) and informal ones otherwise. The information in the General Assurance, Encryption Mechanisms, and Protocols sections also applies. Evaluation Range: None to good. -----Original Message----- From: Tom Gindin [mailto:tgindin@us.ibm.com] Sent: Wednesday, April 11, 2001 3:51 PM To: Stephen Kent Cc: David P. Kemp; ietf-pkix@imc.org Subject: Re: Meaning of Non-repudiation IMHO, if X.509 had not been calling the bit in KeyUsage "non-repudiation" for some years, I would prefer to put "Persistent Data Authentication" into KeyUsage and define several different flavors of non-repudiation in ExtendedKeyUsage, profiling non-repudiation services in parallel with those ExtendedKeyUsage values. This would also allow us to define different levels of NR and put them into certificates in a natural way. However, they have been calling the bit "non-repudiation", and I'm not sure we can change its meaning on the installed base of certificates and on the X.509 group without an unusual level of unanimity and near-certainty that it won't break anything. Tom Gindin Received: from femail3.sdc1.sfba.home.com (femail3.sdc1.sfba.home.com [24.0.95.83]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA00313 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 11:05:30 -0700 (PDT) Received: from revelation ([65.4.166.11]) by femail3.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010420180253.ZFGV26961.femail3.sdc1.sfba.home.com@revelation>; Fri, 20 Apr 2001 11:02:53 -0700 Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch5@home.com> To: "'Sharon Boeyen'" <sharon.boeyen@entrust.com>, <ietf-pkix@imc.org> Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Date: Fri, 20 Apr 2001 11:08:10 -0700 Message-ID: <001701c0c9c4$dd846bf0$0d00a8c0@soaringhawk.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0018_01C0C98A.313376A0" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FAF@sottmxs09.entrust.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal This is a multi-part message in MIME format. ------=_NextPart_000_0018_01C0C98A.313376A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)Sharon, Much of this question arose from how to deal with AC "authorities". I don't have access at the moment to the X. version of the AC draft (yes I know I can now get it), but do you believe that AC issuers and "revokers" need to be authorities in that the CA bit should be set for them? jim -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Friday, April 20, 2001 9:57 AM To: 'David A. Cooper'; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Just to be clear, lets not confuse what I may happen to want as an individual contributor to PKIX or any other list, with what I state as 509 editor (they're not necessarily always the same :-) My comments were purely from the editor's perspective and yes, the current 509 text is quite clear that the CA that issues a certificate is responsible for stating whether or not that certificate can be revoked, and if so, what mechanism is used to inform relying parties. If that mechanism is CRLs, these are issued by the certificate issuer or by another authority delegated that task by the certificate issuer (that doesn't necessarily mean that 509 requires a cert to be issued to that authority, nor that the cert contain the basic constraints extension though, that is the job of profile groups to determine and incidentally I don't believe they'll all adopt the same solution so I would want 509 to remain flexible). My own personal view is that industry has moved to a point where there probably isn't any real requirement for a CRL issuer to also be a cert issuer as long as that CRL issuer is delegated that responsibility by the cert issuer and there is a cryptographic way to ensure that binding for relying parties. To achieve that, I believe some changes are required in 509. On the separate keys for cert and CRL signing (by the same authority), my personal opinion is that anything you read into 509 text on that specific topic would be accidental as I don't recall any specific discussion on it. However, since that is a real world requirement, I would want to be sure that 509 did not prohibit it. Hope that clarifies where my comments are coming from :-) > -----Original Message----- > From: David A. Cooper [mailto:david.cooper@nist.gov] > Sent: Friday, April 20, 2001 11:44 AM > To: ietf-pkix@imc.org > Subject: RE: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix-n ew-part1-06.txt comments) > > > Sharon, > > Are you suggesting that in order for an entity to issue CRLs > on behalf of a certificate issuer, that CRL issuer would need > to issue certificates as well (so that it can qualify as an > authority)? I don't think there should be such a > requirement, but even if there were it wouldn't settle the issue. > > Even if only authorities can issue CRLs, there is nothing to > prevent that authority from using different keys to sign > certificates and CRLs. X.509 states that "[t]he cA component > indicates if the certified public key may be used to verify > certificate signatures." So, the proper value of the cA bit > is determined by the allowable uses of the subject public > key, not by the type of entity the subject is. So, even if > the certificate subject is a CA, and issues certificates > under some key, the cA bit should not be set unless the > particular subject public key in the certificate can be used > to verify certificate signatures. If an authority is the > subject of a certificate and the particular public key of > that authority that is being certified is only to be used to > verify signatures on CRLs, then the cA bit should not be set. > > Dave > > At 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote: > > >David, sorry but I disagree with your assertions about X.509's > >position on this issue. Either by design or by accident, > X.509 requires that if CRLs are being issued, they are issued > by an 'authority'. Remember that the definition of > "authority" is "An entity responsible > > > >for the issuance of certificates". Much of the text in X.509 > predates OCSP or the concept of a validation authority, but I > do know that the quotes below are new text added within the > past couple of years with the intent of clarifying the role > of CAs with respect to CRLs. > > > >Clause 7.3 says: > > > >"An authority that issues certificates is required to state, > possibly through a published statement of their practices, > through the certificates themselves, or through some other > identified means, whether: > > > >- The certificates cannot be revoked; or > >- The certificates may be revoked by the same > certificate-issuing authority directly; or > >- The certificate-issuing authority authorizes a > different authority to perform revocation." > > > >further down in the same clause is the text: > > > >" > >An authority that issues and subsequently revokes certificates: > >a) may be required to maintain an audit record of its > revocation events for all certificate types issued by that > authority (e.g. public-key certificates, attribute > certificates issued to end-entities as well as other authorities); > > > >b) shall provide revocation status information to > relying parties using CRLs, on-line certificate status > protocol or some other mechanism for the publication of > revocation status information; > > > >c) if using CRLs, shall maintain and publish CRLs even > if the lists of revoked certificates are empty." > > > >The quotes that you included in your message tie in with > this base text, since the authority that issued the > certificates has these responsibilities around revocation, > there was no need for X.509 to state anything specific to CRL > issuance. In the indirect CRL case, this was envisioned to be > another CA or AA, that combined revocation notices from > several CAs/AAs. > > > >Having said that (with my X.509 editor's hat on), if there > is a requirement to have entities that are not CAs or AAs be > authorized to issue CRLs on behalf of the certificate issuer > (because remember that a CRL is an indication that a > certificate is no longer considered valid "by its > issuer")changes to X.509 would be needed. I'm not necessarily > opposed to such changes, I'm just clarifying, in this > message, that they would be needed in order for such > implementations to be conformant. This, as usual could be > done through the enhancements work or could be proposed > through the defect process. One way to enable that kind of > change might be to redefine authority and to talk about 3 > types rather than two. However, it would take some careful > review to ensure that the set of changes was thorough and complete. > > > >Sharon > > > > > -----Original Message----- > > > From: David A. Cooper > [<mailto:david.cooper@nist.gov>mailto:david.cooper@nist.gov] > > > Sent: Thursday, April 19, 2001 5:08 PM > > > To: ietf-pkix@imc.org > > > Subject: cA flag and CRL issuers (was Re: Last Call: > > > draft-ietf-pkix-new-part1-06.txt comments) > > > > > > > > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: > > > >Dave Cooper, > > > > > > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: > > > >>I see no basis in X.509 for setting the cA flag in > > > basicConstraints for certificate subjects that can issue CRLs > > > but not certificates. The current discussion about how to > > > deal with CRLs for attribute certificates vs. public key > > > certificates just further goes to show that it was a mistake > > > to suddenly change the rules at the last IETF meeting. > > > > > > > >We disagree on this point. Nowhere in X.509 or in previous > > > PKIX documents has there ever been text to suggest that other > > > than a CA can sign a CRL for a public key certificate. So, > > > the rules were not changed at the last meeting, they were > > > reasserted and clarified. > > > > > > Steve, > > > > > > You may say that X.509 and PKIX do not suggest that entities > > > other than CAs can sign CRLs. However, I think we all agree > > > that both X.509 and PKIX allow for a CRL to be signed with a > > > different key than the key used to sign the certificates that > > > are covered by that CRL. This may be a result of the CA that > > > issued the certificates signing the corresponding CRLs with a > > > different key or the CA that issued the certificates > > > delegating the CRL issuing to another entity (via the > > > distribution points extension). There is no requirement that > > > the key used to sign the CRL also be used to sign > > > certificates. So, I think we agree that there will be times > > > where we will be issuing certificates to entities (whether > > > those entities are CAs or not) where the intent is to specify > > > that the public keys in the certificates may be used to > > > verify signatures on CRLs but not on certificates. > > > > > > The only place we seem to disagree is on the contents of the > > > certificates issued in such circumstances. In particular, > > > should the certificates contain a basicConstraints extension > > > with the cA bit set? On this point, both X.509 and the > > > previous PKIX documents are quite clear that the cA bit > > > should not be set. Why? Because a CA is defined as an entity > > > that issues public-key certificates and both documents > > > similarly state that the cA bit is used to specify whether > > > the certificate subject can issue certificates. There is no > > > similar connection made between being a CA and issuing CRLs. > > > > > > > > > The following are some quotes from X.509 and pkix-new-part1-05: > > > > > > In X.509 a CA is defined as "[a]n authority trusted by one or > > > more users to create and assign public-key certificates." > > > > > > Section 7 of X.509 states that "[a] CA-certificate is a > > > certificate issued by a CA to a subject that is itself a CA > > > and therefore is capable of issuing public-key certificates." > > > > > > > > > The description of basic constraints in X.509 further > > > supports the idea that the cA bit is used to specify > > > certificate issuing, not certificate and/or CRL issuing: > > > > > > "This field indicates if the subject may act as a CA, with > > > the certified public key being used to verify certificate > > > signatures. ... The cA component indicates if the certified > > > public key may be used to verify certificate signatures. ... if > > > the value of cA is not set to true then the certified public > > > key shall not be used to verify a certificate signature" > > > > > > > > > pkix-new-part1-05 states something similar: > > > > > > "The cA bit indicates if the certified public key may be used > > > to verify signatures on other certificates. If the cA bit is > > > asserted, then the keyCertSign bit in the key usage extension > > > (see 4.2.1.3) MUST also be asserted. If the cA bit is not > > > asserted, then the keyCertSign bit in the key usage extension > > > MUST NOT be asserted." > > > > > > > > > The description of the key usage bits are consistent with > > > this as well. > > > > > > X.509: > > > "The bit keyCertSign is for use in CA-certificates only. If > > > KeyUsage is set to keyCertSign and the basic constraints > > > extension is present in the same certificate, the value of > > > the cA component of that extension shall be set to TRUE." > > > > > > pkix-new-part1-05: > > > "The keyCertSign bit is asserted when the subject public key > > > is used for verifying a signature on certificates. This bit > > > may only be asserted in CA certificates. If the keyCertSign > > > bit is asserted, then the cA bit in the basic constraints > > > extension (see 4.2.1.10) MUST also be asserted. If the > > > keyCertSign bit is not asserted, then the cA bit in the basic > > > constraints extension MUST NOT be asserted. > > > > > > The cRLSign bit is asserted when the subject public key is > > > used for verifying a signature on revocation information > > > (e.g., a CRL)." > > > > > > > > > > > > So, both X.509 and pkix-new-part1-05 go to great lengths to > > > clearly state that only CAs can issue certificates and that > > > basicConstraints with the cA bit set to true must be present > > > in the certificates where the public key is to be used to > > > verify signatures on certificates. There are no similar > > > statements about CRLs. In fact, both documents are quite > > > clear that the cA bit must not be set when the subject public > > > key can not be used to verify certificates. So, if the > > > subject public key can be used to verify CRLs, but not > > > certificates, the cA bit must not be set. > > > > > > X.509 is also careful not to preclude the public keys of > > > non-CAs from being used to verify signatures on CRLs. For > > > instance, an end entity is defined as "[a] certificate > > > subject that uses its private key for purposes other than > > > signing certificates or an entity that is a relying party." > > > This leaves room for an end entity to use its private key to > > > sign CRLs. > > > > > > > > > So, if PKIX wants to require that the cA bit be set whenever > > > the subject public key can be used to verify CRLs and also > > > wants to maintain consistency with X.509, PKIX would have to > > > require that any certificate authorizing the use of a public > > > key for verifying CRL signatures also authorize the use of > > > that public key for verifying certificate signatures. Since > > > we are in agreement that we do not want to impose such a > > > restriction and that we do want to maintain consistency with > > > X.509, we can not require that the cA bit be set when the > > > subject public key can only be used to verify CRL signatures. > > > > > > Dave > > > > > > > > ------=_NextPart_000_0018_01C0C98A.313376A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n = ew-part1-06.txt comments)</TITLE> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D128290618-20042001>Sharon,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D128290618-20042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D128290618-20042001>Much=20 of this question arose from how to deal with AC "authorities". I = don't=20 have access at the moment to the X. version of the AC draft (yes I know = I can=20 now get it), but do you believe that AC issuers and "revokers" need to = be=20 authorities in that the CA bit should be set for = them?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D128290618-20042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D128290618-20042001>jim</SPAN></FONT></DIV> <BLOCKQUOTE=20 style=3D"BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: = 0px; PADDING-LEFT: 5px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen=20 [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Friday, April 20, = 2001 9:57=20 AM<BR><B>To:</B> 'David A. Cooper'; = ietf-pkix@imc.org<BR><B>Subject:</B> RE:=20 cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n = ew-part1-06.txt=20 comments)<BR><BR></DIV></FONT> <P><FONT size=3D2>Just to be clear, lets not confuse what I may happen = to want=20 as </FONT><BR><FONT size=3D2>an individual contributor to PKIX or any = other=20 list, with what </FONT><BR><FONT size=3D2>I state as 509 editor = (they're not=20 necessarily always the same :-)</FONT> </P> <P><FONT size=3D2>My comments were purely from the editor's = perspective and yes,=20 </FONT><BR><FONT size=3D2>the current 509 text is quite clear that the = CA that=20 issues a </FONT><BR><FONT size=3D2>certificate is responsible for = stating=20 whether or not that certificate</FONT> <BR><FONT size=3D2>can be = revoked, and if=20 so, what mechanism is used to inform </FONT><BR><FONT size=3D2>relying = parties.=20 If that mechanism is CRLs, these are issued by </FONT><BR><FONT = size=3D2>the=20 certificate issuer or by another authority delegated that = </FONT><BR><FONT=20 size=3D2>task by the certificate issuer (that doesn't necessarily mean = that=20 </FONT><BR><FONT size=3D2>509 requires a cert to be issued to that = authority,=20 nor that the cert </FONT><BR><FONT size=3D2>contain the basic = constraints=20 extension though, that is the job of </FONT><BR><FONT size=3D2>profile = groups to=20 determine and incidentally I don't believe they'll </FONT><BR><FONT = size=3D2>all=20 adopt the same solution so I would want 509 to remain flexible). = </FONT></P> <P><FONT size=3D2>My own personal view is that industry has moved to a = point=20 where there </FONT><BR><FONT size=3D2>probably isn't any real = requirement for a=20 CRL issuer to also be a cert</FONT> <BR><FONT size=3D2>issuer as long = as that=20 CRL issuer is delegated that responsibility </FONT><BR><FONT = size=3D2>by the=20 cert issuer and there is a cryptographic way to ensure that = </FONT><BR><FONT=20 size=3D2>binding for relying parties. To achieve that, I believe some = changes=20 </FONT><BR><FONT size=3D2>are required in 509. </FONT></P> <P><FONT size=3D2>On the separate keys for cert and CRL signing (by = the same=20 authority), my </FONT><BR><FONT size=3D2>personal opinion is that = anything you=20 read into 509 text on that specific </FONT><BR><FONT size=3D2>topic = would be=20 accidental as I don't recall any specific discussion on it. = </FONT><BR><FONT=20 size=3D2>However, since that is a real world requirement, I would want = to be=20 sure </FONT><BR><FONT size=3D2>that 509 did not prohibit it.</FONT> = </P> <P><FONT size=3D2>Hope that clarifies where my comments are coming = from :-)=20 </FONT><BR><FONT size=3D2> </FONT></P> <P><FONT size=3D2>> -----Original Message-----</FONT> <BR><FONT = size=3D2>>=20 From: David A. Cooper [<A=20 = href=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</= FONT>=20 <BR><FONT size=3D2>> Sent: Friday, April 20, 2001 11:44 AM</FONT> = <BR><FONT=20 size=3D2>> To: ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>> = Subject: RE: cA=20 flag and CRL issuers (was Re: Last Call:</FONT> <BR><FONT = size=3D2>>=20 draft-ietf-pkix-n ew-part1-06.txt comments)</FONT> <BR><FONT = size=3D2>>=20 </FONT><BR><FONT size=3D2>> </FONT><BR><FONT size=3D2>> = Sharon,</FONT>=20 <BR><FONT size=3D2>> </FONT><BR><FONT size=3D2>> Are you = suggesting that in=20 order for an entity to issue CRLs </FONT><BR><FONT size=3D2>> on = behalf of a=20 certificate issuer, that CRL issuer would need </FONT><BR><FONT = size=3D2>> to=20 issue certificates as well (so that it can qualify as an = </FONT><BR><FONT=20 size=3D2>> authority)? I don't think there should be such a=20 </FONT><BR><FONT size=3D2>> requirement, but even if there were it = wouldn't=20 settle the issue.</FONT> <BR><FONT size=3D2>> </FONT><BR><FONT = size=3D2>>=20 Even if only authorities can issue CRLs, there is nothing to = </FONT><BR><FONT=20 size=3D2>> prevent that authority from using different keys to sign = </FONT><BR><FONT size=3D2>> certificates and CRLs. X.509 = states that=20 "[t]he cA component </FONT><BR><FONT size=3D2>> indicates if the = certified=20 public key may be used to verify </FONT><BR><FONT size=3D2>> = certificate=20 signatures." So, the proper value of the cA bit </FONT><BR><FONT = size=3D2>> is determined by the allowable uses of the subject = public=20 </FONT><BR><FONT size=3D2>> key, not by the type of entity the = subject=20 is. So, even if </FONT><BR><FONT size=3D2>> the certificate = subject is=20 a CA, and issues certificates </FONT><BR><FONT size=3D2>> under = some key, the=20 cA bit should not be set unless the </FONT><BR><FONT size=3D2>> = particular=20 subject public key in the certificate can be used </FONT><BR><FONT = size=3D2>>=20 to verify certificate signatures. If an authority is the = </FONT><BR><FONT=20 size=3D2>> subject of a certificate and the particular public key = of=20 </FONT><BR><FONT size=3D2>> that authority that is being certified = is only to=20 be used to </FONT><BR><FONT size=3D2>> verify signatures on CRLs, = then the cA=20 bit should not be set.</FONT> <BR><FONT size=3D2>> </FONT><BR><FONT = size=3D2>> Dave</FONT> <BR><FONT size=3D2>> </FONT><BR><FONT = size=3D2>> At=20 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote:</FONT> <BR><FONT = size=3D2>>=20 </FONT><BR><FONT size=3D2>> >David, sorry but I disagree with = your=20 assertions about X.509's </FONT><BR><FONT size=3D2>> >position = on this=20 issue. Either by design or by accident, </FONT><BR><FONT size=3D2>> = X.509=20 requires that if CRLs are being issued, they are issued = </FONT><BR><FONT=20 size=3D2>> by an 'authority'. Remember that the definition of=20 </FONT><BR><FONT size=3D2>> "authority" is "An entity responsible=20 </FONT><BR><FONT size=3D2>> ></FONT> <BR><FONT size=3D2>> = >for the=20 issuance of certificates". Much of the text in X.509 </FONT><BR><FONT=20 size=3D2>> predates OCSP or the concept of a validation authority, = but I=20 </FONT><BR><FONT size=3D2>> do know that the quotes below are new = text added=20 within the </FONT><BR><FONT size=3D2>> past couple of years with = the intent=20 of clarifying the role </FONT><BR><FONT size=3D2>> of CAs with = respect to=20 CRLs.</FONT> <BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>>=20 >Clause 7.3 says: </FONT><BR><FONT size=3D2>> ></FONT> = <BR><FONT=20 size=3D2>> >"An authority that issues certificates is required = to state,=20 </FONT><BR><FONT size=3D2>> possibly through a published statement = of their=20 practices, </FONT><BR><FONT size=3D2>> through the certificates = themselves,=20 or through some other </FONT><BR><FONT size=3D2>> identified means, = whether:</FONT> <BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>>=20 >- The certificates cannot be = revoked;=20 or </FONT><BR><FONT size=3D2>> = >- The=20 certificates may be revoked by the same </FONT><BR><FONT size=3D2>> = certificate-issuing authority directly; or </FONT><BR><FONT = size=3D2>>=20 >- The certificate-issuing = authority=20 authorizes a </FONT><BR><FONT size=3D2>> different authority to = perform=20 revocation." </FONT><BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>>=20 >further down in the same clause is the text: </FONT><BR><FONT = size=3D2>>=20 ></FONT> <BR><FONT size=3D2>> >" </FONT><BR><FONT = size=3D2>> >An=20 authority that issues and subsequently revokes certificates: = </FONT><BR><FONT=20 size=3D2>> >a) may be required to = maintain=20 an audit record of its </FONT><BR><FONT size=3D2>> revocation = events for all=20 certificate types issued by that </FONT><BR><FONT size=3D2>> = authority (e.g.=20 public-key certificates, attribute </FONT><BR><FONT size=3D2>> = certificates=20 issued to end-entities as well as other authorities);</FONT> <BR><FONT = size=3D2>> ></FONT> <BR><FONT size=3D2>>=20 >b) shall provide revocation status=20 information to </FONT><BR><FONT size=3D2>> relying parties using = CRLs,=20 on-line certificate status </FONT><BR><FONT size=3D2>> protocol or = some other=20 mechanism for the publication of </FONT><BR><FONT size=3D2>> = revocation=20 status information;</FONT> <BR><FONT size=3D2>> ></FONT> = <BR><FONT=20 size=3D2>> >c) if using CRLs, = shall maintain=20 and publish CRLs even </FONT><BR><FONT size=3D2>> if the lists of = revoked=20 certificates are empty." </FONT><BR><FONT size=3D2>> ></FONT> = <BR><FONT=20 size=3D2>> >The quotes that you included in your message tie in = with=20 </FONT><BR><FONT size=3D2>> this base text, since the authority = that issued=20 the </FONT><BR><FONT size=3D2>> certificates has these = responsibilities=20 around revocation, </FONT><BR><FONT size=3D2>> there was no need = for X.509 to=20 state anything specific to CRL </FONT><BR><FONT size=3D2>> = issuance. In the=20 indirect CRL case, this was envisioned to be </FONT><BR><FONT = size=3D2>>=20 another CA or AA, that combined revocation notices from = </FONT><BR><FONT=20 size=3D2>> several CAs/AAs. </FONT><BR><FONT size=3D2>> = ></FONT>=20 <BR><FONT size=3D2>> >Having said that (with my X.509 editor's = hat on), if=20 there </FONT><BR><FONT size=3D2>> is a requirement to have entities = that are=20 not CAs or AAs be </FONT><BR><FONT size=3D2>> authorized to issue = CRLs on=20 behalf of the certificate issuer </FONT><BR><FONT size=3D2>> = (because=20 remember that a CRL is an indication that a </FONT><BR><FONT = size=3D2>>=20 certificate is no longer considered valid "by its </FONT><BR><FONT = size=3D2>>=20 issuer")changes to X.509 would be needed. I'm not necessarily = </FONT><BR><FONT=20 size=3D2>> opposed to such changes, I'm just clarifying, in this=20 </FONT><BR><FONT size=3D2>> message, that they would be needed in = order for=20 such </FONT><BR><FONT size=3D2>> implementations to be conformant. = This, as=20 usual could be </FONT><BR><FONT size=3D2>> done through the = enhancements work=20 or could be proposed </FONT><BR><FONT size=3D2>> through the defect = process.=20 One way to enable that kind of </FONT><BR><FONT size=3D2>> change = might be to=20 redefine authority and to talk about 3 </FONT><BR><FONT size=3D2>> = types=20 rather than two. However, it would take some careful </FONT><BR><FONT=20 size=3D2>> review to ensure that the set of changes was thorough = and=20 complete.</FONT> <BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>>=20 >Sharon </FONT><BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>> >=20 > -----Original Message----- </FONT><BR><FONT size=3D2>> > = > From:=20 David A. Cooper </FONT><BR><FONT size=3D2>> [<<A=20 = href=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>>= ;<A=20 = href=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]=20 </FONT><BR><FONT size=3D2>> > > Sent: Thursday, April 19, = 2001 5:08 PM=20 </FONT><BR><FONT size=3D2>> > > To: ietf-pkix@imc.org = </FONT><BR><FONT=20 size=3D2>> > > Subject: cA flag and CRL issuers (was Re: Last = Call:=20 </FONT><BR><FONT size=3D2>> > > = draft-ietf-pkix-new-part1-06.txt=20 comments) </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>>=20 > > </FONT><BR><FONT size=3D2>> > > At 07:17 PM 4/18/01 = -0400,=20 Stephen Kent wrote: </FONT><BR><FONT size=3D2>> > > >Dave = Cooper,=20 </FONT><BR><FONT size=3D2>> > > > </FONT><BR><FONT = size=3D2>> >=20 > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote:=20 </FONT><BR><FONT size=3D2>> > > >>I see no basis in = X.509 for=20 setting the cA flag in </FONT><BR><FONT size=3D2>> > > = basicConstraints=20 for certificate subjects that can issue CRLs </FONT><BR><FONT = size=3D2>> >=20 > but not certificates. The current discussion about how to=20 </FONT><BR><FONT size=3D2>> > > deal with CRLs for attribute=20 certificates vs. public key </FONT><BR><FONT size=3D2>> > >=20 certificates just further goes to show that it was a mistake = </FONT><BR><FONT=20 size=3D2>> > > to suddenly change the rules at the last IETF = meeting.=20 </FONT><BR><FONT size=3D2>> > > > </FONT><BR><FONT = size=3D2>> >=20 > >We disagree on this point. Nowhere in X.509 or in previous=20 </FONT><BR><FONT size=3D2>> > > PKIX documents has there ever = been text=20 to suggest that other </FONT><BR><FONT size=3D2>> > > than a = CA can=20 sign a CRL for a public key certificate. So, </FONT><BR><FONT = size=3D2>> >=20 > the rules were not changed at the last meeting, they were=20 </FONT><BR><FONT size=3D2>> > > reasserted and clarified.=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> > >=20 Steve, </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>>=20 > > You may say that X.509 and PKIX do not suggest that entities = </FONT><BR><FONT size=3D2>> > > other than CAs can sign CRLs. = However,=20 I think we all agree </FONT><BR><FONT size=3D2>> > > that = both X.509=20 and PKIX allow for a CRL to be signed with a </FONT><BR><FONT = size=3D2>> >=20 > different key than the key used to sign the certificates that=20 </FONT><BR><FONT size=3D2>> > > are covered by that CRL. This = may be a=20 result of the CA that </FONT><BR><FONT size=3D2>> > > issued = the=20 certificates signing the corresponding CRLs with a </FONT><BR><FONT=20 size=3D2>> > > different key or the CA that issued the = certificates=20 </FONT><BR><FONT size=3D2>> > > delegating the CRL issuing to = another=20 entity (via the </FONT><BR><FONT size=3D2>> > > distribution = points=20 extension). There is no requirement that </FONT><BR><FONT = size=3D2>> >=20 > the key used to sign the CRL also be used to sign = </FONT><BR><FONT=20 size=3D2>> > > certificates. So, I think we agree that there = will be=20 times </FONT><BR><FONT size=3D2>> > > where we will be = issuing=20 certificates to entities (whether </FONT><BR><FONT size=3D2>> > = > those=20 entities are CAs or not) where the intent is to specify = </FONT><BR><FONT=20 size=3D2>> > > that the public keys in the certificates may = be used to=20 </FONT><BR><FONT size=3D2>> > > verify signatures on CRLs but = not on=20 certificates. </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT=20 size=3D2>> > > The only place we seem to disagree is on the = contents of=20 the </FONT><BR><FONT size=3D2>> > > certificates issued in = such=20 circumstances. In particular, </FONT><BR><FONT size=3D2>> > > = should=20 the certificates contain a basicConstraints extension </FONT><BR><FONT = size=3D2>> > > with the cA bit set? On this point, both X.509 = and the=20 </FONT><BR><FONT size=3D2>> > > previous PKIX documents are = quite clear=20 that the cA bit </FONT><BR><FONT size=3D2>> > > should not be = set. Why?=20 Because a CA is defined as an entity </FONT><BR><FONT size=3D2>> = > >=20 that issues public-key certificates and both documents = </FONT><BR><FONT=20 size=3D2>> > > similarly state that the cA bit is used to = specify=20 whether </FONT><BR><FONT size=3D2>> > > the certificate = subject can=20 issue certificates. There is no </FONT><BR><FONT size=3D2>> > = > similar=20 connection made between being a CA and issuing CRLs. </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT=20 size=3D2>> > > The following are some quotes from X.509 and=20 pkix-new-part1-05: </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT=20 size=3D2>> > > In X.509 a CA is defined as "[a]n authority = trusted by=20 one or </FONT><BR><FONT size=3D2>> > > more users to create = and assign=20 public-key certificates." </FONT><BR><FONT size=3D2>> > >=20 </FONT><BR><FONT size=3D2>> > > Section 7 of X.509 states = that "[a]=20 CA-certificate is a </FONT><BR><FONT size=3D2>> > > = certificate issued=20 by a CA to a subject that is itself a CA </FONT><BR><FONT = size=3D2>> >=20 > and therefore is capable of issuing public-key certificates."=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> > >=20 </FONT><BR><FONT size=3D2>> > > The description of basic = constraints in=20 X.509 further </FONT><BR><FONT size=3D2>> > > supports the = idea that=20 the cA bit is used to specify </FONT><BR><FONT size=3D2>> > > = certificate issuing, not certificate and/or CRL issuing: = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > "This = field=20 indicates if the subject may act as a CA, with </FONT><BR><FONT = size=3D2>>=20 > > the certified public key being used to verify certificate=20 </FONT><BR><FONT size=3D2>> > > signatures. ... The cA = component=20 indicates if the certified </FONT><BR><FONT size=3D2>> > > = public key=20 may be used to verify certificate signatures. ... if </FONT><BR><FONT=20 size=3D2>> > > the value of cA is not set to true then the = certified=20 public </FONT><BR><FONT size=3D2>> > > key shall not be used = to verify=20 a certificate signature" </FONT><BR><FONT size=3D2>> > >=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> > >=20 pkix-new-part1-05 states something similar: </FONT><BR><FONT = size=3D2>> >=20 > </FONT><BR><FONT size=3D2>> > > "The cA bit indicates if = the=20 certified public key may be used </FONT><BR><FONT size=3D2>> > = > to=20 verify signatures on other certificates. If the cA bit is = </FONT><BR><FONT=20 size=3D2>> > > asserted, then the keyCertSign bit in the key = usage=20 extension </FONT><BR><FONT size=3D2>> > > (see 4.2.1.3) MUST = also be=20 asserted. If the cA bit is not </FONT><BR><FONT size=3D2>> > = >=20 asserted, then the keyCertSign bit in the key usage extension = </FONT><BR><FONT=20 size=3D2>> > > MUST NOT be asserted." </FONT><BR><FONT = size=3D2>> >=20 > </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> >=20 > The description of the key usage bits are consistent with=20 </FONT><BR><FONT size=3D2>> > > this as well. = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = X.509:=20 </FONT><BR><FONT size=3D2>> > > "The bit keyCertSign is for = use in=20 CA-certificates only. If </FONT><BR><FONT size=3D2>> > > = KeyUsage is=20 set to keyCertSign and the basic constraints </FONT><BR><FONT = size=3D2>> >=20 > extension is present in the same certificate, the value of=20 </FONT><BR><FONT size=3D2>> > > the cA component of that = extension=20 shall be set to TRUE." </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT=20 size=3D2>> > > pkix-new-part1-05: </FONT><BR><FONT = size=3D2>> >=20 > "The keyCertSign bit is asserted when the subject public key=20 </FONT><BR><FONT size=3D2>> > > is used for verifying a = signature on=20 certificates. This bit </FONT><BR><FONT size=3D2>> > > = may only=20 be asserted in CA certificates. If the keyCertSign = </FONT><BR><FONT=20 size=3D2>> > > bit is asserted, then the cA bit in the basic=20 constraints </FONT><BR><FONT size=3D2>> > > extension (see = 4.2.1.10)=20 MUST also be asserted. If the </FONT><BR><FONT size=3D2>> > > = keyCertSign bit is not asserted, then the cA bit in the basic = </FONT><BR><FONT=20 size=3D2>> > > constraints extension MUST NOT be asserted.=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> > >=20 The cRLSign bit is asserted when the subject public key is = </FONT><BR><FONT=20 size=3D2>> > > used for verifying a signature on revocation = information=20 </FONT><BR><FONT size=3D2>> > > (e.g., a CRL)." = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > So, = both X.509=20 and pkix-new-part1-05 go to great lengths to </FONT><BR><FONT = size=3D2>> >=20 > clearly state that only CAs can issue certificates and that=20 </FONT><BR><FONT size=3D2>> > > basicConstraints with the cA = bit set to=20 true must be present </FONT><BR><FONT size=3D2>> > > in the=20 certificates where the public key is to be used to </FONT><BR><FONT=20 size=3D2>> > > verify signatures on certificates. There are = no similar=20 </FONT><BR><FONT size=3D2>> > > statements about CRLs. In = fact, both=20 documents are quite </FONT><BR><FONT size=3D2>> > > clear = that the cA=20 bit must not be set when the subject public </FONT><BR><FONT = size=3D2>> >=20 > key can not be used to verify certificates. So, if the = </FONT><BR><FONT=20 size=3D2>> > > subject public key can be used to verify CRLs, = but not=20 </FONT><BR><FONT size=3D2>> > > certificates, the cA bit must = not be=20 set. </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> >=20 > X.509 is also careful not to preclude the public keys of = </FONT><BR><FONT=20 size=3D2>> > > non-CAs from being used to verify signatures = on CRLs.=20 For </FONT><BR><FONT size=3D2>> > > instance, an end entity = is defined=20 as "[a] certificate </FONT><BR><FONT size=3D2>> > > subject = that uses=20 its private key for purposes other than </FONT><BR><FONT size=3D2>> = > >=20 signing certificates or an entity that is a relying party." = </FONT><BR><FONT=20 size=3D2>> > > This leaves room for an end entity to use its = private=20 key to </FONT><BR><FONT size=3D2>> > > sign CRLs. = </FONT><BR><FONT=20 size=3D2>> > > </FONT><BR><FONT size=3D2>> > > = </FONT><BR><FONT=20 size=3D2>> > > So, if PKIX wants to require that the cA bit = be set=20 whenever </FONT><BR><FONT size=3D2>> > > the subject public = key can be=20 used to verify CRLs and also </FONT><BR><FONT size=3D2>> > > = wants to=20 maintain consistency with X.509, PKIX would have to </FONT><BR><FONT=20 size=3D2>> > > require that any certificate authorizing the = use of a=20 public </FONT><BR><FONT size=3D2>> > > key for verifying CRL = signatures=20 also authorize the use of </FONT><BR><FONT size=3D2>> > > = that public=20 key for verifying certificate signatures. Since </FONT><BR><FONT = size=3D2>>=20 > > we are in agreement that we do not want to impose such a=20 </FONT><BR><FONT size=3D2>> > > restriction and that we do = want to=20 maintain consistency with </FONT><BR><FONT size=3D2>> > > = X.509, we can=20 not require that the cA bit be set when the </FONT><BR><FONT = size=3D2>> >=20 > subject public key can only be used to verify CRL signatures.=20 </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> > >=20 Dave </FONT><BR><FONT size=3D2>> > > </FONT><BR><FONT = size=3D2>> >=20 > </FONT><BR><FONT size=3D2>> </FONT><BR><FONT size=3D2>>=20 </FONT></P></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0018_01C0C98A.313376A0-- Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA28541 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 10:39:00 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 2LAW53F4; Fri, 20 Apr 2001 10:34:20 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net>, "Sharon Boeyen" <sharon.boeyen@entrust.com> Cc: <ietf-pkix@imc.org> Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Date: Fri, 20 Apr 2001 10:37:58 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGKEONCDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <3AE06FBB.347085FA@bull.net> Denis said: "In an open architecture where clients do not know where to fetch the revocation information unless using "out-of-bands" means, if a CA wants to revoke the authorities in charge of revocation status information (i.e. CRL Issuers or OCSP responders) they is no other way than using directly the issuing CA key." [Carlin]: I agree. But now that the CRL Issuer's or OCSP responder's certificate has been revoked, what do the Relying Parties do? It seems that they should now look for a CRL issued by the CA, but I haven't found any document that mandates this behavior on the part of the Relying Parties. Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA27745 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 10:29:01 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA19911; Fri, 20 Apr 2001 13:28:44 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010410b7051d55d9b1@[128.33.4.39]> In-Reply-To: <4.2.2.20010419092845.00ae0920@email.nist.gov> References: <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> Date: Fri, 20 Apr 2001 13:31:19 -0400 To: "David A. Cooper" <david.cooper@nist.gov> From: Stephen Kent <kent@bbn.com> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="iso-8859-1" ; format="flowed" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id KAA27746 At 5:08 PM -0400 4/19/01, David A. Cooper wrote: >At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: >>Dave Cooper, >> >>>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: >>>I see no basis in X.509 for setting the cA flag in >>>basicConstraints for certificate subjects that can issue CRLs but >>>not certificates. The current discussion about how to deal with >>>CRLs for attribute certificates vs. public key certificates just >>>further goes to show that it was a mistake to suddenly change the >>>rules at the last IETF meeting. >> >>We disagree on this point. Nowhere in X.509 or in previous PKIX >>documents has there ever been text to suggest that other than a CA >>can sign a CRL for a public key certificate. So, the rules were not >>changed at the last meeting, they were reasserted and clarified. > >Steve, > >You may say that X.509 and PKIX do not suggest that entities other >than CAs can sign CRLs. Sharon has explained what X.509 stated re this topic and it is clear, although the wording might be improved. PKIX had the same notion, but was too concise and a bit oblique in its wording. >However, I think we all agree that both X.509 and PKIX allow for a >CRL to be signed with a different key than the key used to sign the >certificates that are covered by that CRL. yes. >This may be a result of the CA that issued the certificates signing >the corresponding CRLs with a different key or the CA that issued >the certificates delegating the CRL issuing to another entity (via >the distribution points extension). yes. >There is no requirement that the key used to sign the CRL also be >used to sign certificates. So, I think we agree that there will be >times where we will be issuing certificates to entities (whether >those entities are CAs or not) where the intent is to specify that >the public keys in the certificates may be used to verify signatures >on CRLs but not on certificates. yes. >The only place we seem to disagree is on the contents of the >certificates issued in such circumstances. In particular, should the >certificates contain a basicConstraints extension with the cA bit >set? On this point, both X.509 and the previous PKIX documents are >quite clear that the cA bit should not be set. Why? Because a CA is >defined as an entity that issues public-key certificates and both >documents similarly state that the cA bit is used to specify whether >the certificate subject can issue certificates. There is no similar >connection made between being a CA and issuing CRLs. We disagree here. >The following are some quotes from X.509 and pkix-new-part1-05: > >In X.509 a CA is defined as "[a]n authority trusted by one or more >users to create and assign public-key certificates." > >Section 7 of X.509 states that "[a] CA-certificate is a certificate >issued by a CA to a subject that is itself a CA and therefore is >capable of issuing public-key certificates." These definitions address the cert issuing aspect of a CA, but the fact that they don't address the revocation responsibilities of a CA does not mean that other than a CA issues CRLs. Prior to the introduction of CRL DPs and indirect CRLs, there was no way for other than a CA to issue a CRL. I have seen no text introduced along with v3 certs and v2 CRLs to suggest the existence of a non-CA entity that signs CRLs, and that suggests that CRL signing is still the province of CAs, not of some other class of as yet unnamed entities. >The description of basic constraints in X.509 further supports the >idea that the cA bit is used to specify certificate issuing, not >certificate and/or CRL issuing: > >"This field indicates if the subject may act as a CA, with the >certified public key being used to verify certificate signatures. Â… >The cA component indicates if the certified public key may be used >to verify certificate signatures. Â… if the value of cA is not set to >true then the certified public key shall not be used to verify a >certificate signature" > > >pkix-new-part1-05 states something similar: > >"The cA bit indicates if the certified public key may be used to >verify signatures on other certificates. If the cA bit is asserted, >then the keyCertSign bit in the key usage extension (see 4.2.1.3) >MUST also be asserted. If the cA bit is not asserted, then the >keyCertSign bit in the key usage extension MUST NOT be asserted." again, this supports the notion that a CA signs certs, but it says nothing about whether a CA or some other entity signs CRLs. We have uncovered a number of instances where less than perfect wording has lead to confusion and our recent dialogue suggests that some of the quotes you cite are examples of this. >The description of the key usage bits are consistent with this as well. > >X.509: >"The bit keyCertSign is for use in CA-certificates only. If KeyUsage >is set to keyCertSign and the basic constraints extension is present >in the same certificate, the value of the cA component of that >extension shall be set to TRUE." > >pkix-new-part1-05: >"The keyCertSign bit is asserted when the subject public key is used >for verifying a signature on certificates. This bit may only be >asserted in CA certificates. If the keyCertSign bit is asserted, >then the cA bit in the basic constraints extension (see 4.2.1.10) >MUST also be asserted. If the keyCertSign bit is not asserted, then >the cA bit in the basic constraints extension MUST NOT be asserted. > >The cRLSign bit is asserted when the subject public key is used for >verifying a signature on revocation information (e.g., a CRL)." You have conveniently omitted the various parts of the 2459 and 2459 bis text that refer to what a CA must do to comply with the RFC when it signs CRLs, quotes that have been distributed on this list earlier but which do not support your position. >So, both X.509 and pkix-new-part1-05 go to great lengths to clearly >state that only CAs can issue certificates and that basicConstraints >with the cA bit set to true must be present in the certificates >where the public key is to be used to verify signatures on >certificates. There are no similar statements about CRLs. In fact, >both documents are quite clear that the cA bit must not be set when >the subject public key can not be used to verify certificates. So, >if the subject public key can be used to verify CRLs, but not >certificates, the cA bit must not be set. The text was inconsistent in this regard and we are fixing it. >X.509 is also careful not to preclude the public keys of non-CAs >from being used to verify signatures on CRLs. For instance, an end >entity is defined as "[a] certificate subject that uses its private >key for purposes other than signing certificates or an entity that >is a relying party." This leaves room for an end entity to use its >private key to sign CRLs. True, the quoted text does not prohibit an EE from signing a CRL, but that is far from supporting the notion that other than CAs do sign CRLs. The fact that CRL signing is in no way mentioned here undermines the argument I think you are trying to make. >So, if PKIX wants to require that the cA bit be set whenever the >subject public key can be used to verify CRLs and also wants to >maintain consistency with X.509, PKIX would have to require that any >certificate authorizing the use of a public key for verifying CRL >signatures also authorize the use of that public key for verifying >certificate signatures. Since we are in agreement that we do not >want to impose such a restriction and that we do want to maintain >consistency with X.509, we can not require that the cA bit be set >when the subject public key can only be used to verify CRL >signatures. Dave, as Sharon pointed out, this is NOT just a PKIX issue; it would require changes to X.509 as well. Like Sharon, I am not opposed to making such changes, if folks want to delay 2459 bis for this, and if there is a consensus, but there is ample evidence that neither X.509 nor PKIX has ever envisioned EEs signing CRLs. You've heard this from both editors in previous messages. Steve Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA27053 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 10:20:25 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id TAA28374; Fri, 20 Apr 2001 19:20:04 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id TAA16586; Fri, 20 Apr 2001 19:19:51 +0200 Message-ID: <3AE06FBB.347085FA@bull.net> Date: Fri, 20 Apr 2001 19:19:55 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Sharon Boeyen <sharon.boeyen@entrust.com> CC: ietf-pkix@imc.org Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FAF@sottmxs09.entrust.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sharon, > Just to be clear, lets not confuse what I may happen to want as > an individual contributor to PKIX or any other list, with what > I state as 509 editor (they're not necessarily always the same :-) :-) > My comments were purely from the editor's perspective and yes, > the current 509 text is quite clear that the CA that issues a > certificate is responsible for stating whether or not that certificate > can be revoked, and if so, what mechanism is used to inform > relying parties. If that mechanism is CRLs, these are issued by > the certificate issuer or by another authority delegated that > task by the certificate issuer (that doesn't necessarily mean that > 509 requires a cert to be issued to that authority, nor that the cert > contain the basic constraints extension though, that is the job of > profile groups to determine and incidentally I don't believe they'll > all adopt the same solution so I would want 509 to remain flexible). > > My own personal view is that industry has moved to a point where there > probably isn't any real requirement for a CRL issuer to also be a cert > issuer as long as that CRL issuer is delegated that responsibility > by the cert issuer and there is a cryptographic way to ensure that > binding for relying parties. To achieve that, I believe some changes > are required in 509. Since I now understand that "CRL" is the generic term to designate any type of CRL and would like to moderate your statement. As I have explained yesterday while replying to Russ (I know that you cannot look at every message), I would make an exception for ARLs. By ARLs I mean an Authority Revocation List where the authorities are not only CAs but more important CRL Issuers and OCSP responders. In an open architecture where clients do not know where to fetch the revocation information unless using "out-of-bands" means, if a CA wants to revoke the authorities in charge of revocation status information (i.e. CRL Issuers or OCSP responders) they is no other way than using directly the issuing CA key. I would like to make sure that the text from "son-of-RFC2459" takes care of that aspect. Now, if X509 can also take care of this aspect, this would be nice as well. :-) Regards, Denis > On the separate keys for cert and CRL signing (by the same authority), my > personal opinion is that anything you read into 509 text on that specific > topic would be accidental as I don't recall any specific discussion on it. > > However, since that is a real world requirement, I would want to be sure > that 509 did not prohibit it. > > Hope that clarifies where my comments are coming from :-) > > > > -----Original Message----- > > From: David A. Cooper [mailto:david.cooper@nist.gov] > > Sent: Friday, April 20, 2001 11:44 AM > > To: ietf-pkix@imc.org > > Subject: RE: cA flag and CRL issuers (was Re: Last Call: > > draft-ietf-pkix-n ew-part1-06.txt comments) > > > > > > Sharon, > > > > Are you suggesting that in order for an entity to issue CRLs > > on behalf of a certificate issuer, that CRL issuer would need > > to issue certificates as well (so that it can qualify as an > > authority)? I don't think there should be such a > > requirement, but even if there were it wouldn't settle the issue. > > > > Even if only authorities can issue CRLs, there is nothing to > > prevent that authority from using different keys to sign > > certificates and CRLs. X.509 states that "[t]he cA component > > indicates if the certified public key may be used to verify > > certificate signatures." So, the proper value of the cA bit > > is determined by the allowable uses of the subject public > > key, not by the type of entity the subject is. So, even if > > the certificate subject is a CA, and issues certificates > > under some key, the cA bit should not be set unless the > > particular subject public key in the certificate can be used > > to verify certificate signatures. If an authority is the > > subject of a certificate and the particular public key of > > that authority that is being certified is only to be used to > > verify signatures on CRLs, then the cA bit should not be set. > > > > Dave > > > > At 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote: > > > > >David, sorry but I disagree with your assertions about X.509's > > >position on this issue. Either by design or by accident, > > X.509 requires that if CRLs are being issued, they are issued > > by an 'authority'. Remember that the definition of > > "authority" is "An entity responsible > > > > > >for the issuance of certificates". Much of the text in X.509 > > predates OCSP or the concept of a validation authority, but I > > do know that the quotes below are new text added within the > > past couple of years with the intent of clarifying the role > > of CAs with respect to CRLs. > > > > > >Clause 7.3 says: > > > > > >"An authority that issues certificates is required to state, > > possibly through a published statement of their practices, > > through the certificates themselves, or through some other > > identified means, whether: > > > > > >- The certificates cannot be revoked; or > > >- The certificates may be revoked by the same > > certificate-issuing authority directly; or > > >- The certificate-issuing authority authorizes a > > different authority to perform revocation." > > > > > >further down in the same clause is the text: > > > > > >" > > >An authority that issues and subsequently revokes certificates: > > >a) may be required to maintain an audit record of its > > revocation events for all certificate types issued by that > > authority (e.g. public-key certificates, attribute > > certificates issued to end-entities as well as other authorities); > > > > > >b) shall provide revocation status information to > > relying parties using CRLs, on-line certificate status > > protocol or some other mechanism for the publication of > > revocation status information; > > > > > >c) if using CRLs, shall maintain and publish CRLs even > > if the lists of revoked certificates are empty." > > > > > >The quotes that you included in your message tie in with > > this base text, since the authority that issued the > > certificates has these responsibilities around revocation, > > there was no need for X.509 to state anything specific to CRL > > issuance. In the indirect CRL case, this was envisioned to be > > another CA or AA, that combined revocation notices from > > several CAs/AAs. > > > > > >Having said that (with my X.509 editor's hat on), if there > > is a requirement to have entities that are not CAs or AAs be > > authorized to issue CRLs on behalf of the certificate issuer > > (because remember that a CRL is an indication that a > > certificate is no longer considered valid "by its > > issuer")changes to X.509 would be needed. I'm not necessarily > > opposed to such changes, I'm just clarifying, in this > > message, that they would be needed in order for such > > implementations to be conformant. This, as usual could be > > done through the enhancements work or could be proposed > > through the defect process. One way to enable that kind of > > change might be to redefine authority and to talk about 3 > > types rather than two. However, it would take some careful > > review to ensure that the set of changes was thorough and complete. > > > > > >Sharon > > > > > > > -----Original Message----- > > > > From: David A. Cooper > > [<mailto:david.cooper@nist.gov>mailto:david.cooper@nist.gov] > > > > Sent: Thursday, April 19, 2001 5:08 PM > > > > To: ietf-pkix@imc.org > > > > Subject: cA flag and CRL issuers (was Re: Last Call: > > > > draft-ietf-pkix-new-part1-06.txt comments) > > > > > > > > > > > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: > > > > >Dave Cooper, > > > > > > > > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: > > > > >>I see no basis in X.509 for setting the cA flag in > > > > basicConstraints for certificate subjects that can issue CRLs > > > > but not certificates. The current discussion about how to > > > > deal with CRLs for attribute certificates vs. public key > > > > certificates just further goes to show that it was a mistake > > > > to suddenly change the rules at the last IETF meeting. > > > > > > > > > >We disagree on this point. Nowhere in X.509 or in previous > > > > PKIX documents has there ever been text to suggest that other > > > > than a CA can sign a CRL for a public key certificate. So, > > > > the rules were not changed at the last meeting, they were > > > > reasserted and clarified. > > > > > > > > Steve, > > > > > > > > You may say that X.509 and PKIX do not suggest that entities > > > > other than CAs can sign CRLs. However, I think we all agree > > > > that both X.509 and PKIX allow for a CRL to be signed with a > > > > different key than the key used to sign the certificates that > > > > are covered by that CRL. This may be a result of the CA that > > > > issued the certificates signing the corresponding CRLs with a > > > > different key or the CA that issued the certificates > > > > delegating the CRL issuing to another entity (via the > > > > distribution points extension). There is no requirement that > > > > the key used to sign the CRL also be used to sign > > > > certificates. So, I think we agree that there will be times > > > > where we will be issuing certificates to entities (whether > > > > those entities are CAs or not) where the intent is to specify > > > > that the public keys in the certificates may be used to > > > > verify signatures on CRLs but not on certificates. > > > > > > > > The only place we seem to disagree is on the contents of the > > > > certificates issued in such circumstances. In particular, > > > > should the certificates contain a basicConstraints extension > > > > with the cA bit set? On this point, both X.509 and the > > > > previous PKIX documents are quite clear that the cA bit > > > > should not be set. Why? Because a CA is defined as an entity > > > > that issues public-key certificates and both documents > > > > similarly state that the cA bit is used to specify whether > > > > the certificate subject can issue certificates. There is no > > > > similar connection made between being a CA and issuing CRLs. > > > > > > > > > > > > The following are some quotes from X.509 and pkix-new-part1-05: > > > > > > > > In X.509 a CA is defined as "[a]n authority trusted by one or > > > > more users to create and assign public-key certificates." > > > > > > > > Section 7 of X.509 states that "[a] CA-certificate is a > > > > certificate issued by a CA to a subject that is itself a CA > > > > and therefore is capable of issuing public-key certificates." > > > > > > > > > > > > The description of basic constraints in X.509 further > > > > supports the idea that the cA bit is used to specify > > > > certificate issuing, not certificate and/or CRL issuing: > > > > > > > > "This field indicates if the subject may act as a CA, with > > > > the certified public key being used to verify certificate > > > > signatures. ... The cA component indicates if the certified > > > > public key may be used to verify certificate signatures. ... if > > > > the value of cA is not set to true then the certified public > > > > key shall not be used to verify a certificate signature" > > > > > > > > > > > > pkix-new-part1-05 states something similar: > > > > > > > > "The cA bit indicates if the certified public key may be used > > > > to verify signatures on other certificates. If the cA bit is > > > > asserted, then the keyCertSign bit in the key usage extension > > > > (see 4.2.1.3) MUST also be asserted. If the cA bit is not > > > > asserted, then the keyCertSign bit in the key usage extension > > > > MUST NOT be asserted." > > > > > > > > > > > > The description of the key usage bits are consistent with > > > > this as well. > > > > > > > > X.509: > > > > "The bit keyCertSign is for use in CA-certificates only. If > > > > KeyUsage is set to keyCertSign and the basic constraints > > > > extension is present in the same certificate, the value of > > > > the cA component of that extension shall be set to TRUE." > > > > > > > > pkix-new-part1-05: > > > > "The keyCertSign bit is asserted when the subject public key > > > > is used for verifying a signature on certificates. This bit > > > > may only be asserted in CA certificates. If the keyCertSign > > > > bit is asserted, then the cA bit in the basic constraints > > > > extension (see 4.2.1.10) MUST also be asserted. If the > > > > keyCertSign bit is not asserted, then the cA bit in the basic > > > > constraints extension MUST NOT be asserted. > > > > > > > > The cRLSign bit is asserted when the subject public key is > > > > used for verifying a signature on revocation information > > > > (e.g., a CRL)." > > > > > > > > > > > > > > > > So, both X.509 and pkix-new-part1-05 go to great lengths to > > > > clearly state that only CAs can issue certificates and that > > > > basicConstraints with the cA bit set to true must be present > > > > in the certificates where the public key is to be used to > > > > verify signatures on certificates. There are no similar > > > > statements about CRLs. In fact, both documents are quite > > > > clear that the cA bit must not be set when the subject public > > > > key can not be used to verify certificates. So, if the > > > > subject public key can be used to verify CRLs, but not > > > > certificates, the cA bit must not be set. > > > > > > > > X.509 is also careful not to preclude the public keys of > > > > non-CAs from being used to verify signatures on CRLs. For > > > > instance, an end entity is defined as "[a] certificate > > > > subject that uses its private key for purposes other than > > > > signing certificates or an entity that is a relying party." > > > > This leaves room for an end entity to use its private key to > > > > sign CRLs. > > > > > > > > > > > > So, if PKIX wants to require that the cA bit be set whenever > > > > the subject public key can be used to verify CRLs and also > > > > wants to maintain consistency with X.509, PKIX would have to > > > > require that any certificate authorizing the use of a public > > > > key for verifying CRL signatures also authorize the use of > > > > that public key for verifying certificate signatures. Since > > > > we are in agreement that we do not want to impose such a > > > > restriction and that we do want to maintain consistency with > > > > X.509, we can not require that the cA bit be set when the > > > > subject public key can only be used to verify CRL signatures. > > > > > > > > Dave > > > > > > > > > > > > Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA25662 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 10:03:11 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JJPVS08P>; Fri, 20 Apr 2001 13:02:39 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FAF@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'David A. Cooper'" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Date: Fri, 20 Apr 2001 12:57:13 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C9BA.F27185C0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C9BA.F27185C0 Content-Type: text/plain Just to be clear, lets not confuse what I may happen to want as an individual contributor to PKIX or any other list, with what I state as 509 editor (they're not necessarily always the same :-) My comments were purely from the editor's perspective and yes, the current 509 text is quite clear that the CA that issues a certificate is responsible for stating whether or not that certificate can be revoked, and if so, what mechanism is used to inform relying parties. If that mechanism is CRLs, these are issued by the certificate issuer or by another authority delegated that task by the certificate issuer (that doesn't necessarily mean that 509 requires a cert to be issued to that authority, nor that the cert contain the basic constraints extension though, that is the job of profile groups to determine and incidentally I don't believe they'll all adopt the same solution so I would want 509 to remain flexible). My own personal view is that industry has moved to a point where there probably isn't any real requirement for a CRL issuer to also be a cert issuer as long as that CRL issuer is delegated that responsibility by the cert issuer and there is a cryptographic way to ensure that binding for relying parties. To achieve that, I believe some changes are required in 509. On the separate keys for cert and CRL signing (by the same authority), my personal opinion is that anything you read into 509 text on that specific topic would be accidental as I don't recall any specific discussion on it. However, since that is a real world requirement, I would want to be sure that 509 did not prohibit it. Hope that clarifies where my comments are coming from :-) > -----Original Message----- > From: David A. Cooper [mailto:david.cooper@nist.gov] > Sent: Friday, April 20, 2001 11:44 AM > To: ietf-pkix@imc.org > Subject: RE: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix-n ew-part1-06.txt comments) > > > Sharon, > > Are you suggesting that in order for an entity to issue CRLs > on behalf of a certificate issuer, that CRL issuer would need > to issue certificates as well (so that it can qualify as an > authority)? I don't think there should be such a > requirement, but even if there were it wouldn't settle the issue. > > Even if only authorities can issue CRLs, there is nothing to > prevent that authority from using different keys to sign > certificates and CRLs. X.509 states that "[t]he cA component > indicates if the certified public key may be used to verify > certificate signatures." So, the proper value of the cA bit > is determined by the allowable uses of the subject public > key, not by the type of entity the subject is. So, even if > the certificate subject is a CA, and issues certificates > under some key, the cA bit should not be set unless the > particular subject public key in the certificate can be used > to verify certificate signatures. If an authority is the > subject of a certificate and the particular public key of > that authority that is being certified is only to be used to > verify signatures on CRLs, then the cA bit should not be set. > > Dave > > At 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote: > > >David, sorry but I disagree with your assertions about X.509's > >position on this issue. Either by design or by accident, > X.509 requires that if CRLs are being issued, they are issued > by an 'authority'. Remember that the definition of > "authority" is "An entity responsible > > > >for the issuance of certificates". Much of the text in X.509 > predates OCSP or the concept of a validation authority, but I > do know that the quotes below are new text added within the > past couple of years with the intent of clarifying the role > of CAs with respect to CRLs. > > > >Clause 7.3 says: > > > >"An authority that issues certificates is required to state, > possibly through a published statement of their practices, > through the certificates themselves, or through some other > identified means, whether: > > > >- The certificates cannot be revoked; or > >- The certificates may be revoked by the same > certificate-issuing authority directly; or > >- The certificate-issuing authority authorizes a > different authority to perform revocation." > > > >further down in the same clause is the text: > > > >" > >An authority that issues and subsequently revokes certificates: > >a) may be required to maintain an audit record of its > revocation events for all certificate types issued by that > authority (e.g. public-key certificates, attribute > certificates issued to end-entities as well as other authorities); > > > >b) shall provide revocation status information to > relying parties using CRLs, on-line certificate status > protocol or some other mechanism for the publication of > revocation status information; > > > >c) if using CRLs, shall maintain and publish CRLs even > if the lists of revoked certificates are empty." > > > >The quotes that you included in your message tie in with > this base text, since the authority that issued the > certificates has these responsibilities around revocation, > there was no need for X.509 to state anything specific to CRL > issuance. In the indirect CRL case, this was envisioned to be > another CA or AA, that combined revocation notices from > several CAs/AAs. > > > >Having said that (with my X.509 editor's hat on), if there > is a requirement to have entities that are not CAs or AAs be > authorized to issue CRLs on behalf of the certificate issuer > (because remember that a CRL is an indication that a > certificate is no longer considered valid "by its > issuer")changes to X.509 would be needed. I'm not necessarily > opposed to such changes, I'm just clarifying, in this > message, that they would be needed in order for such > implementations to be conformant. This, as usual could be > done through the enhancements work or could be proposed > through the defect process. One way to enable that kind of > change might be to redefine authority and to talk about 3 > types rather than two. However, it would take some careful > review to ensure that the set of changes was thorough and complete. > > > >Sharon > > > > > -----Original Message----- > > > From: David A. Cooper > [<mailto:david.cooper@nist.gov>mailto:david.cooper@nist.gov] > > > Sent: Thursday, April 19, 2001 5:08 PM > > > To: ietf-pkix@imc.org > > > Subject: cA flag and CRL issuers (was Re: Last Call: > > > draft-ietf-pkix-new-part1-06.txt comments) > > > > > > > > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: > > > >Dave Cooper, > > > > > > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: > > > >>I see no basis in X.509 for setting the cA flag in > > > basicConstraints for certificate subjects that can issue CRLs > > > but not certificates. The current discussion about how to > > > deal with CRLs for attribute certificates vs. public key > > > certificates just further goes to show that it was a mistake > > > to suddenly change the rules at the last IETF meeting. > > > > > > > >We disagree on this point. Nowhere in X.509 or in previous > > > PKIX documents has there ever been text to suggest that other > > > than a CA can sign a CRL for a public key certificate. So, > > > the rules were not changed at the last meeting, they were > > > reasserted and clarified. > > > > > > Steve, > > > > > > You may say that X.509 and PKIX do not suggest that entities > > > other than CAs can sign CRLs. However, I think we all agree > > > that both X.509 and PKIX allow for a CRL to be signed with a > > > different key than the key used to sign the certificates that > > > are covered by that CRL. This may be a result of the CA that > > > issued the certificates signing the corresponding CRLs with a > > > different key or the CA that issued the certificates > > > delegating the CRL issuing to another entity (via the > > > distribution points extension). There is no requirement that > > > the key used to sign the CRL also be used to sign > > > certificates. So, I think we agree that there will be times > > > where we will be issuing certificates to entities (whether > > > those entities are CAs or not) where the intent is to specify > > > that the public keys in the certificates may be used to > > > verify signatures on CRLs but not on certificates. > > > > > > The only place we seem to disagree is on the contents of the > > > certificates issued in such circumstances. In particular, > > > should the certificates contain a basicConstraints extension > > > with the cA bit set? On this point, both X.509 and the > > > previous PKIX documents are quite clear that the cA bit > > > should not be set. Why? Because a CA is defined as an entity > > > that issues public-key certificates and both documents > > > similarly state that the cA bit is used to specify whether > > > the certificate subject can issue certificates. There is no > > > similar connection made between being a CA and issuing CRLs. > > > > > > > > > The following are some quotes from X.509 and pkix-new-part1-05: > > > > > > In X.509 a CA is defined as "[a]n authority trusted by one or > > > more users to create and assign public-key certificates." > > > > > > Section 7 of X.509 states that "[a] CA-certificate is a > > > certificate issued by a CA to a subject that is itself a CA > > > and therefore is capable of issuing public-key certificates." > > > > > > > > > The description of basic constraints in X.509 further > > > supports the idea that the cA bit is used to specify > > > certificate issuing, not certificate and/or CRL issuing: > > > > > > "This field indicates if the subject may act as a CA, with > > > the certified public key being used to verify certificate > > > signatures. ... The cA component indicates if the certified > > > public key may be used to verify certificate signatures. ... if > > > the value of cA is not set to true then the certified public > > > key shall not be used to verify a certificate signature" > > > > > > > > > pkix-new-part1-05 states something similar: > > > > > > "The cA bit indicates if the certified public key may be used > > > to verify signatures on other certificates. If the cA bit is > > > asserted, then the keyCertSign bit in the key usage extension > > > (see 4.2.1.3) MUST also be asserted. If the cA bit is not > > > asserted, then the keyCertSign bit in the key usage extension > > > MUST NOT be asserted." > > > > > > > > > The description of the key usage bits are consistent with > > > this as well. > > > > > > X.509: > > > "The bit keyCertSign is for use in CA-certificates only. If > > > KeyUsage is set to keyCertSign and the basic constraints > > > extension is present in the same certificate, the value of > > > the cA component of that extension shall be set to TRUE." > > > > > > pkix-new-part1-05: > > > "The keyCertSign bit is asserted when the subject public key > > > is used for verifying a signature on certificates. This bit > > > may only be asserted in CA certificates. If the keyCertSign > > > bit is asserted, then the cA bit in the basic constraints > > > extension (see 4.2.1.10) MUST also be asserted. If the > > > keyCertSign bit is not asserted, then the cA bit in the basic > > > constraints extension MUST NOT be asserted. > > > > > > The cRLSign bit is asserted when the subject public key is > > > used for verifying a signature on revocation information > > > (e.g., a CRL)." > > > > > > > > > > > > So, both X.509 and pkix-new-part1-05 go to great lengths to > > > clearly state that only CAs can issue certificates and that > > > basicConstraints with the cA bit set to true must be present > > > in the certificates where the public key is to be used to > > > verify signatures on certificates. There are no similar > > > statements about CRLs. In fact, both documents are quite > > > clear that the cA bit must not be set when the subject public > > > key can not be used to verify certificates. So, if the > > > subject public key can be used to verify CRLs, but not > > > certificates, the cA bit must not be set. > > > > > > X.509 is also careful not to preclude the public keys of > > > non-CAs from being used to verify signatures on CRLs. For > > > instance, an end entity is defined as "[a] certificate > > > subject that uses its private key for purposes other than > > > signing certificates or an entity that is a relying party." > > > This leaves room for an end entity to use its private key to > > > sign CRLs. > > > > > > > > > So, if PKIX wants to require that the cA bit be set whenever > > > the subject public key can be used to verify CRLs and also > > > wants to maintain consistency with X.509, PKIX would have to > > > require that any certificate authorizing the use of a public > > > key for verifying CRL signatures also authorize the use of > > > that public key for verifying certificate signatures. Since > > > we are in agreement that we do not want to impose such a > > > restriction and that we do want to maintain consistency with > > > X.509, we can not require that the cA bit be set when the > > > subject public key can only be used to verify CRL signatures. > > > > > > Dave > > > > > > > > ------_=_NextPart_001_01C0C9BA.F27185C0 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>Just to be clear, lets not confuse what I may happen to want as </FONT> <BR><FONT SIZE=2>an individual contributor to PKIX or any other list, with what </FONT> <BR><FONT SIZE=2>I state as 509 editor (they're not necessarily always the same :-)</FONT> </P> <P><FONT SIZE=2>My comments were purely from the editor's perspective and yes, </FONT> <BR><FONT SIZE=2>the current 509 text is quite clear that the CA that issues a </FONT> <BR><FONT SIZE=2>certificate is responsible for stating whether or not that certificate</FONT> <BR><FONT SIZE=2>can be revoked, and if so, what mechanism is used to inform </FONT> <BR><FONT SIZE=2>relying parties. If that mechanism is CRLs, these are issued by </FONT> <BR><FONT SIZE=2>the certificate issuer or by another authority delegated that </FONT> <BR><FONT SIZE=2>task by the certificate issuer (that doesn't necessarily mean that </FONT> <BR><FONT SIZE=2>509 requires a cert to be issued to that authority, nor that the cert </FONT> <BR><FONT SIZE=2>contain the basic constraints extension though, that is the job of </FONT> <BR><FONT SIZE=2>profile groups to determine and incidentally I don't believe they'll </FONT> <BR><FONT SIZE=2>all adopt the same solution so I would want 509 to remain flexible). </FONT> </P> <P><FONT SIZE=2>My own personal view is that industry has moved to a point where there </FONT> <BR><FONT SIZE=2>probably isn't any real requirement for a CRL issuer to also be a cert</FONT> <BR><FONT SIZE=2>issuer as long as that CRL issuer is delegated that responsibility </FONT> <BR><FONT SIZE=2>by the cert issuer and there is a cryptographic way to ensure that </FONT> <BR><FONT SIZE=2>binding for relying parties. To achieve that, I believe some changes </FONT> <BR><FONT SIZE=2>are required in 509. </FONT> </P> <P><FONT SIZE=2>On the separate keys for cert and CRL signing (by the same authority), my </FONT> <BR><FONT SIZE=2>personal opinion is that anything you read into 509 text on that specific </FONT> <BR><FONT SIZE=2>topic would be accidental as I don't recall any specific discussion on it. </FONT> <BR><FONT SIZE=2>However, since that is a real world requirement, I would want to be sure </FONT> <BR><FONT SIZE=2>that 509 did not prohibit it.</FONT> </P> <P><FONT SIZE=2>Hope that clarifies where my comments are coming from :-) </FONT> <BR><FONT SIZE=2> </FONT> </P> <P><FONT SIZE=2>> -----Original Message-----</FONT> <BR><FONT SIZE=2>> From: David A. Cooper [<A HREF="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</FONT> <BR><FONT SIZE=2>> Sent: Friday, April 20, 2001 11:44 AM</FONT> <BR><FONT SIZE=2>> To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> Subject: RE: cA flag and CRL issuers (was Re: Last Call:</FONT> <BR><FONT SIZE=2>> draft-ietf-pkix-n ew-part1-06.txt comments)</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Sharon,</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Are you suggesting that in order for an entity to issue CRLs </FONT> <BR><FONT SIZE=2>> on behalf of a certificate issuer, that CRL issuer would need </FONT> <BR><FONT SIZE=2>> to issue certificates as well (so that it can qualify as an </FONT> <BR><FONT SIZE=2>> authority)? I don't think there should be such a </FONT> <BR><FONT SIZE=2>> requirement, but even if there were it wouldn't settle the issue.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Even if only authorities can issue CRLs, there is nothing to </FONT> <BR><FONT SIZE=2>> prevent that authority from using different keys to sign </FONT> <BR><FONT SIZE=2>> certificates and CRLs. X.509 states that "[t]he cA component </FONT> <BR><FONT SIZE=2>> indicates if the certified public key may be used to verify </FONT> <BR><FONT SIZE=2>> certificate signatures." So, the proper value of the cA bit </FONT> <BR><FONT SIZE=2>> is determined by the allowable uses of the subject public </FONT> <BR><FONT SIZE=2>> key, not by the type of entity the subject is. So, even if </FONT> <BR><FONT SIZE=2>> the certificate subject is a CA, and issues certificates </FONT> <BR><FONT SIZE=2>> under some key, the cA bit should not be set unless the </FONT> <BR><FONT SIZE=2>> particular subject public key in the certificate can be used </FONT> <BR><FONT SIZE=2>> to verify certificate signatures. If an authority is the </FONT> <BR><FONT SIZE=2>> subject of a certificate and the particular public key of </FONT> <BR><FONT SIZE=2>> that authority that is being certified is only to be used to </FONT> <BR><FONT SIZE=2>> verify signatures on CRLs, then the cA bit should not be set.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Dave</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> At 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote:</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> >David, sorry but I disagree with your assertions about X.509's </FONT> <BR><FONT SIZE=2>> >position on this issue. Either by design or by accident, </FONT> <BR><FONT SIZE=2>> X.509 requires that if CRLs are being issued, they are issued </FONT> <BR><FONT SIZE=2>> by an 'authority'. Remember that the definition of </FONT> <BR><FONT SIZE=2>> "authority" is "An entity responsible </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >for the issuance of certificates". Much of the text in X.509 </FONT> <BR><FONT SIZE=2>> predates OCSP or the concept of a validation authority, but I </FONT> <BR><FONT SIZE=2>> do know that the quotes below are new text added within the </FONT> <BR><FONT SIZE=2>> past couple of years with the intent of clarifying the role </FONT> <BR><FONT SIZE=2>> of CAs with respect to CRLs.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >Clause 7.3 says: </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >"An authority that issues certificates is required to state, </FONT> <BR><FONT SIZE=2>> possibly through a published statement of their practices, </FONT> <BR><FONT SIZE=2>> through the certificates themselves, or through some other </FONT> <BR><FONT SIZE=2>> identified means, whether:</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >- The certificates cannot be revoked; or </FONT> <BR><FONT SIZE=2>> >- The certificates may be revoked by the same </FONT> <BR><FONT SIZE=2>> certificate-issuing authority directly; or </FONT> <BR><FONT SIZE=2>> >- The certificate-issuing authority authorizes a </FONT> <BR><FONT SIZE=2>> different authority to perform revocation." </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >further down in the same clause is the text: </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >" </FONT> <BR><FONT SIZE=2>> >An authority that issues and subsequently revokes certificates: </FONT> <BR><FONT SIZE=2>> >a) may be required to maintain an audit record of its </FONT> <BR><FONT SIZE=2>> revocation events for all certificate types issued by that </FONT> <BR><FONT SIZE=2>> authority (e.g. public-key certificates, attribute </FONT> <BR><FONT SIZE=2>> certificates issued to end-entities as well as other authorities);</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >b) shall provide revocation status information to </FONT> <BR><FONT SIZE=2>> relying parties using CRLs, on-line certificate status </FONT> <BR><FONT SIZE=2>> protocol or some other mechanism for the publication of </FONT> <BR><FONT SIZE=2>> revocation status information;</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >c) if using CRLs, shall maintain and publish CRLs even </FONT> <BR><FONT SIZE=2>> if the lists of revoked certificates are empty." </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >The quotes that you included in your message tie in with </FONT> <BR><FONT SIZE=2>> this base text, since the authority that issued the </FONT> <BR><FONT SIZE=2>> certificates has these responsibilities around revocation, </FONT> <BR><FONT SIZE=2>> there was no need for X.509 to state anything specific to CRL </FONT> <BR><FONT SIZE=2>> issuance. In the indirect CRL case, this was envisioned to be </FONT> <BR><FONT SIZE=2>> another CA or AA, that combined revocation notices from </FONT> <BR><FONT SIZE=2>> several CAs/AAs. </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >Having said that (with my X.509 editor's hat on), if there </FONT> <BR><FONT SIZE=2>> is a requirement to have entities that are not CAs or AAs be </FONT> <BR><FONT SIZE=2>> authorized to issue CRLs on behalf of the certificate issuer </FONT> <BR><FONT SIZE=2>> (because remember that a CRL is an indication that a </FONT> <BR><FONT SIZE=2>> certificate is no longer considered valid "by its </FONT> <BR><FONT SIZE=2>> issuer")changes to X.509 would be needed. I'm not necessarily </FONT> <BR><FONT SIZE=2>> opposed to such changes, I'm just clarifying, in this </FONT> <BR><FONT SIZE=2>> message, that they would be needed in order for such </FONT> <BR><FONT SIZE=2>> implementations to be conformant. This, as usual could be </FONT> <BR><FONT SIZE=2>> done through the enhancements work or could be proposed </FONT> <BR><FONT SIZE=2>> through the defect process. One way to enable that kind of </FONT> <BR><FONT SIZE=2>> change might be to redefine authority and to talk about 3 </FONT> <BR><FONT SIZE=2>> types rather than two. However, it would take some careful </FONT> <BR><FONT SIZE=2>> review to ensure that the set of changes was thorough and complete.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >Sharon </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > > -----Original Message----- </FONT> <BR><FONT SIZE=2>> > > From: David A. Cooper </FONT> <BR><FONT SIZE=2>> [<<A HREF="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>><A HREF="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>] </FONT> <BR><FONT SIZE=2>> > > Sent: Thursday, April 19, 2001 5:08 PM </FONT> <BR><FONT SIZE=2>> > > To: ietf-pkix@imc.org </FONT> <BR><FONT SIZE=2>> > > Subject: cA flag and CRL issuers (was Re: Last Call: </FONT> <BR><FONT SIZE=2>> > > draft-ietf-pkix-new-part1-06.txt comments) </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: </FONT> <BR><FONT SIZE=2>> > > >Dave Cooper, </FONT> <BR><FONT SIZE=2>> > > > </FONT> <BR><FONT SIZE=2>> > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: </FONT> <BR><FONT SIZE=2>> > > >>I see no basis in X.509 for setting the cA flag in </FONT> <BR><FONT SIZE=2>> > > basicConstraints for certificate subjects that can issue CRLs </FONT> <BR><FONT SIZE=2>> > > but not certificates. The current discussion about how to </FONT> <BR><FONT SIZE=2>> > > deal with CRLs for attribute certificates vs. public key </FONT> <BR><FONT SIZE=2>> > > certificates just further goes to show that it was a mistake </FONT> <BR><FONT SIZE=2>> > > to suddenly change the rules at the last IETF meeting. </FONT> <BR><FONT SIZE=2>> > > > </FONT> <BR><FONT SIZE=2>> > > >We disagree on this point. Nowhere in X.509 or in previous </FONT> <BR><FONT SIZE=2>> > > PKIX documents has there ever been text to suggest that other </FONT> <BR><FONT SIZE=2>> > > than a CA can sign a CRL for a public key certificate. So, </FONT> <BR><FONT SIZE=2>> > > the rules were not changed at the last meeting, they were </FONT> <BR><FONT SIZE=2>> > > reasserted and clarified. </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > Steve, </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > You may say that X.509 and PKIX do not suggest that entities </FONT> <BR><FONT SIZE=2>> > > other than CAs can sign CRLs. However, I think we all agree </FONT> <BR><FONT SIZE=2>> > > that both X.509 and PKIX allow for a CRL to be signed with a </FONT> <BR><FONT SIZE=2>> > > different key than the key used to sign the certificates that </FONT> <BR><FONT SIZE=2>> > > are covered by that CRL. This may be a result of the CA that </FONT> <BR><FONT SIZE=2>> > > issued the certificates signing the corresponding CRLs with a </FONT> <BR><FONT SIZE=2>> > > different key or the CA that issued the certificates </FONT> <BR><FONT SIZE=2>> > > delegating the CRL issuing to another entity (via the </FONT> <BR><FONT SIZE=2>> > > distribution points extension). There is no requirement that </FONT> <BR><FONT SIZE=2>> > > the key used to sign the CRL also be used to sign </FONT> <BR><FONT SIZE=2>> > > certificates. So, I think we agree that there will be times </FONT> <BR><FONT SIZE=2>> > > where we will be issuing certificates to entities (whether </FONT> <BR><FONT SIZE=2>> > > those entities are CAs or not) where the intent is to specify </FONT> <BR><FONT SIZE=2>> > > that the public keys in the certificates may be used to </FONT> <BR><FONT SIZE=2>> > > verify signatures on CRLs but not on certificates. </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > The only place we seem to disagree is on the contents of the </FONT> <BR><FONT SIZE=2>> > > certificates issued in such circumstances. In particular, </FONT> <BR><FONT SIZE=2>> > > should the certificates contain a basicConstraints extension </FONT> <BR><FONT SIZE=2>> > > with the cA bit set? On this point, both X.509 and the </FONT> <BR><FONT SIZE=2>> > > previous PKIX documents are quite clear that the cA bit </FONT> <BR><FONT SIZE=2>> > > should not be set. Why? Because a CA is defined as an entity </FONT> <BR><FONT SIZE=2>> > > that issues public-key certificates and both documents </FONT> <BR><FONT SIZE=2>> > > similarly state that the cA bit is used to specify whether </FONT> <BR><FONT SIZE=2>> > > the certificate subject can issue certificates. There is no </FONT> <BR><FONT SIZE=2>> > > similar connection made between being a CA and issuing CRLs. </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > The following are some quotes from X.509 and pkix-new-part1-05: </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > In X.509 a CA is defined as "[a]n authority trusted by one or </FONT> <BR><FONT SIZE=2>> > > more users to create and assign public-key certificates." </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > Section 7 of X.509 states that "[a] CA-certificate is a </FONT> <BR><FONT SIZE=2>> > > certificate issued by a CA to a subject that is itself a CA </FONT> <BR><FONT SIZE=2>> > > and therefore is capable of issuing public-key certificates." </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > The description of basic constraints in X.509 further </FONT> <BR><FONT SIZE=2>> > > supports the idea that the cA bit is used to specify </FONT> <BR><FONT SIZE=2>> > > certificate issuing, not certificate and/or CRL issuing: </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > "This field indicates if the subject may act as a CA, with </FONT> <BR><FONT SIZE=2>> > > the certified public key being used to verify certificate </FONT> <BR><FONT SIZE=2>> > > signatures. ... The cA component indicates if the certified </FONT> <BR><FONT SIZE=2>> > > public key may be used to verify certificate signatures. ... if </FONT> <BR><FONT SIZE=2>> > > the value of cA is not set to true then the certified public </FONT> <BR><FONT SIZE=2>> > > key shall not be used to verify a certificate signature" </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > pkix-new-part1-05 states something similar: </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > "The cA bit indicates if the certified public key may be used </FONT> <BR><FONT SIZE=2>> > > to verify signatures on other certificates. If the cA bit is </FONT> <BR><FONT SIZE=2>> > > asserted, then the keyCertSign bit in the key usage extension </FONT> <BR><FONT SIZE=2>> > > (see 4.2.1.3) MUST also be asserted. If the cA bit is not </FONT> <BR><FONT SIZE=2>> > > asserted, then the keyCertSign bit in the key usage extension </FONT> <BR><FONT SIZE=2>> > > MUST NOT be asserted." </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > The description of the key usage bits are consistent with </FONT> <BR><FONT SIZE=2>> > > this as well. </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > X.509: </FONT> <BR><FONT SIZE=2>> > > "The bit keyCertSign is for use in CA-certificates only. If </FONT> <BR><FONT SIZE=2>> > > KeyUsage is set to keyCertSign and the basic constraints </FONT> <BR><FONT SIZE=2>> > > extension is present in the same certificate, the value of </FONT> <BR><FONT SIZE=2>> > > the cA component of that extension shall be set to TRUE." </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > pkix-new-part1-05: </FONT> <BR><FONT SIZE=2>> > > "The keyCertSign bit is asserted when the subject public key </FONT> <BR><FONT SIZE=2>> > > is used for verifying a signature on certificates. This bit </FONT> <BR><FONT SIZE=2>> > > may only be asserted in CA certificates. If the keyCertSign </FONT> <BR><FONT SIZE=2>> > > bit is asserted, then the cA bit in the basic constraints </FONT> <BR><FONT SIZE=2>> > > extension (see 4.2.1.10) MUST also be asserted. If the </FONT> <BR><FONT SIZE=2>> > > keyCertSign bit is not asserted, then the cA bit in the basic </FONT> <BR><FONT SIZE=2>> > > constraints extension MUST NOT be asserted. </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > The cRLSign bit is asserted when the subject public key is </FONT> <BR><FONT SIZE=2>> > > used for verifying a signature on revocation information </FONT> <BR><FONT SIZE=2>> > > (e.g., a CRL)." </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > So, both X.509 and pkix-new-part1-05 go to great lengths to </FONT> <BR><FONT SIZE=2>> > > clearly state that only CAs can issue certificates and that </FONT> <BR><FONT SIZE=2>> > > basicConstraints with the cA bit set to true must be present </FONT> <BR><FONT SIZE=2>> > > in the certificates where the public key is to be used to </FONT> <BR><FONT SIZE=2>> > > verify signatures on certificates. There are no similar </FONT> <BR><FONT SIZE=2>> > > statements about CRLs. In fact, both documents are quite </FONT> <BR><FONT SIZE=2>> > > clear that the cA bit must not be set when the subject public </FONT> <BR><FONT SIZE=2>> > > key can not be used to verify certificates. So, if the </FONT> <BR><FONT SIZE=2>> > > subject public key can be used to verify CRLs, but not </FONT> <BR><FONT SIZE=2>> > > certificates, the cA bit must not be set. </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > X.509 is also careful not to preclude the public keys of </FONT> <BR><FONT SIZE=2>> > > non-CAs from being used to verify signatures on CRLs. For </FONT> <BR><FONT SIZE=2>> > > instance, an end entity is defined as "[a] certificate </FONT> <BR><FONT SIZE=2>> > > subject that uses its private key for purposes other than </FONT> <BR><FONT SIZE=2>> > > signing certificates or an entity that is a relying party." </FONT> <BR><FONT SIZE=2>> > > This leaves room for an end entity to use its private key to </FONT> <BR><FONT SIZE=2>> > > sign CRLs. </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > So, if PKIX wants to require that the cA bit be set whenever </FONT> <BR><FONT SIZE=2>> > > the subject public key can be used to verify CRLs and also </FONT> <BR><FONT SIZE=2>> > > wants to maintain consistency with X.509, PKIX would have to </FONT> <BR><FONT SIZE=2>> > > require that any certificate authorizing the use of a public </FONT> <BR><FONT SIZE=2>> > > key for verifying CRL signatures also authorize the use of </FONT> <BR><FONT SIZE=2>> > > that public key for verifying certificate signatures. Since </FONT> <BR><FONT SIZE=2>> > > we are in agreement that we do not want to impose such a </FONT> <BR><FONT SIZE=2>> > > restriction and that we do want to maintain consistency with </FONT> <BR><FONT SIZE=2>> > > X.509, we can not require that the cA bit be set when the </FONT> <BR><FONT SIZE=2>> > > subject public key can only be used to verify CRL signatures. </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > Dave </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C9BA.F27185C0-- Received: from 164.105.201.155 (cnrf1000.cnrf.nola.navy.mil [164.105.201.155]) by above.proper.com (8.9.3/8.9.3) with SMTP id JAA25165 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 09:56:04 -0700 (PDT) Received: from CNRFHQ-Message_Server by 164.105.201.155 with Novell_GroupWise; Fri, 20 Apr 2001 11:56:31 -0500 Message-Id: <sae023ef.065@164.105.201.155> X-Mailer: Novell GroupWise Internet Agent 5.5.3.1 Date: Fri, 20 Apr 2001 11:56:00 -0500 From: "Ms Linda Goodwin" <GOODWILI@cnrf.nola.navy.mil> To: <ietf-pkix@imc.org> Subject: unsubscribe Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id JAA25167 unsubscribe Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA24458 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 09:50:35 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA31938; Fri, 20 Apr 2001 18:50:14 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA15768; Fri, 20 Apr 2001 18:50:01 +0200 Message-ID: <3AE068BE.BDB61B4A@bull.net> Date: Fri, 20 Apr 2001 18:50:06 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "David A. Cooper" <david.cooper@nist.gov> CC: ietf-pkix@imc.org Subject: Re: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments) References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <4.2.2.20010419115545.00aed3e0@email.nist.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > Denis, > > There seems to be some confusion about the way that delta-CRLs work. I will try to clarify things with my responses in-line below. > > At 05:32 PM 4/19/01 +0200, Denis Pinkas wrote: > >In the third paragraph the first sentence (still) says: > > > > When a conforming CA issues a delta CRL, the CA MUST also issue a CRL > > I must admit that I am not a big fan of this requirement. From my point of view, there are both advantages and disadvantages to issuing a full CRL whenever a delta-CRL is issued. The advantage is that clients that can not process delta-CRLs can always obtain the same status information as those than can process delta-CRLs. The disadvantage is that it imposes a burden of uploading full CRLs to repositories more often than may be necessary. On the other hand, just because the CA issues the full CRLs, this does not mean that clients must retrieve them. [Denis] Since you are "not a big fan of this requirement" and no other fan has been found up to now, let us suppress that sentence. > In the end, though, it is mostly a policy decision. If you want to provide the same support to clients that can not process delta-CRLs as to those that can, you must issue a full CRL whenever you issue a delta-CRL. I think the decision should be left to CRL issuers, but will not complain if PKIX remains as it is. > >3) The text says: > > > > An application can construct a CRL that is complete for a given > > scope, at the current time, in either of the following ways: > > > > (a) by retrieving the current delta CRL for that scope, and > > combining it with an issued CRL that is complete for that scope > > and that has a cRLNumber greater than or equal to the cRLNumber of > > the base CRL referenced in the delta CRL; or > > > > (b) by retrieving the current delta CRL for that scope and > > combining it with a locally constructed CRL whose cRLNumber is > > greater than or equal to the cRLNumber of the base CRL referenced > > in the current delta CRL. > > > > a) It is hard to understand in which case the base CRL may have a > > cRLNumber *greater than* the cRLNumber of the base CRL referenced > > in the delta CRL. I certainly miss something here. The equality case > > is easy to understand. The "greater than" case is much harder. > > Is it really needed ? > > > > b) the case of a locally constructed CRL is quite stange and it is > > questionnable why this case is being mentioned. In the following fix, > > that case has been deleted. > > If you want a detailed description on this, you could read my paper on delta-CRLs, http://csrc.nist.gov/pki/documents/sliding_window.pdf, but I'll try to briefly explain here. > Suppose that delta-CRLs are issued once an hour. For example, suppose that a base CRL, CRL number 5, was issued at midnight and that every hour for the next 24 hours, delta-CRLs were issued with a BaseCRLNumber of 5. If a relying party performs its first validation at 3:10am, it would the full CRL issued at midnight and the delta-CRL issued at 3:00am (CRL number 8). It would combine these to construct full CRL number 8. In this case, the CRL number of the full CRL used in combination with the delta-CRL would be the same as the BaseCRLNumber in that delta-CRL. [Denis] This is the case I had in mind. However I would disagree to say that the locally contructed CRL is equal to the full CRL number 8, because there is no need to issue such CRL (see the first comment). It is simply the "freshest CRL constructed from the base CRL number 5 for 3:10 am". This locally contructed CRL bears no number, or if you assign one, this is a local matter and is not part of the standard. This also avoids the later confusing between CRL numbers. > A few hours later, at 6:30am, the relying party performs another validation. The relying party has, in its local cache, the contents of CRL number 8 (which it constructed at 3:10am). It wants to update the information in its local case to based on the newly available revocation information. So, it obtains the latest delta-CRL. This delta-CRL has a CRL number of 11 and a BaseCRLnumber of 5. Since it has a BaseCRLNumber of 5, the delta-CRL provides status information for all certificates whose status has changed since CRL number 5 was issued. (midnight). So, clearly the delta-CRL provides status information for all certificates whose status has changed since 3:00am when CRL number 8 was issued. Thus, the relying party can combine the delta-CRL with its locally cached version of full CRL number 8 to obtain the contents of CRL number 11. This is a case where the CRL number of the complete CRL used is greater than the BaseCRLNumber specified in the delta-CRL. [Denis] This is a local matter and I would not mandate this in the document since there is another and simpler way to do it: you keep in the cache the base CRL (instead of the previously recontructed full CRL). This has the same end result, except that the method your recommend is not optimum: it will include many duplicates and deleting the duplicates is more painfull than making a simple addition. The basic algorithm is to take the base CRL and to add the delta. This is the standard. As soon as you get the same end result this is fine. This is the approach we have taken for path validation. Other ways do not need to be mentionned. > There are other reasons why the two numbers may not match, but I will not go into them. If you are interested, you can read my paper. [Denis] I read it (and skipped the mathematical formulas) This paper is proposing a method for over-issuing the CRLs. It omits to take into consideration that in PKIX-1 we mandate the CRL number extension (section 5.2.3) so we need to advertise the nextUpdate. If you issue a CRL before the next update you have no more way to know which base CRL is the freshest CRL. I believe this is a major security weakness and for that reason this mechanism should be deprecated. BTW, the same security problem would occur as soon as a base would be used for every delta. Hence another good reason to delete the sentence which originally triggered all this discussion. BTW, I noticed that you have precisely deleted from my previous e-mail all the text dealing with this nextUpdate. :-( So I am still insisting on the major text change to make to that section: An application can construct a CRL that is the most current for a given scope, at the current time, by retrieving the current base CRL for that scope, and combining it with a delta-CRL which contains a Delta CRL Indicator equal to the cRLNumber of the base CRL and where the current date from that delta-CRL is between thisUpdate and nextUpdate; It is important to notice that the algorithm does NOT use the individual CRL numbers assigned to the delta-CRLs, but uses instead thisUpdate and nextUpdate. This is *very* important. > >Finally we should explain what happens at the boundaries, i.e. when a CA > >decides to generate a (new) base CRL. Here is a text proposal: > > > > When issuing a base CRL that supports a delta-CRL mechanism then the > > CRL Issuer MUST at the same time issue a delta CRL that points to that > > base CRL. This first delta CRL will usually be empty (or will include > > last-minute additions to the base CRL). > > This is not acceptable. The rule is that when a base CRL is issued a delta-CRL must be issued that has the same cRLNumber. The base CRL referenced by the delta must either be the previously issued base CRL or a base CRL issued before that one. Since the new base and the delta must have the same cRLNumber, there can be no differences as a result of "last-minute additions to the base CRL". [Denis] This does not work. Let me explain it differently. Suppose that during the week you do not generate delta-CRLs but for the week-end you decide to do it (e.g. more risk, more transactions done by citizens). So you issue a CRL with the freshest CRLindicator. You say that the delta points to the previous base CRL. The one from yesterday or the one from last week ? In either case this simply does not work. The rule you mention, i.e. "The rule is that when a base CRL is issued a delta-CRL must be issued that has the same cRLNumber" is also wrong. The notion of a base CRL that would have the same number as a delta does not exist. > >Suppose we issue a base CRL every midnight. The question is whether we > >should issue a delta and, if yes, does this delta refer to the previous > >base or to the new one ? > > The delta must refer either to the previous base or a base issued before the previous base. [Denis] Certainly not. Your paper however provides the right answer (on page 1): " A delta-CRL is a CRL that only provides information about certificates who statuses have changed since the issuance of a specific, previously issued CRL". > >Suppose it refers to the previous one. According to the current sentence: > >"The constructed CRL has the CRL number specified in the CRL number > >extension found in the delta CRL used in its construction.", it is > >impossible. If that was the case the delta CRL would have a CRL number equal > >to the base CRL and it is not allowed for two CRLs to have the same CRL > >number. > I think you are confusing two different extensions. The deltaCRLIndicator extension contains a BaseCRLNumber which is used to determine against which base CRLs the delta-CRL can be applied. The cRLNumber extension specifies the CRL number of the full CRL that will be generated by applying the delta-CRL to a base CRL. The sentence above states that the CRL number of the constructed CRL is taken from the cRLNumber extension, not the BaseCRLNumber of the deltaCRLIndicator extension. [Denis] I do not think I make a confusion. The confusion comes from the numbering you introduce (see my earlier comment). Let me conclude: 1) I do not have the time to spend hours of discussions on that topic. However the current text needs to be corrected and I have provided text for this. Please take again a look at it in the light of the following. 2) In your paper you advertise the "traditional delta-CRLs". Let us stay in the tradition and let us mandate the implementation of the "tradition" if someone wans to support the delta-CRL mechanism. Any other method would first need to be proven to be secure (over-issuing CRLs and sliding window delta-CRLs have security problems) and should *anyway* fall in the MAY category, so that noone needs to implement to claim conformance with the delta CRL mechanism. Standard track documents need to make choices among multiple methods, otherwise two different implementations will never interoperate. Regards, Denis Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA18581 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 08:44:13 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id LAA18794 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 11:44:13 -0400 (EDT) Message-Id: <4.2.2.20010420111122.00a133c0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 20 Apr 2001 11:43:53 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FAE@sottmxs09.entrust .com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sharon, Are you suggesting that in order for an entity to issue CRLs on behalf of a certificate issuer, that CRL issuer would need to issue certificates as well (so that it can qualify as an authority)? I don't think there should be such a requirement, but even if there were it wouldn't settle the issue. Even if only authorities can issue CRLs, there is nothing to prevent that authority from using different keys to sign certificates and CRLs. X.509 states that "[t]he cA component indicates if the certified public key may be used to verify certificate signatures." So, the proper value of the cA bit is determined by the allowable uses of the subject public key, not by the type of entity the subject is. So, even if the certificate subject is a CA, and issues certificates under some key, the cA bit should not be set unless the particular subject public key in the certificate can be used to verify certificate signatures. If an authority is the subject of a certificate and the particular public key of that authority that is being certified is only to be used to verify signatures on CRLs, then the cA bit should not be set. Dave At 10:48 AM 4/20/01 -0400, Sharon Boeyen wrote: >David, sorry but I disagree with your assertions about X.509's >position on this issue. Either by design or by accident, X.509 requires that if CRLs are being issued, they are issued by an 'authority'. Remember that the definition of "authority" is "An entity responsible > >for the issuance of certificates". Much of the text in X.509 predates OCSP or the concept of a validation authority, but I do know that the quotes below are new text added within the past couple of years with the intent of clarifying the role of CAs with respect to CRLs. > >Clause 7.3 says: > >"An authority that issues certificates is required to state, possibly through a published statement of their practices, through the certificates themselves, or through some other identified means, whether: > >- The certificates cannot be revoked; or >- The certificates may be revoked by the same certificate-issuing authority directly; or >- The certificate-issuing authority authorizes a different authority to perform revocation." > >further down in the same clause is the text: > >" >An authority that issues and subsequently revokes certificates: >a) may be required to maintain an audit record of its revocation events for all certificate types issued by that authority (e.g. public-key certificates, attribute certificates issued to end-entities as well as other authorities); > >b) shall provide revocation status information to relying parties using CRLs, on-line certificate status protocol or some other mechanism for the publication of revocation status information; > >c) if using CRLs, shall maintain and publish CRLs even if the lists of revoked certificates are empty." > >The quotes that you included in your message tie in with this base text, since the authority that issued the certificates has these responsibilities around revocation, there was no need for X.509 to state anything specific to CRL issuance. In the indirect CRL case, this was envisioned to be another CA or AA, that combined revocation notices from several CAs/AAs. > >Having said that (with my X.509 editor's hat on), if there is a requirement to have entities that are not CAs or AAs be authorized to issue CRLs on behalf of the certificate issuer (because remember that a CRL is an indication that a certificate is no longer considered valid "by its issuer")changes to X.509 would be needed. I'm not necessarily opposed to such changes, I'm just clarifying, in this message, that they would be needed in order for such implementations to be conformant. This, as usual could be done through the enhancements work or could be proposed through the defect process. One way to enable that kind of change might be to redefine authority and to talk about 3 types rather than two. However, it would take some careful review to ensure that the set of changes was thorough and complete. > >Sharon > > > -----Original Message----- > > From: David A. Cooper [<mailto:david.cooper@nist.gov>mailto:david.cooper@nist.gov] > > Sent: Thursday, April 19, 2001 5:08 PM > > To: ietf-pkix@imc.org > > Subject: cA flag and CRL issuers (was Re: Last Call: > > draft-ietf-pkix-new-part1-06.txt comments) > > > > > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: > > >Dave Cooper, > > > > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: > > >>I see no basis in X.509 for setting the cA flag in > > basicConstraints for certificate subjects that can issue CRLs > > but not certificates. The current discussion about how to > > deal with CRLs for attribute certificates vs. public key > > certificates just further goes to show that it was a mistake > > to suddenly change the rules at the last IETF meeting. > > > > > >We disagree on this point. Nowhere in X.509 or in previous > > PKIX documents has there ever been text to suggest that other > > than a CA can sign a CRL for a public key certificate. So, > > the rules were not changed at the last meeting, they were > > reasserted and clarified. > > > > Steve, > > > > You may say that X.509 and PKIX do not suggest that entities > > other than CAs can sign CRLs. However, I think we all agree > > that both X.509 and PKIX allow for a CRL to be signed with a > > different key than the key used to sign the certificates that > > are covered by that CRL. This may be a result of the CA that > > issued the certificates signing the corresponding CRLs with a > > different key or the CA that issued the certificates > > delegating the CRL issuing to another entity (via the > > distribution points extension). There is no requirement that > > the key used to sign the CRL also be used to sign > > certificates. So, I think we agree that there will be times > > where we will be issuing certificates to entities (whether > > those entities are CAs or not) where the intent is to specify > > that the public keys in the certificates may be used to > > verify signatures on CRLs but not on certificates. > > > > The only place we seem to disagree is on the contents of the > > certificates issued in such circumstances. In particular, > > should the certificates contain a basicConstraints extension > > with the cA bit set? On this point, both X.509 and the > > previous PKIX documents are quite clear that the cA bit > > should not be set. Why? Because a CA is defined as an entity > > that issues public-key certificates and both documents > > similarly state that the cA bit is used to specify whether > > the certificate subject can issue certificates. There is no > > similar connection made between being a CA and issuing CRLs. > > > > > > The following are some quotes from X.509 and pkix-new-part1-05: > > > > In X.509 a CA is defined as "[a]n authority trusted by one or > > more users to create and assign public-key certificates." > > > > Section 7 of X.509 states that "[a] CA-certificate is a > > certificate issued by a CA to a subject that is itself a CA > > and therefore is capable of issuing public-key certificates." > > > > > > The description of basic constraints in X.509 further > > supports the idea that the cA bit is used to specify > > certificate issuing, not certificate and/or CRL issuing: > > > > "This field indicates if the subject may act as a CA, with > > the certified public key being used to verify certificate > > signatures. ... The cA component indicates if the certified > > public key may be used to verify certificate signatures. ... if > > the value of cA is not set to true then the certified public > > key shall not be used to verify a certificate signature" > > > > > > pkix-new-part1-05 states something similar: > > > > "The cA bit indicates if the certified public key may be used > > to verify signatures on other certificates. If the cA bit is > > asserted, then the keyCertSign bit in the key usage extension > > (see 4.2.1.3) MUST also be asserted. If the cA bit is not > > asserted, then the keyCertSign bit in the key usage extension > > MUST NOT be asserted." > > > > > > The description of the key usage bits are consistent with > > this as well. > > > > X.509: > > "The bit keyCertSign is for use in CA-certificates only. If > > KeyUsage is set to keyCertSign and the basic constraints > > extension is present in the same certificate, the value of > > the cA component of that extension shall be set to TRUE." > > > > pkix-new-part1-05: > > "The keyCertSign bit is asserted when the subject public key > > is used for verifying a signature on certificates. This bit > > may only be asserted in CA certificates. If the keyCertSign > > bit is asserted, then the cA bit in the basic constraints > > extension (see 4.2.1.10) MUST also be asserted. If the > > keyCertSign bit is not asserted, then the cA bit in the basic > > constraints extension MUST NOT be asserted. > > > > The cRLSign bit is asserted when the subject public key is > > used for verifying a signature on revocation information > > (e.g., a CRL)." > > > > > > > > So, both X.509 and pkix-new-part1-05 go to great lengths to > > clearly state that only CAs can issue certificates and that > > basicConstraints with the cA bit set to true must be present > > in the certificates where the public key is to be used to > > verify signatures on certificates. There are no similar > > statements about CRLs. In fact, both documents are quite > > clear that the cA bit must not be set when the subject public > > key can not be used to verify certificates. So, if the > > subject public key can be used to verify CRLs, but not > > certificates, the cA bit must not be set. > > > > X.509 is also careful not to preclude the public keys of > > non-CAs from being used to verify signatures on CRLs. For > > instance, an end entity is defined as "[a] certificate > > subject that uses its private key for purposes other than > > signing certificates or an entity that is a relying party." > > This leaves room for an end entity to use its private key to > > sign CRLs. > > > > > > So, if PKIX wants to require that the cA bit be set whenever > > the subject public key can be used to verify CRLs and also > > wants to maintain consistency with X.509, PKIX would have to > > require that any certificate authorizing the use of a public > > key for verifying CRL signatures also authorize the use of > > that public key for verifying certificate signatures. Since > > we are in agreement that we do not want to impose such a > > restriction and that we do want to maintain consistency with > > X.509, we can not require that the cA bit be set when the > > subject public key can only be used to verify CRL signatures. > > > > Dave > > > > Received: from blue01.identrus.com ([216.213.93.123]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA16253 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 08:34:54 -0700 (PDT) Received: by BLUE01 with Internet Mail Service (5.5.2653.19) id <G6T1Y2WK>; Fri, 20 Apr 2001 11:32:56 -0400 Message-ID: <2B55DABB95C4D4119C1300508BD953F114429A@BLUE01> From: Dave Oshman <Dave.Oshman@identrus.com> To: "'Santosh Chokhani'" <chokhani@cygnacom.com>, "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Date: Fri, 20 Apr 2001 11:32:45 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C9AF.25ABA6C0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C9AF.25ABA6C0 Content-Type: text/plain; charset="iso-8859-1" I am also in agreement with this. -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Thursday, April 19, 2001 5:10 PM To: David A. Cooper; ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) I agree with David. It should acceptable to have a cRLSign bit on and basicConstraints absent. -----Original Message----- From: David A. Cooper [ mailto:david.cooper@nist.gov <mailto:david.cooper@nist.gov> ] Sent: Thursday, April 19, 2001 5:08 PM To: ietf-pkix@imc.org Subject: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: >Dave Cooper, > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: >>I see no basis in X.509 for setting the cA flag in basicConstraints for certificate subjects that can issue CRLs but not certificates. The current discussion about how to deal with CRLs for attribute certificates vs. public key certificates just further goes to show that it was a mistake to suddenly change the rules at the last IETF meeting. > >We disagree on this point. Nowhere in X.509 or in previous PKIX documents has there ever been text to suggest that other than a CA can sign a CRL for a public key certificate. So, the rules were not changed at the last meeting, they were reasserted and clarified. Steve, You may say that X.509 and PKIX do not suggest that entities other than CAs can sign CRLs. However, I think we all agree that both X.509 and PKIX allow for a CRL to be signed with a different key than the key used to sign the certificates that are covered by that CRL. This may be a result of the CA that issued the certificates signing the corresponding CRLs with a different key or the CA that issued the certificates delegating the CRL issuing to another entity (via the distribution points extension). There is no requirement that the key used to sign the CRL also be used to sign certificates. So, I think we agree that there will be times where we will be issuing certificates to entities (whether those entities are CAs or not) where the intent is to specify that the public keys in the certificates may be used to verify signatures on CRLs but not on certificates. The only place we seem to disagree is on the contents of the certificates issued in such circumstances. In particular, should the certificates contain a basicConstraints extension with the cA bit set? On this point, both X.509 and the previous PKIX documents are quite clear that the cA bit should not be set. Why? Because a CA is defined as an entity that issues public-key certificates and both documents similarly state that the cA bit is used to specify whether the certificate subject can issue certificates. There is no similar connection made between being a CA and issuing CRLs. The following are some quotes from X.509 and pkix-new-part1-05: In X.509 a CA is defined as "[a]n authority trusted by one or more users to create and assign public-key certificates." Section 7 of X.509 states that "[a] CA-certificate is a certificate issued by a CA to a subject that is itself a CA and therefore is capable of issuing public-key certificates." The description of basic constraints in X.509 further supports the idea that the cA bit is used to specify certificate issuing, not certificate and/or CRL issuing: "This field indicates if the subject may act as a CA, with the certified public key being used to verify certificate signatures. ... The cA component indicates if the certified public key may be used to verify certificate signatures. ... if the value of cA is not set to true then the certified public key shall not be used to verify a certificate signature" pkix-new-part1-05 states something similar: "The cA bit indicates if the certified public key may be used to verify signatures on other certificates. If the cA bit is asserted, then the keyCertSign bit in the key usage extension (see 4.2.1.3) MUST also be asserted. If the cA bit is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted." The description of the key usage bits are consistent with this as well. X.509: "The bit keyCertSign is for use in CA-certificates only. If KeyUsage is set to keyCertSign and the basic constraints extension is present in the same certificate, the value of the cA component of that extension shall be set to TRUE." pkix-new-part1-05: "The keyCertSign bit is asserted when the subject public key is used for verifying a signature on certificates. This bit may only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the keyCertSign bit is not asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on revocation information (e.g., a CRL)." So, both X.509 and pkix-new-part1-05 go to great lengths to clearly state that only CAs can issue certificates and that basicConstraints with the cA bit set to true must be present in the certificates where the public key is to be used to verify signatures on certificates. There are no similar statements about CRLs. In fact, both documents are quite clear that the cA bit must not be set when the subject public key can not be used to verify certificates. So, if the subject public key can be used to verify CRLs, but not certificates, the cA bit must not be set. X.509 is also careful not to preclude the public keys of non-CAs from being used to verify signatures on CRLs. For instance, an end entity is defined as "[a] certificate subject that uses its private key for purposes other than signing certificates or an entity that is a relying party." This leaves room for an end entity to use its private key to sign CRLs. So, if PKIX wants to require that the cA bit be set whenever the subject public key can be used to verify CRLs and also wants to maintain consistency with X.509, PKIX would have to require that any certificate authorizing the use of a public key for verifying CRL signatures also authorize the use of that public key for verifying certificate signatures. Since we are in agreement that we do not want to impose such a restriction and that we do want to maintain consistency with X.509, we can not require that the cA bit be set when the subject public key can only be used to verify CRL signatures. Dave ------_=_NextPart_001_01C0C9AF.25ABA6C0 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments)</TITLE> <META content="MSHTML 5.50.4611.1300" name=GENERATOR></HEAD> <BODY> <DIV><SPAN class=380253115-20042001><FONT face=Arial color=#0000ff size=2>I am also in agreement with this.</FONT></SPAN></DIV> <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Thursday, April 19, 2001 5:10 PM<BR><B>To:</B> David A. Cooper; ietf-pkix@imc.org<BR><B>Subject:</B> RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments)<BR><BR></FONT></DIV> <P><FONT size=2>I agree with David. It should acceptable to have a cRLSign bit on and basicConstraints absent.</FONT> </P> <P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: David A. Cooper [<A href="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</FONT> <BR><FONT size=2>Sent: Thursday, April 19, 2001 5:08 PM</FONT> <BR><FONT size=2>To: ietf-pkix@imc.org</FONT> <BR><FONT size=2>Subject: cA flag and CRL issuers (was Re: Last Call:</FONT> <BR><FONT size=2>draft-ietf-pkix-new-part1-06.txt comments)</FONT> </P><BR> <P><FONT size=2>At 07:17 PM 4/18/01 -0400, Stephen Kent wrote:</FONT> <BR><FONT size=2>>Dave Cooper,</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote:</FONT> <BR><FONT size=2>>>I see no basis in X.509 for setting the cA flag in basicConstraints for certificate subjects that can issue CRLs but not certificates. The current discussion about how to deal with CRLs for attribute certificates vs. public key certificates just further goes to show that it was a mistake to suddenly change the rules at the last IETF meeting.</FONT></P> <P><FONT size=2>></FONT> <BR><FONT size=2>>We disagree on this point. Nowhere in X.509 or in previous PKIX documents has there ever been text to suggest that other than a CA can sign a CRL for a public key certificate. So, the rules were not changed at the last meeting, they were reasserted and clarified.</FONT></P> <P><FONT size=2>Steve,</FONT> </P> <P><FONT size=2>You may say that X.509 and PKIX do not suggest that entities other than CAs can sign CRLs. However, I think we all agree that both X.509 and PKIX allow for a CRL to be signed with a different key than the key used to sign the certificates that are covered by that CRL. This may be a result of the CA that issued the certificates signing the corresponding CRLs with a different key or the CA that issued the certificates delegating the CRL issuing to another entity (via the distribution points extension). There is no requirement that the key used to sign the CRL also be used to sign certificates. So, I think we agree that there will be times where we will be issuing certificates to entities (whether those entities are CAs or not) where the intent is to specify that the public keys in the certificates may be used to verify signatures on CRLs but not on certificates.</FONT></P> <P><FONT size=2>The only place we seem to disagree is on the contents of the certificates issued in such circumstances. In particular, should the certificates contain a basicConstraints extension with the cA bit set? On this point, both X.509 and the previous PKIX documents are quite clear that the cA bit should not be set. Why? Because a CA is defined as an entity that issues public-key certificates and both documents similarly state that the cA bit is used to specify whether the certificate subject can issue certificates. There is no similar connection made between being a CA and issuing CRLs.</FONT></P><BR> <P><FONT size=2>The following are some quotes from X.509 and pkix-new-part1-05:</FONT> </P> <P><FONT size=2>In X.509 a CA is defined as "[a]n authority trusted by one or more users to create and assign public-key certificates."</FONT> </P> <P><FONT size=2>Section 7 of X.509 states that "[a] CA-certificate is a certificate issued by a CA to a subject that is itself a CA and therefore is capable of issuing public-key certificates."</FONT></P><BR> <P><FONT size=2>The description of basic constraints in X.509 further supports the idea that the cA bit is used to specify certificate issuing, not certificate and/or CRL issuing:</FONT></P> <P><FONT size=2>"This field indicates if the subject may act as a CA, with the certified public key being used to verify certificate signatures. ... The cA component indicates if the certified public key may be used to verify certificate signatures. ... if the value of cA is not set to true then the certified public key shall not be used to verify a certificate signature"</FONT></P><BR> <P><FONT size=2>pkix-new-part1-05 states something similar:</FONT> </P> <P><FONT size=2>"The cA bit indicates if the certified public key may be used to verify signatures on other certificates. If the cA bit is asserted, then the keyCertSign bit in the key usage extension (see 4.2.1.3) MUST also be asserted. If the cA bit is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted."</FONT></P><BR> <P><FONT size=2>The description of the key usage bits are consistent with this as well.</FONT> </P> <P><FONT size=2>X.509:</FONT> <BR><FONT size=2>"The bit keyCertSign is for use in CA-certificates only. If KeyUsage is set to keyCertSign and the basic constraints extension is present in the same certificate, the value of the cA component of that extension shall be set to TRUE."</FONT></P> <P><FONT size=2>pkix-new-part1-05:</FONT> <BR><FONT size=2>"The keyCertSign bit is asserted when the subject public key is used for verifying a signature on certificates. This bit may only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the keyCertSign bit is not asserted, then the cA bit in the basic constraints extension MUST NOT be asserted.</FONT></P> <P><FONT size=2>The cRLSign bit is asserted when the subject public key is used for verifying a signature on revocation information (e.g., a CRL)."</FONT></P><BR><BR> <P><FONT size=2>So, both X.509 and pkix-new-part1-05 go to great lengths to clearly state that only CAs can issue certificates and that basicConstraints with the cA bit set to true must be present in the certificates where the public key is to be used to verify signatures on certificates. There are no similar statements about CRLs. In fact, both documents are quite clear that the cA bit must not be set when the subject public key can not be used to verify certificates. So, if the subject public key can be used to verify CRLs, but not certificates, the cA bit must not be set.</FONT></P> <P><FONT size=2>X.509 is also careful not to preclude the public keys of non-CAs from being used to verify signatures on CRLs. For instance, an end entity is defined as "[a] certificate subject that uses its private key for purposes other than signing certificates or an entity that is a relying party." This leaves room for an end entity to use its private key to sign CRLs.</FONT></P><BR> <P><FONT size=2>So, if PKIX wants to require that the cA bit be set whenever the subject public key can be used to verify CRLs and also wants to maintain consistency with X.509, PKIX would have to require that any certificate authorizing the use of a public key for verifying CRL signatures also authorize the use of that public key for verifying certificate signatures. Since we are in agreement that we do not want to impose such a restriction and that we do want to maintain consistency with X.509, we can not require that the cA bit be set when the subject public key can only be used to verify CRL signatures.</FONT></P> <P><FONT size=2>Dave</FONT> </P></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0C9AF.25ABA6C0-- Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA11094 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 07:54:34 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <2VH1A3WX>; Fri, 20 Apr 2001 10:54:02 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FAE@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'David A. Cooper'" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Date: Fri, 20 Apr 2001 10:48:38 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C9A8.FBACABE0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C9A8.FBACABE0 Content-Type: text/plain; charset="iso-8859-1" David, sorry but I disagree with your assertions about X.509's position on this issue. Either by design or by accident, X.509 requires that if CRLs are being issued, they are issued by an 'authority'. Remember that the definition of "authority" is "An entity responsible for the issuance of certificates". Much of the text in X.509 predates OCSP or the concept of a validation authority, but I do know that the quotes below are new text added within the past couple of years with the intent of clarifying the role of CAs with respect to CRLs. Clause 7.3 says: "An authority that issues certificates is required to state, possibly through a published statement of their practices, through the certificates themselves, or through some other identified means, whether: - The certificates cannot be revoked; or - The certificates may be revoked by the same certificate-issuing authority directly; or - The certificate-issuing authority authorizes a different authority to perform revocation." further down in the same clause is the text: " An authority that issues and subsequently revokes certificates: a) may be required to maintain an audit record of its revocation events for all certificate types issued by that authority (e.g. public-key certificates, attribute certificates issued to end-entities as well as other authorities); b) shall provide revocation status information to relying parties using CRLs, on-line certificate status protocol or some other mechanism for the publication of revocation status information; c) if using CRLs, shall maintain and publish CRLs even if the lists of revoked certificates are empty." The quotes that you included in your message tie in with this base text, since the authority that issued the certificates has these responsibilities around revocation, there was no need for X.509 to state anything specific to CRL issuance. In the indirect CRL case, this was envisioned to be another CA or AA, that combined revocation notices from several CAs/AAs. Having said that (with my X.509 editor's hat on), if there is a requirement to have entities that are not CAs or AAs be authorized to issue CRLs on behalf of the certificate issuer (because remember that a CRL is an indication that a certificate is no longer considered valid "by its issuer")changes to X.509 would be needed. I'm not necessarily opposed to such changes, I'm just clarifying, in this message, that they would be needed in order for such implementations to be conformant. This, as usual could be done through the enhancements work or could be proposed through the defect process. One way to enable that kind of change might be to redefine authority and to talk about 3 types rather than two. However, it would take some careful review to ensure that the set of changes was thorough and complete. Sharon > -----Original Message----- > From: David A. Cooper [mailto:david.cooper@nist.gov] > Sent: Thursday, April 19, 2001 5:08 PM > To: ietf-pkix@imc.org > Subject: cA flag and CRL issuers (was Re: Last Call: > draft-ietf-pkix-new-part1-06.txt comments) > > > At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: > >Dave Cooper, > > > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: > >>I see no basis in X.509 for setting the cA flag in > basicConstraints for certificate subjects that can issue CRLs > but not certificates. The current discussion about how to > deal with CRLs for attribute certificates vs. public key > certificates just further goes to show that it was a mistake > to suddenly change the rules at the last IETF meeting. > > > >We disagree on this point. Nowhere in X.509 or in previous > PKIX documents has there ever been text to suggest that other > than a CA can sign a CRL for a public key certificate. So, > the rules were not changed at the last meeting, they were > reasserted and clarified. > > Steve, > > You may say that X.509 and PKIX do not suggest that entities > other than CAs can sign CRLs. However, I think we all agree > that both X.509 and PKIX allow for a CRL to be signed with a > different key than the key used to sign the certificates that > are covered by that CRL. This may be a result of the CA that > issued the certificates signing the corresponding CRLs with a > different key or the CA that issued the certificates > delegating the CRL issuing to another entity (via the > distribution points extension). There is no requirement that > the key used to sign the CRL also be used to sign > certificates. So, I think we agree that there will be times > where we will be issuing certificates to entities (whether > those entities are CAs or not) where the intent is to specify > that the public keys in the certificates may be used to > verify signatures on CRLs but not on certificates. > > The only place we seem to disagree is on the contents of the > certificates issued in such circumstances. In particular, > should the certificates contain a basicConstraints extension > with the cA bit set? On this point, both X.509 and the > previous PKIX documents are quite clear that the cA bit > should not be set. Why? Because a CA is defined as an entity > that issues public-key certificates and both documents > similarly state that the cA bit is used to specify whether > the certificate subject can issue certificates. There is no > similar connection made between being a CA and issuing CRLs. > > > The following are some quotes from X.509 and pkix-new-part1-05: > > In X.509 a CA is defined as "[a]n authority trusted by one or > more users to create and assign public-key certificates." > > Section 7 of X.509 states that "[a] CA-certificate is a > certificate issued by a CA to a subject that is itself a CA > and therefore is capable of issuing public-key certificates." > > > The description of basic constraints in X.509 further > supports the idea that the cA bit is used to specify > certificate issuing, not certificate and/or CRL issuing: > > "This field indicates if the subject may act as a CA, with > the certified public key being used to verify certificate > signatures. ... The cA component indicates if the certified > public key may be used to verify certificate signatures. ... if > the value of cA is not set to true then the certified public > key shall not be used to verify a certificate signature" > > > pkix-new-part1-05 states something similar: > > "The cA bit indicates if the certified public key may be used > to verify signatures on other certificates. If the cA bit is > asserted, then the keyCertSign bit in the key usage extension > (see 4.2.1.3) MUST also be asserted. If the cA bit is not > asserted, then the keyCertSign bit in the key usage extension > MUST NOT be asserted." > > > The description of the key usage bits are consistent with > this as well. > > X.509: > "The bit keyCertSign is for use in CA-certificates only. If > KeyUsage is set to keyCertSign and the basic constraints > extension is present in the same certificate, the value of > the cA component of that extension shall be set to TRUE." > > pkix-new-part1-05: > "The keyCertSign bit is asserted when the subject public key > is used for verifying a signature on certificates. This bit > may only be asserted in CA certificates. If the keyCertSign > bit is asserted, then the cA bit in the basic constraints > extension (see 4.2.1.10) MUST also be asserted. If the > keyCertSign bit is not asserted, then the cA bit in the basic > constraints extension MUST NOT be asserted. > > The cRLSign bit is asserted when the subject public key is > used for verifying a signature on revocation information > (e.g., a CRL)." > > > > So, both X.509 and pkix-new-part1-05 go to great lengths to > clearly state that only CAs can issue certificates and that > basicConstraints with the cA bit set to true must be present > in the certificates where the public key is to be used to > verify signatures on certificates. There are no similar > statements about CRLs. In fact, both documents are quite > clear that the cA bit must not be set when the subject public > key can not be used to verify certificates. So, if the > subject public key can be used to verify CRLs, but not > certificates, the cA bit must not be set. > > X.509 is also careful not to preclude the public keys of > non-CAs from being used to verify signatures on CRLs. For > instance, an end entity is defined as "[a] certificate > subject that uses its private key for purposes other than > signing certificates or an entity that is a relying party." > This leaves room for an end entity to use its private key to > sign CRLs. > > > So, if PKIX wants to require that the cA bit be set whenever > the subject public key can be used to verify CRLs and also > wants to maintain consistency with X.509, PKIX would have to > require that any certificate authorizing the use of a public > key for verifying CRL signatures also authorize the use of > that public key for verifying certificate signatures. Since > we are in agreement that we do not want to impose such a > restriction and that we do want to maintain consistency with > X.509, we can not require that the cA bit be set when the > subject public key can only be used to verify CRL signatures. > > Dave > > ------_=_NextPart_001_01C0C9A8.FBACABE0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: = draft-ietf-pkix-new-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>David, sorry but I disagree with your assertions = about X.509's </FONT> <BR><FONT SIZE=3D2>position on this issue. Either by design or by = accident, X.509 requires that if CRLs are being issued, they are issued = by an 'authority'. Remember that the definition of = "authority" is "An entity responsible </FONT></P> <P><FONT SIZE=3D2>for the issuance of certificates". Much of the = text in X.509 predates OCSP or the concept of a validation authority, = but I do know that the quotes below are new text added within the past = couple of years with the intent of clarifying the role of CAs with = respect to CRLs.</FONT></P> <P><FONT SIZE=3D2>Clause 7.3 says: </FONT> </P> <P><FONT SIZE=3D2>"An authority that issues certificates is = required to state, possibly through a published statement of their = practices, through the certificates themselves, or through some other = identified means, whether:</FONT></P> <P><FONT SIZE=3D2>- The = certificates cannot be revoked; or</FONT> <BR><FONT SIZE=3D2>- The = certificates may be revoked by the same certificate-issuing authority = directly; or</FONT> <BR><FONT SIZE=3D2>- The = certificate-issuing authority authorizes a different authority to = perform revocation."</FONT> </P> <P><FONT SIZE=3D2>further down in the same clause is the text:</FONT> </P> <P><FONT SIZE=3D2>"</FONT> <BR><FONT SIZE=3D2>An authority that issues and subsequently revokes = certificates:</FONT> <BR><FONT SIZE=3D2>a) may be required to = maintain an audit record of its revocation events for all certificate = types issued by that authority (e.g. public-key certificates, attribute = certificates issued to end-entities as well as other = authorities);</FONT></P> <P><FONT SIZE=3D2>b) shall provide revocation = status information to relying parties using CRLs, on-line certificate = status protocol or some other mechanism for the publication of = revocation status information;</FONT></P> <P><FONT SIZE=3D2>c) if using CRLs, shall = maintain and publish CRLs even if the lists of revoked certificates are = empty."</FONT> </P> <P><FONT SIZE=3D2>The quotes that you included in your message tie in = with this base text, since the authority that issued the certificates = has these responsibilities around revocation, there was no need for = X.509 to state anything specific to CRL issuance. In the indirect CRL = case, this was envisioned to be another CA or AA, that combined = revocation notices from several CAs/AAs. </FONT></P> <P><FONT SIZE=3D2>Having said that (with my X.509 editor's hat on), if = there is a requirement to have entities that are not CAs or AAs be = authorized to issue CRLs on behalf of the certificate issuer (because = remember that a CRL is an indication that a certificate is no longer = considered valid "by its issuer")changes to X.509 would be = needed. I'm not necessarily opposed to such changes, I'm just = clarifying, in this message, that they would be needed in order for = such implementations to be conformant. This, as usual could be done = through the enhancements work or could be proposed through the defect = process. One way to enable that kind of change might be to redefine = authority and to talk about 3 types rather than two. However, it would = take some careful review to ensure that the set of changes was thorough = and complete.</FONT></P> <P><FONT SIZE=3D2>Sharon</FONT> </P> <P><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: David A. Cooper [<A = HREF=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]<= /FONT> <BR><FONT SIZE=3D2>> Sent: Thursday, April 19, 2001 5:08 PM</FONT> <BR><FONT SIZE=3D2>> To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: cA flag and CRL issuers (was Re: Last = Call:</FONT> <BR><FONT SIZE=3D2>> draft-ietf-pkix-new-part1-06.txt = comments)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> At 07:17 PM 4/18/01 -0400, Stephen Kent = wrote:</FONT> <BR><FONT SIZE=3D2>> >Dave Cooper,</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >>At 01:40 PM 4/18/01 -0400, David A. = Cooper wrote:</FONT> <BR><FONT SIZE=3D2>> >>I see no basis in X.509 for setting the = cA flag in </FONT> <BR><FONT SIZE=3D2>> basicConstraints for certificate subjects that = can issue CRLs </FONT> <BR><FONT SIZE=3D2>> but not certificates. The current discussion = about how to </FONT> <BR><FONT SIZE=3D2>> deal with CRLs for attribute certificates vs. = public key </FONT> <BR><FONT SIZE=3D2>> certificates just further goes to show that it = was a mistake </FONT> <BR><FONT SIZE=3D2>> to suddenly change the rules at the last IETF = meeting.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >We disagree on this point. Nowhere in X.509 = or in previous </FONT> <BR><FONT SIZE=3D2>> PKIX documents has there ever been text to = suggest that other </FONT> <BR><FONT SIZE=3D2>> than a CA can sign a CRL for a public key = certificate. So, </FONT> <BR><FONT SIZE=3D2>> the rules were not changed at the last meeting, = they were </FONT> <BR><FONT SIZE=3D2>> reasserted and clarified.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Steve,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> You may say that X.509 and PKIX do not suggest = that entities </FONT> <BR><FONT SIZE=3D2>> other than CAs can sign CRLs. However, I think = we all agree </FONT> <BR><FONT SIZE=3D2>> that both X.509 and PKIX allow for a CRL to be = signed with a </FONT> <BR><FONT SIZE=3D2>> different key than the key used to sign the = certificates that </FONT> <BR><FONT SIZE=3D2>> are covered by that CRL. This may be a result = of the CA that </FONT> <BR><FONT SIZE=3D2>> issued the certificates signing the = corresponding CRLs with a </FONT> <BR><FONT SIZE=3D2>> different key or the CA that issued the = certificates </FONT> <BR><FONT SIZE=3D2>> delegating the CRL issuing to another entity = (via the </FONT> <BR><FONT SIZE=3D2>> distribution points extension). There is no = requirement that </FONT> <BR><FONT SIZE=3D2>> the key used to sign the CRL also be used to = sign </FONT> <BR><FONT SIZE=3D2>> certificates. So, I think we agree that there = will be times </FONT> <BR><FONT SIZE=3D2>> where we will be issuing certificates to = entities (whether </FONT> <BR><FONT SIZE=3D2>> those entities are CAs or not) where the intent = is to specify </FONT> <BR><FONT SIZE=3D2>> that the public keys in the certificates may be = used to </FONT> <BR><FONT SIZE=3D2>> verify signatures on CRLs but not on = certificates.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The only place we seem to disagree is on the = contents of the </FONT> <BR><FONT SIZE=3D2>> certificates issued in such circumstances. In = particular, </FONT> <BR><FONT SIZE=3D2>> should the certificates contain a = basicConstraints extension </FONT> <BR><FONT SIZE=3D2>> with the cA bit set? On this point, both X.509 = and the </FONT> <BR><FONT SIZE=3D2>> previous PKIX documents are quite clear that = the cA bit </FONT> <BR><FONT SIZE=3D2>> should not be set. Why? Because a CA is defined = as an entity </FONT> <BR><FONT SIZE=3D2>> that issues public-key certificates and both = documents </FONT> <BR><FONT SIZE=3D2>> similarly state that the cA bit is used to = specify whether </FONT> <BR><FONT SIZE=3D2>> the certificate subject can issue certificates. = There is no </FONT> <BR><FONT SIZE=3D2>> similar connection made between being a CA and = issuing CRLs.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The following are some quotes from X.509 and = pkix-new-part1-05:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> In X.509 a CA is defined as "[a]n = authority trusted by one or </FONT> <BR><FONT SIZE=3D2>> more users to create and assign public-key = certificates."</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Section 7 of X.509 states that "[a] = CA-certificate is a </FONT> <BR><FONT SIZE=3D2>> certificate issued by a CA to a subject that is = itself a CA </FONT> <BR><FONT SIZE=3D2>> and therefore is capable of issuing public-key = certificates."</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The description of basic constraints in X.509 = further </FONT> <BR><FONT SIZE=3D2>> supports the idea that the cA bit is used to = specify </FONT> <BR><FONT SIZE=3D2>> certificate issuing, not certificate and/or CRL = issuing:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> "This field indicates if the subject may = act as a CA, with </FONT> <BR><FONT SIZE=3D2>> the certified public key being used to verify = certificate </FONT> <BR><FONT SIZE=3D2>> signatures. ... The cA component indicates if = the certified </FONT> <BR><FONT SIZE=3D2>> public key may be used to verify certificate = signatures. ... if </FONT> <BR><FONT SIZE=3D2>> the value of cA is not set to true then the = certified public </FONT> <BR><FONT SIZE=3D2>> key shall not be used to verify a certificate = signature"</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> pkix-new-part1-05 states something = similar:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> "The cA bit indicates if the certified = public key may be used </FONT> <BR><FONT SIZE=3D2>> to verify signatures on other certificates. If = the cA bit is </FONT> <BR><FONT SIZE=3D2>> asserted, then the keyCertSign bit in the key = usage extension </FONT> <BR><FONT SIZE=3D2>> (see 4.2.1.3) MUST also be asserted. If the cA = bit is not </FONT> <BR><FONT SIZE=3D2>> asserted, then the keyCertSign bit in the key = usage extension </FONT> <BR><FONT SIZE=3D2>> MUST NOT be asserted."</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The description of the key usage bits are = consistent with </FONT> <BR><FONT SIZE=3D2>> this as well.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> X.509:</FONT> <BR><FONT SIZE=3D2>> "The bit keyCertSign is for use in = CA-certificates only. If </FONT> <BR><FONT SIZE=3D2>> KeyUsage is set to keyCertSign and the basic = constraints </FONT> <BR><FONT SIZE=3D2>> extension is present in the same certificate, = the value of </FONT> <BR><FONT SIZE=3D2>> the cA component of that extension shall be set = to TRUE."</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> pkix-new-part1-05:</FONT> <BR><FONT SIZE=3D2>> "The keyCertSign bit is asserted when the = subject public key </FONT> <BR><FONT SIZE=3D2>> is used for verifying a signature on = certificates. This bit </FONT> <BR><FONT SIZE=3D2>> may only be asserted in CA certificates. = If the keyCertSign </FONT> <BR><FONT SIZE=3D2>> bit is asserted, then the cA bit in the basic = constraints </FONT> <BR><FONT SIZE=3D2>> extension (see 4.2.1.10) MUST also be asserted. = If the </FONT> <BR><FONT SIZE=3D2>> keyCertSign bit is not asserted, then the cA = bit in the basic </FONT> <BR><FONT SIZE=3D2>> constraints extension MUST NOT be = asserted.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The cRLSign bit is asserted when the subject = public key is </FONT> <BR><FONT SIZE=3D2>> used for verifying a signature on revocation = information </FONT> <BR><FONT SIZE=3D2>> (e.g., a CRL)."</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> So, both X.509 and pkix-new-part1-05 go to = great lengths to </FONT> <BR><FONT SIZE=3D2>> clearly state that only CAs can issue = certificates and that </FONT> <BR><FONT SIZE=3D2>> basicConstraints with the cA bit set to true = must be present </FONT> <BR><FONT SIZE=3D2>> in the certificates where the public key is to = be used to </FONT> <BR><FONT SIZE=3D2>> verify signatures on certificates. There are no = similar </FONT> <BR><FONT SIZE=3D2>> statements about CRLs. In fact, both documents = are quite </FONT> <BR><FONT SIZE=3D2>> clear that the cA bit must not be set when the = subject public </FONT> <BR><FONT SIZE=3D2>> key can not be used to verify certificates. So, = if the </FONT> <BR><FONT SIZE=3D2>> subject public key can be used to verify CRLs, = but not </FONT> <BR><FONT SIZE=3D2>> certificates, the cA bit must not be = set.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> X.509 is also careful not to preclude the = public keys of </FONT> <BR><FONT SIZE=3D2>> non-CAs from being used to verify signatures on = CRLs. For </FONT> <BR><FONT SIZE=3D2>> instance, an end entity is defined as "[a] = certificate </FONT> <BR><FONT SIZE=3D2>> subject that uses its private key for purposes = other than </FONT> <BR><FONT SIZE=3D2>> signing certificates or an entity that is a = relying party." </FONT> <BR><FONT SIZE=3D2>> This leaves room for an end entity to use its = private key to </FONT> <BR><FONT SIZE=3D2>> sign CRLs.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> So, if PKIX wants to require that the cA bit be = set whenever </FONT> <BR><FONT SIZE=3D2>> the subject public key can be used to verify = CRLs and also </FONT> <BR><FONT SIZE=3D2>> wants to maintain consistency with X.509, PKIX = would have to </FONT> <BR><FONT SIZE=3D2>> require that any certificate authorizing the = use of a public </FONT> <BR><FONT SIZE=3D2>> key for verifying CRL signatures also authorize = the use of </FONT> <BR><FONT SIZE=3D2>> that public key for verifying certificate = signatures. Since </FONT> <BR><FONT SIZE=3D2>> we are in agreement that we do not want to = impose such a </FONT> <BR><FONT SIZE=3D2>> restriction and that we do want to maintain = consistency with </FONT> <BR><FONT SIZE=3D2>> X.509, we can not require that the cA bit be = set when the </FONT> <BR><FONT SIZE=3D2>> subject public key can only be used to verify = CRL signatures.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Dave</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C9A8.FBACABE0-- Received: from protactinium (protactinium.btinternet.com [194.73.73.176]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA07550 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 06:42:32 -0700 (PDT) Received: from [213.122.10.72] (helo=vaio) by protactinium with smtp (Exim 3.03 #83) id 14qbB5-00037r-00; Fri, 20 Apr 2001 14:42:28 +0100 Message-ID: <002501c0c9a0$48cfc460$851efea9@vaio> Reply-To: "Liaquat Khan" <liaquat.khan@gta.multicert.org> From: "Liaquat Khan" <liaquat.khan@gta.multicert.org> To: <ietf-pkix@imc.org>, "David A. Cooper" <david.cooper@nist.gov> References: <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Date: Fri, 20 Apr 2001 14:46:20 +0100 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0022_01C0C9A8.A976D580" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 This is a multi-part message in MIME format. ------=_NextPart_000_0022_01C0C9A8.A976D580 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Yes, I agree with this too. The actual value of the cA flag over and above what is already provided = through the keyCertSign and cRLSign seems limited. =20 Liaquat =20 ----- Original Message -----=20 From: David A. Cooper=20 To: ietf-pkix@imc.org=20 Sent: Thursday, April 19, 2001 10:08 PM Subject: cA flag and CRL issuers (was Re: Last Call: = draft-ietf-pkix-new-part1-06.txt comments) At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: >Dave Cooper, > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: >>I see no basis in X.509 for setting the cA flag in basicConstraints = for certificate subjects that can issue CRLs but not certificates. The = current discussion about how to deal with CRLs for attribute = certificates vs. public key certificates just further goes to show that = it was a mistake to suddenly change the rules at the last IETF meeting. > >We disagree on this point. Nowhere in X.509 or in previous PKIX = documents has there ever been text to suggest that other than a CA can = sign a CRL for a public key certificate. So, the rules were not changed = at the last meeting, they were reasserted and clarified. Steve, You may say that X.509 and PKIX do not suggest that entities other = than CAs can sign CRLs. However, I think we all agree that both X.509 = and PKIX allow for a CRL to be signed with a different key than the key = used to sign the certificates that are covered by that CRL. This may be = a result of the CA that issued the certificates signing the = corresponding CRLs with a different key or the CA that issued the = certificates delegating the CRL issuing to another entity (via the = distribution points extension). There is no requirement that the key = used to sign the CRL also be used to sign certificates. So, I think we = agree that there will be times where we will be issuing certificates to = entities (whether those entities are CAs or not) where the intent is to = specify that the public keys in the certificates may be used to verify = signatures on CRLs but not on certificates. The only place we seem to disagree is on the contents of the = certificates issued in such circumstances. In particular, should the = certificates contain a basicConstraints extension with the cA bit set? = On this point, both X.509 and the previous PKIX documents are quite = clear that the cA bit should not be set. Why? Because a CA is defined as = an entity that issues public-key certificates and both documents = similarly state that the cA bit is used to specify whether the = certificate subject can issue certificates. There is no similar = connection made between being a CA and issuing CRLs. The following are some quotes from X.509 and pkix-new-part1-05: In X.509 a CA is defined as "[a]n authority trusted by one or more = users to create and assign public-key certificates." Section 7 of X.509 states that "[a] CA-certificate is a certificate = issued by a CA to a subject that is itself a CA and therefore is capable = of issuing public-key certificates." The description of basic constraints in X.509 further supports the = idea that the cA bit is used to specify certificate issuing, not = certificate and/or CRL issuing: "This field indicates if the subject may act as a CA, with the = certified public key being used to verify certificate signatures. . The = cA component indicates if the certified public key may be used to verify = certificate signatures. . if the value of cA is not set to true then the = certified public key shall not be used to verify a certificate = signature" pkix-new-part1-05 states something similar: "The cA bit indicates if the certified public key may be used to = verify signatures on other certificates. If the cA bit is asserted, then = the keyCertSign bit in the key usage extension (see 4.2.1.3) MUST also = be asserted. If the cA bit is not asserted, then the keyCertSign bit in = the key usage extension MUST NOT be asserted." The description of the key usage bits are consistent with this as = well. X.509: "The bit keyCertSign is for use in CA-certificates only. If KeyUsage = is set to keyCertSign and the basic constraints extension is present in = the same certificate, the value of the cA component of that extension = shall be set to TRUE." pkix-new-part1-05: "The keyCertSign bit is asserted when the subject public key is used = for verifying a signature on certificates. This bit may only be = asserted in CA certificates. If the keyCertSign bit is asserted, then = the cA bit in the basic constraints extension (see 4.2.1.10) MUST also = be asserted. If the keyCertSign bit is not asserted, then the cA bit in = the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for = verifying a signature on revocation information (e.g., a CRL)." So, both X.509 and pkix-new-part1-05 go to great lengths to clearly = state that only CAs can issue certificates and that basicConstraints = with the cA bit set to true must be present in the certificates where = the public key is to be used to verify signatures on certificates. There = are no similar statements about CRLs. In fact, both documents are quite = clear that the cA bit must not be set when the subject public key can = not be used to verify certificates. So, if the subject public key can be = used to verify CRLs, but not certificates, the cA bit must not be set. X.509 is also careful not to preclude the public keys of non-CAs from = being used to verify signatures on CRLs. For instance, an end entity is = defined as "[a] certificate subject that uses its private key for = purposes other than signing certificates or an entity that is a relying = party." This leaves room for an end entity to use its private key to = sign CRLs. So, if PKIX wants to require that the cA bit be set whenever the = subject public key can be used to verify CRLs and also wants to maintain = consistency with X.509, PKIX would have to require that any certificate = authorizing the use of a public key for verifying CRL signatures also = authorize the use of that public key for verifying certificate = signatures. Since we are in agreement that we do not want to impose such = a restriction and that we do want to maintain consistency with X.509, we = can not require that the cA bit be set when the subject public key can = only be used to verify CRL signatures. Dave ------=_NextPart_000_0022_01C0C9A8.A976D580 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 5.50.4522.1800" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2>Yes, I agree with this = too.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>The actual value of the cA flag over = and above what=20 is already provided through the <FONT face=3D"Times New Roman" = size=3D3>keyCertSign=20 <FONT face=3DArial size=3D2>and cRLSign </FONT></FONT>seems = limited. =20 </FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>Liaquat </FONT></DIV> <BLOCKQUOTE=20 style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; = BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px"> <DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV> <DIV=20 style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: = black"><B>From:</B>=20 <A title=3Ddavid.cooper@nist.gov = href=3D"mailto:david.cooper@nist.gov">David A.=20 Cooper</A> </DIV> <DIV style=3D"FONT: 10pt arial"><B>To:</B> <A = title=3Dietf-pkix@imc.org=20 href=3D"mailto:ietf-pkix@imc.org">ietf-pkix@imc.org</A> </DIV> <DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Thursday, April 19, 2001 = 10:08=20 PM</DIV> <DIV style=3D"FONT: 10pt arial"><B>Subject:</B> cA flag and CRL = issuers (was Re:=20 Last Call: draft-ietf-pkix-new-part1-06.txt comments)</DIV> <DIV><BR></DIV>At 07:17 PM 4/18/01 -0400, Stephen Kent = wrote:<BR>>Dave=20 Cooper,<BR>><BR>>>At 01:40 PM 4/18/01 -0400, David A. Cooper=20 wrote:<BR>>>I see no basis in X.509 for setting the cA flag in=20 basicConstraints for certificate subjects that can issue CRLs but not=20 certificates. The current discussion about how to deal with CRLs for = attribute=20 certificates vs. public key certificates just further goes to show = that it was=20 a mistake to suddenly change the rules at the last IETF=20 meeting.<BR>><BR>>We disagree on this point. Nowhere in X.509 or = in=20 previous PKIX documents has there ever been text to suggest that other = than a=20 CA can sign a CRL for a public key certificate. So, the rules were not = changed=20 at the last meeting, they were reasserted and=20 clarified.<BR><BR>Steve,<BR><BR>You may say that X.509 and PKIX do not = suggest=20 that entities other than CAs can sign CRLs. However, I think we all = agree that=20 both X.509 and PKIX allow for a CRL to be signed with a different key = than the=20 key used to sign the certificates that are covered by that CRL. This = may be a=20 result of the CA that issued the certificates signing the = corresponding CRLs=20 with a different key or the CA that issued the certificates delegating = the CRL=20 issuing to another entity (via the distribution points extension). = There is no=20 requirement that the key used to sign the CRL also be used to sign=20 certificates. So, I think we agree that there will be times where we = will be=20 issuing certificates to entities (whether those entities are CAs or = not) where=20 the intent is to specify that the public keys in the certificates may = be used=20 to verify signatures on CRLs but not on certificates.<BR><BR>The only = place we=20 seem to disagree is on the contents of the certificates issued in such = circumstances. In particular, should the certificates contain a=20 basicConstraints extension with the cA bit set? On this point, both = X.509 and=20 the previous PKIX documents are quite clear that the cA bit should not = be set.=20 Why? Because a CA is defined as an entity that issues public-key = certificates=20 and both documents similarly state that the cA bit is used to specify = whether=20 the certificate subject can issue certificates. There is no similar = connection=20 made between being a CA and issuing CRLs.<BR><BR><BR>The following are = some=20 quotes from X.509 and pkix-new-part1-05:<BR><BR>In X.509 a CA is = defined as=20 "[a]n authority trusted by one or more users to create and assign = public-key=20 certificates."<BR><BR>Section 7 of X.509 states that "[a] = CA-certificate is a=20 certificate issued by a CA to a subject that is itself a CA and = therefore is=20 capable of issuing public-key certificates."<BR><BR><BR>The = description of=20 basic constraints in X.509 further supports the idea that the cA bit = is used=20 to specify certificate issuing, not certificate and/or CRL=20 issuing:<BR><BR>"This field indicates if the subject may act as a CA, = with the=20 certified public key being used to verify certificate signatures. . = The cA=20 component indicates if the certified public key may be used to verify=20 certificate signatures. . if the value of cA is not set to true then = the=20 certified public key shall not be used to verify a certificate=20 signature"<BR><BR><BR>pkix-new-part1-05 states something = similar:<BR><BR>"The=20 cA bit indicates if the certified public key may be used to verify = signatures=20 on other certificates. If the cA bit is asserted, then the keyCertSign = bit in=20 the key usage extension (see 4.2.1.3) MUST also be asserted. If the cA = bit is=20 not asserted, then the keyCertSign bit in the key usage extension MUST = NOT be=20 asserted."<BR><BR><BR>The description of the key usage bits are = consistent=20 with this as well.<BR><BR>X.509:<BR>"The bit keyCertSign is for use in = CA-certificates only. If KeyUsage is set to keyCertSign and the basic=20 constraints extension is present in the same certificate, the value of = the cA=20 component of that extension shall be set to=20 TRUE."<BR><BR>pkix-new-part1-05:<BR>"The keyCertSign bit is asserted = when the=20 subject public key is used for verifying a signature on = certificates. =20 This bit may only be asserted in CA certificates. If the = keyCertSign bit=20 is asserted, then the cA bit in the basic constraints extension (see = 4.2.1.10)=20 MUST also be asserted. If the keyCertSign bit is not asserted, then = the cA bit=20 in the basic constraints extension MUST NOT be asserted.<BR><BR>The = cRLSign=20 bit is asserted when the subject public key is used for verifying a = signature=20 on revocation information (e.g., a CRL)."<BR><BR><BR><BR>So, both = X.509 and=20 pkix-new-part1-05 go to great lengths to clearly state that only CAs = can issue=20 certificates and that basicConstraints with the cA bit set to true = must be=20 present in the certificates where the public key is to be used to = verify=20 signatures on certificates. There are no similar statements about = CRLs. In=20 fact, both documents are quite clear that the cA bit must not be set = when the=20 subject public key can not be used to verify certificates. So, if the = subject=20 public key can be used to verify CRLs, but not certificates, the cA = bit must=20 not be set.<BR><BR>X.509 is also careful not to preclude the public = keys of=20 non-CAs from being used to verify signatures on CRLs. For instance, an = end=20 entity is defined as "[a] certificate subject that uses its private = key for=20 purposes other than signing certificates or an entity that is a = relying=20 party." This leaves room for an end entity to use its private key to = sign=20 CRLs.<BR><BR><BR>So, if PKIX wants to require that the cA bit be set = whenever=20 the subject public key can be used to verify CRLs and also wants to = maintain=20 consistency with X.509, PKIX would have to require that any = certificate=20 authorizing the use of a public key for verifying CRL signatures also=20 authorize the use of that public key for verifying certificate = signatures.=20 Since we are in agreement that we do not want to impose such a = restriction and=20 that we do want to maintain consistency with X.509, we can not require = that=20 the cA bit be set when the subject public key can only be used to = verify CRL=20 signatures.<BR><BR>Dave<BR><BR><BR></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0022_01C0C9A8.A976D580-- Received: from exchsvr1.entegrity.com (exchsvr1.entegrity.com [207.215.19.3]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA01477 for <ietf-pkix@imc.org>; Fri, 20 Apr 2001 05:16:44 -0700 (PDT) Received: from cooper.entegrity.com (dave.entegrity.se [195.100.88.62]) by exchsvr1.entegrity.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id GFR1B38M; Fri, 20 Apr 2001 05:16:56 -0700 Message-Id: <5.0.2.1.0.20010420135423.0198fb90@exchsvr1.entegrity.com> X-Sender: nada@exchsvr1.entegrity.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Fri, 20 Apr 2001 14:12:59 +0200 To: "Trevor Freeman" <trevorf@windows.microsoft.com>, "Bengt Ohlsson" <bengt.ohlsson@smarttrust.com>, "Russ Housley" <rhousley@rsasecurity.com> From: Nada Kapidzic Cicovic <nada@entegrity.com> Subject: RE: Dedicated CRL signing keys Cc: ietf-pkix@imc.org In-Reply-To: <4AEE3169443CDD4796CA8A00B02191CD6894E3@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Would it not be easier to mandate the support for Authority and Subject key identifiers, than to require the CA to use different DNs when different keys are used for issuing certificates and CRLs. As Tim noted, this problem may occur even for regular CAs (which use the same key for issuing certificates and CRLs) after a key pair rollover. At 09:29 AM 4/19/01 -0700, Trevor Freeman wrote: >Bengt, >Theorizing what could be possible, do not change that support for these >semantics is not mandatory under this profile, which means we are trying >to establish how that client fails gracefully with some kind of >meaningful error I agree with Bengt that key identifier extensions provide enough information for the client to go looking for the right cert path to perform the verification of the signature on the CRL. If the client is not able to locate the proper path it can fail with a meaningful error. Nada >Trevor >-----Original Message----- >From: Bengt Ohlsson [mailto:bengt.ohlsson@smarttrust.com] >Sent: Thursday, April 19, 2001 8:10 AM >To: Trevor Freeman; Russ Housley >Cc: ietf-pkix@imc.org >Subject: RE: Dedicated CRL signing keys > >Trevor and Russ, > >I don't see why the clients should fail to verify the signature >on the CRL. Assume a CA uses separate keys, same DN, >for certificate signing and CRL signing and sets the >AuthorityKeyIdentifier extension in both the certificates >and the CRLs. Then PKIX compliant clients should be able >to build the correct certificate chains for verifying both the >certificates and the CRLs. > >The legislation may require the CA keys to be stored in >hardware without any copies. If you lose a key due to HW >failure you will probaly want to continue to issue the CRLs >with a new key and the same DN. > >This requires the clients to handle the AKI extension to be >able to verify the signature on the new CRLs. This is a >small requirement compared to handle indirect CRLs if >you must change the DN. > >Bengt > >-----Original Message----- >From: Trevor Freeman [mailto:trevorf@windows.microsoft.com] >Sent: den 19 april 2001 01:40 >To: Russ Housley >Cc: ietf-pkix@imc.org >Subject: RE: Dedicated CRL signing keys > > >Hi Russ, >That addresses my concerns. A pkix compliant client can now be >reasonability expected to fail with a more informative error, and the >problem should be in people's faces since the CRL contains a critical >extension. >Trevor > >-----Original Message----- >From: Russ Housley [mailto:rhousley@rsasecurity.com] >Sent: Wednesday, April 18, 2001 2:08 PM >To: Trevor Freeman >Cc: ietf-pkix@imc.org >Subject: Re: Dedicated CRL signing keys > >Trevor: > >I propose the following solution that builds on the Indirect CRL >capabilities that are already available. When a CA wants to employ >separate private keys to sign certificates and CRLs, then that CA MUST >delegate CRL signing to a separate authority. That separate authority >MUST >have a different Distinguished Name that the CA, but it could be >operated >by the same organization. In this way, the IDP CRL extension would flag > >the "unusual" circumstances. Clients that do not support Indirect CRLs >can >fail gracefully (unsupported optional feature), and clients that support > >Indirect CRLs can happily handle the certificates and CRLs. > >Thoughts? > >Russ > >At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: > >There has been some discussion regarding the proposal to have CRLs > >signed with CA keys which do not also sign certificates. Since this >will > >not be a mandatory to implement feature, I am concerned about the >impact > >on pkix compliant clients who encounter CRL signed in this way, and how > >we expect them to behave. What seem unacceptable with the current > >proposal is that the signage check on the CRL will fail, and the client > >will have little clue as to why and if this failure is expected. The > >information in the chain, while present, is in the CAs certificate, is > >difficult to find and subtle so would be easily missed by someone > >debugging this problem. I would like to see some clearer indication in >a > >critical extension in the CRL itself that would indicate what was going > >on. In expressing these semantics in a critical extension, we maintain > >the principal that if you don't understand the extension, the client > >knows to fail due to its own inadequacies and that failure is by >design, > >therefore allowing the client's to return an error unsupported option > >rather than invalid signature. > >Trevor Received: from ent250-1.ic.lu (124.imprimerie-centrale.lu [194.154.217.124]) by above.proper.com (8.9.3/8.9.3) with ESMTP id BAA15209; Fri, 20 Apr 2001 01:58:39 -0700 (PDT) Received: from fwgw-2.ic.lu ([192.168.6.1]) by ent250-1.ic.lu (8.9.3/8.9.0) with SMTP id KAA21434; Fri, 20 Apr 2001 10:58:21 +0200 (MET DST) Message-ID: <00e801c0c978$cc087a20$1e0a0a0a@pt.lu> From: "David Sweigert" <sweigert@eurosigncard.lu> To: <ietf-pkix@imc.org> Cc: <owner-ietf-pkix@imc.org> Subject: subscribe Date: Fri, 20 Apr 2001 11:03:41 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_00E5_01C0C989.8F3D36B0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 This is a multi-part message in MIME format. ------=_NextPart_000_00E5_01C0C989.8F3D36B0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable subscribe David G. Sweigert Managing Director Contact information: Direct in dial (DID): 352+ 262-072-30 United States Cellular: (443)-413-4820 Luxembourg fax machine: 352+ 262-072-31 http://www.trusttheweb.com ------=_NextPart_000_00E5_01C0C989.8F3D36B0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.2919.6307" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2>subscribe</FONT></DIV> <DIV> </DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2>David G. Sweigert<BR>Managing = Director</FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2>Contact information:<BR>Direct in dial=20 (DID): &= nbsp;=20 352+ 262-072-30<BR>United States=20 Cellular: = (443)-413-4820<BR>Luxembourg=20 fax machine: 352+ 262-072-31<BR><A=20 href=3D"http://www.trusttheweb.com">http://www.trusttheweb.com</A><BR></F= ONT></DIV></BODY></HTML> ------=_NextPart_000_00E5_01C0C989.8F3D36B0-- Received: from mail5.microsoft.com (mail5.microsoft.com [131.107.3.121]) by above.proper.com (8.9.3/8.9.3) with SMTP id RAA11737 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 17:36:59 -0700 (PDT) Received: from 157.54.9.108 by mail5.microsoft.com (InterScan E-Mail VirusWall NT); Thu, 19 Apr 2001 09:40:20 -0700 (Pacific Daylight Time) Received: from red-imc-01.redmond.corp.microsoft.com ([157.54.9.102]) by inet-imc-05.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Thu, 19 Apr 2001 09:40:00 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Thu, 19 Apr 2001 09:39:59 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Thu, 19 Apr 2001 09:39:40 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Dedicated CRL signing keys Date: Thu, 19 Apr 2001 09:39:40 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD6894E4@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Dedicated CRL signing keys Thread-Index: AcDI5IlYhLahcvQ0QHqMVTQq5vIiRgACYv/w From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: <stephen.farrell@baltimore.ie>, "Russ Housley" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 19 Apr 2001 16:39:40.0712 (UTC) FILETIME=[54851280:01C0C8EF] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id RAA11738 Stephen, The route problem is that this is an optional feature, and the net result with the current proposal of profile compliant clients who encounter a CA operating with this option will simply be a signature failure. This presents a fairly high bar to anyone trying to establish why the revocation check is failing. The rational behind using a critical extension in the CRL is that now the conformant client knows that failure is by design without understanding what the problem is since it does not understand the extension and can return a more informative error like option not supported. Trevor -----Original Message----- From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie] Sent: Thursday, April 19, 2001 7:07 AM To: Russ Housley Cc: Trevor Freeman; ietf-pkix@imc.org Subject: Re: Dedicated CRL signing keys Russ, That'd be a bad resolution since it would break deployed CAs who use the same name and different cert and CRL signing keys (and those do exist and are operating). Any other ideas or should we just require clients to understand what's going on based on key usage? Stephen. Russ Housley wrote: > > Trevor: > > I propose the following solution that builds on the Indirect CRL > capabilities that are already available. When a CA wants to employ > separate private keys to sign certificates and CRLs, then that CA MUST > delegate CRL signing to a separate authority. That separate authority MUST > have a different Distinguished Name that the CA, but it could be operated > by the same organization. In this way, the IDP CRL extension would flag > the "unusual" circumstances. Clients that do not support Indirect CRLs can > fail gracefully (unsupported optional feature), and clients that support > Indirect CRLs can happily handle the certificates and CRLs. > > Thoughts? > > Russ > > At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: > >There has been some discussion regarding the proposal to have CRLs > >signed with CA keys which do not also sign certificates. Since this will > >not be a mandatory to implement feature, I am concerned about the impact > >on pkix compliant clients who encounter CRL signed in this way, and how > >we expect them to behave. What seem unacceptable with the current > >proposal is that the signage check on the CRL will fail, and the client > >will have little clue as to why and if this failure is expected. The > >information in the chain, while present, is in the CAs certificate, is > >difficult to find and subtle so would be easily missed by someone > >debugging this problem. I would like to see some clearer indication in a > >critical extension in the CRL itself that would indicate what was going > >on. In expressing these semantics in a critical extension, we maintain > >the principal that if you don't understand the extension, the client > >knows to fail due to its own inadequacies and that failure is by design, > >therefore allowing the client's to return an error unsupported option > >rather than invalid signature. > >Trevor -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA02729 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 14:49:09 -0700 (PDT) Received: by balinese.baltimore.ie; id WAA29177; Thu, 19 Apr 2001 22:49:09 +0100 (GMT/IST) Received: from emeairlsw1.ie.baltimore.com(10.153.25.53) by balinese.baltimore.ie via smap (V4.2) id xma022116; Thu, 19 Apr 01 15:07:18 +0100 Received: from bobcat.baltimore.ie (bobcat.ie.baltimore.com) by emeairlsw1.baltimore.com (Content Technologies SMTPRS 4.2.1) with ESMTP id <T53037bed5a0a99193519e@emeairlsw1.baltimore.com>; Thu, 19 Apr 2001 15:05:38 +0100 Received: from baltimore.ie (cis-flcat1.ie.baltimore.com [10.153.24.220]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id PAA10843; Thu, 19 Apr 2001 15:10:08 +0100 Message-ID: <3ADEF0F9.50E18FA5@baltimore.ie> Date: Thu, 19 Apr 2001 15:06:49 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Russ Housley <rhousley@rsasecurity.com> CC: Trevor Freeman <trevorf@windows.microsoft.com>, ietf-pkix@imc.org Subject: Re: Dedicated CRL signing keys References: <5.0.1.4.2.20010418170147.01c7c300@exna07.securitydynamics.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Russ, That'd be a bad resolution since it would break deployed CAs who use the same name and different cert and CRL signing keys (and those do exist and are operating). Any other ideas or should we just require clients to understand what's going on based on key usage? Stephen. Russ Housley wrote: > > Trevor: > > I propose the following solution that builds on the Indirect CRL > capabilities that are already available. When a CA wants to employ > separate private keys to sign certificates and CRLs, then that CA MUST > delegate CRL signing to a separate authority. That separate authority MUST > have a different Distinguished Name that the CA, but it could be operated > by the same organization. In this way, the IDP CRL extension would flag > the "unusual" circumstances. Clients that do not support Indirect CRLs can > fail gracefully (unsupported optional feature), and clients that support > Indirect CRLs can happily handle the certificates and CRLs. > > Thoughts? > > Russ > > At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: > >There has been some discussion regarding the proposal to have CRLs > >signed with CA keys which do not also sign certificates. Since this will > >not be a mandatory to implement feature, I am concerned about the impact > >on pkix compliant clients who encounter CRL signed in this way, and how > >we expect them to behave. What seem unacceptable with the current > >proposal is that the signage check on the CRL will fail, and the client > >will have little clue as to why and if this failure is expected. The > >information in the chain, while present, is in the CAs certificate, is > >difficult to find and subtle so would be easily missed by someone > >debugging this problem. I would like to see some clearer indication in a > >critical extension in the CRL itself that would indicate what was going > >on. In expressing these semantics in a critical extension, we maintain > >the principal that if you don't understand the extension, the client > >knows to fail due to its own inadequacies and that failure is by design, > >therefore allowing the client's to return an error unsupported option > >rather than invalid signature. > >Trevor -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from netlink.co.nz (mako.netlink.co.nz [202.20.93.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA01289 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 14:28:43 -0700 (PDT) Received: from ronsnotebook (128i-cl128.netlink.net.nz [203.97.144.128]) by netlink.co.nz (8.9.3/8.9.3) with SMTP id JAA02912; Fri, 20 Apr 2001 09:28:42 +1200 (NZST) From: "Ron Segal" <ron.segal@baycorpid.com> To: "David Cross" <dcross@microsoft.com> Cc: <ietf-pkix@imc.org> Subject: RE: Help Sought on Netscape Revocation URL causing MS Programs to hang Date: Fri, 20 Apr 2001 09:32:06 +1200 Message-ID: <LBENKDKNFEPFGMCIMHMMGEBJCFAA.ron.segal@baycorpid.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0148_01C0C97C.C3E31220" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <24A715275661C8428C00432EFCA5CB7C02A98783@red-msg-02.redmond.corp.microsoft.com> This is a multi-part message in MIME format. ------=_NextPart_000_0148_01C0C97C.C3E31220 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi David Thanks for your offer to checkout the certificate chain. Actually a clear explanation has now been offered by free Microsoft support(unexpectedly rapid and knowedgable service I might add, particularly as it was a free web query). It seems that if the revocation check itself is to a secure server (https) and the server certificate itself has a Nescape revocation extension a recursive revocation process can occur. Microsoft are providing a partial fix for this in their new version of Office (XP) by detecting the recursion and halting the process. If this happens the revocation check will fail to provide revocation status. The optimum solution is to remove the Netscape revocation extension from the server certificate. I'm copying this to the list so that others will see that the problem has been 'solved', and the solution (please note server cert providers!). Hope that I did not miss any messages and personally thanked everybody who responded, at least that was the intention. Very best regards Ron -------------- Ron Segal Business Development Manager Baycorp ID Services Ltd PO Box 5052, Wellington, New Zealand Mailto: ron.segal@baycorpid.com Tel: +64 (9) 356 5801 DD: +64 (4) 499 4261 Mob: +64 (21) 678 009 Fax: +64 (9) 356 5818 Web: http://www.baycorpid.com If you received a warning on reading this email, please go to <http://www.baycorpid.com/settings/email.asp> to update your settings -----Original Message----- From: David Cross [mailto:dcross@microsoft.com] Sent: Friday, 20 April 2001 1:39 a.m. To: Ron Segal; ietf-pkix@imc.org Subject: RE: Help Sought on Netscape Revocation URL causing MS Programs to hang I will pass on the job offer, but have you verified that the URLs are valid that are listed in the certificate? If the URLs are no longer valid or cannot be reached, that might explain the behaviour. If you want to send me the certificate chain (privately), we can take a look at it. David B. Cross -----Original Message----- From: Ron Segal [mailto:ron.segal@baycorpid.com] Sent: Wednesday, April 18, 2001 6:59 PM To: ietf-pkix@imc.org Subject: Help Sought on Netscape Revocation URL causing MS Programs to hang Hi Folks If an X.509 v3 certificate contains a proprietary NetscapeRevocationURL extension and a Microsoft program (eg email or browser) is configured to do automatic CRL Distribution Point Checking, then the Microsoft program will hang and timeout after about 5 minutes. Does anybody know of a fix for this problem, e.g. a registry configuration (no cynicism please!)? We are aware that if a cert has both the NetscapeRevocationURL and CRL Distribution Point extensions, then no problem. Your help would be greatly appreciated (and maybe you can get a job at Baycorp!). Very best regards Ron -------------- Ron Segal Business Development Manager Baycorp ID Services Ltd PO Box 5052, Wellington, New Zealand Mailto: ron.segal@baycorpid.com Tel: +64 (4) 499 4231 DD: +64 (4) 499 4261 Mob: +64 (21) 678 009 Fax: +64 (4) 499 4233 Web: http://www.baycorpid.com ------=_NextPart_000_0148_01C0C97C.C3E31220 Content-Type: text/x-vcard; name="Ron Segal.vcf" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="Ron Segal.vcf" BEGIN:VCARD VERSION:2.1 N:Segal;Ron FN:Ron Segal ORG:Baycorp ID Services TITLE:Business Development Manager TEL;WORK;VOICE:+64 4 499 4231 TEL;CELL;VOICE:+64 (021) 678009 TEL;WORK;FAX:64 4 499 4233 ADR;WORK;ENCODING=3DQUOTED-PRINTABLE:;;Level 1=3D0D=3D0ALandcorp = House=3D0D=3D0A101 Lambton Quay=3D0D=3D0APO Box 5052;Welling=3D ton;;;New Zealand LABEL;WORK;ENCODING=3DQUOTED-PRINTABLE:Level 1=3D0D=3D0ALandcorp = House=3D0D=3D0A101 Lambton Quay=3D0D=3D0APO Box 5052=3D0D=3D0AWell=3D ington=3D0D=3D0ANew Zealand URL: URL:http://www.baycorpid.com KEY;X509;ENCODING=3DBASE64: = MIIGdzCCBV+gAwIBAgIEOhwthjANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJOWjEgMB4G = A1UEChMXQmF5Y29ycCBJRCBTZXJ2aWNlcyBMdGQxGTAXBgNVBAsTEEJheWNvcnAgUGFzc3Bv = cnQxLzAtBgNVBAMTJkJheWNvcnAgUGFzc3BvcnQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X = DTAwMTEyMjIwMzMxMFoXDTAxMTEyNzIwMzMxMFowfDELMAkGA1UEBhMCTloxCjAIBgNVBAgT = AS0xEzARBgNVBAcTCldlbGxpbmd0b24xEDAOBgNVBAoTB0JheWNvcnAxEjAQBgNVBAMTCVJv = biBTZWdhbDEmMCQGCSqGSIb3DQEJARYXcm9uLnNlZ2FsQGJheWNvcnBpZC5jb20wgZ8wDQYJ = KoZIhvcNAQEBBQADgY0AMIGJAoGBANRQxdVFIMgxT5W45/I5HSGKPCCKfijydisE8fhqc/uh = Vqn9wE+CwCMJKKgUM5pH3g+ZyTbBKjctkSDOcmuN2aNGm1EPZq1xORI6byWmd6S9jb5/I2vt = IeqhWQC3MuVhrBFFuOsu1JBiGLmxaHg71ti/b97q50zA/hIOgDAuixtfAgMBAAGjggOEMIID = gDAiBgkrBgEEAZtYAAEEFRYTUm9uYWxkIFNhbXVlbCBTZWdhbDAOBgNVHQ8BAf8EBAMCA/gw = UQYDVR0lBEowSAYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwUGCCsG = AQUFBwMGBggrBgEFBQcDBwYKKwYBBAGCNwoDBDA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8v = d3d3LmJheWNvcnBpZC5jb20vY3JsL3Bhc3Nwb3J0LmNybDAZBgNVHQkEEjAQMA4GA1UEBDEH = EwVTZWdhbDAiBgNVHREEGzAZgRdyb24uc2VnYWxAYmF5Y29ycGlkLmNvbTCCAfIGA1UdIASC = AekwggHlMIIB4QYMKwYBBAGbWAIBAgECMIIBzzCCAZoGCCsGAQUFBwICMIIBjBqCAYhUaGUg = cmlnaHRzLCBvYmxpZ2F0aW9ucyBhbmQgbGlhYmlsaXRpZXMgb2YgdGhlIFN1YmplY3QsIEJh = eWNvcnAgSUQgU2VydmljZXMgYW5kIGFueSByZWx5aW5nIHBhcnR5IGFyZSBzcGVjaWZpZWQg = aW4gdGhlIEJheWNvcnAgUGFzc3BvcnQgQ2VydGlmaWNhdGlvbiBQcmFjdGlzZSBTdGF0ZW1l = bnQuIFlvdSBtdXN0IGVuc3VyZSB0aGF0IHRoaXMgY2VydGlmaWNhdGUgaXMgbm90IHN1c3Bl = bmRlZCBvciByZXZva2VkOyBjb21wbHkgd2l0aCB0aGUgc3BlY2lmaWNhdGlvbnMgaW4gaXRz = IEtleSBVc2FnZSBmaWVsZDsgYWRoZXJlIHRvIEJheWNvcnAgSUQgU2VydmljZXMnIFByaXZh = Y3kgUG9saWN5LiBGdXJ0aGVyIGRldGFpbCBpcyBhdmFpbGFibGUgZnJvbSBCYXljb3JwIElE = IFNlcnZpY2VzOjAvBggrBgEFBQcCARYjaHR0cDovL3d3dy5iYXljb3JwaWQuY29tL3JlcG9z = aXRvcnkwOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzABhh9odHRwOi8vY2VydHN0YXR1cy5i = YXljb3JwaWQuY29tMB8GA1UdIwQYMBaAFHlNfEwOah9O+VNsNHtQxa6cxvR+MB0GA1UdDgQW = BBSQs4oU5iFIMqGm5FFzDKWqV0NDlzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQCM = mcZU4Svrle0oqf8/r080V7/KW/7aaoYk//s161jKoWUs7WfmZzbyOgUQPeIuzk3bqfD9xN2E = kfDkaMiPDg5xZ8O/WKnzV2CLYDZrgyoFZ/o0ol+g1akXdAsgp3U73wk8kc7PfcpttSAQy7Mc = 78Ej+kaU1TUcyaqsJU6+cryb0EfixPosZpUgx8SZcx+KuRej5ZGHk0zCCsVWNS91noMlkN95 = ZP5fkzReeX2xrFmVfqTNawYBywrrvY4ULADRAVFrbqU4h2152KZKsALEpSFZqntLZlR8izqA dz/8d+u0KwTLkSPRJiWemL2iyFkU5H6qQoOLuLEQCQiRNxiblLlI EMAIL;PREF;INTERNET:ron.segal@baycorpid.com REV:20010130T034848Z END:VCARD ------=_NextPart_000_0148_01C0C97C.C3E31220-- Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA00268 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 14:19:37 -0700 (PDT) Received: by balinese.baltimore.ie; id VAA20847; Thu, 19 Apr 2001 21:53:26 +0100 (GMT/IST) Received: from emeairlsw1.ie.baltimore.com(10.153.25.53) by balinese.baltimore.ie via smap (V4.2) id xma006880; Thu, 19 Apr 01 19:36:32 +0100 Received: from bobcat.baltimore.ie (bobcat.ie.baltimore.com) by emeairlsw1.baltimore.com (Content Technologies SMTPRS 4.2.1) with ESMTP id <T530472dbd40a99193519e@emeairlsw1.baltimore.com> for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 19:35:21 +0100 Received: from baltimore.ie (cis-flcat1.ie.baltimore.com [10.153.24.220]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id TAA21736 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 19:39:53 +0100 Message-ID: <3ADF302F.92E80F07@baltimore.ie> Date: Thu, 19 Apr 2001 19:36:31 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: pkix <ietf-pkix@imc.org> Subject: [Re-Tx: Dedicated CRL signing keys] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Seems like the list is acting funny today. Here's a re-send. Stephen Farrell wrote: > > Russ, > > That'd be a bad resolution since it would break deployed CAs who > use the same name and different cert and CRL signing keys (and > those do exist and are operating). > > Any other ideas or should we just require clients to understand > what's going on based on key usage? > > Stephen. > > Russ Housley wrote: > > > > Trevor: > > > > I propose the following solution that builds on the Indirect CRL > > capabilities that are already available. When a CA wants to employ > > separate private keys to sign certificates and CRLs, then that CA MUST > > delegate CRL signing to a separate authority. That separate authority MUST > > have a different Distinguished Name that the CA, but it could be operated > > by the same organization. In this way, the IDP CRL extension would flag > > the "unusual" circumstances. Clients that do not support Indirect CRLs can > > fail gracefully (unsupported optional feature), and clients that support > > Indirect CRLs can happily handle the certificates and CRLs. > > > > Thoughts? > > > > Russ > > > > At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: > > >There has been some discussion regarding the proposal to have CRLs > > >signed with CA keys which do not also sign certificates. Since this will > > >not be a mandatory to implement feature, I am concerned about the impact > > >on pkix compliant clients who encounter CRL signed in this way, and how > > >we expect them to behave. What seem unacceptable with the current > > >proposal is that the signage check on the CRL will fail, and the client > > >will have little clue as to why and if this failure is expected. The > > >information in the chain, while present, is in the CAs certificate, is > > >difficult to find and subtle so would be easily missed by someone > > >debugging this problem. I would like to see some clearer indication in a > > >critical extension in the CRL itself that would indicate what was going > > >on. In expressing these semantics in a critical extension, we maintain > > >the principal that if you don't understand the extension, the client > > >knows to fail due to its own inadequacies and that failure is by design, > > >therefore allowing the client's to return an error unsupported option > > >rather than invalid signature. > > >Trevor > > -- > ____________________________________________________________ > Stephen Farrell > Baltimore Technologies, tel: (direct line) +353 1 881 6716 > 39 Parkgate Street, fax: +353 1 881 7000 > Dublin 8. mailto:stephen.farrell@baltimore.ie > Ireland http://www.baltimore.com -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA00215 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 14:19:16 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JHNYDB7H>; Thu, 19 Apr 2001 17:18:48 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE0F0@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-n ew-part1-06.txt comments) Date: Thu, 19 Apr 2001 17:10:04 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C915.1A9D0C50" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C915.1A9D0C50 Content-Type: text/plain; charset="iso-8859-1" I agree with David. It should acceptable to have a cRLSign bit on and basicConstraints absent. -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Thursday, April 19, 2001 5:08 PM To: ietf-pkix@imc.org Subject: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: >Dave Cooper, > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: >>I see no basis in X.509 for setting the cA flag in basicConstraints for certificate subjects that can issue CRLs but not certificates. The current discussion about how to deal with CRLs for attribute certificates vs. public key certificates just further goes to show that it was a mistake to suddenly change the rules at the last IETF meeting. > >We disagree on this point. Nowhere in X.509 or in previous PKIX documents has there ever been text to suggest that other than a CA can sign a CRL for a public key certificate. So, the rules were not changed at the last meeting, they were reasserted and clarified. Steve, You may say that X.509 and PKIX do not suggest that entities other than CAs can sign CRLs. However, I think we all agree that both X.509 and PKIX allow for a CRL to be signed with a different key than the key used to sign the certificates that are covered by that CRL. This may be a result of the CA that issued the certificates signing the corresponding CRLs with a different key or the CA that issued the certificates delegating the CRL issuing to another entity (via the distribution points extension). There is no requirement that the key used to sign the CRL also be used to sign certificates. So, I think we agree that there will be times where we will be issuing certificates to entities (whether those entities are CAs or not) where the intent is to specify that the public keys in the certificates may be used to verify signatures on CRLs but not on certificates. The only place we seem to disagree is on the contents of the certificates issued in such circumstances. In particular, should the certificates contain a basicConstraints extension with the cA bit set? On this point, both X.509 and the previous PKIX documents are quite clear that the cA bit should not be set. Why? Because a CA is defined as an entity that issues public-key certificates and both documents similarly state that the cA bit is used to specify whether the certificate subject can issue certificates. There is no similar connection made between being a CA and issuing CRLs. The following are some quotes from X.509 and pkix-new-part1-05: In X.509 a CA is defined as "[a]n authority trusted by one or more users to create and assign public-key certificates." Section 7 of X.509 states that "[a] CA-certificate is a certificate issued by a CA to a subject that is itself a CA and therefore is capable of issuing public-key certificates." The description of basic constraints in X.509 further supports the idea that the cA bit is used to specify certificate issuing, not certificate and/or CRL issuing: "This field indicates if the subject may act as a CA, with the certified public key being used to verify certificate signatures. ... The cA component indicates if the certified public key may be used to verify certificate signatures. ... if the value of cA is not set to true then the certified public key shall not be used to verify a certificate signature" pkix-new-part1-05 states something similar: "The cA bit indicates if the certified public key may be used to verify signatures on other certificates. If the cA bit is asserted, then the keyCertSign bit in the key usage extension (see 4.2.1.3) MUST also be asserted. If the cA bit is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted." The description of the key usage bits are consistent with this as well. X.509: "The bit keyCertSign is for use in CA-certificates only. If KeyUsage is set to keyCertSign and the basic constraints extension is present in the same certificate, the value of the cA component of that extension shall be set to TRUE." pkix-new-part1-05: "The keyCertSign bit is asserted when the subject public key is used for verifying a signature on certificates. This bit may only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the keyCertSign bit is not asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on revocation information (e.g., a CRL)." So, both X.509 and pkix-new-part1-05 go to great lengths to clearly state that only CAs can issue certificates and that basicConstraints with the cA bit set to true must be present in the certificates where the public key is to be used to verify signatures on certificates. There are no similar statements about CRLs. In fact, both documents are quite clear that the cA bit must not be set when the subject public key can not be used to verify certificates. So, if the subject public key can be used to verify CRLs, but not certificates, the cA bit must not be set. X.509 is also careful not to preclude the public keys of non-CAs from being used to verify signatures on CRLs. For instance, an end entity is defined as "[a] certificate subject that uses its private key for purposes other than signing certificates or an entity that is a relying party." This leaves room for an end entity to use its private key to sign CRLs. So, if PKIX wants to require that the cA bit be set whenever the subject public key can be used to verify CRLs and also wants to maintain consistency with X.509, PKIX would have to require that any certificate authorizing the use of a public key for verifying CRL signatures also authorize the use of that public key for verifying certificate signatures. Since we are in agreement that we do not want to impose such a restriction and that we do want to maintain consistency with X.509, we can not require that the cA bit be set when the subject public key can only be used to verify CRL signatures. Dave ------_=_NextPart_001_01C0C915.1A9D0C50 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: cA flag and CRL issuers (was Re: Last Call: = draft-ietf-pkix-new-part1-06.txt comments)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I agree with David. It should acceptable to = have a cRLSign bit on and basicConstraints absent.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: David A. Cooper [<A = HREF=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Thursday, April 19, 2001 5:08 PM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: cA flag and CRL issuers (was Re: Last = Call:</FONT> <BR><FONT SIZE=3D2>draft-ietf-pkix-new-part1-06.txt comments)</FONT> </P> <BR> <P><FONT SIZE=3D2>At 07:17 PM 4/18/01 -0400, Stephen Kent wrote:</FONT> <BR><FONT SIZE=3D2>>Dave Cooper,</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>>At 01:40 PM 4/18/01 -0400, David A. Cooper = wrote:</FONT> <BR><FONT SIZE=3D2>>>I see no basis in X.509 for setting the cA = flag in basicConstraints for certificate subjects that can issue CRLs = but not certificates. The current discussion about how to deal with = CRLs for attribute certificates vs. public key certificates just = further goes to show that it was a mistake to suddenly change the rules = at the last IETF meeting.</FONT></P> <P><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>We disagree on this point. Nowhere in X.509 or = in previous PKIX documents has there ever been text to suggest that = other than a CA can sign a CRL for a public key certificate. So, the = rules were not changed at the last meeting, they were reasserted and = clarified.</FONT></P> <P><FONT SIZE=3D2>Steve,</FONT> </P> <P><FONT SIZE=3D2>You may say that X.509 and PKIX do not suggest that = entities other than CAs can sign CRLs. However, I think we all agree = that both X.509 and PKIX allow for a CRL to be signed with a different = key than the key used to sign the certificates that are covered by that = CRL. This may be a result of the CA that issued the certificates = signing the corresponding CRLs with a different key or the CA that = issued the certificates delegating the CRL issuing to another entity = (via the distribution points extension). There is no requirement that = the key used to sign the CRL also be used to sign certificates. So, I = think we agree that there will be times where we will be issuing = certificates to entities (whether those entities are CAs or not) where = the intent is to specify that the public keys in the certificates may = be used to verify signatures on CRLs but not on = certificates.</FONT></P> <P><FONT SIZE=3D2>The only place we seem to disagree is on the contents = of the certificates issued in such circumstances. In particular, should = the certificates contain a basicConstraints extension with the cA bit = set? On this point, both X.509 and the previous PKIX documents are = quite clear that the cA bit should not be set. Why? Because a CA is = defined as an entity that issues public-key certificates and both = documents similarly state that the cA bit is used to specify whether = the certificate subject can issue certificates. There is no similar = connection made between being a CA and issuing CRLs.</FONT></P> <BR> <P><FONT SIZE=3D2>The following are some quotes from X.509 and = pkix-new-part1-05:</FONT> </P> <P><FONT SIZE=3D2>In X.509 a CA is defined as "[a]n authority = trusted by one or more users to create and assign public-key = certificates."</FONT> </P> <P><FONT SIZE=3D2>Section 7 of X.509 states that "[a] = CA-certificate is a certificate issued by a CA to a subject that is = itself a CA and therefore is capable of issuing public-key = certificates."</FONT></P> <BR> <P><FONT SIZE=3D2>The description of basic constraints in X.509 further = supports the idea that the cA bit is used to specify certificate = issuing, not certificate and/or CRL issuing:</FONT></P> <P><FONT SIZE=3D2>"This field indicates if the subject may act as = a CA, with the certified public key being used to verify certificate = signatures. ... The cA component indicates if the certified public key = may be used to verify certificate signatures. ... if the value of cA is = not set to true then the certified public key shall not be used to = verify a certificate signature"</FONT></P> <BR> <P><FONT SIZE=3D2>pkix-new-part1-05 states something similar:</FONT> </P> <P><FONT SIZE=3D2>"The cA bit indicates if the certified public = key may be used to verify signatures on other certificates. If the cA = bit is asserted, then the keyCertSign bit in the key usage extension = (see 4.2.1.3) MUST also be asserted. If the cA bit is not asserted, = then the keyCertSign bit in the key usage extension MUST NOT be = asserted."</FONT></P> <BR> <P><FONT SIZE=3D2>The description of the key usage bits are consistent = with this as well.</FONT> </P> <P><FONT SIZE=3D2>X.509:</FONT> <BR><FONT SIZE=3D2>"The bit keyCertSign is for use in = CA-certificates only. If KeyUsage is set to keyCertSign and the basic = constraints extension is present in the same certificate, the value of = the cA component of that extension shall be set to = TRUE."</FONT></P> <P><FONT SIZE=3D2>pkix-new-part1-05:</FONT> <BR><FONT SIZE=3D2>"The keyCertSign bit is asserted when the = subject public key is used for verifying a signature on = certificates. This bit may only be asserted in CA = certificates. If the keyCertSign bit is asserted, then the cA bit = in the basic constraints extension (see 4.2.1.10) MUST also be = asserted. If the keyCertSign bit is not asserted, then the cA bit in = the basic constraints extension MUST NOT be asserted.</FONT></P> <P><FONT SIZE=3D2>The cRLSign bit is asserted when the subject public = key is used for verifying a signature on revocation information (e.g., = a CRL)."</FONT></P> <BR> <BR> <P><FONT SIZE=3D2>So, both X.509 and pkix-new-part1-05 go to great = lengths to clearly state that only CAs can issue certificates and that = basicConstraints with the cA bit set to true must be present in the = certificates where the public key is to be used to verify signatures on = certificates. There are no similar statements about CRLs. In fact, both = documents are quite clear that the cA bit must not be set when the = subject public key can not be used to verify certificates. So, if the = subject public key can be used to verify CRLs, but not certificates, = the cA bit must not be set.</FONT></P> <P><FONT SIZE=3D2>X.509 is also careful not to preclude the public keys = of non-CAs from being used to verify signatures on CRLs. For instance, = an end entity is defined as "[a] certificate subject that uses its = private key for purposes other than signing certificates or an entity = that is a relying party." This leaves room for an end entity to = use its private key to sign CRLs.</FONT></P> <BR> <P><FONT SIZE=3D2>So, if PKIX wants to require that the cA bit be set = whenever the subject public key can be used to verify CRLs and also = wants to maintain consistency with X.509, PKIX would have to require = that any certificate authorizing the use of a public key for verifying = CRL signatures also authorize the use of that public key for verifying = certificate signatures. Since we are in agreement that we do not want = to impose such a restriction and that we do want to maintain = consistency with X.509, we can not require that the cA bit be set when = the subject public key can only be used to verify CRL = signatures.</FONT></P> <P><FONT SIZE=3D2>Dave</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C915.1A9D0C50-- Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA29196 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 14:08:14 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id RAA00403 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 17:08:16 -0400 (EDT) Message-Id: <4.2.2.20010419092845.00ae0920@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 19 Apr 2001 17:08:07 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <p05010405b703d0078a43@[128.33.4.39]> References: <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id OAA29197 At 07:17 PM 4/18/01 -0400, Stephen Kent wrote: >Dave Cooper, > >>At 01:40 PM 4/18/01 -0400, David A. Cooper wrote: >>I see no basis in X.509 for setting the cA flag in basicConstraints for certificate subjects that can issue CRLs but not certificates. The current discussion about how to deal with CRLs for attribute certificates vs. public key certificates just further goes to show that it was a mistake to suddenly change the rules at the last IETF meeting. > >We disagree on this point. Nowhere in X.509 or in previous PKIX documents has there ever been text to suggest that other than a CA can sign a CRL for a public key certificate. So, the rules were not changed at the last meeting, they were reasserted and clarified. Steve, You may say that X.509 and PKIX do not suggest that entities other than CAs can sign CRLs. However, I think we all agree that both X.509 and PKIX allow for a CRL to be signed with a different key than the key used to sign the certificates that are covered by that CRL. This may be a result of the CA that issued the certificates signing the corresponding CRLs with a different key or the CA that issued the certificates delegating the CRL issuing to another entity (via the distribution points extension). There is no requirement that the key used to sign the CRL also be used to sign certificates. So, I think we agree that there will be times where we will be issuing certificates to entities (whether those entities are CAs or not) where the intent is to specify that the public keys in the certificates may be used to verify signatures on CRLs but not on certificates. The only place we seem to disagree is on the contents of the certificates issued in such circumstances. In particular, should the certificates contain a basicConstraints extension with the cA bit set? On this point, both X.509 and the previous PKIX documents are quite clear that the cA bit should not be set. Why? Because a CA is defined as an entity that issues public-key certificates and both documents similarly state that the cA bit is used to specify whether the certificate subject can issue certificates. There is no similar connection made between being a CA and issuing CRLs. The following are some quotes from X.509 and pkix-new-part1-05: In X.509 a CA is defined as "[a]n authority trusted by one or more users to create and assign public-key certificates." Section 7 of X.509 states that "[a] CA-certificate is a certificate issued by a CA to a subject that is itself a CA and therefore is capable of issuing public-key certificates." The description of basic constraints in X.509 further supports the idea that the cA bit is used to specify certificate issuing, not certificate and/or CRL issuing: "This field indicates if the subject may act as a CA, with the certified public key being used to verify certificate signatures. Â… The cA component indicates if the certified public key may be used to verify certificate signatures. Â… if the value of cA is not set to true then the certified public key shall not be used to verify a certificate signature" pkix-new-part1-05 states something similar: "The cA bit indicates if the certified public key may be used to verify signatures on other certificates. If the cA bit is asserted, then the keyCertSign bit in the key usage extension (see 4.2.1.3) MUST also be asserted. If the cA bit is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted." The description of the key usage bits are consistent with this as well. X.509: "The bit keyCertSign is for use in CA-certificates only. If KeyUsage is set to keyCertSign and the basic constraints extension is present in the same certificate, the value of the cA component of that extension shall be set to TRUE." pkix-new-part1-05: "The keyCertSign bit is asserted when the subject public key is used for verifying a signature on certificates. This bit may only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the keyCertSign bit is not asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on revocation information (e.g., a CRL)." So, both X.509 and pkix-new-part1-05 go to great lengths to clearly state that only CAs can issue certificates and that basicConstraints with the cA bit set to true must be present in the certificates where the public key is to be used to verify signatures on certificates. There are no similar statements about CRLs. In fact, both documents are quite clear that the cA bit must not be set when the subject public key can not be used to verify certificates. So, if the subject public key can be used to verify CRLs, but not certificates, the cA bit must not be set. X.509 is also careful not to preclude the public keys of non-CAs from being used to verify signatures on CRLs. For instance, an end entity is defined as "[a] certificate subject that uses its private key for purposes other than signing certificates or an entity that is a relying party." This leaves room for an end entity to use its private key to sign CRLs. So, if PKIX wants to require that the cA bit be set whenever the subject public key can be used to verify CRLs and also wants to maintain consistency with X.509, PKIX would have to require that any certificate authorizing the use of a public key for verifying CRL signatures also authorize the use of that public key for verifying certificate signatures. Since we are in agreement that we do not want to impose such a restriction and that we do want to maintain consistency with X.509, we can not require that the cA bit be set when the subject public key can only be used to verify CRL signatures. Dave Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA20016 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 11:08:29 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id OAA27361; Thu, 19 Apr 2001 14:08:19 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p0501040cb704d8f3c8bd@[128.33.4.39]> In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FA7@sottmxs09.entrust.com> References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FA7@sottmxs09.entrust.com> Date: Thu, 19 Apr 2001 14:04:39 -0400 To: Sharon Boeyen <sharon.boeyen@entrust.com> From: Stephen Kent <kent@bbn.com> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 1:36 PM -0400 4/19/01, Sharon Boeyen wrote: >I have no strong view on this, but did want to clarify that CRL is the >generic term that covers all the others (see 3.3.11 of 509) "A signed >list indicating a set of certificates that are no longer considered >valid by the >certificate issuer. In addition to the generic term CRL, some specific CRL >types are defined for CRLs that cover particular scopes". The definitions >for those are also in subclauses of 3.3. Thanks, that matched my informal notion, but I was not certain. Thanks for the clarification. So, under that definition, "e.g." could be misleading and we need to clarify the text, however it works out. Steve Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA18554 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 10:55:33 -0700 (PDT) Received: from sunlabs.East.Sun.COM ([129.148.75.250]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id KAA04311; Thu, 19 Apr 2001 10:55:35 -0700 (PDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id NAA14931; Thu, 19 Apr 2001 13:55:33 -0400 (EDT) Message-ID: <3ADF25A0.779BA239@sun.com> Date: Thu, 19 Apr 2001 13:51:28 -0400 From: Steve Hanna <steve.hanna@sun.com> Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Denis Pinkas <Denis.Pinkas@bull.net> CC: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <3ADF0833.61D9049F@bull.net> <3ADF119B.8FAC92D9@sun.com> <3ADF1A47.232CF904@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Denis Pinkas wrote: > > However, I object to adding support for limits on trust anchors to > > section 6.1. The algorithm in section 6.1 is the "basic" algorithm that > > everyone MUST implement. Section 6.2 describes various ways to extend > > that algorithm. Multiple trust anchors is one. Limits on trust anchors > > is a second. PEM compatible processing is a third. If one argues that > > limits on trust anchors should be described in section 6.1, one could > > equally argue that PEM compatible processing should be described in > > section 6.1. > > I agree with the intent, but this is NOT what the text says. :-( > > In particular section 6.1 only says " This text describes an algorithm for > X.509 path processing". It does not qualifies it as basic nor says that it > is a set of minimum conditions. Section 6 (third paragraph) says "In section 6.1, the text describes basic path validation." A few paragraphs later, it says "Section 6.2 describes methods for using the path validation algorithm in specific implementations. Two specific cases are discussed: the case where paths may begin with one of several trusted CAs; and where compatibility with the PEM architecture is required." Section 6.1 (first paragraph) says "A conformant implementation MUST include an X.509 path processing procedure that is functionally equivalent to the external behavior of this algorithm." And section 6.1 is titled "Basic Path Validation", while section 6.2 is titled "Using the Path Validation Algorithm". That's why I said that section 6.1 is the "basic" algorithm that everyone MUST implement and section 6.2 describes various ways to extend that algorithm. > Section 6.2 says " The path validation algorithm describes the process of > validating a single certification path". > "An implementation that supports multiple trust anchors may augment the > algorithm presented in section 6.1 to further limit the set of valid paths > which begin with a particular trust anchor." This is one of several variations included in section 6.2. PEM compatible processing is also included in section 6.2. Section 6.2 is clearly not limited to variations which employ multiple trust anchors. > You are proposing that the text from section 6.1 describes the "basic" > algorithm, while the text from section 6.2. describes enhancements to the > basic algorihm. I would not be opposed to your proposal, ... but many text > changes would be required. I don't think so. I think the text at the start of section 6 is clear. Perhaps an introductory paragraph at the start of section 6.2 would make it even clearer, but I don't see any other changes that would be required. -Steve Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA17388 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 10:42:16 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <2VH1AMZW>; Thu, 19 Apr 2001 13:41:45 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3FA7@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Stephen Kent'" <kent@bbn.com>, "David P. Kemp" <dpkemp@missi.ncsc.mil> Cc: ietf-pkix@imc.org Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Thu, 19 Apr 2001 13:36:23 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C8F7.40D2AD80" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C8F7.40D2AD80 Content-Type: text/plain I have no strong view on this, but did want to clarify that CRL is the generic term that covers all the others (see 3.3.11 of 509) "A signed list indicating a set of certificates that are no longer considered valid by the certificate issuer. In addition to the generic term CRL, some specific CRL types are defined for CRLs that cover particular scopes". The definitions for those are also in subclauses of 3.3. > -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Thursday, April 19, 2001 1:18 PM > To: David P. Kemp > Cc: ietf-pkix@imc.org > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > At 11:05 AM -0400 4/19/01, David P. Kemp wrote: > >Steve, > > > >I have no preference whether in the phrase "CertificateList > (e.g., CRL)" > >the "e.g.," stays or goes. Note that some people use CRL to refer > >to every instance of a CertificateList, whereas others use CRL, ARL, > >ACRL, ICRL, DCRL, etc. to distinguish lists used for different > >purposes. Thus CRL may be either an example of, or a synonym for, > >CertificateList. > > > >I agree that the state of the cRLSign bit is not relevant to OCSP > >responses and that CertificateList is the only data structure > >which requires this bit. > > > >Dave K > > Good points. If one considers ARLs and the other examples above, then > I have to admit that "e.g.," is appropriate, though it would be > better to include other instances here to make the distinction > clearer. > > Steve > ------_=_NextPart_001_01C0C8F7.40D2AD80 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>I have no strong view on this, but did want to clarify that CRL is the </FONT> <BR><FONT SIZE=2>generic term that covers all the others (see 3.3.11 of 509) "A signed </FONT> <BR><FONT SIZE=2>list indicating a set of certificates that are no longer considered valid by the </FONT> <BR><FONT SIZE=2>certificate issuer. In addition to the generic term CRL, some specific CRL</FONT> <BR><FONT SIZE=2>types are defined for CRLs that cover particular scopes". The definitions</FONT> <BR><FONT SIZE=2>for those are also in subclauses of 3.3.</FONT> </P> <P><FONT SIZE=2>> -----Original Message-----</FONT> <BR><FONT SIZE=2>> From: Stephen Kent [<A HREF="mailto:kent@bbn.com">mailto:kent@bbn.com</A>]</FONT> <BR><FONT SIZE=2>> Sent: Thursday, April 19, 2001 1:18 PM</FONT> <BR><FONT SIZE=2>> To: David P. Kemp</FONT> <BR><FONT SIZE=2>> Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> At 11:05 AM -0400 4/19/01, David P. Kemp wrote:</FONT> <BR><FONT SIZE=2>> >Steve,</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >I have no preference whether in the phrase "CertificateList </FONT> <BR><FONT SIZE=2>> (e.g., CRL)"</FONT> <BR><FONT SIZE=2>> >the "e.g.," stays or goes. Note that some people use CRL to refer</FONT> <BR><FONT SIZE=2>> >to every instance of a CertificateList, whereas others use CRL, ARL,</FONT> <BR><FONT SIZE=2>> >ACRL, ICRL, DCRL, etc. to distinguish lists used for different</FONT> <BR><FONT SIZE=2>> >purposes. Thus CRL may be either an example of, or a synonym for,</FONT> <BR><FONT SIZE=2>> >CertificateList.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >I agree that the state of the cRLSign bit is not relevant to OCSP</FONT> <BR><FONT SIZE=2>> >responses and that CertificateList is the only data structure</FONT> <BR><FONT SIZE=2>> >which requires this bit.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >Dave K</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Good points. If one considers ARLs and the other examples above, then </FONT> <BR><FONT SIZE=2>> I have to admit that "e.g.," is appropriate, though it would be </FONT> <BR><FONT SIZE=2>> better to include other instances here to make the distinction </FONT> <BR><FONT SIZE=2>> clearer.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Steve</FONT> <BR><FONT SIZE=2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C8F7.40D2AD80-- Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA15748 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 10:18:21 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA20210; Thu, 19 Apr 2001 13:18:17 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010408b704cdf733dd@[128.33.4.39]> In-Reply-To: <200104191506.LAA10531@stingray.missi.ncsc.mil> References: <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <p05010405b703d0078a43@[128.33.4.39]> <200104191506.LAA10531@stingray.missi.ncsc.mil> Date: Thu, 19 Apr 2001 13:18:06 -0400 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> From: Stephen Kent <kent@bbn.com> Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 11:05 AM -0400 4/19/01, David P. Kemp wrote: >Steve, > >I have no preference whether in the phrase "CertificateList (e.g., CRL)" >the "e.g.," stays or goes. Note that some people use CRL to refer >to every instance of a CertificateList, whereas others use CRL, ARL, >ACRL, ICRL, DCRL, etc. to distinguish lists used for different >purposes. Thus CRL may be either an example of, or a synonym for, >CertificateList. > >I agree that the state of the cRLSign bit is not relevant to OCSP >responses and that CertificateList is the only data structure >which requires this bit. > >Dave K Good points. If one considers ARLs and the other examples above, then I have to admit that "e.g.," is appropriate, though it would be better to include other instances here to make the distinction clearer. Steve Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA14730 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 10:03:42 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id TAA16970; Thu, 19 Apr 2001 19:03:21 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id TAA17032; Thu, 19 Apr 2001 19:03:09 +0200 Message-ID: <3ADF1A47.232CF904@bull.net> Date: Thu, 19 Apr 2001 19:03:03 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Steve Hanna <steve.hanna@sun.com> CC: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <3ADF0833.61D9049F@bull.net> <3ADF119B.8FAC92D9@sun.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Steve, > It is certainly true that specifying name constraints for trust anchors > will work when a single trust anchor is used. Perhaps the sentence in > section 6.2 should be changed to say "Implementations may also augment > the algorithm presented in section 6.1 to further limit the set of valid > paths which begin with a particular trust anchor." > > However, I object to adding support for limits on trust anchors to > section 6.1. The algorithm in section 6.1 is the "basic" algorithm that > everyone MUST implement. Section 6.2 describes various ways to extend > that algorithm. Multiple trust anchors is one. Limits on trust anchors > is a second. PEM compatible processing is a third. If one argues that > limits on trust anchors should be described in section 6.1, one could > equally argue that PEM compatible processing should be described in > section 6.1. I agree with the intent, but this is NOT what the text says. :-( In particular section 6.1 only says " This text describes an algorithm for X.509 path processing". It does not qualifies it as basic nor says that it is a set of minimum conditions. Section 6.2 says " The path validation algorithm describes the process of validating a single certification path". Currently, the text for section 6.1. is for a single anchor while the text for section 6.2 is for more than one anchor. "An implementation that supports multiple trust anchors may augment the algorithm presented in section 6.1 to further limit the set of valid paths which begin with a particular trust anchor." You are proposing that the text from section 6.1 describes the "basic" algorithm, while the text from section 6.2. describes enhancements to the basic algorihm. I would not be opposed to your proposal, ... but many text changes would be required. Denis > -Steve > > Denis Pinkas wrote: > > > > One topic per message: This one about applying constraints to the path > > validation algorithm. > > > > In section 6.2 we now have: > > > > The path validation algorithm describes the process of validating a > > single certification path. While each path begins with a specific > > trust anchor, there is no requirement that all paths validated by a > > particular system share a single trust anchor. An implementation > > that supports multiple trust anchors may augment the algorithm > > prresented in section 6.1 to further limit the set of valid paths > > > > ...Please a single r for prresented. > > > > which begin with a particular trust anchor. For example, an > > implementation may specify name constraints that apply to a specific > > trust anchor. > > > > While the sentence is true in the case of multiple trust anchors it is as > > well valid for a single one. So a similar sentence is needed in section 6.1. > > > > In section 6.1 the text says: > > > > A particular certification path may not, however, be appropriate for > > all applications. The path validation process also determines the > > set of certificate policies that are valid for this path, based on > > the certificate policies extension, policy mapping extension, policy > > constraints extension, and inhibit any-policy extension. > > > > The text should rather say: > > > > An application may augment the algorithm presented in section 6.1 > > to further limit the set of valid paths. For example, an > > implementation may specify additional constraints like name > > constraints or specific extensions that apply to the application. > > Therefor the conditions which are described in this section are > > minimum conditions. The path validation process described in this > > section determines the minimum conditions that are to be fulfilled > > by the certification path for the set of certificate policies > > that are valid for this path, based on the certificate policies > > extension, policy mapping extension, policy constraints extension, > > and inhibit any-policy extension, as well as for the name > > constraints, if any. > > > > The main difference between 6.1 and 6.2 is that the additional contraints > > (policy or name constraints) apply globally to the path validation algorithm > > when there is one trust anchor (6.1), but may apply on every trust anchor > > where there are multiple trust anchors (6.2). > > > > Denis Received: from mail5.microsoft.com (mail5.microsoft.com [131.107.3.121]) by above.proper.com (8.9.3/8.9.3) with SMTP id JAA14095 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 09:56:47 -0700 (PDT) Received: from 157.54.9.108 by mail5.microsoft.com (InterScan E-Mail VirusWall NT); Thu, 19 Apr 2001 08:50:38 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-05.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Thu, 19 Apr 2001 08:49:01 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Thu, 19 Apr 2001 08:49:01 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C02A98798@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Last Call: draft-ietf-pkix-new-part1-06.txt comments Thread-Index: AcDI5oDpM+T+bk61T96eHN71ZMdeLwAAZ7Jg From: "David Cross" <dcross@microsoft.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 19 Apr 2001 15:49:01.0962 (UTC) FILETIME=[41489EA0:01C0C8E8] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id JAA14096 Denis said: -->1) There has been a thread on the mailing list where I understand that the conclusion was that a "MUST" was not appropriate and should either be replaced by a "SHOULD" or even the whole sentence should been deleted. I concur. This should be changed or hopefully eliminated. David B. Cross Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA13379 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 09:49:37 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA30686; Thu, 19 Apr 2001 18:49:15 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA16990; Thu, 19 Apr 2001 18:49:04 +0200 Message-ID: <3ADF16FA.4246F348@bull.net> Date: Thu, 19 Apr 2001 18:48:58 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Russ Housley <rhousley@rsasecurity.com> CC: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Russ, > Tim Polk and I just got off the phone. After a lengthy discussion, we > propose a revision to the cRLSign discussion: 1) The only problem is that I concur with Stephen Farrel: I thought the text was clearer first time! Since you do no provide any rational for having that change, only the two of you can understand the rational. :-( I prefer the first text unless you can explain to everybody the rational for the change and then change the text to make that rational a little bit more understandable. :-) Maybe the answer to this point is in a subsequent message, but there has been so many messages on that topic that I have not yet found the time to look at each of them. 2) I am also sensible to the vocabulary problem raised by David Kemp when he says: some people use CRL to refer to every instance of a CertificateList, whereas others use CRL, ARL, ACRL, ICRL, DCRL, etc. to distinguish lists used for different purposes. Thus CRL may be either an example of, or a synonym for, CertificateList. Which convention do we use in PKIX-1 or plan to use ? 3) One last remark that is likely to impact the wording, but before we would need to make a distinction between an ARL and a CRL for leaf certificates: it makes sense from a security point of view, to distinguish between an ARL and a CRL for leaf certificates. The key for signing CRLs containing only leaf certificates (do we have an acronym to designate this ?) SHOULD be different from the CA issuing key. If the key used for signing such CRLs is compromised then the CA may then revoke the CRL Issuer using an ARL and the CA issuing key does NOT need to be changed. There is no advantage to have a different key for signing ARLs since if the key used for signing ARLs is compromised then the CA issuing key MUST be changed. So using the CA issuing key for signing ARLs is not a higher risk and should certainly be allowed. Denis > The cRLSign bit is asserted when the subject public key is used > for verifying a signature on revocation information (e.g., a CRL). > This bit MUST be asserted in CA certificates that are used to > verify signatures on CRLs. If the cRLSign bit is asserted in a CA > certificate, then the cA bit in the basic constraints extension > (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is > asserted in a non-CA certificate, then the cA bit in the basic > constraints extension MUST NOT be asserted. Such non-CA > certificates MUST NOT be used to verify signatures on CRLs > containing revocation information for public key certificates; > however, these non-CA certificates MAY be used to verify > signatures on CRLs containing revocation information concerning > other types of certificates (e.g., attribute certificates). If > neither the cRLSign bit nor the keyCertSign bit are asserted, then > the cA bit in the basic constraints extension MUST NOT be > asserted. > > Hey, this section was only one sentence in RFC 2459... > > Please let us know if anyone has any remaining concerns. > > Russ > > At 09:25 AM 4/18/2001 -0400, Russ Housley wrote: > >Based on this discussion, I think that the working group wants the > >keyCertSign and cRLSign key usage text to read as follows: > > > > The keyCertSign bit is asserted when the subject public key is > > used for verifying a signature on public key certificates. This > > bit MUST only be asserted in CA certificates. If the keyCertSign > > bit is asserted, then the cA bit in the basic constraints > > extension (see 4.2.1.10) MUST also be asserted. If neither the > > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > > The cRLSign bit is asserted when the subject public key is used > > for verifying a signature on certificate revocation lists (CRLs). > > This bit MUST only be asserted in CA certificates and Attribute > > Authority (AA) certificates. If the cRLSign bit is asserted in a > > CA certificate, then the cA bit in the basic constraints extension > > (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is > > asserted in an AA certificate, then the cA bit in the basic > > constraints extension MUST NOT be asserted. If neither the > > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > >Let me know if you disagree. > > > >Russ > > > >At 02:31 PM 4/17/2001 +0100, Stephen Farrell wrote: > > > >>I'd also go along with Jim here - that an AA be allowed to > >>have cRLSign set without having cA set in basicConstraints, > >>i.e. that AA's be an exception to the general rule for EE's > >>and that this be explicitly called out in son-of-2459. I'm > >>assuming that keyCertSign is therefore not set for AA's too > >>(and the text for keyCertSign shouldn't say "certificates", > >>but "public key certificates"). > >> > >>Stephen. > >> > >>Jim Schaad wrote: > >> > > >> > Russ, > >> > > >> > > -----Original Message----- > >> > > From: Russ Housley [mailto:rhousley@rsasecurity.com] > >> > > Sent: Monday, April 16, 2001 10:33 AM > >> > > To: jimsch@exmsft.com > >> > > Cc: ietf-pkix@imc.org > >> > > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > >> > > > >> > > > >> > > Jim: > >> > > > >> > > >1. As currently written in section 4.2.1.3, it is not > >> > > possible for a non-CA > >> > > >CRL issuer to be created for attribute certificates. Was > >> > > this the final > >> > > >resolution of this issue? This seems to me to be > >> > > problematic as it means as > >> > > >an end-user one can issue an attribute certificate, but one > >> > > must always use > >> > > >a different agent, which is a CA, to issue the CRLs. This > >> > > means that all > >> > > >attribute CRL issuers are indirect. > >> > > > >> > > I do not recall a consensus on this point. Should an AA that > >> > > supports CRLs > >> > > have the cRLSign bit set in its public key certificate? If > >> > > so, this text > >> > > must change. > >> > > >> > I don't recall anything except private discussions on this issue. It is > >> > here for the mailing list to comment on. > >> > > >> > It is my option that an AA that supports CRLs SHOULD have the cRLSign bit > >> > set. Either that or we ask X509 to create AACertSign and AACrlSign > >> bits and > >> > keep this current text as is. > >> > > >> > > > >> > > >2. Section 4.2.1.3, paragraph last: Current Text: "set in > >> > > An instantiation" > >> > > >modify to "set in an instantiation". > >> > > > >> > > Fixed. > >> > > > >> > > >3. Section 6.2 paragraph 2: change "prresented" to "presented" > >> > > > >> > > Fixed. > >> > > > >> > > >4. Section 6.2 paragraph 2: The text "For example, an > >> > > implementation may > >> > > >specify name constraints that apply to a specific trust > >> > > anchor." is diffcult > >> > > >for me given that the validation algorithm explicitly states > >> > > that name > >> > > >constraints are not applied to self signed certificates. Suggest "For > >> > > >example, an implemenation may modify the algorithm to apply > >> > > name constaints > >> > > >during the initialization phase." > >> > > > >> > > Self-signed certificates are a common mechanism for > >> > > distributing public > >> > > keys for trust anchors, but they are not a mandated > >> > > mechanism. That said, > >> > > I think that your text it an improvement. How about a hybrid: > >> > > > >> > > For example, an implementation MAY modify the algorithm > >> > > to apply name constraints to a specific trust anchor > >> > > during the initialization phase. > >> > > >> > I have no problems with this new text. > >> > > >> > > > >> > > >5. ASN module: > >> > > >part1a.asn(352) : warning XXXXX: The imported symbol 'id-ad' is never > >> > > >referenced > >> > > > >> > > Agree. I removed it. > >> > > > >> > > Russ > >> > > > >> > > > >> > > >> > jim > >> > >>-- > >>____________________________________________________________ > >>Stephen Farrell > >>Baltimore Technologies, tel: (direct line) +353 1 881 6716 > >>39 Parkgate Street, fax: +353 1 881 7000 > >>Dublin 8. mailto:stephen.farrell@baltimore.ie > >>Ireland http://www.baltimore.com Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA13044 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 09:47:34 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id MAA12146 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 12:47:35 -0400 (EDT) Message-Id: <4.2.2.20010419115545.00aed3e0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 19 Apr 2001 12:47:31 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: delta-CRLs (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <3ADF0513.F5D40E8D@bull.net> References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Denis, There seems to be some confusion about the way that delta-CRLs work. I will try to clarify things with my responses in-line below. At 05:32 PM 4/19/01 +0200, Denis Pinkas wrote: >In the third paragraph the first sentence (still) says: > > When a conforming CA issues a delta CRL, the CA MUST also issue a CRL I must admit that I am not a big fan of this requirement. From my point of view, there are both advantages and disadvantages to issuing a full CRL whenever a delta-CRL is issued. The advantage is that clients that can not process delta-CRLs can always obtain the same status information as those than can process delta-CRLs. The disadvantage is that it imposes a burden of uploading full CRLs to repositories more often than may be necessary. On the other hand, just because the CA issues the full CRLs, this does not mean that clients must retrieve them. In the end, though, it is mostly a policy decision. If you want to provide the same support to clients that can not process delta-CRLs as to those that can, you must issue a full CRL whenever you issue a delta-CRL. I think the decision should be left to CRL issuers, but will not complain if PKIX remains as it is. >3) The text says: > > An application can construct a CRL that is complete for a given > scope, at the current time, in either of the following ways: > > (a) by retrieving the current delta CRL for that scope, and > combining it with an issued CRL that is complete for that scope > and that has a cRLNumber greater than or equal to the cRLNumber of > the base CRL referenced in the delta CRL; or > > (b) by retrieving the current delta CRL for that scope and > combining it with a locally constructed CRL whose cRLNumber is > greater than or equal to the cRLNumber of the base CRL referenced > in the current delta CRL. > > a) It is hard to understand in which case the base CRL may have a > cRLNumber *greater than* the cRLNumber of the base CRL referenced > in the delta CRL. I certainly miss something here. The equality case > is easy to understand. The "greater than" case is much harder. > Is it really needed ? > > b) the case of a locally constructed CRL is quite stange and it is > questionnable why this case is being mentioned. In the following fix, > that case has been deleted. If you want a detailed description on this, you could read my paper on delta-CRLs, http://csrc.nist.gov/pki/documents/sliding_window.pdf, but I'll try to briefly explain here. Suppose that delta-CRLs are issued once an hour. For example, suppose that a base CRL, CRL number 5, was issued at midnight and that every hour for the next 24 hours, delta-CRLs were issued with a BaseCRLNumber of 5. If a relying party performs its first validation at 3:10am, it would the full CRL issued at midnight and the delta-CRL issued at 3:00am (CRL number 8). It would combine these to construct full CRL number 8. In this case, the CRL number of the full CRL used in combination with the delta-CRL would be the same as the BaseCRLNumber in that delta-CRL. A few hours later, at 6:30am, the relying party performs another validation. The relying party has, in its local cache, the contents of CRL number 8 (which it constructed at 3:10am). It wants to update the information in its local case to based on the newly available revocation information. So, it obtains the latest delta-CRL. This delta-CRL has a CRL number of 11 and a BaseCRLnumber of 5. Since it has a BaseCRLNumber of 5, the delta-CRL provides status information for all certificates whose status has changed since CRL number 5 was issued. (midnight). So, clearly the delta-CRL provides status information for all certificates whose status has changed since 3:00am when CRL number 8 was issued. Thus, the relying party can combine the delta-CRL with its locally cached version of full CRL number 8 to obtain the contents of CRL number 11. This is a case where the CRL number of the complete CRL used is greater than the BaseCRLNumber specified in the delta-CRL. There are other reasons why the two numbers may not match, but I will not go into them. If you are interested, you can read my paper. >Finally we should explain what happens at the boundaries, i.e. when a CA >decides to generate a (new) base CRL. Here is a text proposal: > > When issuing a base CRL that supports a delta-CRL mechanism then the > CRL Issuer MUST at the same time issue a delta CRL that points to that > base CRL. This first delta CRL will usually be empty (or will include > last-minute additions to the base CRL). This is not acceptable. The rule is that when a base CRL is issued a delta-CRL must be issued that has the same cRLNumber. The base CRL referenced by the delta must either be the previously issued base CRL or a base CRL issued before that one. Since the new base and the delta must have the same cRLNumber, there can be no differences as a result of "last-minute additions to the base CRL". >Suppose we issue a base CRL every midnight. The question is whether we >should issue a delta and, if yes, does this delta refer to the previous >base or to the new one ? The delta must refer either to the previous base or a base issued before the previous base. >Suppose it refers to the previous one. According to the current sentence: >"The constructed CRL has the CRL number specified in the CRL number >extension found in the delta CRL used in its construction.", it is >impossible. If that was the case the delta CRL would have a CRL number equal >to the base CRL and it is not allowed for two CRLs to have the same CRL >number. I think you are confusing two different extensions. The deltaCRLIndicator extension contains a BaseCRLNumber which is used to determine against which base CRLs the delta-CRL can be applied. The cRLNumber extension specifies the CRL number of the full CRL that will be generated by applying the delta-CRL to a base CRL. The sentence above states that the CRL number of the constructed CRL is taken from the cRLNumber extension, not the BaseCRLNumber of the deltaCRLIndicator extension. Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.9.3/8.9.3) with SMTP id JAA12203 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 09:37:12 -0700 (PDT) Received: from 157.54.9.108 by mail2.microsoft.com (InterScan E-Mail VirusWall NT); Thu, 19 Apr 2001 09:30:16 -0700 (Pacific Daylight Time) Received: from red-imc-01.redmond.corp.microsoft.com ([157.54.9.102]) by inet-imc-05.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Thu, 19 Apr 2001 09:30:09 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Thu, 19 Apr 2001 09:30:09 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Thu, 19 Apr 2001 09:29:50 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Dedicated CRL signing keys Date: Thu, 19 Apr 2001 09:29:49 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD6894E3@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Dedicated CRL signing keys Thread-Index: AcDI4xGqYvA/uF2bR/WOkoeOod7CHgACUOEw From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Bengt Ohlsson" <bengt.ohlsson@smarttrust.com>, "Russ Housley" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 19 Apr 2001 16:29:50.0302 (UTC) FILETIME=[F49BA7E0:01C0C8ED] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id JAA12205 Bengt, Theorizing what could be possible, do not change that support for these semantics is not mandatory under this profile, which means we are trying to establish how that client fails gracefully with some kind of meaningful error Trevor -----Original Message----- From: Bengt Ohlsson [mailto:bengt.ohlsson@smarttrust.com] Sent: Thursday, April 19, 2001 8:10 AM To: Trevor Freeman; Russ Housley Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Trevor and Russ, I don't see why the clients should fail to verify the signature on the CRL. Assume a CA uses separate keys, same DN, for certificate signing and CRL signing and sets the AuthorityKeyIdentifier extension in both the certificates and the CRLs. Then PKIX compliant clients should be able to build the correct certificate chains for verifying both the certificates and the CRLs. The legislation may require the CA keys to be stored in hardware without any copies. If you lose a key due to HW failure you will probaly want to continue to issue the CRLs with a new key and the same DN. This requires the clients to handle the AKI extension to be able to verify the signature on the new CRLs. This is a small requirement compared to handle indirect CRLs if you must change the DN. Bengt -----Original Message----- From: Trevor Freeman [mailto:trevorf@windows.microsoft.com] Sent: den 19 april 2001 01:40 To: Russ Housley Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Hi Russ, That addresses my concerns. A pkix compliant client can now be reasonability expected to fail with a more informative error, and the problem should be in people's faces since the CRL contains a critical extension. Trevor -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Wednesday, April 18, 2001 2:08 PM To: Trevor Freeman Cc: ietf-pkix@imc.org Subject: Re: Dedicated CRL signing keys Trevor: I propose the following solution that builds on the Indirect CRL capabilities that are already available. When a CA wants to employ separate private keys to sign certificates and CRLs, then that CA MUST delegate CRL signing to a separate authority. That separate authority MUST have a different Distinguished Name that the CA, but it could be operated by the same organization. In this way, the IDP CRL extension would flag the "unusual" circumstances. Clients that do not support Indirect CRLs can fail gracefully (unsupported optional feature), and clients that support Indirect CRLs can happily handle the certificates and CRLs. Thoughts? Russ At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: >There has been some discussion regarding the proposal to have CRLs >signed with CA keys which do not also sign certificates. Since this will >not be a mandatory to implement feature, I am concerned about the impact >on pkix compliant clients who encounter CRL signed in this way, and how >we expect them to behave. What seem unacceptable with the current >proposal is that the signage check on the CRL will fail, and the client >will have little clue as to why and if this failure is expected. The >information in the chain, while present, is in the CAs certificate, is >difficult to find and subtle so would be easily missed by someone >debugging this problem. I would like to see some clearer indication in a >critical extension in the CRL itself that would indicate what was going >on. In expressing these semantics in a critical extension, we maintain >the principal that if you don't understand the extension, the client >knows to fail due to its own inadequacies and that failure is by design, >therefore allowing the client's to return an error unsupported option >rather than invalid signature. >Trevor Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA11614 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 09:31:05 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id MAA13727 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 12:30:37 -0400 (EDT) Message-Id: <200104191630.MAA13723@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Thu, 19 Apr 2001 12:28:55 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <3ADF0513.F5D40E8D@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Denis Pinkas wrote: > > b) the case of a locally constructed CRL is quite stange and it is > questionnable why this case is being mentioned. In the following fix, > that case has been deleted. Denis, The case of a locally-constructed CRL is necessary, and must not be forbidden. If you assume: 1) certificates are valid for two years 2) delta CRLs are issued every hour 3) delta CRLs are based on the most recently issued full CRL 4) relying parties download every full CRL and calculate revocation bandwidth as a function of full CRL issuance period, you will find that the minimum bandwidth occurs at some very long interval (greater than 30 days). This is because full CRLs are much larger than deltas, and as the interval goes up, the bytes per day of full CRLs goes down and the bytes per day for deltas goes up, until they are balanced. If you discard assumption 4 and allow relying parties to construct a running revocation state database exclusively from delta CRLs, the minimum bandwidth occurs at a much shorter interval (one hour in the limit, but 24 hours may be acceptably close to the minimum). Depending on CRL population and revocation rate, the bandwidth difference between delta+full and delta-only can be several orders of magnitude. Relying parties must be permitted to maintain revocation state using only delta CRLs and (very) infrequent full CRLs. Dave Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA11400 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 09:30:10 -0700 (PDT) Received: from sunlabs.East.Sun.COM ([129.148.75.250]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id JAA06952; Thu, 19 Apr 2001 09:30:11 -0700 (PDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id MAA09796; Thu, 19 Apr 2001 12:30:09 -0400 (EDT) Message-ID: <3ADF119B.8FAC92D9@sun.com> Date: Thu, 19 Apr 2001 12:26:03 -0400 From: Steve Hanna <steve.hanna@sun.com> Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Denis Pinkas <Denis.Pinkas@bull.net> CC: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <3ADF0833.61D9049F@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit It is certainly true that specifying name constraints for trust anchors will work when a single trust anchor is used. Perhaps the sentence in section 6.2 should be changed to say "Implementations may also augment the algorithm presented in section 6.1 to further limit the set of valid paths which begin with a particular trust anchor." However, I object to adding support for limits on trust anchors to section 6.1. The algorithm in section 6.1 is the "basic" algorithm that everyone MUST implement. Section 6.2 describes various ways to extend that algorithm. Multiple trust anchors is one. Limits on trust anchors is a second. PEM compatible processing is a third. If one argues that limits on trust anchors should be described in section 6.1, one could equally argue that PEM compatible processing should be described in section 6.1. -Steve Denis Pinkas wrote: > > One topic per message: This one about applying constraints to the path > validation algorithm. > > In section 6.2 we now have: > > The path validation algorithm describes the process of validating a > single certification path. While each path begins with a specific > trust anchor, there is no requirement that all paths validated by a > particular system share a single trust anchor. An implementation > that supports multiple trust anchors may augment the algorithm > prresented in section 6.1 to further limit the set of valid paths > > ...Please a single r for prresented. > > which begin with a particular trust anchor. For example, an > implementation may specify name constraints that apply to a specific > trust anchor. > > While the sentence is true in the case of multiple trust anchors it is as > well valid for a single one. So a similar sentence is needed in section 6.1. > > In section 6.1 the text says: > > A particular certification path may not, however, be appropriate for > all applications. The path validation process also determines the > set of certificate policies that are valid for this path, based on > the certificate policies extension, policy mapping extension, policy > constraints extension, and inhibit any-policy extension. > > The text should rather say: > > An application may augment the algorithm presented in section 6.1 > to further limit the set of valid paths. For example, an > implementation may specify additional constraints like name > constraints or specific extensions that apply to the application. > Therefor the conditions which are described in this section are > minimum conditions. The path validation process described in this > section determines the minimum conditions that are to be fulfilled > by the certification path for the set of certificate policies > that are valid for this path, based on the certificate policies > extension, policy mapping extension, policy constraints extension, > and inhibit any-policy extension, as well as for the name > constraints, if any. > > The main difference between 6.1 and 6.2 is that the additional contraints > (policy or name constraints) apply globally to the path validation algorithm > when there is one trust anchor (6.1), but may apply on every trust anchor > where there are multiple trust anchors (6.2). > > Denis Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA09804 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 09:10:10 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 2LAW5J94; Thu, 19 Apr 2001 09:05:32 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: <ietf-pkix@imc.org> Cc: "Tim Polk" <tim.polk@nist.gov>, <rhousley@rsasecurity.com>, <brauckmann@trustcenter.de> Subject: RE: Dedicated CRL signing keys Date: Thu, 19 Apr 2001 09:10:31 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGAEOGCDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <4.2.0.58.20010419113507.01e5ac70@email.nist.gov> Tim, Russ and Juergen, I agree that CRL signature checks following CA key changeover need to work properly. This could be done via the same "new-with-old" certificate that extends the RP's trust to the new CA keypair. But why can't it also be done via an IDP extension in a CRL signed with the soon-to-be-retired CA private key? I echo Juergen's question. Russ, why must the DN be different? Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Tim Polk [mailto:tim.polk@nist.gov] Sent: Thursday, April 19, 2001 8:41 AM To: ietf-pkix@imc.org Cc: Russ Housley; Trevor Freeman Subject: Re: Dedicated CRL signing keys Folks, When we discussed this solution offline yesterday, I was enthusiastic. It appeared to resolve a problem using the tools we already have available. However, upon further reflection, this proposal creates as many problems as it resolves. Consider a CA that issues certificates and CRLs under using key pair "A" for three years, then switches to key pair "B" for the next three years. In this case, the CA does not maintain private key "A" after the rollover certificates are issued. Under the proposed solution, the CA would have to change its name, since it was going to issue CRLs under a different key pair than the certificates were issued under. Even worse, there would be no way to insert the CDP with the new name in the old certificates. I think our solution ... isn't. Sigh. Tim Polk At 05:07 PM 4/18/01 -0400, Russ Housley wrote: >Trevor: > >I propose the following solution that builds on the Indirect CRL >capabilities that are already available. When a CA wants to employ >separate private keys to sign certificates and CRLs, then that CA MUST >delegate CRL signing to a separate authority. That separate authority >MUST have a different Distinguished Name that the CA, but it could be >operated by the same organization. In this way, the IDP CRL extension >would flag the "unusual" circumstances. Clients that do not support >Indirect CRLs can fail gracefully (unsupported optional feature), and >clients that support Indirect CRLs can happily handle the certificates and >CRLs. > >Thoughts? > >Russ > >At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: >>There has been some discussion regarding the proposal to have CRLs >>signed with CA keys which do not also sign certificates. Since this will >>not be a mandatory to implement feature, I am concerned about the impact >>on pkix compliant clients who encounter CRL signed in this way, and how >>we expect them to behave. What seem unacceptable with the current >>proposal is that the signage check on the CRL will fail, and the client >>will have little clue as to why and if this failure is expected. The >>information in the chain, while present, is in the CAs certificate, is >>difficult to find and subtle so would be easily missed by someone >>debugging this problem. I would like to see some clearer indication in a >>critical extension in the CRL itself that would indicate what was going >>on. In expressing these semantics in a critical extension, we maintain >>the principal that if you don't understand the extension, the client >>knows to fail due to its own inadequacies and that failure is by design, >>therefore allowing the client's to return an error unsupported option >>rather than invalid signature. >>Trevor > Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA08114 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 08:46:32 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id RAA38934 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 17:46:10 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id RAA12168 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 17:45:59 +0200 Message-ID: <3ADF0833.61D9049F@bull.net> Date: Thu, 19 Apr 2001 17:45:55 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit One topic per message: This one about applying constraints to the path validation algorithm. In section 6.2 we now have: The path validation algorithm describes the process of validating a single certification path. While each path begins with a specific trust anchor, there is no requirement that all paths validated by a particular system share a single trust anchor. An implementation that supports multiple trust anchors may augment the algorithm prresented in section 6.1 to further limit the set of valid paths ...Please a single r for prresented. which begin with a particular trust anchor. For example, an implementation may specify name constraints that apply to a specific trust anchor. While the sentence is true in the case of multiple trust anchors it is as well valid for a single one. So a similar sentence is needed in section 6.1. In section 6.1 the text says: A particular certification path may not, however, be appropriate for all applications. The path validation process also determines the set of certificate policies that are valid for this path, based on the certificate policies extension, policy mapping extension, policy constraints extension, and inhibit any-policy extension. The text should rather say: An application may augment the algorithm presented in section 6.1 to further limit the set of valid paths. For example, an implementation may specify additional constraints like name constraints or specific extensions that apply to the application. Therefor the conditions which are described in this section are minimum conditions. The path validation process described in this section determines the minimum conditions that are to be fulfilled by the certification path for the set of certificate policies that are valid for this path, based on the certificate policies extension, policy mapping extension, policy constraints extension, and inhibit any-policy extension, as well as for the name constraints, if any. The main difference between 6.1 and 6.2 is that the additional contraints (policy or name constraints) apply globally to the path validation algorithm when there is one trust anchor (6.1), but may apply on every trust anchor where there are multiple trust anchors (6.2). Denis Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA07619 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 08:42:38 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id LAA21887; Thu, 19 Apr 2001 11:42:39 -0400 (EDT) Message-Id: <4.2.0.58.20010419113507.01e5ac70@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 19 Apr 2001 11:40:47 -0400 To: <ietf-pkix@imc.org> From: Tim Polk <tim.polk@nist.gov> Subject: Re: Dedicated CRL signing keys Cc: Russ Housley <rhousley@rsasecurity.com>, "Trevor Freeman" <trevorf@windows.microsoft.com> In-Reply-To: <5.0.1.4.2.20010418170147.01c7c300@exna07.securitydynamics. com> References: <4AEE3169443CDD4796CA8A00B02191CD6894DF@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Folks, When we discussed this solution offline yesterday, I was enthusiastic. It appeared to resolve a problem using the tools we already have available. However, upon further reflection, this proposal creates as many problems as it resolves. Consider a CA that issues certificates and CRLs under using key pair "A" for three years, then switches to key pair "B" for the next three years. In this case, the CA does not maintain private key "A" after the rollover certificates are issued. Under the proposed solution, the CA would have to change its name, since it was going to issue CRLs under a different key pair than the certificates were issued under. Even worse, there would be no way to insert the CDP with the new name in the old certificates. I think our solution ... isn't. Sigh. Tim Polk At 05:07 PM 4/18/01 -0400, Russ Housley wrote: >Trevor: > >I propose the following solution that builds on the Indirect CRL >capabilities that are already available. When a CA wants to employ >separate private keys to sign certificates and CRLs, then that CA MUST >delegate CRL signing to a separate authority. That separate authority >MUST have a different Distinguished Name that the CA, but it could be >operated by the same organization. In this way, the IDP CRL extension >would flag the "unusual" circumstances. Clients that do not support >Indirect CRLs can fail gracefully (unsupported optional feature), and >clients that support Indirect CRLs can happily handle the certificates and >CRLs. > >Thoughts? > >Russ > >At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: >>There has been some discussion regarding the proposal to have CRLs >>signed with CA keys which do not also sign certificates. Since this will >>not be a mandatory to implement feature, I am concerned about the impact >>on pkix compliant clients who encounter CRL signed in this way, and how >>we expect them to behave. What seem unacceptable with the current >>proposal is that the signage check on the CRL will fail, and the client >>will have little clue as to why and if this failure is expected. The >>information in the chain, while present, is in the CAs certificate, is >>difficult to find and subtle so would be easily missed by someone >>debugging this problem. I would like to see some clearer indication in a >>critical extension in the CRL itself that would indicate what was going >>on. In expressing these semantics in a critical extension, we maintain >>the principal that if you don't understand the extension, the client >>knows to fail due to its own inadequacies and that failure is by design, >>therefore allowing the client's to return an error unsupported option >>rather than invalid signature. >>Trevor > Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA06770 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 08:33:12 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id RAA35798 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 17:32:49 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id RAA06082 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 17:32:38 +0200 Message-ID: <3ADF0513.F5D40E8D@bull.net> Date: Thu, 19 Apr 2001 17:32:35 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 CC: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id IAA06771 One topic per message: This one about delta-CRLs (section 5.2.4). In the third paragraph the first sentence (still) says: When a conforming CA issues a delta CRL, the CA MUST also issue a CRL that is complete for the given scope. 1) There has been a thread on the mailing list where I understand that the conclusion was that a "MUST" was not appropriate and should either be replaced by a "SHOULD" or even the whole sentence should been deleted. 2) The text is also misleading while speaking of "the" delta-CRL since at one time there will be many delta-CRLs in a repository and the basic question is to know which one to use. The document offers no guidance on that topic, but it should. 3) The text says: An application can construct a CRL that is complete for a given scope, at the current time, in either of the following ways: (a) by retrieving the current delta CRL for that scope, and combining it with an issued CRL that is complete for that scope and that has a cRLNumber greater than or equal to the cRLNumber of the base CRL referenced in the delta CRL; or (b) by retrieving the current delta CRL for that scope and combining it with a locally constructed CRL whose cRLNumber is greater than or equal to the cRLNumber of the base CRL referenced in the current delta CRL. a) It is hard to understand in which case the base CRL may have a cRLNumber *greater than* the cRLNumber of the base CRL referenced in the delta CRL. I certainly miss something here. The equality case is easy to understand. The "greater than" case is much harder. Is it really needed ? b) the case of a locally constructed CRL is quite stange and it is questionnable why this case is being mentioned. In the following fix, that case has been deleted. 4) The FreshestRL extension is described without sufficient explanations to understand the use of that extension. So I propose the following for section 5.2.6. Add : "This extension MUST be present when a delta CRL mechanism is supported for that CRL." To solve the first three concerns I propose to replace the third and fourth paragraphs of section 5.2.4. by : The Delta CRL Indicator in a delta CRL and the CRL number from a complete CRL MUST contain the same value so that they can be associated. When a delta CRL is issued, it MUST cover the same set of reasons and the same set of certificates that were covered by the base CRL it references. An application can construct a CRL that is the most current for a given scope, at the current time, by retrieving the current base CRL for that scope, and combining it with a delta-CRL which contains a Delta CRL Indicator equal to the cRLNumber of the base CRL and where the current date from that delta-CRL is between thisUpdate and nextUpdate; or ... then the text continues with: The constructed CRL has the CRL number specified in the CRL number extension found in the delta CRL used in its construction. Finally we should explain what happens at the boundaries, i.e. when a CA decides to generate a (new) base CRL. Here is a text proposal: When issuing a base CRL that supports a delta-CRL mechanism then the CRL Issuer MUST at the same time issue a delta CRL that points to that base CRL. This first delta CRL will usually be empty (or will include last-minute additions to the base CRL). Since I have had private exchanges with both Tim Polk and David Cooper from NIST, on that topic the following explanations are primarily for them: Suppose we issue a base CRL every midnight. The question is whether we should issue a delta and, if yes, does this delta refer to the previous base or to the new one ? Suppose it refers to the previous one. According to the current sentence: "The constructed CRL has the CRL number specified in the CRL number extension found in the delta CRL used in its construction.", it is impossible. If that was the case the delta CRL would have a CRL number equal to the base CRL and it is not allowed for two CRLs to have the same CRL number. So only the other case remains: when a base CRL is issued an usually empty delta CRL must also be issued. At a first glance this does not seem to be optimum, but it is ! The algorithm remains unchanged whatever the time of the day may be. When a base CRL contains the freshest CRLextension this means that a delta mechanism is supported. If the application is wishing to take advantage of the freshest information, then it MUST find a CRL where both the delta refers to that CRL number and where the current date is between thisUpdate and nextUpdate. An alternative would be to support another extension saying "by the way, do not look for any delta during the next hour". This is a solution that we should not promote for three good reasons: 1° this is yet-another-extension; 2° this changes the basic algorithm; 3° the optimization would be for the first delta only. If a delta is issued every hour and a base once a day, then the optimization is only for one hour (e.g. between midnight and one o'clock) and not for the remaining 23 hours. Regards, Denis Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA05745 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 08:24:13 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id LAA354458; Thu, 19 Apr 2001 11:22:13 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id LAA10058; Thu, 19 Apr 2001 11:18:34 -0400 Importance: Normal Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments To: Stephen Kent <kent@bbn.com> Cc: "Michael Myers" <myers@coastside.net>, <ietf-pkix@imc.org> X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF0F7A8CCE.C49915C8-ON85256A33.0053AFFE@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Thu, 19 Apr 2001 11:23:30 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 04/19/2001 11:23:38 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Are there Key Purpose ID's defined for AA's and for OCSP responders anywhere other than new-part1, where they don't exist? If not, shouldn't there be, and shouldn't we recommend that the PKC's for such entities SHOULD contain them? I think it's probably a little late for MUST. We also might want a separate Key Purpose ID for signing CRL's for AA's only. Tom Gindin Stephen Kent <kent@bbn.com> on 04/19/2001 10:40:37 AM To: "Michael Myers" <myers@coastside.net> cc: <ietf-pkix@imc.org> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments At 9:34 PM -0700 4/18/01, Michael Myers wrote: >Steve, > >> -----Original Message----- >> From: Stephen Kent [mailto:kent@bbn.com] >> Sent: Wednesday, April 18, 2001 4:18 PM >> >> . . . >> . . . Nowhere in X.509 or in previous PKIX >> documents has there ever been text to suggest >> that other than a CA can sign a CRL for a >> public key certificate. > >I take it you mean CA as an entity vs. CA as the key the signed the >certificate. yes. > >> Also, in responde to other messages I've just been reading, I want to >> pont out that OCSP responses are not CRLs . . . > >But one could (in fact it is being done) use OCSP to functionally replace >CRLs. yes, one could, but the name for the bit is specific to CRLs, not to any revocation status mechanism that exists or might exist in the future. Steve Received: from internet.across ([213.212.5.232]) by above.proper.com (8.9.3/8.9.3) with SMTP id IAA03498 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 08:11:32 -0700 (PDT) Received: FROM acrossw02.acrosswireless.com BY internet.across ; Thu Apr 19 17:16:12 2001 +0200 Received: by acrossw02.acrosswireless.com with Internet Mail Service (5.5.2650.21) id <2LFZB4YG>; Thu, 19 Apr 2001 17:10:30 +0200 Message-ID: <F32A02BE32BAD41187210008C7168C7A020E11@acrossw02.acrosswireless.com> From: Bengt Ohlsson <bengt.ohlsson@smarttrust.com> To: "'Trevor Freeman'" <trevorf@windows.microsoft.com>, Russ Housley <rhousley@rsasecurity.com> Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Date: Thu, 19 Apr 2001 17:10:25 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Trevor and Russ, I don't see why the clients should fail to verify the signature on the CRL. Assume a CA uses separate keys, same DN, for certificate signing and CRL signing and sets the AuthorityKeyIdentifier extension in both the certificates and the CRLs. Then PKIX compliant clients should be able to build the correct certificate chains for verifying both the certificates and the CRLs. The legislation may require the CA keys to be stored in hardware without any copies. If you lose a key due to HW failure you will probaly want to continue to issue the CRLs with a new key and the same DN. This requires the clients to handle the AKI extension to be able to verify the signature on the new CRLs. This is a small requirement compared to handle indirect CRLs if you must change the DN. Bengt -----Original Message----- From: Trevor Freeman [mailto:trevorf@windows.microsoft.com] Sent: den 19 april 2001 01:40 To: Russ Housley Cc: ietf-pkix@imc.org Subject: RE: Dedicated CRL signing keys Hi Russ, That addresses my concerns. A pkix compliant client can now be reasonability expected to fail with a more informative error, and the problem should be in people's faces since the CRL contains a critical extension. Trevor -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Wednesday, April 18, 2001 2:08 PM To: Trevor Freeman Cc: ietf-pkix@imc.org Subject: Re: Dedicated CRL signing keys Trevor: I propose the following solution that builds on the Indirect CRL capabilities that are already available. When a CA wants to employ separate private keys to sign certificates and CRLs, then that CA MUST delegate CRL signing to a separate authority. That separate authority MUST have a different Distinguished Name that the CA, but it could be operated by the same organization. In this way, the IDP CRL extension would flag the "unusual" circumstances. Clients that do not support Indirect CRLs can fail gracefully (unsupported optional feature), and clients that support Indirect CRLs can happily handle the certificates and CRLs. Thoughts? Russ At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: >There has been some discussion regarding the proposal to have CRLs >signed with CA keys which do not also sign certificates. Since this will >not be a mandatory to implement feature, I am concerned about the impact >on pkix compliant clients who encounter CRL signed in this way, and how >we expect them to behave. What seem unacceptable with the current >proposal is that the signage check on the CRL will fail, and the client >will have little clue as to why and if this failure is expected. The >information in the chain, while present, is in the CAs certificate, is >difficult to find and subtle so would be easily missed by someone >debugging this problem. I would like to see some clearer indication in a >critical extension in the CRL itself that would indicate what was going >on. In expressing these semantics in a critical extension, we maintain >the principal that if you don't understand the extension, the client >knows to fail due to its own inadequacies and that failure is by design, >therefore allowing the client's to return an error unsupported option >rather than invalid signature. >Trevor Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA02625 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 08:07:13 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id LAA10535 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 11:06:45 -0400 (EDT) Message-Id: <200104191506.LAA10531@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Thu, 19 Apr 2001 11:05:03 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <p05010405b703d0078a43@[128.33.4.39]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Steve, I have no preference whether in the phrase "CertificateList (e.g., CRL)" the "e.g.," stays or goes. Note that some people use CRL to refer to every instance of a CertificateList, whereas others use CRL, ARL, ACRL, ICRL, DCRL, etc. to distinguish lists used for different purposes. Thus CRL may be either an example of, or a synonym for, CertificateList. I agree that the state of the cRLSign bit is not relevant to OCSP responses and that CertificateList is the only data structure which requires this bit. Dave K Stephen Kent wrote: > > Also, in responde to other messages I've just been reading, I want to > pont out that OCSP responses are not CRLs, so the value of the > cRLSign bit should not be an issue for an OCSP responder. This > suggests that the Lation abbreviation "e.g.," is inappropriately used > when referring to revocation status info verified using a cert with > the cRLSign bit enabled. CRLs are the only data structures the > validation of which is relevant to this bit. They are not an example. > > Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA01293 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 07:38:55 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA28004; Thu, 19 Apr 2001 10:38:40 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010400b704a8df7cbb@[128.33.4.39]> In-Reply-To: <EOEGJNFMMIBDKGFONJJDKECICAAA.myers@coastside.net> References: <EOEGJNFMMIBDKGFONJJDKECICAAA.myers@coastside.net> Date: Thu, 19 Apr 2001 10:40:37 -0400 To: "Michael Myers" <myers@coastside.net> From: Stephen Kent <kent@bbn.com> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Cc: <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 9:34 PM -0700 4/18/01, Michael Myers wrote: >Steve, > >> -----Original Message----- >> From: Stephen Kent [mailto:kent@bbn.com] >> Sent: Wednesday, April 18, 2001 4:18 PM >> >> . . . >> . . . Nowhere in X.509 or in previous PKIX >> documents has there ever been text to suggest >> that other than a CA can sign a CRL for a >> public key certificate. > >I take it you mean CA as an entity vs. CA as the key the signed the >certificate. yes. > >> Also, in responde to other messages I've just been reading, I want to >> pont out that OCSP responses are not CRLs . . . > >But one could (in fact it is being done) use OCSP to functionally replace >CRLs. yes, one could, but the name for the bit is specific to CRLs, not to any revocation status mechanism that exists or might exist in the future. Steve Received: from mystic1.trustcenter.de (mystic1.trustcenter.de [193.194.157.34]) by above.proper.com (8.9.3/8.9.3) with SMTP id XAA21542 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 23:53:36 -0700 (PDT) Received: by mystic1.trustcenter.de; id IAA04142; Thu, 19 Apr 2001 08:50:13 +0200 Received: from nodnsquery(192.168.200.233) by mystic1.trustcenter.de via smap (V5.0) id xma004138; Thu, 19 Apr 01 08:49:45 +0200 Received: from trustcenter.de (titan.trustcenter.de [192.168.200.244]) by venus.trustcenter.de (8.11.0/8.11.0) with ESMTP id f3J6qYI04798; Thu, 19 Apr 2001 08:52:34 +0200 (MET DST) Message-ID: <3ADE8B32.3BECFF34@trustcenter.de> Date: Thu, 19 Apr 2001 08:52:34 +0200 From: Juergen Brauckmann <brauckmann@trustcenter.de> X-Mailer: Mozilla 4.73 [en] (WinNT; U) X-Accept-Language: en,pdf MIME-Version: 1.0 To: Russ Housley <rhousley@rsasecurity.com> CC: ietf-pkix@imc.org Subject: Re: Dedicated CRL signing keys References: <5.0.1.4.2.20010418170147.01c7c300@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Russ Housley wrote: > I propose the following solution that builds on the Indirect CRL > capabilities that are already available. When a CA wants to employ > separate private keys to sign certificates and CRLs, then that CA MUST > delegate CRL signing to a separate authority. That separate authority MUST > have a different Distinguished Name that the CA, Why must it have a different DN? Regards, Juergen Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id VAA09178 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 21:36:31 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f3J4Zid26765; Wed, 18 Apr 2001 21:35:44 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Stephen Kent" <kent@bbn.com>, "David A. Cooper" <david.cooper@nist.gov> Cc: <ietf-pkix@imc.org> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Wed, 18 Apr 2001 21:34:20 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDKECICAAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <p05010405b703d0078a43@[128.33.4.39]> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Steve, > -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Wednesday, April 18, 2001 4:18 PM > > . . . > . . . Nowhere in X.509 or in previous PKIX > documents has there ever been text to suggest > that other than a CA can sign a CRL for a > public key certificate. I take it you mean CA as an entity vs. CA as the key the signed the certificate. > Also, in responde to other messages I've just been reading, I want to > pont out that OCSP responses are not CRLs . . . But one could (in fact it is being done) use OCSP to functionally replace CRLs. Mike Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id VAA08377 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 21:05:04 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GC000E01U0R3I@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 18 Apr 2001 21:05:15 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GC000DKXU0QBV@ext-mail.valicert.com>; Wed, 18 Apr 2001 21:05:15 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26PHTD>; Wed, 18 Apr 2001 21:04:08 -0700 Content-return: allowed Date: Wed, 18 Apr 2001 21:04:00 -0700 From: Ryan Hurst <ryanh@valicert.com> Subject: RE: Help Sought on Netscape Revocation URL causing MS Programs to hang To: "'Ron Segal'" <ron.segal@baycorpid.com>, ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E0119EC20@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Ron, Microsoft implements its revocation checking logic in a library called cryptnet.dll, in this DLL there is an implementation of a function called CryptVerifyRevocation. When the cryptnet.dll function is registered as a provider to CryptVerifyRevocation it will be called when a revocation check is requested. This DLL has had several updates and may or may not have this behavior in all versions (What version of the OS and service pack are you running?) Regardless, there are several ways to work with this issue: 1. Disable revocation checking (which can be done by removing the problematic CertVerifyRevocation provider in the registry, or at the application level by telling the application not to check for revocation) -- Not much of a solution I know; but 5 min delay for attempting to retrieve the CRL is insane. 2. ValiCert has a "Desktop Validator" solution that has an implementation of the CryptVerifyRevocation call that supports OCSP, SCVP and CRLs. If you install this plug-in you can configure it to supercede all other revocation providers. In this configuration you would not be exposed to this problem. However the shipping version of this product does not support automatically retrieving CRLs based off of certificate extensions (aka CRLdp and NetscapeRevocationURL). Instead you must configure either a default OCSP/SCVP responder or specify a CA specify responder or CRL location. If you would like to use OCSP we at ValiCert have a responder and the good folks over at OpenSSL have been working on a implementation as-well. Hope this helps, Ryan M. Hurst -----Original Message----- From: Ron Segal [mailto:ron.segal@baycorpid.com] Sent: Wednesday, April 18, 2001 6:59 PM To: ietf-pkix@imc.org Subject: Help Sought on Netscape Revocation URL causing MS Programs to hang Hi Folks If an X.509 v3 certificate contains a proprietary NetscapeRevocationURL extension and a Microsoft program (eg email or browser) is configured to do automatic CRL Distribution Point Checking, then the Microsoft program will hang and timeout after about 5 minutes. Does anybody know of a fix for this problem, e.g. a registry configuration (no cynicism please!)? We are aware that if a cert has both the NetscapeRevocationURL and CRL Distribution Point extensions, then no problem. Your help would be greatly appreciated (and maybe you can get a job at Baycorp!). Very best regards Ron -------------- Ron Segal Business Development Manager Baycorp ID Services Ltd PO Box 5052, Wellington, New Zealand Mailto: ron.segal@baycorpid.com Tel: +64 (4) 499 4231 DD: +64 (4) 499 4261 Mob: +64 (21) 678 009 Fax: +64 (4) 499 4233 Web: http://www.baycorpid.com Received: from netlink.co.nz (mako.netlink.co.nz [202.20.93.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA03854 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 18:55:49 -0700 (PDT) Received: from ronsnotebook (128i-cl128.netlink.net.nz [203.97.144.128]) by netlink.co.nz (8.9.3/8.9.3) with SMTP id NAA08605 for <ietf-pkix@imc.org>; Thu, 19 Apr 2001 13:55:51 +1200 (NZST) From: "Ron Segal" <ron.segal@baycorpid.com> To: <ietf-pkix@imc.org> Subject: Help Sought on Netscape Revocation URL causing MS Programs to hang Date: Thu, 19 Apr 2001 13:59:13 +1200 Message-ID: <LBENKDKNFEPFGMCIMHMMAEANCFAA.ron.segal@baycorpid.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0113_01C0C8D8.EA361D40" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 This is a multi-part message in MIME format. ------=_NextPart_000_0113_01C0C8D8.EA361D40 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Hi Folks If an X.509 v3 certificate contains a proprietary NetscapeRevocationURL extension and a Microsoft program (eg email or browser) is configured to do automatic CRL Distribution Point Checking, then the Microsoft program will hang and timeout after about 5 minutes. Does anybody know of a fix for this problem, e.g. a registry configuration (no cynicism please!)? We are aware that if a cert has both the NetscapeRevocationURL and CRL Distribution Point extensions, then no problem. Your help would be greatly appreciated (and maybe you can get a job at Baycorp!). Very best regards Ron -------------- Ron Segal Business Development Manager Baycorp ID Services Ltd PO Box 5052, Wellington, New Zealand Mailto: ron.segal@baycorpid.com Tel: +64 (4) 499 4231 DD: +64 (4) 499 4261 Mob: +64 (21) 678 009 Fax: +64 (4) 499 4233 Web: http://www.baycorpid.com ------=_NextPart_000_0113_01C0C8D8.EA361D40 Content-Type: text/x-vcard; name="Ron Segal.vcf" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="Ron Segal.vcf" BEGIN:VCARD VERSION:2.1 N:Segal;Ron FN:Ron Segal ORG:Baycorp ID Services TITLE:Business Development Manager TEL;WORK;VOICE:+64 4 499 4231 TEL;CELL;VOICE:+64 (021) 678009 TEL;WORK;FAX:64 4 499 4233 ADR;WORK;ENCODING=3DQUOTED-PRINTABLE:;;Level 1=3D0D=3D0ALandcorp = House=3D0D=3D0A101 Lambton Quay=3D0D=3D0APO Box 5052;Welling=3D ton;;;New Zealand LABEL;WORK;ENCODING=3DQUOTED-PRINTABLE:Level 1=3D0D=3D0ALandcorp = House=3D0D=3D0A101 Lambton Quay=3D0D=3D0APO Box 5052=3D0D=3D0AWell=3D ington=3D0D=3D0ANew Zealand URL: URL:http://www.baycorpid.com KEY;X509;ENCODING=3DBASE64: = MIIGdzCCBV+gAwIBAgIEOhwthjANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJOWjEgMB4G = A1UEChMXQmF5Y29ycCBJRCBTZXJ2aWNlcyBMdGQxGTAXBgNVBAsTEEJheWNvcnAgUGFzc3Bv = cnQxLzAtBgNVBAMTJkJheWNvcnAgUGFzc3BvcnQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X = DTAwMTEyMjIwMzMxMFoXDTAxMTEyNzIwMzMxMFowfDELMAkGA1UEBhMCTloxCjAIBgNVBAgT = AS0xEzARBgNVBAcTCldlbGxpbmd0b24xEDAOBgNVBAoTB0JheWNvcnAxEjAQBgNVBAMTCVJv = biBTZWdhbDEmMCQGCSqGSIb3DQEJARYXcm9uLnNlZ2FsQGJheWNvcnBpZC5jb20wgZ8wDQYJ = KoZIhvcNAQEBBQADgY0AMIGJAoGBANRQxdVFIMgxT5W45/I5HSGKPCCKfijydisE8fhqc/uh = Vqn9wE+CwCMJKKgUM5pH3g+ZyTbBKjctkSDOcmuN2aNGm1EPZq1xORI6byWmd6S9jb5/I2vt = IeqhWQC3MuVhrBFFuOsu1JBiGLmxaHg71ti/b97q50zA/hIOgDAuixtfAgMBAAGjggOEMIID = gDAiBgkrBgEEAZtYAAEEFRYTUm9uYWxkIFNhbXVlbCBTZWdhbDAOBgNVHQ8BAf8EBAMCA/gw = UQYDVR0lBEowSAYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwUGCCsG = AQUFBwMGBggrBgEFBQcDBwYKKwYBBAGCNwoDBDA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8v = d3d3LmJheWNvcnBpZC5jb20vY3JsL3Bhc3Nwb3J0LmNybDAZBgNVHQkEEjAQMA4GA1UEBDEH = EwVTZWdhbDAiBgNVHREEGzAZgRdyb24uc2VnYWxAYmF5Y29ycGlkLmNvbTCCAfIGA1UdIASC = AekwggHlMIIB4QYMKwYBBAGbWAIBAgECMIIBzzCCAZoGCCsGAQUFBwICMIIBjBqCAYhUaGUg = cmlnaHRzLCBvYmxpZ2F0aW9ucyBhbmQgbGlhYmlsaXRpZXMgb2YgdGhlIFN1YmplY3QsIEJh = eWNvcnAgSUQgU2VydmljZXMgYW5kIGFueSByZWx5aW5nIHBhcnR5IGFyZSBzcGVjaWZpZWQg = aW4gdGhlIEJheWNvcnAgUGFzc3BvcnQgQ2VydGlmaWNhdGlvbiBQcmFjdGlzZSBTdGF0ZW1l = bnQuIFlvdSBtdXN0IGVuc3VyZSB0aGF0IHRoaXMgY2VydGlmaWNhdGUgaXMgbm90IHN1c3Bl = bmRlZCBvciByZXZva2VkOyBjb21wbHkgd2l0aCB0aGUgc3BlY2lmaWNhdGlvbnMgaW4gaXRz = IEtleSBVc2FnZSBmaWVsZDsgYWRoZXJlIHRvIEJheWNvcnAgSUQgU2VydmljZXMnIFByaXZh = Y3kgUG9saWN5LiBGdXJ0aGVyIGRldGFpbCBpcyBhdmFpbGFibGUgZnJvbSBCYXljb3JwIElE = IFNlcnZpY2VzOjAvBggrBgEFBQcCARYjaHR0cDovL3d3dy5iYXljb3JwaWQuY29tL3JlcG9z = aXRvcnkwOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzABhh9odHRwOi8vY2VydHN0YXR1cy5i = YXljb3JwaWQuY29tMB8GA1UdIwQYMBaAFHlNfEwOah9O+VNsNHtQxa6cxvR+MB0GA1UdDgQW = BBSQs4oU5iFIMqGm5FFzDKWqV0NDlzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQCM = mcZU4Svrle0oqf8/r080V7/KW/7aaoYk//s161jKoWUs7WfmZzbyOgUQPeIuzk3bqfD9xN2E = kfDkaMiPDg5xZ8O/WKnzV2CLYDZrgyoFZ/o0ol+g1akXdAsgp3U73wk8kc7PfcpttSAQy7Mc = 78Ej+kaU1TUcyaqsJU6+cryb0EfixPosZpUgx8SZcx+KuRej5ZGHk0zCCsVWNS91noMlkN95 = ZP5fkzReeX2xrFmVfqTNawYBywrrvY4ULADRAVFrbqU4h2152KZKsALEpSFZqntLZlR8izqA dz/8d+u0KwTLkSPRJiWemL2iyFkU5H6qQoOLuLEQCQiRNxiblLlI EMAIL;PREF;INTERNET:ron.segal@baycorpid.com REV:20010130T034848Z END:VCARD ------=_NextPart_000_0113_01C0C8D8.EA361D40-- Received: from mail3.microsoft.com (mail3.microsoft.com [131.107.3.123]) by above.proper.com (8.9.3/8.9.3) with SMTP id QAA26211 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 16:41:53 -0700 (PDT) Received: from 157.54.9.104 by mail3.microsoft.com (InterScan E-Mail VirusWall NT); Wed, 18 Apr 2001 16:38:58 -0700 (Pacific Daylight Time) Received: from red-imc-02.redmond.corp.microsoft.com ([157.54.9.107]) by inet-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Wed, 18 Apr 2001 16:40:40 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Wed, 18 Apr 2001 16:40:39 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Wed, 18 Apr 2001 16:40:20 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Dedicated CRL signing keys Date: Wed, 18 Apr 2001 16:40:20 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD6894E1@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Dedicated CRL signing keys Thread-Index: AcDITFqRcQruJeOXRvCgnBY//iVDgQAEyltA From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Russ Housley" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 18 Apr 2001 23:40:20.0743 (UTC) FILETIME=[EE566970:01C0C860] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id QAA26212 Hi Russ, That addresses my concerns. A pkix compliant client can now be reasonability expected to fail with a more informative error, and the problem should be in people's faces since the CRL contains a critical extension. Trevor -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Wednesday, April 18, 2001 2:08 PM To: Trevor Freeman Cc: ietf-pkix@imc.org Subject: Re: Dedicated CRL signing keys Trevor: I propose the following solution that builds on the Indirect CRL capabilities that are already available. When a CA wants to employ separate private keys to sign certificates and CRLs, then that CA MUST delegate CRL signing to a separate authority. That separate authority MUST have a different Distinguished Name that the CA, but it could be operated by the same organization. In this way, the IDP CRL extension would flag the "unusual" circumstances. Clients that do not support Indirect CRLs can fail gracefully (unsupported optional feature), and clients that support Indirect CRLs can happily handle the certificates and CRLs. Thoughts? Russ At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: >There has been some discussion regarding the proposal to have CRLs >signed with CA keys which do not also sign certificates. Since this will >not be a mandatory to implement feature, I am concerned about the impact >on pkix compliant clients who encounter CRL signed in this way, and how >we expect them to behave. What seem unacceptable with the current >proposal is that the signage check on the CRL will fail, and the client >will have little clue as to why and if this failure is expected. The >information in the chain, while present, is in the CAs certificate, is >difficult to find and subtle so would be easily missed by someone >debugging this problem. I would like to see some clearer indication in a >critical extension in the CRL itself that would indicate what was going >on. In expressing these semantics in a critical extension, we maintain >the principal that if you don't understand the extension, the client >knows to fail due to its own inadequacies and that failure is by design, >therefore allowing the client's to return an error unsupported option >rather than invalid signature. >Trevor Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA24415 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 16:16:48 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id TAA00232; Wed, 18 Apr 2001 19:16:45 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010405b703d0078a43@[128.33.4.39]> In-Reply-To: <4.2.2.20010418133051.00addb60@email.nist.gov> References: <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> Date: Wed, 18 Apr 2001 19:17:35 -0400 To: "David A. Cooper" <david.cooper@nist.gov> From: Stephen Kent <kent@bbn.com> Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Dave Cooper, >Dave, > >I agree with you. I see no basis in X.509 for setting the cA flag in >basicConstraints for certificate subjects that can issue CRLs but >not certificates. The current discussion about how to deal with CRLs >for attribute certificates vs. public key certificates just further >goes to show that it was a mistake to suddenly change the rules at >the last IETF meeting. We disagree on this point. Nowhere in X.509 or in previous PKIX documents has there ever been text to suggest that other than a CA can sign a CRL for a public key certificate. So, the rules were not changed at the last meeting, they were reasserted and clarified. Also, in responde to other messages I've just been reading, I want to pont out that OCSP responses are not CRLs, so the value of the cRLSign bit should not be an issue for an OCSP responder. This suggests that the Lation abbreviation "e.g.," is inappropriately used when referring to revocation status info verified using a cert with the cRLSign bit enabled. CRLs are the only data structures the validation of which is relevant to this bit. They are not an example. Steve Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA15816 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 14:12:37 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 18 Apr 2001 21:09:59 UT Received: from HOUSLEY-LAP.rsasecurity.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id RAA09500; Wed, 18 Apr 2001 17:12:37 -0400 (EDT) Message-Id: <5.0.1.4.2.20010418170147.01c7c300@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 18 Apr 2001 17:07:37 -0400 To: "Trevor Freeman" <trevorf@windows.microsoft.com> From: Russ Housley <rhousley@rsasecurity.com> Subject: Re: Dedicated CRL signing keys Cc: <ietf-pkix@imc.org> In-Reply-To: <4AEE3169443CDD4796CA8A00B02191CD6894DF@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Trevor: I propose the following solution that builds on the Indirect CRL capabilities that are already available. When a CA wants to employ separate private keys to sign certificates and CRLs, then that CA MUST delegate CRL signing to a separate authority. That separate authority MUST have a different Distinguished Name that the CA, but it could be operated by the same organization. In this way, the IDP CRL extension would flag the "unusual" circumstances. Clients that do not support Indirect CRLs can fail gracefully (unsupported optional feature), and clients that support Indirect CRLs can happily handle the certificates and CRLs. Thoughts? Russ At 01:32 PM 4/18/2001 -0700, Trevor Freeman wrote: >There has been some discussion regarding the proposal to have CRLs >signed with CA keys which do not also sign certificates. Since this will >not be a mandatory to implement feature, I am concerned about the impact >on pkix compliant clients who encounter CRL signed in this way, and how >we expect them to behave. What seem unacceptable with the current >proposal is that the signage check on the CRL will fail, and the client >will have little clue as to why and if this failure is expected. The >information in the chain, while present, is in the CAs certificate, is >difficult to find and subtle so would be easily missed by someone >debugging this problem. I would like to see some clearer indication in a >critical extension in the CRL itself that would indicate what was going >on. In expressing these semantics in a critical extension, we maintain >the principal that if you don't understand the extension, the client >knows to fail due to its own inadequacies and that failure is by design, >therefore allowing the client's to return an error unsupported option >rather than invalid signature. >Trevor Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA12208 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 13:41:56 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 18 Apr 2001 20:39:18 UT Received: from HOUSLEY-LAP.rsasecurity.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA06977; Wed, 18 Apr 2001 16:41:53 -0400 (EDT) Message-Id: <5.0.1.4.2.20010418163944.01c6a190@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 18 Apr 2001 16:41:05 -0400 To: Sharon Boeyen <sharon.boeyen@entrust.com> From: Russ Housley <rhousley@rsasecurity.com> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Cc: ietf-pkix@imc.org, "Hoyt Kesterson (E-mail)" <hoytkesterson@earthlink.net> In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust .com> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> Sharon:<br> <br> <blockquote type=cite class=cite cite><font size=2>Russ, when I reviewed your text, only one point came to mind. There are <br> cases where a single authority will act as both a CA for public-key certificates</font> <br> <font size=2>and an AA for attribute certificates. As such, it would issue CRLs for the <br> public-key certs and CRLs for the attribute certs. If I'm interpreting your <br> text correctly, you would not permit the same certificate to indicate both?</font> </blockquote><br> The PKIX AC Profile explicitly forbids one entity from acting as both a CA and an AA. This restriction has been in the document from the very first draft.<br> <br> Russ<br> <br> </html> Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA11337 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 13:34:06 -0700 (PDT) Received: from 157.54.1.52 by mail2.microsoft.com (InterScan E-Mail VirusWall NT); Wed, 18 Apr 2001 13:33:29 -0700 (Pacific Daylight Time) Received: from red-imc-02.redmond.corp.microsoft.com ([157.54.9.107]) by inet-imc-06.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Wed, 18 Apr 2001 13:32:59 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Wed, 18 Apr 2001 13:32:59 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Wed, 18 Apr 2001 13:32:39 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: Dedicated CRL signing keys Date: Wed, 18 Apr 2001 13:32:39 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD6894DF@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Dedicated CRL signing keys Thread-Index: AcDIRsKidLRcSnAYSVedloWGQiCqFQ== From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: <ietf-pkix@imc.org> X-OriginalArrivalTime: 18 Apr 2001 20:32:39.0728 (UTC) FILETIME=[B63FE300:01C0C846] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id NAA11338 There has been some discussion regarding the proposal to have CRLs signed with CA keys which do not also sign certificates. Since this will not be a mandatory to implement feature, I am concerned about the impact on pkix compliant clients who encounter CRL signed in this way, and how we expect them to behave. What seem unacceptable with the current proposal is that the signage check on the CRL will fail, and the client will have little clue as to why and if this failure is expected. The information in the chain, while present, is in the CAs certificate, is difficult to find and subtle so would be easily missed by someone debugging this problem. I would like to see some clearer indication in a critical extension in the CRL itself that would indicate what was going on. In expressing these semantics in a critical extension, we maintain the principal that if you don't understand the extension, the client knows to fail due to its own inadequacies and that failure is by design, therefore allowing the client's to return an error unsupported option rather than invalid signature. Trevor Received: from femail3.sdc1.sfba.home.com (femail3.sdc1.sfba.home.com [24.0.95.83]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA11209 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 13:32:27 -0700 (PDT) Received: from revelation ([65.4.166.11]) by femail3.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010418202957.PXOW26961.femail3.sdc1.sfba.home.com@revelation>; Wed, 18 Apr 2001 13:29:57 -0700 Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch5@home.com> To: "'Russ Housley'" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Wed, 18 Apr 2001 13:35:16 -0700 Message-ID: <001201c0c847$144ae620$0e00a8c0@soaringhawk.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0013_01C0C80C.67EC0E20" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <5.0.1.4.2.20010418155824.01c602b0@exna07.securitydynamics.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 This is a multi-part message in MIME format. ------=_NextPart_000_0013_01C0C80C.67EC0E20 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit In that case I am happy with the originally proposed text. The change to the basicConstraints text is fine with me also. jim -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Wednesday, April 18, 2001 1:00 PM To: jimsch@exmsft.com Cc: ietf-pkix@imc.org Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Jim: RFC 2459 permits OCSP responders to have the cRLSign bit set. That is why the most recently proposed text says "revocation information" not "CRL." Russ At 12:08 PM 4/18/2001 -0400, Santosh Chokhani wrote: Russ, Two items: 1. You also need to change the text on the basic constraints extension. 2. This text implies to me that the cRLSign bit must be set for an OCSP responder (it does revocation information) is that what you want? jim ------=_NextPart_000_0013_01C0C80C.67EC0E20 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D093483420-18042001>In=20 that case I am happy with the originally proposed text. The change = to the=20 basicConstraints text is fine with me also.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D093483420-18042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D093483420-18042001>jim</SPAN></FONT></DIV> <BLOCKQUOTE=20 style=3D"BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: = 0px; PADDING-LEFT: 5px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Russ Housley=20 [mailto:rhousley@rsasecurity.com]<BR><B>Sent:</B> Wednesday, April 18, = 2001=20 1:00 PM<BR><B>To:</B> jimsch@exmsft.com<BR><B>Cc:</B>=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: Last Call:=20 draft-ietf-pkix-new-part1-06.txt = comments<BR><BR></DIV></FONT>Jim:<BR><BR>RFC=20 2459 permits OCSP responders to have the cRLSign bit set. That = is why=20 the most recently proposed text says "revocation information" not=20 "CRL."<BR><BR>Russ<BR><BR><BR>At 12:08 PM 4/18/2001 -0400, Santosh = Chokhani=20 wrote:<BR> <BLOCKQUOTE class=3Dcite cite type=3D"cite"><FONT = size=3D2>Russ,</FONT>=20 <BR><BR><FONT size=3D2>Two items:</FONT> <BR><BR><FONT = size=3D2>1. You=20 also need to change the text on the basic constraints = extension.</FONT>=20 <BR><FONT size=3D2>2. This text implies to me that the cRLSign = bit must=20 be set for an OCSP</FONT> <BR><FONT size=3D2>responder (it does = revocation=20 information) is that what you want?</FONT> <BR><BR><FONT = size=3D2>jim</FONT>=20 </BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0013_01C0C80C.67EC0E20-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA09218 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 13:05:20 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 18 Apr 2001 20:02:42 UT Received: from HOUSLEY-LAP.rsasecurity.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA04203; Wed, 18 Apr 2001 16:05:11 -0400 (EDT) Message-Id: <5.0.1.4.2.20010418155824.01c602b0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 18 Apr 2001 16:00:19 -0400 To: jimsch@exmsft.com From: Russ Housley <rhousley@rsasecurity.com> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Cc: ietf-pkix@imc.org In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE004@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> Jim:<br> <br> RFC 2459 permits OCSP responders to have the cRLSign bit set. That is why the most recently proposed text says "revocation information" not "CRL."<br> <br> Russ<br> <br> <br> At 12:08 PM 4/18/2001 -0400, Santosh Chokhani wrote:<br> <blockquote type=cite class=cite cite><font size=2>Russ,</font> <br> <br> <font size=2>Two items:</font> <br> <br> <font size=2>1. You also need to change the text on the basic constraints extension.</font> <br> <font size=2>2. This text implies to me that the cRLSign bit must be set for an OCSP</font> <br> <font size=2>responder (it does revocation information) is that what you want?</font> <br> <br> <font size=2>jim</font> </blockquote></html> Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA09142 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 13:05:13 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 18 Apr 2001 20:02:35 UT Received: from HOUSLEY-LAP.rsasecurity.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA04207; Wed, 18 Apr 2001 16:05:12 -0400 (EDT) Message-Id: <5.0.1.4.2.20010418160406.01c5e8f0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 18 Apr 2001 16:05:07 -0400 To: <jimsch@exmsft.com> From: Russ Housley <rhousley@rsasecurity.com> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Cc: <ietf-pkix@imc.org> In-Reply-To: <000001c0c822$dbbffe90$0e00a8c0@soaringhawk.net> References: <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Jim: >You also need to change the text on the basic constraints extension. You are correct. I propose: The cA bit indicates whether the certified public key may be used to verify signatures on other certificates. If the cA bit is asserted, then either the keyCertSign bit or the cRLSign bit in the key usage extension (see 4.2.1.3) MUST also be asserted. If the cA bit is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted. Russ Received: from femail3.sdc1.sfba.home.com (femail3.sdc1.sfba.home.com [24.0.95.83]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA08048 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 12:55:17 -0700 (PDT) Received: from revelation ([65.4.166.11]) by femail3.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010418195248.PUPP26961.femail3.sdc1.sfba.home.com@revelation>; Wed, 18 Apr 2001 12:52:48 -0700 Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch5@home.com> To: "'Ambarish Malpani'" <ambarish@valicert.com>, "'David P. Kemp'" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Wed, 18 Apr 2001 12:58:06 -0700 Message-ID: <000b01c0c841$e3804e40$0e00a8c0@soaringhawk.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C28@exchange.valicert.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Other than changing "(e.g. CRL)" to "(CRL)" I like this below text better. It was the "e.g." combined with the text that made me thing of non CRL ways of doing revocation information. jim > -----Original Message----- > From: Ambarish Malpani [mailto:ambarish@valicert.com] > Sent: Wednesday, April 18, 2001 11:41 AM > To: 'David P. Kemp'; ietf-pkix@imc.org > Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > > I like this. > > Part of what I like about this also, is the fact that it doesn't > prevent a non-CA from issuing indirect CRLs. I like the symmetry > between CRL issuance and OCSP response issuance. > > A > > > --------------------------------------------------------------------- > Ambarish Malpani > Architect 650.567.5457 > ValiCert, Inc. ambarish@valicert.com > 339 N. Bernardo Ave. http://www.valicert.com > Mountain View, CA 94043 > > > > -----Original Message----- > > From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] > > Sent: Wednesday, April 18, 2001 10:08 AM > > To: ietf-pkix@imc.org > > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > > > > P.S., my preference is to not use the cA bit to make a distinction > > between types of CRL signers, in which case the text is > much simpler: > > > > The cRLSign bit MUST be asserted when the subject > public key is > > used for verifying a signature on a CertificateList > > (e.g., a CRL). > > > > If the keyCertSign bit is asserted, then the cA bit in the > > basic constraints extension (see 4.2.1.10) MUST be asserted. > > If the keyCertSign bit is not asserted, then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > > Dave > > > > > Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA04334 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 11:47:54 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <2VH1AKTV>; Wed, 18 Apr 2001 14:47:25 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F9D@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'David A. Cooper'" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Wed, 18 Apr 2001 14:42:07 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C837.44EB4640" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C837.44EB4640 Content-Type: text/plain Hi Dave, you would use the SOAIdentifier extension (see 509 clause 15.3.2.1). This extension can ONLY be present in a public-key certificate issued to an SOA. If an SOA wants to DELEGATE the authority to another AA to allow it to issue attribute certs, that would be done in an attribute cert that contained the basicAttConstraints extension (see clause 15.5.2.1). Sharon > -----Original Message----- > From: David A. Cooper [mailto:david.cooper@nist.gov] > Sent: Wednesday, April 18, 2001 1:40 PM > To: ietf-pkix@imc.org > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > Dave, > > I agree with you. I see no basis in X.509 for setting the cA > flag in basicConstraints for certificate subjects that can > issue CRLs but not certificates. The current discussion about > how to deal with CRLs for attribute certificates vs. public > key certificates just further goes to show that it was a > mistake to suddenly change the rules at the last IETF meeting. > > I must say, though, that I am still confused about what is > the correct thing to do when dealing with attribute > certificates. If the subject of a public key certificate can > issue attribute certificates but not public key certificates, > what bits in the key usage extension should be set? My > understanding is that the keyCertSign bit should not be set, > but this seems to leave digitalSignature as the next best option. > > > At 01:08 PM 4/18/01 -0400, David P. Kemp wrote: > >P.S., my preference is to not use the cA bit to make a distinction > >between types of CRL signers, in which case the text is much simpler: > > > > The cRLSign bit MUST be asserted when the subject > public key is > > used for verifying a signature on a CertificateList > (e.g., a CRL). > > > > If the keyCertSign bit is asserted, then the cA bit in the > > basic constraints extension (see 4.2.1.10) MUST be asserted. > > If the keyCertSign bit is not asserted, then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > >Dave > > > > > > > >"David P. Kemp" wrote: > > > > > > The 9:25 AM version was clearer. This version adds a > restriction on > > > which type of authority may sign which type of revocation > list. Neither > > > version defines "CA certificate"; my impression was that > > > > > > If the cA bit is set, then the certificate *is* a CA > certificate, > > > > > > not the backwards-sounding > > > > > > If the cRLSign bit is asserted in a CA certificate, > then the cA bit > > > MUST be asserted. > > > > > > How about the following: > > > > > > The cRLSign bit is asserted when the subject public > key is used > > > for verifying a signature on a CertificateList > (e.g., a CRL). > > > If the cA bit in the basic constraints extension > (see 4.2.1.10) > > > is not asserted, then the public key MUST NOT be > used to verify > > > signatures on CRLs containing revocation > information for public > > > key certificates, however it may be used to verify > signatures > > > on CRLs containing revocation information for other types of > > > certificates (e.g., attribute certificates). > > > * If the cA bit is asserted, then the public key MUST > NOT be used > > > * to verify signatures on CRLs containing revocation > information > > > * for certificates other than public key certificates. > > > > > > If the keyCertSign bit is asserted, then the cA bit > in the basic > > > constraints extension MUST be asserted. If neither > the cRLSign > > > bit nor the keyCertSign bit are asserted, then the > cA bit in the > > > basic constraints extension MUST NOT be asserted. > > > > > > The third sentence (marked ***) is new; I don't know if > you intended > > > the asymmetry of allowing CAs to revoke ACs but > forbidding AAs from > > > revoking PKCs. If neither CAs nor AAs can revoke the > other's certs, > > > then the third sentence is needed. > > > > > > Dave > > ------_=_NextPart_001_01C0C837.44EB4640 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>Hi Dave, you would use the SOAIdentifier extension (see 509 clause 15.3.2.1). </FONT> <BR><FONT SIZE=2>This extension can ONLY be present in a public-key certificate issued to an SOA. </FONT> <BR><FONT SIZE=2>If an SOA wants to DELEGATE the authority to another AA to allow it to issue</FONT> <BR><FONT SIZE=2>attribute certs, that would be done in an attribute cert that contained the </FONT> <BR><FONT SIZE=2>basicAttConstraints extension (see clause 15.5.2.1).</FONT> </P> <P><FONT SIZE=2>Sharon </FONT> </P> <P><FONT SIZE=2>> -----Original Message-----</FONT> <BR><FONT SIZE=2>> From: David A. Cooper [<A HREF="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</FONT> <BR><FONT SIZE=2>> Sent: Wednesday, April 18, 2001 1:40 PM</FONT> <BR><FONT SIZE=2>> To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Dave,</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> I agree with you. I see no basis in X.509 for setting the cA </FONT> <BR><FONT SIZE=2>> flag in basicConstraints for certificate subjects that can </FONT> <BR><FONT SIZE=2>> issue CRLs but not certificates. The current discussion about </FONT> <BR><FONT SIZE=2>> how to deal with CRLs for attribute certificates vs. public </FONT> <BR><FONT SIZE=2>> key certificates just further goes to show that it was a </FONT> <BR><FONT SIZE=2>> mistake to suddenly change the rules at the last IETF meeting.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> I must say, though, that I am still confused about what is </FONT> <BR><FONT SIZE=2>> the correct thing to do when dealing with attribute </FONT> <BR><FONT SIZE=2>> certificates. If the subject of a public key certificate can </FONT> <BR><FONT SIZE=2>> issue attribute certificates but not public key certificates, </FONT> <BR><FONT SIZE=2>> what bits in the key usage extension should be set? My </FONT> <BR><FONT SIZE=2>> understanding is that the keyCertSign bit should not be set, </FONT> <BR><FONT SIZE=2>> but this seems to leave digitalSignature as the next best option.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> At 01:08 PM 4/18/01 -0400, David P. Kemp wrote:</FONT> <BR><FONT SIZE=2>> >P.S., my preference is to not use the cA bit to make a distinction</FONT> <BR><FONT SIZE=2>> >between types of CRL signers, in which case the text is much simpler:</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > The cRLSign bit MUST be asserted when the subject </FONT> <BR><FONT SIZE=2>> public key is</FONT> <BR><FONT SIZE=2>> > used for verifying a signature on a CertificateList </FONT> <BR><FONT SIZE=2>> (e.g., a CRL).</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > If the keyCertSign bit is asserted, then the cA bit in the </FONT> <BR><FONT SIZE=2>> > basic constraints extension (see 4.2.1.10) MUST be asserted.</FONT> <BR><FONT SIZE=2>> > If the keyCertSign bit is not asserted, then the cA bit</FONT> <BR><FONT SIZE=2>> > in the basic constraints extension MUST NOT be asserted.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >Dave</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >"David P. Kemp" wrote:</FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > The 9:25 AM version was clearer. This version adds a </FONT> <BR><FONT SIZE=2>> restriction on</FONT> <BR><FONT SIZE=2>> > > which type of authority may sign which type of revocation </FONT> <BR><FONT SIZE=2>> list. Neither</FONT> <BR><FONT SIZE=2>> > > version defines "CA certificate"; my impression was that</FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > If the cA bit is set, then the certificate *is* a CA </FONT> <BR><FONT SIZE=2>> certificate,</FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > not the backwards-sounding</FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > If the cRLSign bit is asserted in a CA certificate, </FONT> <BR><FONT SIZE=2>> then the cA bit</FONT> <BR><FONT SIZE=2>> > > MUST be asserted.</FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > How about the following:</FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > The cRLSign bit is asserted when the subject public </FONT> <BR><FONT SIZE=2>> key is used</FONT> <BR><FONT SIZE=2>> > > for verifying a signature on a CertificateList </FONT> <BR><FONT SIZE=2>> (e.g., a CRL).</FONT> <BR><FONT SIZE=2>> > > If the cA bit in the basic constraints extension </FONT> <BR><FONT SIZE=2>> (see 4.2.1.10)</FONT> <BR><FONT SIZE=2>> > > is not asserted, then the public key MUST NOT be </FONT> <BR><FONT SIZE=2>> used to verify</FONT> <BR><FONT SIZE=2>> > > signatures on CRLs containing revocation </FONT> <BR><FONT SIZE=2>> information for public</FONT> <BR><FONT SIZE=2>> > > key certificates, however it may be used to verify </FONT> <BR><FONT SIZE=2>> signatures</FONT> <BR><FONT SIZE=2>> > > on CRLs containing revocation information for other types of</FONT> <BR><FONT SIZE=2>> > > certificates (e.g., attribute certificates).</FONT> <BR><FONT SIZE=2>> > > * If the cA bit is asserted, then the public key MUST </FONT> <BR><FONT SIZE=2>> NOT be used</FONT> <BR><FONT SIZE=2>> > > * to verify signatures on CRLs containing revocation </FONT> <BR><FONT SIZE=2>> information</FONT> <BR><FONT SIZE=2>> > > * for certificates other than public key certificates.</FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > If the keyCertSign bit is asserted, then the cA bit </FONT> <BR><FONT SIZE=2>> in the basic</FONT> <BR><FONT SIZE=2>> > > constraints extension MUST be asserted. If neither </FONT> <BR><FONT SIZE=2>> the cRLSign</FONT> <BR><FONT SIZE=2>> > > bit nor the keyCertSign bit are asserted, then the </FONT> <BR><FONT SIZE=2>> cA bit in the</FONT> <BR><FONT SIZE=2>> > > basic constraints extension MUST NOT be asserted.</FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > The third sentence (marked ***) is new; I don't know if </FONT> <BR><FONT SIZE=2>> you intended</FONT> <BR><FONT SIZE=2>> > > the asymmetry of allowing CAs to revoke ACs but </FONT> <BR><FONT SIZE=2>> forbidding AAs from</FONT> <BR><FONT SIZE=2>> > > revoking PKCs. If neither CAs nor AAs can revoke the </FONT> <BR><FONT SIZE=2>> other's certs,</FONT> <BR><FONT SIZE=2>> > > then the third sentence is needed.</FONT> <BR><FONT SIZE=2>> > > </FONT> <BR><FONT SIZE=2>> > > Dave</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C837.44EB4640-- Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA03896 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 11:41:32 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GC000A013XGH7@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 18 Apr 2001 11:41:40 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GC0009JO3XGWI@ext-mail.valicert.com>; Wed, 18 Apr 2001 11:41:40 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26P10P>; Wed, 18 Apr 2001 11:40:34 -0700 Content-return: allowed Date: Wed, 18 Apr 2001 11:40:33 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments To: "'David P. Kemp'" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014C8C28@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" I like this. Part of what I like about this also, is the fact that it doesn't prevent a non-CA from issuing indirect CRLs. I like the symmetry between CRL issuance and OCSP response issuance. A --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] > Sent: Wednesday, April 18, 2001 10:08 AM > To: ietf-pkix@imc.org > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > P.S., my preference is to not use the cA bit to make a distinction > between types of CRL signers, in which case the text is much simpler: > > The cRLSign bit MUST be asserted when the subject public key is > used for verifying a signature on a CertificateList > (e.g., a CRL). > > If the keyCertSign bit is asserted, then the cA bit in the > basic constraints extension (see 4.2.1.10) MUST be asserted. > If the keyCertSign bit is not asserted, then the cA bit > in the basic constraints extension MUST NOT be asserted. > > Dave > > Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA00999 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 10:40:10 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id NAA22463 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 13:40:10 -0400 (EDT) Message-Id: <4.2.2.20010418133051.00addb60@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 18 Apr 2001 13:40:08 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments In-Reply-To: <200104181709.NAA09898@stingray.missi.ncsc.mil> References: <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Dave, I agree with you. I see no basis in X.509 for setting the cA flag in basicConstraints for certificate subjects that can issue CRLs but not certificates. The current discussion about how to deal with CRLs for attribute certificates vs. public key certificates just further goes to show that it was a mistake to suddenly change the rules at the last IETF meeting. I must say, though, that I am still confused about what is the correct thing to do when dealing with attribute certificates. If the subject of a public key certificate can issue attribute certificates but not public key certificates, what bits in the key usage extension should be set? My understanding is that the keyCertSign bit should not be set, but this seems to leave digitalSignature as the next best option. At 01:08 PM 4/18/01 -0400, David P. Kemp wrote: >P.S., my preference is to not use the cA bit to make a distinction >between types of CRL signers, in which case the text is much simpler: > > The cRLSign bit MUST be asserted when the subject public key is > used for verifying a signature on a CertificateList (e.g., a CRL). > > If the keyCertSign bit is asserted, then the cA bit in the > basic constraints extension (see 4.2.1.10) MUST be asserted. > If the keyCertSign bit is not asserted, then the cA bit > in the basic constraints extension MUST NOT be asserted. > >Dave > > > >"David P. Kemp" wrote: > > > > The 9:25 AM version was clearer. This version adds a restriction on > > which type of authority may sign which type of revocation list. Neither > > version defines "CA certificate"; my impression was that > > > > If the cA bit is set, then the certificate *is* a CA certificate, > > > > not the backwards-sounding > > > > If the cRLSign bit is asserted in a CA certificate, then the cA bit > > MUST be asserted. > > > > How about the following: > > > > The cRLSign bit is asserted when the subject public key is used > > for verifying a signature on a CertificateList (e.g., a CRL). > > If the cA bit in the basic constraints extension (see 4.2.1.10) > > is not asserted, then the public key MUST NOT be used to verify > > signatures on CRLs containing revocation information for public > > key certificates, however it may be used to verify signatures > > on CRLs containing revocation information for other types of > > certificates (e.g., attribute certificates). > > * If the cA bit is asserted, then the public key MUST NOT be used > > * to verify signatures on CRLs containing revocation information > > * for certificates other than public key certificates. > > > > If the keyCertSign bit is asserted, then the cA bit in the basic > > constraints extension MUST be asserted. If neither the cRLSign > > bit nor the keyCertSign bit are asserted, then the cA bit in the > > basic constraints extension MUST NOT be asserted. > > > > The third sentence (marked ***) is new; I don't know if you intended > > the asymmetry of allowing CAs to revoke ACs but forbidding AAs from > > revoking PKCs. If neither CAs nor AAs can revoke the other's certs, > > then the third sentence is needed. > > > > Dave Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA00574 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 10:36:03 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <2VH1AKL3>; Wed, 18 Apr 2001 13:35:34 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: ietf-pkix@imc.org Cc: "Hoyt Kesterson (E-mail)" <hoytkesterson@earthlink.net> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Wed, 18 Apr 2001 13:30:12 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C82D.39742390" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C82D.39742390 Content-Type: text/plain The cRLSign bit should be restricted to verifying signatures on CRLs (not on other types of revocation status information) regardless of who issues the CRLs. On that topic, the 509 intent was that either the issuer of a certificate or an entity authorized (to issue indirect CRLs) by the issuer of the certificate would issue the relevant CRL(s) for that certificate. That intent applies to both public-key and attribute certificates. Russ, when I reviewed your text, only one point came to mind. There are cases where a single authority will act as both a CA for public-key certificates and an AA for attribute certificates. As such, it would issue CRLs for the public-key certs and CRLs for the attribute certs. If I'm interpreting your text correctly, you would not permit the same certificate to indicate both? Incidentally I just noticed another editorial correction that will need to be made to 509 to correctly indicate that both CAs and AAs can sign CRLs. In the text for the cRLSign bit in the keyUsage extension (clause 8.2.2.3), "for verifying a CA's signature" should read "for verifying an authority's signature", in line with the editorial changes I made throughout 509 as mentioned in an earlier message. This one was missed. Sharon > -----Original Message----- > From: Marc Branchaud [mailto:marcnarc@rsasecurity.com] > Sent: Wednesday, April 18, 2001 12:36 PM > To: ietf-pkix@imc.org > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > > Jim Schaad wrote: > > > > 2. This text implies to me that the cRLSign bit must be > set for an OCSP > > responder (it does revocation information) is that what you want? > > > > The way I read it, the bit can only be set for OCSP > responders that serve > status for non-public-key certs. In other words, the cRLSign > bit MUST NOT be > asserted in all deployed OCSP responder certs. (AFAIK, there > are no OCSP > responders currently serving status on attribute certs, > though it certainly > would be easy for them to do so.) OTOH, the CRLSign bit MAY > be asserted for > OCSP responders that _only_ serve status for non-public-key > certificates. If > an OCSP responder serves status for both types of > certificate, then I guess > the bit would stay off... > > Either way, the situation WRT OCSP responders is vague. I > suggest that the > first sentence be changed as follows: > > The cRLSign bit is asserted when the subject public key is > used for BOTH > verifying a signature on a certificate and for verifying a > signature on > revocation information (e.g., a CRL). > > I think this aligns most closely with the intended use of the > bit, i.e. that > it should only apply to entities that issue certificates. > Thus, a plain OCSP > responder would not have the bit asserted in its cert. But > if a CA or AA key > is used to sign OCSP responses, then the bit SHOULD (MUST?) > be asserted in > the CA/AA's cert. To emphasize that, I recommend changing the second > sentence to: > > This bit MUST be asserted in CA certificates that are used > to verify > signatures on CRLs and/or OCSP responses. > > Marc > ------_=_NextPart_001_01C0C82D.39742390 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>The cRLSign bit should be restricted to verifying signatures on </FONT> <BR><FONT SIZE=2>CRLs (not on other types of revocation status information) regardless</FONT> <BR><FONT SIZE=2>of who issues the CRLs.</FONT> </P> <P><FONT SIZE=2>On that topic, the 509 intent was that either the issuer of a certificate</FONT> <BR><FONT SIZE=2>or an entity authorized (to issue indirect CRLs) by the issuer of the certificate would issue the </FONT> <BR><FONT SIZE=2>relevant CRL(s) for that certificate. That intent applies to both public-key</FONT> <BR><FONT SIZE=2>and attribute certificates. </FONT> </P> <P><FONT SIZE=2>Russ, when I reviewed your text, only one point came to mind. There are </FONT> <BR><FONT SIZE=2>cases where a single authority will act as both a CA for public-key certificates</FONT> <BR><FONT SIZE=2>and an AA for attribute certificates. As such, it would issue CRLs for the </FONT> <BR><FONT SIZE=2>public-key certs and CRLs for the attribute certs. If I'm interpreting your </FONT> <BR><FONT SIZE=2>text correctly, you would not permit the same certificate to indicate both?</FONT> </P> <P><FONT SIZE=2>Incidentally I just noticed another editorial correction that will need to </FONT> <BR><FONT SIZE=2>be made to 509 to correctly indicate that both CAs and AAs can sign CRLs. In the text for </FONT> <BR><FONT SIZE=2>the cRLSign bit in the keyUsage extension (clause 8.2.2.3),</FONT> <BR><FONT SIZE=2>"for verifying a CA's signature" should read "for verifying an authority's signature", in </FONT> <BR><FONT SIZE=2>line with the editorial changes I made throughout 509 as mentioned in an earlier message. </FONT> <BR><FONT SIZE=2>This one was missed. </FONT> </P> <P><FONT SIZE=2>Sharon </FONT> </P> <P><FONT SIZE=2>> -----Original Message-----</FONT> <BR><FONT SIZE=2>> From: Marc Branchaud [<A HREF="mailto:marcnarc@rsasecurity.com">mailto:marcnarc@rsasecurity.com</A>]</FONT> <BR><FONT SIZE=2>> Sent: Wednesday, April 18, 2001 12:36 PM</FONT> <BR><FONT SIZE=2>> To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Jim Schaad wrote:</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > 2. This text implies to me that the cRLSign bit must be </FONT> <BR><FONT SIZE=2>> set for an OCSP</FONT> <BR><FONT SIZE=2>> > responder (it does revocation information) is that what you want?</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> The way I read it, the bit can only be set for OCSP </FONT> <BR><FONT SIZE=2>> responders that serve</FONT> <BR><FONT SIZE=2>> status for non-public-key certs. In other words, the cRLSign </FONT> <BR><FONT SIZE=2>> bit MUST NOT be</FONT> <BR><FONT SIZE=2>> asserted in all deployed OCSP responder certs. (AFAIK, there </FONT> <BR><FONT SIZE=2>> are no OCSP</FONT> <BR><FONT SIZE=2>> responders currently serving status on attribute certs, </FONT> <BR><FONT SIZE=2>> though it certainly</FONT> <BR><FONT SIZE=2>> would be easy for them to do so.) OTOH, the CRLSign bit MAY </FONT> <BR><FONT SIZE=2>> be asserted for</FONT> <BR><FONT SIZE=2>> OCSP responders that _only_ serve status for non-public-key </FONT> <BR><FONT SIZE=2>> certificates. If</FONT> <BR><FONT SIZE=2>> an OCSP responder serves status for both types of </FONT> <BR><FONT SIZE=2>> certificate, then I guess</FONT> <BR><FONT SIZE=2>> the bit would stay off...</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Either way, the situation WRT OCSP responders is vague. I </FONT> <BR><FONT SIZE=2>> suggest that the</FONT> <BR><FONT SIZE=2>> first sentence be changed as follows:</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> The cRLSign bit is asserted when the subject public key is </FONT> <BR><FONT SIZE=2>> used for BOTH</FONT> <BR><FONT SIZE=2>> verifying a signature on a certificate and for verifying a </FONT> <BR><FONT SIZE=2>> signature on</FONT> <BR><FONT SIZE=2>> revocation information (e.g., a CRL).</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> I think this aligns most closely with the intended use of the </FONT> <BR><FONT SIZE=2>> bit, i.e. that</FONT> <BR><FONT SIZE=2>> it should only apply to entities that issue certificates. </FONT> <BR><FONT SIZE=2>> Thus, a plain OCSP</FONT> <BR><FONT SIZE=2>> responder would not have the bit asserted in its cert. But </FONT> <BR><FONT SIZE=2>> if a CA or AA key</FONT> <BR><FONT SIZE=2>> is used to sign OCSP responses, then the bit SHOULD (MUST?) </FONT> <BR><FONT SIZE=2>> be asserted in</FONT> <BR><FONT SIZE=2>> the CA/AA's cert. To emphasize that, I recommend changing the second</FONT> <BR><FONT SIZE=2>> sentence to:</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> This bit MUST be asserted in CA certificates that are used </FONT> <BR><FONT SIZE=2>> to verify</FONT> <BR><FONT SIZE=2>> signatures on CRLs and/or OCSP responses.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Marc</FONT> <BR><FONT SIZE=2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C82D.39742390-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA29413 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 10:22:12 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JFQR8AKK>; Wed, 18 Apr 2001 13:21:40 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE01B@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Wed, 18 Apr 2001 13:12:58 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C82A.D09792F0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C82A.D09792F0 Content-Type: text/plain; charset="iso-8859-1" Dave: This text is clearer than your previous text and is also acceptable to me. This accommodates OCSP responders nicely. -----Original Message----- From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] Sent: Wednesday, April 18, 2001 1:08 PM To: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments P.S., my preference is to not use the cA bit to make a distinction between types of CRL signers, in which case the text is much simpler: The cRLSign bit MUST be asserted when the subject public key is used for verifying a signature on a CertificateList (e.g., a CRL). If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST be asserted. If the keyCertSign bit is not asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Dave "David P. Kemp" wrote: > > The 9:25 AM version was clearer. This version adds a restriction on > which type of authority may sign which type of revocation list. Neither > version defines "CA certificate"; my impression was that > > If the cA bit is set, then the certificate *is* a CA certificate, > > not the backwards-sounding > > If the cRLSign bit is asserted in a CA certificate, then the cA bit > MUST be asserted. > > How about the following: > > The cRLSign bit is asserted when the subject public key is used > for verifying a signature on a CertificateList (e.g., a CRL). > If the cA bit in the basic constraints extension (see 4.2.1.10) > is not asserted, then the public key MUST NOT be used to verify > signatures on CRLs containing revocation information for public > key certificates, however it may be used to verify signatures > on CRLs containing revocation information for other types of > certificates (e.g., attribute certificates). > * If the cA bit is asserted, then the public key MUST NOT be used > * to verify signatures on CRLs containing revocation information > * for certificates other than public key certificates. > > If the keyCertSign bit is asserted, then the cA bit in the basic > constraints extension MUST be asserted. If neither the cRLSign > bit nor the keyCertSign bit are asserted, then the cA bit in the > basic constraints extension MUST NOT be asserted. > > The third sentence (marked ***) is new; I don't know if you intended > the asymmetry of allowing CAs to revoke ACs but forbidding AAs from > revoking PKCs. If neither CAs nor AAs can revoke the other's certs, > then the third sentence is needed. > > Dave ------_=_NextPart_001_01C0C82A.D09792F0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Dave:</FONT> </P> <P><FONT SIZE=3D2>This text is clearer than your previous text and is = also acceptable to me. This accommodates OCSP responders = nicely.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: David P. Kemp [<A = HREF=3D"mailto:dpkemp@missi.ncsc.mil">mailto:dpkemp@missi.ncsc.mil</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Wednesday, April 18, 2001 1:08 PM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: Last Call: = draft-ietf-pkix-new-part1-06.txt comments</FONT> </P> <BR> <P><FONT SIZE=3D2>P.S., my preference is to not use the cA bit to make = a distinction</FONT> <BR><FONT SIZE=3D2>between types of CRL signers, in which case the text = is much simpler:</FONT> </P> <P><FONT SIZE=3D2> The cRLSign bit MUST = be asserted when the subject public key is</FONT> <BR><FONT SIZE=3D2> used for verifying a = signature on a CertificateList (e.g., a CRL).</FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2> If the keyCertSign = bit is asserted, then the cA bit in the </FONT> <BR><FONT SIZE=3D2> basic constraints = extension (see 4.2.1.10) MUST be asserted.</FONT> <BR><FONT SIZE=3D2> If the keyCertSign = bit is not asserted, then the cA bit</FONT> <BR><FONT SIZE=3D2> in the basic = constraints extension MUST NOT be asserted.</FONT> </P> <P><FONT SIZE=3D2>Dave</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>"David P. Kemp" wrote:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The 9:25 AM version was clearer. This = version adds a restriction on</FONT> <BR><FONT SIZE=3D2>> which type of authority may sign which type of = revocation list. Neither</FONT> <BR><FONT SIZE=3D2>> version defines "CA certificate"; my = impression was that</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> If the cA bit is set, then the = certificate *is* a CA certificate,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> not the backwards-sounding</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> If the cRLSign bit is asserted in a = CA certificate, then the cA bit</FONT> <BR><FONT SIZE=3D2>> MUST be asserted.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> How about the following:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The cRLSign = bit is asserted when the subject public key is used</FONT> <BR><FONT SIZE=3D2>> for = verifying a signature on a CertificateList (e.g., a CRL).</FONT> <BR><FONT SIZE=3D2>> If the cA = bit in the basic constraints extension (see 4.2.1.10)</FONT> <BR><FONT SIZE=3D2>> is not = asserted, then the public key MUST NOT be used to verify</FONT> <BR><FONT SIZE=3D2>> signatures = on CRLs containing revocation information for public</FONT> <BR><FONT SIZE=3D2>> key = certificates, however it may be used to verify signatures</FONT> <BR><FONT SIZE=3D2>> on CRLs = containing revocation information for other types of</FONT> <BR><FONT SIZE=3D2>> = certificates (e.g., attribute certificates).</FONT> <BR><FONT SIZE=3D2>> * If the cA bit is = asserted, then the public key MUST NOT be used</FONT> <BR><FONT SIZE=3D2>> * to verify signatures = on CRLs containing revocation information</FONT> <BR><FONT SIZE=3D2>> * for certificates = other than public key certificates.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> If the = keyCertSign bit is asserted, then the cA bit in the basic</FONT> <BR><FONT SIZE=3D2>> constraints = extension MUST be asserted. If neither the cRLSign</FONT> <BR><FONT SIZE=3D2>> bit nor the = keyCertSign bit are asserted, then the cA bit in the</FONT> <BR><FONT SIZE=3D2>> basic = constraints extension MUST NOT be asserted.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The third sentence (marked ***) is new; I don't = know if you intended</FONT> <BR><FONT SIZE=3D2>> the asymmetry of allowing CAs to revoke ACs but = forbidding AAs from</FONT> <BR><FONT SIZE=3D2>> revoking PKCs. If neither CAs nor AAs can = revoke the other's certs,</FONT> <BR><FONT SIZE=3D2>> then the third sentence is needed.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Dave</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C82A.D09792F0-- Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA28301 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 10:10:21 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id NAA09902 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 13:09:53 -0400 (EDT) Message-Id: <200104181709.NAA09898@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Wed, 18 Apr 2001 13:08:09 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit P.S., my preference is to not use the cA bit to make a distinction between types of CRL signers, in which case the text is much simpler: The cRLSign bit MUST be asserted when the subject public key is used for verifying a signature on a CertificateList (e.g., a CRL). If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST be asserted. If the keyCertSign bit is not asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Dave "David P. Kemp" wrote: > > The 9:25 AM version was clearer. This version adds a restriction on > which type of authority may sign which type of revocation list. Neither > version defines "CA certificate"; my impression was that > > If the cA bit is set, then the certificate *is* a CA certificate, > > not the backwards-sounding > > If the cRLSign bit is asserted in a CA certificate, then the cA bit > MUST be asserted. > > How about the following: > > The cRLSign bit is asserted when the subject public key is used > for verifying a signature on a CertificateList (e.g., a CRL). > If the cA bit in the basic constraints extension (see 4.2.1.10) > is not asserted, then the public key MUST NOT be used to verify > signatures on CRLs containing revocation information for public > key certificates, however it may be used to verify signatures > on CRLs containing revocation information for other types of > certificates (e.g., attribute certificates). > * If the cA bit is asserted, then the public key MUST NOT be used > * to verify signatures on CRLs containing revocation information > * for certificates other than public key certificates. > > If the keyCertSign bit is asserted, then the cA bit in the basic > constraints extension MUST be asserted. If neither the cRLSign > bit nor the keyCertSign bit are asserted, then the cA bit in the > basic constraints extension MUST NOT be asserted. > > The third sentence (marked ***) is new; I don't know if you intended > the asymmetry of allowing CAs to revoke ACs but forbidding AAs from > revoking PKCs. If neither CAs nor AAs can revoke the other's certs, > then the third sentence is needed. > > Dave Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA28266 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 10:10:16 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GBZ00901ZPCHU@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 18 Apr 2001 10:10:24 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GBZ009GEZPC1B@ext-mail.valicert.com>; Wed, 18 Apr 2001 10:10:24 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26P1H0>; Wed, 18 Apr 2001 10:09:18 -0700 Content-return: allowed Date: Wed, 18 Apr 2001 10:09:17 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: CMP: Use of PKIMessages To: "'cadams@entrust.com'" <cadams@entrust.com>, "'stephen.farrell@baltimore.ie'" <stephen.farrell@baltimore.ie> Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014BABBF@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Carlisle and Stephen, draft-ietf-pkix-rfc2510bis-03.txt defines PKIMessages as: PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage whereas RFC 2510 uses PKIMessages within its text, but does not define the type. Am I correct in assuming that section 5.4 of RFC 2510 and Appendix G of draft-ietf-pkix-rfc2510bis-03.txt describe methods for transporting PKIMessage (singular), not PKIMessages (plural). Thanks. Frank Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.9.3/8.9.3) with SMTP id JAA27236 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 09:58:06 -0700 (PDT) Received: from 157.54.9.100 by mail2.microsoft.com (InterScan E-Mail VirusWall NT); Wed, 18 Apr 2001 09:21:07 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-03.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Wed, 18 Apr 2001 09:21:04 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Wed, 18 Apr 2001 09:21:04 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C02A9872A@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Last Call: draft-ietf-pkix-new-part1-06.txt comments Thread-Index: AcDII0NIXSzq4bh2R0yu7BV/1gqwgQAAMnUw From: "David Cross" <dcross@microsoft.com> To: "Santosh Chokhani" <chokhani@cygnacom.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 18 Apr 2001 16:21:05.0009 (UTC) FILETIME=[91188E10:01C0C823] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id JAA27237 I concur with Santosh. David B. Cross -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Wednesday, April 18, 2001 9:08 AM To: jimsch@exmsft.com; 'Russ Housley'; ietf-pkix@imc.org Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Russ: More importantly, is the RFC saying that OCSP responder is a CA or AA. I think it is neither. Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA27020 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 09:56:27 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id MAA09270 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 12:55:59 -0400 (EDT) Message-Id: <200104181655.MAA09266@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Wed, 18 Apr 2001 12:54:12 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit The 9:25 AM version was clearer. This version adds a restriction on which type of authority may sign which type of revocation list. Neither version defines "CA certificate"; my impression was that If the cA bit is set, then the certificate *is* a CA certificate, not the backwards-sounding If the cRLSign bit is asserted in a CA certificate, then the cA bit MUST be asserted. How about the following: The cRLSign bit is asserted when the subject public key is used for verifying a signature on a CertificateList (e.g., a CRL). If the cA bit in the basic constraints extension (see 4.2.1.10) is not asserted, then the public key MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates, however it may be used to verify signatures on CRLs containing revocation information for other types of certificates (e.g., attribute certificates). * If the cA bit is asserted, then the public key MUST NOT be used * to verify signatures on CRLs containing revocation information * for certificates other than public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension MUST be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The third sentence (marked ***) is new; I don't know if you intended the asymmetry of allowing CAs to revoke ACs but forbidding AAs from revoking PKCs. If neither CAs nor AAs can revoke the other's certs, then the third sentence is needed. Dave Stephen Farrell wrote: > > I thought it was clearer first time! But its still ok. > > Stephen. > > Russ Housley wrote: > > > > Tim Polk and I just got off the phone. After a lengthy discussion, we > > propose a revision to the cRLSign discussion: > > > > The cRLSign bit is asserted when the subject public key is used > > for verifying a signature on revocation information (e.g., a CRL). > > This bit MUST be asserted in CA certificates that are used to > > verify signatures on CRLs. If the cRLSign bit is asserted in a CA > > certificate, then the cA bit in the basic constraints extension > > (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is > > asserted in a non-CA certificate, then the cA bit in the basic > > constraints extension MUST NOT be asserted. Such non-CA > > certificates MUST NOT be used to verify signatures on CRLs > > containing revocation information for public key certificates; > > however, these non-CA certificates MAY be used to verify > > signatures on CRLs containing revocation information concerning > > other types of certificates (e.g., attribute certificates). If > > neither the cRLSign bit nor the keyCertSign bit are asserted, then > > the cA bit in the basic constraints extension MUST NOT be > > asserted. > > > > Hey, this section was only one sentence in RFC 2459... > > > > Please let us know if anyone has any remaining concerns. > > > > Russ Received: from home.x509.com (home.x509.com [199.175.150.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA25702 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 09:37:45 -0700 (PDT) Received: from rsasecurity.com (eskarina.eng.x509.com [10.7.33.45]) by home.x509.com (8.11.2/XCERT) with ESMTP id f3IGbHQ88236 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 09:37:17 -0700 (PDT) Sender: marcnarc@home.x509.com Message-ID: <3ADDC266.2AEF1C49@rsasecurity.com> Date: Wed, 18 Apr 2001 09:35:50 -0700 From: Marc Branchaud <marcnarc@rsasecurity.com> Organization: RSA Security X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18 i686) X-Accept-Language: en, fr MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <000001c0c822$dbbffe90$0e00a8c0@soaringhawk.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Jim Schaad wrote: > > 2. This text implies to me that the cRLSign bit must be set for an OCSP > responder (it does revocation information) is that what you want? > The way I read it, the bit can only be set for OCSP responders that serve status for non-public-key certs. In other words, the cRLSign bit MUST NOT be asserted in all deployed OCSP responder certs. (AFAIK, there are no OCSP responders currently serving status on attribute certs, though it certainly would be easy for them to do so.) OTOH, the CRLSign bit MAY be asserted for OCSP responders that _only_ serve status for non-public-key certificates. If an OCSP responder serves status for both types of certificate, then I guess the bit would stay off... Either way, the situation WRT OCSP responders is vague. I suggest that the first sentence be changed as follows: The cRLSign bit is asserted when the subject public key is used for BOTH verifying a signature on a certificate and for verifying a signature on revocation information (e.g., a CRL). I think this aligns most closely with the intended use of the bit, i.e. that it should only apply to entities that issue certificates. Thus, a plain OCSP responder would not have the bit asserted in its cert. But if a CA or AA key is used to sign OCSP responses, then the bit SHOULD (MUST?) be asserted in the CA/AA's cert. To emphasize that, I recommend changing the second sentence to: This bit MUST be asserted in CA certificates that are used to verify signatures on CRLs and/or OCSP responses. Marc Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA24177 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 09:17:27 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JFQR70CF>; Wed, 18 Apr 2001 12:16:57 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE004@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: jimsch@exmsft.com, "'Russ Housley'" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Wed, 18 Apr 2001 12:08:14 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C821.C5D63640" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C821.C5D63640 Content-Type: text/plain; charset="iso-8859-1" Russ: More importantly, is the RFC saying that OCSP responder is a CA or AA. I think it is neither. -----Original Message----- From: Jim Schaad [mailto:jimsch5@home.com] Sent: Wednesday, April 18, 2001 12:16 PM To: 'Russ Housley'; ietf-pkix@imc.org Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Russ, Two items: 1. You also need to change the text on the basic constraints extension. 2. This text implies to me that the cRLSign bit must be set for an OCSP responder (it does revocation information) is that what you want? jim > -----Original Message----- > From: Russ Housley [mailto:rhousley@rsasecurity.com] > Sent: Wednesday, April 18, 2001 8:07 AM > To: ietf-pkix@imc.org > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > Tim Polk and I just got off the phone. After a lengthy > discussion, we > propose a revision to the cRLSign discussion: > > The cRLSign bit is asserted when the subject public key is used > for verifying a signature on revocation information > (e.g., a CRL). > This bit MUST be asserted in CA certificates that are used to > verify signatures on CRLs. If the cRLSign bit is > asserted in a CA > certificate, then the cA bit in the basic constraints extension > (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is > asserted in a non-CA certificate, then the cA bit in the basic > constraints extension MUST NOT be asserted. Such non-CA > certificates MUST NOT be used to verify signatures on CRLs > containing revocation information for public key certificates; > however, these non-CA certificates MAY be used to verify > signatures on CRLs containing revocation information concerning > other types of certificates (e.g., attribute certificates). If > neither the cRLSign bit nor the keyCertSign bit are > asserted, then > the cA bit in the basic constraints extension MUST NOT be > asserted. > > Hey, this section was only one sentence in RFC 2459... > > Please let us know if anyone has any remaining concerns. > > Russ > > > At 09:25 AM 4/18/2001 -0400, Russ Housley wrote: > >Based on this discussion, I think that the working group wants the > >keyCertSign and cRLSign key usage text to read as follows: > > > > The keyCertSign bit is asserted when the subject public key is > > used for verifying a signature on public key > certificates. This > > bit MUST only be asserted in CA certificates. If the > keyCertSign > > bit is asserted, then the cA bit in the basic constraints > > extension (see 4.2.1.10) MUST also be asserted. If > neither the > > cRLSign bit nor the keyCertSign bit are asserted, > then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > > The cRLSign bit is asserted when the subject public > key is used > > for verifying a signature on certificate revocation > lists (CRLs). > > This bit MUST only be asserted in CA certificates and > Attribute > > Authority (AA) certificates. If the cRLSign bit is > asserted in a > > CA certificate, then the cA bit in the basic > constraints extension > > (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is > > asserted in an AA certificate, then the cA bit in the basic > > constraints extension MUST NOT be asserted. If neither the > > cRLSign bit nor the keyCertSign bit are asserted, > then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > >Let me know if you disagree. > > > >Russ > > > >At 02:31 PM 4/17/2001 +0100, Stephen Farrell wrote: > > > >>I'd also go along with Jim here - that an AA be allowed to > >>have cRLSign set without having cA set in basicConstraints, > >>i.e. that AA's be an exception to the general rule for EE's > >>and that this be explicitly called out in son-of-2459. I'm > >>assuming that keyCertSign is therefore not set for AA's too > >>(and the text for keyCertSign shouldn't say "certificates", > >>but "public key certificates"). > >> > >>Stephen. > >> > >>Jim Schaad wrote: > >> > > >> > Russ, > >> > > >> > > -----Original Message----- > >> > > From: Russ Housley [mailto:rhousley@rsasecurity.com] > >> > > Sent: Monday, April 16, 2001 10:33 AM > >> > > To: jimsch@exmsft.com > >> > > Cc: ietf-pkix@imc.org > >> > > Subject: Re: Last Call: > draft-ietf-pkix-new-part1-06.txt comments > >> > > > >> > > > >> > > Jim: > >> > > > >> > > >1. As currently written in section 4.2.1.3, it is not > >> > > possible for a non-CA > >> > > >CRL issuer to be created for attribute certificates. Was > >> > > this the final > >> > > >resolution of this issue? This seems to me to be > >> > > problematic as it means as > >> > > >an end-user one can issue an attribute certificate, but one > >> > > must always use > >> > > >a different agent, which is a CA, to issue the CRLs. This > >> > > means that all > >> > > >attribute CRL issuers are indirect. > >> > > > >> > > I do not recall a consensus on this point. Should an AA that > >> > > supports CRLs > >> > > have the cRLSign bit set in its public key certificate? If > >> > > so, this text > >> > > must change. > >> > > >> > I don't recall anything except private discussions on > this issue. It is > >> > here for the mailing list to comment on. > >> > > >> > It is my option that an AA that supports CRLs SHOULD > have the cRLSign bit > >> > set. Either that or we ask X509 to create AACertSign > and AACrlSign > >> bits and > >> > keep this current text as is. > >> > > >> > > > >> > > >2. Section 4.2.1.3, paragraph last: Current Text: "set in > >> > > An instantiation" > >> > > >modify to "set in an instantiation". > >> > > > >> > > Fixed. > >> > > > >> > > >3. Section 6.2 paragraph 2: change "prresented" to "presented" > >> > > > >> > > Fixed. > >> > > > >> > > >4. Section 6.2 paragraph 2: The text "For example, an > >> > > implementation may > >> > > >specify name constraints that apply to a specific trust > >> > > anchor." is diffcult > >> > > >for me given that the validation algorithm explicitly states > >> > > that name > >> > > >constraints are not applied to self signed > certificates. Suggest "For > >> > > >example, an implemenation may modify the algorithm to apply > >> > > name constaints > >> > > >during the initialization phase." > >> > > > >> > > Self-signed certificates are a common mechanism for > >> > > distributing public > >> > > keys for trust anchors, but they are not a mandated > >> > > mechanism. That said, > >> > > I think that your text it an improvement. How about a hybrid: > >> > > > >> > > For example, an implementation MAY modify the algorithm > >> > > to apply name constraints to a specific trust anchor > >> > > during the initialization phase. > >> > > >> > I have no problems with this new text. > >> > > >> > > > >> > > >5. ASN module: > >> > > >part1a.asn(352) : warning XXXXX: The imported symbol > 'id-ad' is never > >> > > >referenced > >> > > > >> > > Agree. I removed it. > >> > > > >> > > Russ > >> > > > >> > > > >> > > >> > jim > >> > >>-- > >>____________________________________________________________ > >>Stephen Farrell > >>Baltimore Technologies, tel: (direct line) +353 1 881 6716 > >>39 Parkgate Street, fax: +353 1 881 7000 > >>Dublin 8. mailto:stephen.farrell@baltimore.ie > >>Ireland http://www.baltimore.com > > ------_=_NextPart_001_01C0C821.C5D63640 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ:</FONT> </P> <P><FONT SIZE=3D2>More importantly, is the RFC saying that OCSP = responder is a CA or AA. I think it is neither.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Jim Schaad [<A = HREF=3D"mailto:jimsch5@home.com">mailto:jimsch5@home.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Wednesday, April 18, 2001 12:16 PM</FONT> <BR><FONT SIZE=3D2>To: 'Russ Housley'; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Last Call: = draft-ietf-pkix-new-part1-06.txt comments</FONT> </P> <BR> <P><FONT SIZE=3D2>Russ,</FONT> </P> <P><FONT SIZE=3D2>Two items:</FONT> </P> <P><FONT SIZE=3D2>1. You also need to change the text on the = basic constraints extension.</FONT> <BR><FONT SIZE=3D2>2. This text implies to me that the cRLSign = bit must be set for an OCSP</FONT> <BR><FONT SIZE=3D2>responder (it does revocation information) is that = what you want?</FONT> </P> <P><FONT SIZE=3D2>jim</FONT> </P> <P><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Russ Housley [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>> Sent: Wednesday, April 18, 2001 8:07 AM</FONT> <BR><FONT SIZE=3D2>> To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: Re: Last Call: = draft-ietf-pkix-new-part1-06.txt comments</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Tim Polk and I just got off the phone. = After a lengthy</FONT> <BR><FONT SIZE=3D2>> discussion, we</FONT> <BR><FONT SIZE=3D2>> propose a revision to the cRLSign = discussion:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> The = cRLSign bit is asserted when the subject public key is used</FONT> <BR><FONT SIZE=3D2>> for = verifying a signature on revocation information</FONT> <BR><FONT SIZE=3D2>> (e.g., a CRL).</FONT> <BR><FONT SIZE=3D2>> This = bit MUST be asserted in CA certificates that are used to</FONT> <BR><FONT SIZE=3D2>> = verify signatures on CRLs. If the cRLSign bit is</FONT> <BR><FONT SIZE=3D2>> asserted in a CA</FONT> <BR><FONT SIZE=3D2>> = certificate, then the cA bit in the basic constraints extension</FONT> <BR><FONT SIZE=3D2>> (see = 4.2.1.10) MUST also be asserted. If the cRLSign bit is</FONT> <BR><FONT SIZE=3D2>> = asserted in a non-CA certificate, then the cA bit in the basic</FONT> <BR><FONT SIZE=3D2>> = constraints extension MUST NOT be asserted. Such non-CA</FONT> <BR><FONT SIZE=3D2>> = certificates MUST NOT be used to verify signatures on CRLs</FONT> <BR><FONT SIZE=3D2>> = containing revocation information for public key certificates;</FONT> <BR><FONT SIZE=3D2>> = however, these non-CA certificates MAY be used to verify</FONT> <BR><FONT SIZE=3D2>> = signatures on CRLs containing revocation information concerning</FONT> <BR><FONT SIZE=3D2>> other = types of certificates (e.g., attribute certificates). If</FONT> <BR><FONT SIZE=3D2>> = neither the cRLSign bit nor the keyCertSign bit are</FONT> <BR><FONT SIZE=3D2>> asserted, then</FONT> <BR><FONT SIZE=3D2>> the = cA bit in the basic constraints extension MUST NOT be</FONT> <BR><FONT SIZE=3D2>> = asserted.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Hey, this section was only one sentence in RFC = 2459...</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Please let us know if anyone has any remaining = concerns.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Russ</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> At 09:25 AM 4/18/2001 -0400, Russ Housley = wrote:</FONT> <BR><FONT SIZE=3D2>> >Based on this discussion, I think that the = working group wants the</FONT> <BR><FONT SIZE=3D2>> >keyCertSign and cRLSign key usage text to = read as follows:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > The = keyCertSign bit is asserted when the subject public key is</FONT> <BR><FONT SIZE=3D2>> > used = for verifying a signature on public key</FONT> <BR><FONT SIZE=3D2>> certificates. This</FONT> <BR><FONT SIZE=3D2>> > bit = MUST only be asserted in CA certificates. If the</FONT> <BR><FONT SIZE=3D2>> keyCertSign</FONT> <BR><FONT SIZE=3D2>> > bit is = asserted, then the cA bit in the basic constraints</FONT> <BR><FONT SIZE=3D2>> > = extension (see 4.2.1.10) MUST also be asserted. If</FONT> <BR><FONT SIZE=3D2>> neither the</FONT> <BR><FONT SIZE=3D2>> > = cRLSign bit nor the keyCertSign bit are asserted,</FONT> <BR><FONT SIZE=3D2>> then the cA bit</FONT> <BR><FONT SIZE=3D2>> > in the = basic constraints extension MUST NOT be asserted.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > The = cRLSign bit is asserted when the subject public</FONT> <BR><FONT SIZE=3D2>> key is used</FONT> <BR><FONT SIZE=3D2>> > for = verifying a signature on certificate revocation</FONT> <BR><FONT SIZE=3D2>> lists (CRLs).</FONT> <BR><FONT SIZE=3D2>> > This = bit MUST only be asserted in CA certificates and</FONT> <BR><FONT SIZE=3D2>> Attribute</FONT> <BR><FONT SIZE=3D2>> > = Authority (AA) certificates. If the cRLSign bit is</FONT> <BR><FONT SIZE=3D2>> asserted in a</FONT> <BR><FONT SIZE=3D2>> > CA = certificate, then the cA bit in the basic</FONT> <BR><FONT SIZE=3D2>> constraints extension</FONT> <BR><FONT SIZE=3D2>> > (see = 4.2.1.10) MUST also be asserted. If the cRLSign bit is</FONT> <BR><FONT SIZE=3D2>> > = asserted in an AA certificate, then the cA bit in the basic</FONT> <BR><FONT SIZE=3D2>> > = constraints extension MUST NOT be asserted. If neither the</FONT> <BR><FONT SIZE=3D2>> > = cRLSign bit nor the keyCertSign bit are asserted,</FONT> <BR><FONT SIZE=3D2>> then the cA bit</FONT> <BR><FONT SIZE=3D2>> > in the = basic constraints extension MUST NOT be asserted.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Let me know if you disagree.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Russ</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >At 02:31 PM 4/17/2001 +0100, Stephen = Farrell wrote:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >>I'd also go along with Jim here - that = an AA be allowed to</FONT> <BR><FONT SIZE=3D2>> >>have cRLSign set without having cA set = in basicConstraints,</FONT> <BR><FONT SIZE=3D2>> >>i.e. that AA's be an exception to the = general rule for EE's</FONT> <BR><FONT SIZE=3D2>> >>and that this be explicitly called out = in son-of-2459. I'm</FONT> <BR><FONT SIZE=3D2>> >>assuming that keyCertSign is therefore = not set for AA's too</FONT> <BR><FONT SIZE=3D2>> >>(and the text for keyCertSign shouldn't = say "certificates",</FONT> <BR><FONT SIZE=3D2>> >>but "public key = certificates").</FONT> <BR><FONT SIZE=3D2>> >></FONT> <BR><FONT SIZE=3D2>> >>Stephen.</FONT> <BR><FONT SIZE=3D2>> >></FONT> <BR><FONT SIZE=3D2>> >>Jim Schaad wrote:</FONT> <BR><FONT SIZE=3D2>> >> ></FONT> <BR><FONT SIZE=3D2>> >> > Russ,</FONT> <BR><FONT SIZE=3D2>> >> ></FONT> <BR><FONT SIZE=3D2>> >> > > -----Original = Message-----</FONT> <BR><FONT SIZE=3D2>> >> > > From: Russ Housley [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>> >> > > Sent: Monday, April 16, 2001 = 10:33 AM</FONT> <BR><FONT SIZE=3D2>> >> > > To: jimsch@exmsft.com</FONT> <BR><FONT SIZE=3D2>> >> > > Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> >> > > Subject: Re: Last = Call:</FONT> <BR><FONT SIZE=3D2>> draft-ietf-pkix-new-part1-06.txt = comments</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > Jim:</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > >1. As currently written = in section 4.2.1.3, it is not</FONT> <BR><FONT SIZE=3D2>> >> > > possible for a non-CA</FONT> <BR><FONT SIZE=3D2>> >> > > >CRL issuer to be created = for attribute certificates. Was</FONT> <BR><FONT SIZE=3D2>> >> > > this the final</FONT> <BR><FONT SIZE=3D2>> >> > > >resolution of this = issue? This seems to me to be</FONT> <BR><FONT SIZE=3D2>> >> > > problematic as it means = as</FONT> <BR><FONT SIZE=3D2>> >> > > >an end-user one can = issue an attribute certificate, but one</FONT> <BR><FONT SIZE=3D2>> >> > > must always use</FONT> <BR><FONT SIZE=3D2>> >> > > >a different agent, which = is a CA, to issue the CRLs. This</FONT> <BR><FONT SIZE=3D2>> >> > > means that all</FONT> <BR><FONT SIZE=3D2>> >> > > >attribute CRL issuers = are indirect.</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > I do not recall a consensus = on this point. Should an AA that</FONT> <BR><FONT SIZE=3D2>> >> > > supports CRLs</FONT> <BR><FONT SIZE=3D2>> >> > > have the cRLSign bit set in = its public key certificate? If</FONT> <BR><FONT SIZE=3D2>> >> > > so, this text</FONT> <BR><FONT SIZE=3D2>> >> > > must change.</FONT> <BR><FONT SIZE=3D2>> >> ></FONT> <BR><FONT SIZE=3D2>> >> > I don't recall anything except = private discussions on</FONT> <BR><FONT SIZE=3D2>> this issue. It is</FONT> <BR><FONT SIZE=3D2>> >> > here for the mailing list to = comment on.</FONT> <BR><FONT SIZE=3D2>> >> ></FONT> <BR><FONT SIZE=3D2>> >> > It is my option that an AA that = supports CRLs SHOULD</FONT> <BR><FONT SIZE=3D2>> have the cRLSign bit</FONT> <BR><FONT SIZE=3D2>> >> > set. Either that or we ask = X509 to create AACertSign</FONT> <BR><FONT SIZE=3D2>> and AACrlSign</FONT> <BR><FONT SIZE=3D2>> >> bits and</FONT> <BR><FONT SIZE=3D2>> >> > keep this current text as = is.</FONT> <BR><FONT SIZE=3D2>> >> ></FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > >2. Section 4.2.1.3, = paragraph last: Current Text: "set in</FONT> <BR><FONT SIZE=3D2>> >> > > An = instantiation"</FONT> <BR><FONT SIZE=3D2>> >> > > >modify to "set in = an instantiation".</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > Fixed.</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > >3. Section 6.2 paragraph = 2: change "prresented" to "presented"</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > Fixed.</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > >4. Section 6.2 paragraph = 2: The text "For example, an</FONT> <BR><FONT SIZE=3D2>> >> > > implementation may</FONT> <BR><FONT SIZE=3D2>> >> > > >specify name constraints = that apply to a specific trust</FONT> <BR><FONT SIZE=3D2>> >> > > anchor." is = diffcult</FONT> <BR><FONT SIZE=3D2>> >> > > >for me given that the = validation algorithm explicitly states</FONT> <BR><FONT SIZE=3D2>> >> > > that name</FONT> <BR><FONT SIZE=3D2>> >> > > >constraints are not = applied to self signed</FONT> <BR><FONT SIZE=3D2>> certificates. Suggest "For</FONT> <BR><FONT SIZE=3D2>> >> > > >example, an = implemenation may modify the algorithm to apply</FONT> <BR><FONT SIZE=3D2>> >> > > name constaints</FONT> <BR><FONT SIZE=3D2>> >> > > >during the = initialization phase."</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > Self-signed certificates are = a common mechanism for</FONT> <BR><FONT SIZE=3D2>> >> > > distributing public</FONT> <BR><FONT SIZE=3D2>> >> > > keys for trust anchors, but = they are not a mandated</FONT> <BR><FONT SIZE=3D2>> >> > > mechanism. That = said,</FONT> <BR><FONT SIZE=3D2>> >> > > I think that your text it an = improvement. How about a hybrid:</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > For = example, an implementation MAY modify the algorithm</FONT> <BR><FONT SIZE=3D2>> >> > > to = apply name constraints to a specific trust anchor</FONT> <BR><FONT SIZE=3D2>> >> > > = during the initialization phase.</FONT> <BR><FONT SIZE=3D2>> >> ></FONT> <BR><FONT SIZE=3D2>> >> > I have no problems with this new = text.</FONT> <BR><FONT SIZE=3D2>> >> ></FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > >5. ASN module:</FONT> <BR><FONT SIZE=3D2>> >> > > >part1a.asn(352) : = warning XXXXX: The imported symbol</FONT> <BR><FONT SIZE=3D2>> 'id-ad' is never</FONT> <BR><FONT SIZE=3D2>> >> > > >referenced</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > Agree. I removed it.</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > > Russ</FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> > ></FONT> <BR><FONT SIZE=3D2>> >> ></FONT> <BR><FONT SIZE=3D2>> >> > jim</FONT> <BR><FONT SIZE=3D2>> >></FONT> <BR><FONT SIZE=3D2>> >>--</FONT> <BR><FONT SIZE=3D2>> = >>____________________________________________________________</FO= NT> <BR><FONT SIZE=3D2>> >>Stephen Farrell</FONT> <BR><FONT SIZE=3D2>> >>Baltimore Technologies, = tel: (direct line) +353 1 881 6716</FONT> <BR><FONT SIZE=3D2>> >>39 Parkgate = Street,  = ; fax: +353 1 881 = 7000</FONT> <BR><FONT SIZE=3D2>> >>Dublin = 8. &nbs= p; <A = HREF=3D"mailto:stephen.farrell@baltimore.ie">mailto:stephen.farrell@balt= imore.ie</A></FONT> <BR><FONT SIZE=3D2>> = >>Ireland &nb= sp; &nb= sp; <A = HREF=3D"http://www.baltimore.com" = TARGET=3D"_blank">http://www.baltimore.com</A></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C821.C5D63640-- Received: from femail3.sdc1.sfba.home.com (femail3.sdc1.sfba.home.com [24.0.95.83]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA23769 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 09:13:11 -0700 (PDT) Received: from revelation ([65.4.166.11]) by femail3.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010418161041.PALC26961.femail3.sdc1.sfba.home.com@revelation>; Wed, 18 Apr 2001 09:10:41 -0700 Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch5@home.com> To: "'Russ Housley'" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Wed, 18 Apr 2001 09:15:58 -0700 Message-ID: <000001c0c822$dbbffe90$0e00a8c0@soaringhawk.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Russ, Two items: 1. You also need to change the text on the basic constraints extension. 2. This text implies to me that the cRLSign bit must be set for an OCSP responder (it does revocation information) is that what you want? jim > -----Original Message----- > From: Russ Housley [mailto:rhousley@rsasecurity.com] > Sent: Wednesday, April 18, 2001 8:07 AM > To: ietf-pkix@imc.org > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > Tim Polk and I just got off the phone. After a lengthy > discussion, we > propose a revision to the cRLSign discussion: > > The cRLSign bit is asserted when the subject public key is used > for verifying a signature on revocation information > (e.g., a CRL). > This bit MUST be asserted in CA certificates that are used to > verify signatures on CRLs. If the cRLSign bit is > asserted in a CA > certificate, then the cA bit in the basic constraints extension > (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is > asserted in a non-CA certificate, then the cA bit in the basic > constraints extension MUST NOT be asserted. Such non-CA > certificates MUST NOT be used to verify signatures on CRLs > containing revocation information for public key certificates; > however, these non-CA certificates MAY be used to verify > signatures on CRLs containing revocation information concerning > other types of certificates (e.g., attribute certificates). If > neither the cRLSign bit nor the keyCertSign bit are > asserted, then > the cA bit in the basic constraints extension MUST NOT be > asserted. > > Hey, this section was only one sentence in RFC 2459... > > Please let us know if anyone has any remaining concerns. > > Russ > > > At 09:25 AM 4/18/2001 -0400, Russ Housley wrote: > >Based on this discussion, I think that the working group wants the > >keyCertSign and cRLSign key usage text to read as follows: > > > > The keyCertSign bit is asserted when the subject public key is > > used for verifying a signature on public key > certificates. This > > bit MUST only be asserted in CA certificates. If the > keyCertSign > > bit is asserted, then the cA bit in the basic constraints > > extension (see 4.2.1.10) MUST also be asserted. If > neither the > > cRLSign bit nor the keyCertSign bit are asserted, > then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > > The cRLSign bit is asserted when the subject public > key is used > > for verifying a signature on certificate revocation > lists (CRLs). > > This bit MUST only be asserted in CA certificates and > Attribute > > Authority (AA) certificates. If the cRLSign bit is > asserted in a > > CA certificate, then the cA bit in the basic > constraints extension > > (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is > > asserted in an AA certificate, then the cA bit in the basic > > constraints extension MUST NOT be asserted. If neither the > > cRLSign bit nor the keyCertSign bit are asserted, > then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > >Let me know if you disagree. > > > >Russ > > > >At 02:31 PM 4/17/2001 +0100, Stephen Farrell wrote: > > > >>I'd also go along with Jim here - that an AA be allowed to > >>have cRLSign set without having cA set in basicConstraints, > >>i.e. that AA's be an exception to the general rule for EE's > >>and that this be explicitly called out in son-of-2459. I'm > >>assuming that keyCertSign is therefore not set for AA's too > >>(and the text for keyCertSign shouldn't say "certificates", > >>but "public key certificates"). > >> > >>Stephen. > >> > >>Jim Schaad wrote: > >> > > >> > Russ, > >> > > >> > > -----Original Message----- > >> > > From: Russ Housley [mailto:rhousley@rsasecurity.com] > >> > > Sent: Monday, April 16, 2001 10:33 AM > >> > > To: jimsch@exmsft.com > >> > > Cc: ietf-pkix@imc.org > >> > > Subject: Re: Last Call: > draft-ietf-pkix-new-part1-06.txt comments > >> > > > >> > > > >> > > Jim: > >> > > > >> > > >1. As currently written in section 4.2.1.3, it is not > >> > > possible for a non-CA > >> > > >CRL issuer to be created for attribute certificates. Was > >> > > this the final > >> > > >resolution of this issue? This seems to me to be > >> > > problematic as it means as > >> > > >an end-user one can issue an attribute certificate, but one > >> > > must always use > >> > > >a different agent, which is a CA, to issue the CRLs. This > >> > > means that all > >> > > >attribute CRL issuers are indirect. > >> > > > >> > > I do not recall a consensus on this point. Should an AA that > >> > > supports CRLs > >> > > have the cRLSign bit set in its public key certificate? If > >> > > so, this text > >> > > must change. > >> > > >> > I don't recall anything except private discussions on > this issue. It is > >> > here for the mailing list to comment on. > >> > > >> > It is my option that an AA that supports CRLs SHOULD > have the cRLSign bit > >> > set. Either that or we ask X509 to create AACertSign > and AACrlSign > >> bits and > >> > keep this current text as is. > >> > > >> > > > >> > > >2. Section 4.2.1.3, paragraph last: Current Text: "set in > >> > > An instantiation" > >> > > >modify to "set in an instantiation". > >> > > > >> > > Fixed. > >> > > > >> > > >3. Section 6.2 paragraph 2: change "prresented" to "presented" > >> > > > >> > > Fixed. > >> > > > >> > > >4. Section 6.2 paragraph 2: The text "For example, an > >> > > implementation may > >> > > >specify name constraints that apply to a specific trust > >> > > anchor." is diffcult > >> > > >for me given that the validation algorithm explicitly states > >> > > that name > >> > > >constraints are not applied to self signed > certificates. Suggest "For > >> > > >example, an implemenation may modify the algorithm to apply > >> > > name constaints > >> > > >during the initialization phase." > >> > > > >> > > Self-signed certificates are a common mechanism for > >> > > distributing public > >> > > keys for trust anchors, but they are not a mandated > >> > > mechanism. That said, > >> > > I think that your text it an improvement. How about a hybrid: > >> > > > >> > > For example, an implementation MAY modify the algorithm > >> > > to apply name constraints to a specific trust anchor > >> > > during the initialization phase. > >> > > >> > I have no problems with this new text. > >> > > >> > > > >> > > >5. ASN module: > >> > > >part1a.asn(352) : warning XXXXX: The imported symbol > 'id-ad' is never > >> > > >referenced > >> > > > >> > > Agree. I removed it. > >> > > > >> > > Russ > >> > > > >> > > > >> > > >> > jim > >> > >>-- > >>____________________________________________________________ > >>Stephen Farrell > >>Baltimore Technologies, tel: (direct line) +353 1 881 6716 > >>39 Parkgate Street, fax: +353 1 881 7000 > >>Dublin 8. mailto:stephen.farrell@baltimore.ie > >>Ireland http://www.baltimore.com > > Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA15849 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 08:23:23 -0700 (PDT) Received: by balinese.baltimore.ie; id QAA18337; Wed, 18 Apr 2001 16:23:22 +0100 (GMT/IST) Received: from emeairlsw1.ie.baltimore.com(10.153.25.53) by balinese.baltimore.ie via smap (V4.2) id xma017923; Wed, 18 Apr 01 16:22:37 +0100 Received: from bobcat.baltimore.ie (bobcat.ie.baltimore.com) by emeairlsw1.baltimore.com (Content Technologies SMTPRS 4.2.1) with ESMTP id <T52fe9af8520a99193519e@emeairlsw1.baltimore.com>; Wed, 18 Apr 2001 16:21:27 +0100 Received: from baltimore.ie (cis-flcat1.ie.baltimore.com [10.153.24.220]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id QAA14643; Wed, 18 Apr 2001 16:25:52 +0100 Message-ID: <3ADDB13C.D85E216A@baltimore.ie> Date: Wed, 18 Apr 2001 16:22:36 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Russ Housley <rhousley@rsasecurity.com> CC: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit I thought it was clearer first time! But its still ok. Stephen. Russ Housley wrote: > > Tim Polk and I just got off the phone. After a lengthy discussion, we > propose a revision to the cRLSign discussion: > > The cRLSign bit is asserted when the subject public key is used > for verifying a signature on revocation information (e.g., a CRL). > This bit MUST be asserted in CA certificates that are used to > verify signatures on CRLs. If the cRLSign bit is asserted in a CA > certificate, then the cA bit in the basic constraints extension > (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is > asserted in a non-CA certificate, then the cA bit in the basic > constraints extension MUST NOT be asserted. Such non-CA > certificates MUST NOT be used to verify signatures on CRLs > containing revocation information for public key certificates; > however, these non-CA certificates MAY be used to verify > signatures on CRLs containing revocation information concerning > other types of certificates (e.g., attribute certificates). If > neither the cRLSign bit nor the keyCertSign bit are asserted, then > the cA bit in the basic constraints extension MUST NOT be > asserted. > > Hey, this section was only one sentence in RFC 2459... > > Please let us know if anyone has any remaining concerns. > > Russ > > At 09:25 AM 4/18/2001 -0400, Russ Housley wrote: > >Based on this discussion, I think that the working group wants the > >keyCertSign and cRLSign key usage text to read as follows: > > > > The keyCertSign bit is asserted when the subject public key is > > used for verifying a signature on public key certificates. This > > bit MUST only be asserted in CA certificates. If the keyCertSign > > bit is asserted, then the cA bit in the basic constraints > > extension (see 4.2.1.10) MUST also be asserted. If neither the > > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > > The cRLSign bit is asserted when the subject public key is used > > for verifying a signature on certificate revocation lists (CRLs). > > This bit MUST only be asserted in CA certificates and Attribute > > Authority (AA) certificates. If the cRLSign bit is asserted in a > > CA certificate, then the cA bit in the basic constraints extension > > (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is > > asserted in an AA certificate, then the cA bit in the basic > > constraints extension MUST NOT be asserted. If neither the > > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > > in the basic constraints extension MUST NOT be asserted. > > > >Let me know if you disagree. > > > >Russ > > > >At 02:31 PM 4/17/2001 +0100, Stephen Farrell wrote: > > > >>I'd also go along with Jim here - that an AA be allowed to > >>have cRLSign set without having cA set in basicConstraints, > >>i.e. that AA's be an exception to the general rule for EE's > >>and that this be explicitly called out in son-of-2459. I'm > >>assuming that keyCertSign is therefore not set for AA's too > >>(and the text for keyCertSign shouldn't say "certificates", > >>but "public key certificates"). > >> > >>Stephen. > >> > >>Jim Schaad wrote: > >> > > >> > Russ, > >> > > >> > > -----Original Message----- > >> > > From: Russ Housley [mailto:rhousley@rsasecurity.com] > >> > > Sent: Monday, April 16, 2001 10:33 AM > >> > > To: jimsch@exmsft.com > >> > > Cc: ietf-pkix@imc.org > >> > > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > >> > > > >> > > > >> > > Jim: > >> > > > >> > > >1. As currently written in section 4.2.1.3, it is not > >> > > possible for a non-CA > >> > > >CRL issuer to be created for attribute certificates. Was > >> > > this the final > >> > > >resolution of this issue? This seems to me to be > >> > > problematic as it means as > >> > > >an end-user one can issue an attribute certificate, but one > >> > > must always use > >> > > >a different agent, which is a CA, to issue the CRLs. This > >> > > means that all > >> > > >attribute CRL issuers are indirect. > >> > > > >> > > I do not recall a consensus on this point. Should an AA that > >> > > supports CRLs > >> > > have the cRLSign bit set in its public key certificate? If > >> > > so, this text > >> > > must change. > >> > > >> > I don't recall anything except private discussions on this issue. It is > >> > here for the mailing list to comment on. > >> > > >> > It is my option that an AA that supports CRLs SHOULD have the cRLSign bit > >> > set. Either that or we ask X509 to create AACertSign and AACrlSign > >> bits and > >> > keep this current text as is. > >> > > >> > > > >> > > >2. Section 4.2.1.3, paragraph last: Current Text: "set in > >> > > An instantiation" > >> > > >modify to "set in an instantiation". > >> > > > >> > > Fixed. > >> > > > >> > > >3. Section 6.2 paragraph 2: change "prresented" to "presented" > >> > > > >> > > Fixed. > >> > > > >> > > >4. Section 6.2 paragraph 2: The text "For example, an > >> > > implementation may > >> > > >specify name constraints that apply to a specific trust > >> > > anchor." is diffcult > >> > > >for me given that the validation algorithm explicitly states > >> > > that name > >> > > >constraints are not applied to self signed certificates. Suggest "For > >> > > >example, an implemenation may modify the algorithm to apply > >> > > name constaints > >> > > >during the initialization phase." > >> > > > >> > > Self-signed certificates are a common mechanism for > >> > > distributing public > >> > > keys for trust anchors, but they are not a mandated > >> > > mechanism. That said, > >> > > I think that your text it an improvement. How about a hybrid: > >> > > > >> > > For example, an implementation MAY modify the algorithm > >> > > to apply name constraints to a specific trust anchor > >> > > during the initialization phase. > >> > > >> > I have no problems with this new text. > >> > > >> > > > >> > > >5. ASN module: > >> > > >part1a.asn(352) : warning XXXXX: The imported symbol 'id-ad' is never > >> > > >referenced > >> > > > >> > > Agree. I removed it. > >> > > > >> > > Russ > >> > > > >> > > > >> > > >> > jim > >> > >>-- > >>____________________________________________________________ > >>Stephen Farrell > >>Baltimore Technologies, tel: (direct line) +353 1 881 6716 > >>39 Parkgate Street, fax: +353 1 881 7000 > >>Dublin 8. mailto:stephen.farrell@baltimore.ie > >>Ireland http://www.baltimore.com -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id IAA13363 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 08:08:04 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 18 Apr 2001 15:05:25 UT Received: from HOUSLEY-LAP.rsasecurity.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id LAA11714 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 11:08:02 -0400 (EDT) Message-Id: <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 18 Apr 2001 11:06:32 -0400 To: ietf-pkix@imc.org From: Russ Housley <rhousley@rsasecurity.com> Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments In-Reply-To: <5.0.1.4.2.20010418092053.01a9b370@exna07.securitydynamics. com> References: <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Tim Polk and I just got off the phone. After a lengthy discussion, we propose a revision to the cRLSign discussion: The cRLSign bit is asserted when the subject public key is used for verifying a signature on revocation information (e.g., a CRL). This bit MUST be asserted in CA certificates that are used to verify signatures on CRLs. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in a non-CA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. Such non-CA certificates MUST NOT be used to verify signatures on CRLs containing revocation information for public key certificates; however, these non-CA certificates MAY be used to verify signatures on CRLs containing revocation information concerning other types of certificates (e.g., attribute certificates). If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Hey, this section was only one sentence in RFC 2459... Please let us know if anyone has any remaining concerns. Russ At 09:25 AM 4/18/2001 -0400, Russ Housley wrote: >Based on this discussion, I think that the working group wants the >keyCertSign and cRLSign key usage text to read as follows: > > The keyCertSign bit is asserted when the subject public key is > used for verifying a signature on public key certificates. This > bit MUST only be asserted in CA certificates. If the keyCertSign > bit is asserted, then the cA bit in the basic constraints > extension (see 4.2.1.10) MUST also be asserted. If neither the > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > in the basic constraints extension MUST NOT be asserted. > > The cRLSign bit is asserted when the subject public key is used > for verifying a signature on certificate revocation lists (CRLs). > This bit MUST only be asserted in CA certificates and Attribute > Authority (AA) certificates. If the cRLSign bit is asserted in a > CA certificate, then the cA bit in the basic constraints extension > (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is > asserted in an AA certificate, then the cA bit in the basic > constraints extension MUST NOT be asserted. If neither the > cRLSign bit nor the keyCertSign bit are asserted, then the cA bit > in the basic constraints extension MUST NOT be asserted. > >Let me know if you disagree. > >Russ > >At 02:31 PM 4/17/2001 +0100, Stephen Farrell wrote: > >>I'd also go along with Jim here - that an AA be allowed to >>have cRLSign set without having cA set in basicConstraints, >>i.e. that AA's be an exception to the general rule for EE's >>and that this be explicitly called out in son-of-2459. I'm >>assuming that keyCertSign is therefore not set for AA's too >>(and the text for keyCertSign shouldn't say "certificates", >>but "public key certificates"). >> >>Stephen. >> >>Jim Schaad wrote: >> > >> > Russ, >> > >> > > -----Original Message----- >> > > From: Russ Housley [mailto:rhousley@rsasecurity.com] >> > > Sent: Monday, April 16, 2001 10:33 AM >> > > To: jimsch@exmsft.com >> > > Cc: ietf-pkix@imc.org >> > > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments >> > > >> > > >> > > Jim: >> > > >> > > >1. As currently written in section 4.2.1.3, it is not >> > > possible for a non-CA >> > > >CRL issuer to be created for attribute certificates. Was >> > > this the final >> > > >resolution of this issue? This seems to me to be >> > > problematic as it means as >> > > >an end-user one can issue an attribute certificate, but one >> > > must always use >> > > >a different agent, which is a CA, to issue the CRLs. This >> > > means that all >> > > >attribute CRL issuers are indirect. >> > > >> > > I do not recall a consensus on this point. Should an AA that >> > > supports CRLs >> > > have the cRLSign bit set in its public key certificate? If >> > > so, this text >> > > must change. >> > >> > I don't recall anything except private discussions on this issue. It is >> > here for the mailing list to comment on. >> > >> > It is my option that an AA that supports CRLs SHOULD have the cRLSign bit >> > set. Either that or we ask X509 to create AACertSign and AACrlSign >> bits and >> > keep this current text as is. >> > >> > > >> > > >2. Section 4.2.1.3, paragraph last: Current Text: "set in >> > > An instantiation" >> > > >modify to "set in an instantiation". >> > > >> > > Fixed. >> > > >> > > >3. Section 6.2 paragraph 2: change "prresented" to "presented" >> > > >> > > Fixed. >> > > >> > > >4. Section 6.2 paragraph 2: The text "For example, an >> > > implementation may >> > > >specify name constraints that apply to a specific trust >> > > anchor." is diffcult >> > > >for me given that the validation algorithm explicitly states >> > > that name >> > > >constraints are not applied to self signed certificates. Suggest "For >> > > >example, an implemenation may modify the algorithm to apply >> > > name constaints >> > > >during the initialization phase." >> > > >> > > Self-signed certificates are a common mechanism for >> > > distributing public >> > > keys for trust anchors, but they are not a mandated >> > > mechanism. That said, >> > > I think that your text it an improvement. How about a hybrid: >> > > >> > > For example, an implementation MAY modify the algorithm >> > > to apply name constraints to a specific trust anchor >> > > during the initialization phase. >> > >> > I have no problems with this new text. >> > >> > > >> > > >5. ASN module: >> > > >part1a.asn(352) : warning XXXXX: The imported symbol 'id-ad' is never >> > > >referenced >> > > >> > > Agree. I removed it. >> > > >> > > Russ >> > > >> > > >> > >> > jim >> >>-- >>____________________________________________________________ >>Stephen Farrell >>Baltimore Technologies, tel: (direct line) +353 1 881 6716 >>39 Parkgate Street, fax: +353 1 881 7000 >>Dublin 8. mailto:stephen.farrell@baltimore.ie >>Ireland http://www.baltimore.com Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id GAA07226 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 06:25:08 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 18 Apr 2001 13:22:29 UT Received: from HOUSLEY-LAP.rsasecurity.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id JAA02350 for <ietf-pkix@imc.org>; Wed, 18 Apr 2001 09:25:08 -0400 (EDT) Message-Id: <5.0.1.4.2.20010418092053.01a9b370@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 18 Apr 2001 09:25:01 -0400 To: ietf-pkix@imc.org From: Russ Housley <rhousley@rsasecurity.com> Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments In-Reply-To: <3ADC45A6.71B550EA@baltimore.ie> References: <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Based on this discussion, I think that the working group wants the keyCertSign and cRLSign key usage text to read as follows: The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates. This bit MUST only be asserted in CA certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. The cRLSign bit is asserted when the subject public key is used for verifying a signature on certificate revocation lists (CRLs). This bit MUST only be asserted in CA certificates and Attribute Authority (AA) certificates. If the cRLSign bit is asserted in a CA certificate, then the cA bit in the basic constraints extension (see 4.2.1.10) MUST also be asserted. If the cRLSign bit is asserted in an AA certificate, then the cA bit in the basic constraints extension MUST NOT be asserted. If neither the cRLSign bit nor the keyCertSign bit are asserted, then the cA bit in the basic constraints extension MUST NOT be asserted. Let me know if you disagree. Russ At 02:31 PM 4/17/2001 +0100, Stephen Farrell wrote: >I'd also go along with Jim here - that an AA be allowed to >have cRLSign set without having cA set in basicConstraints, >i.e. that AA's be an exception to the general rule for EE's >and that this be explicitly called out in son-of-2459. I'm >assuming that keyCertSign is therefore not set for AA's too >(and the text for keyCertSign shouldn't say "certificates", >but "public key certificates"). > >Stephen. > >Jim Schaad wrote: > > > > Russ, > > > > > -----Original Message----- > > > From: Russ Housley [mailto:rhousley@rsasecurity.com] > > > Sent: Monday, April 16, 2001 10:33 AM > > > To: jimsch@exmsft.com > > > Cc: ietf-pkix@imc.org > > > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > > > > > > > Jim: > > > > > > >1. As currently written in section 4.2.1.3, it is not > > > possible for a non-CA > > > >CRL issuer to be created for attribute certificates. Was > > > this the final > > > >resolution of this issue? This seems to me to be > > > problematic as it means as > > > >an end-user one can issue an attribute certificate, but one > > > must always use > > > >a different agent, which is a CA, to issue the CRLs. This > > > means that all > > > >attribute CRL issuers are indirect. > > > > > > I do not recall a consensus on this point. Should an AA that > > > supports CRLs > > > have the cRLSign bit set in its public key certificate? If > > > so, this text > > > must change. > > > > I don't recall anything except private discussions on this issue. It is > > here for the mailing list to comment on. > > > > It is my option that an AA that supports CRLs SHOULD have the cRLSign bit > > set. Either that or we ask X509 to create AACertSign and AACrlSign > bits and > > keep this current text as is. > > > > > > > > >2. Section 4.2.1.3, paragraph last: Current Text: "set in > > > An instantiation" > > > >modify to "set in an instantiation". > > > > > > Fixed. > > > > > > >3. Section 6.2 paragraph 2: change "prresented" to "presented" > > > > > > Fixed. > > > > > > >4. Section 6.2 paragraph 2: The text "For example, an > > > implementation may > > > >specify name constraints that apply to a specific trust > > > anchor." is diffcult > > > >for me given that the validation algorithm explicitly states > > > that name > > > >constraints are not applied to self signed certificates. Suggest "For > > > >example, an implemenation may modify the algorithm to apply > > > name constaints > > > >during the initialization phase." > > > > > > Self-signed certificates are a common mechanism for > > > distributing public > > > keys for trust anchors, but they are not a mandated > > > mechanism. That said, > > > I think that your text it an improvement. How about a hybrid: > > > > > > For example, an implementation MAY modify the algorithm > > > to apply name constraints to a specific trust anchor > > > during the initialization phase. > > > > I have no problems with this new text. > > > > > > > > >5. ASN module: > > > >part1a.asn(352) : warning XXXXX: The imported symbol 'id-ad' is never > > > >referenced > > > > > > Agree. I removed it. > > > > > > Russ > > > > > > > > > > jim > >-- >____________________________________________________________ >Stephen Farrell >Baltimore Technologies, tel: (direct line) +353 1 881 6716 >39 Parkgate Street, fax: +353 1 881 7000 >Dublin 8. mailto:stephen.farrell@baltimore.ie >Ireland http://www.baltimore.com Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA15257 for <ietf-pkix@imc.org>; Tue, 17 Apr 2001 13:18:06 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 17 Apr 2001 20:15:29 UT Received: from HOUSLEY-LAP.rsasecurity.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA23010; Tue, 17 Apr 2001 16:18:06 -0400 (EDT) Message-Id: <5.0.1.4.2.20010417120305.01b21da0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 17 Apr 2001 12:10:24 -0400 To: stephen.farrell@baltimore.ie From: Russ Housley <rhousley@rsasecurity.com> Subject: Re: Comments to PKIX AC profile Cc: ietf-pkix@imc.org In-Reply-To: <3ADC415C.CECBE1CB@baltimore.ie> References: <0B95FB5619B3D411817E006008A59259692963@wfhqex06.gfgsi.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Steve: I think that it is very important to align with the version 2 AC syntax in X.509-2000. Since we mandate the implementation of version 2 AC and the X.509-2000 version 1 AC syntax is not backward compatible with the original X.509-1997 AC syntax, I suggest that we drop the version 1 syntax from our document altogether. Does this approach raise concerns? Russ At 02:13 PM 4/17/2001 +0100, Stephen Farrell wrote: >Hi John, > >You're right about the EXPLICIT, but can't I just change the current >module to (the 509-2000 compatible) IMPLICIT tagging rather than add a >whole new module? (Maybe that's what you meant.) > >Same thing for clearance: I'll make the change you suggest. > >BTW: both of these break code, so anyone with code compliant to the >-06 I-D, who has a reason not to make the change should yell about >this now. > >Regards, >Stephen (who just hates sneaky tagging:-) > > >"Pawling, John" wrote: > > > > All, > > > > In a separate message, Stephen Henson reported an incompatibility between > > the Attribute Certificate (AC) ASN.1 syntaxes defined in the PKIX AC > Profile > > for Authorization <draft-ietf-pkix-ac509prof-06.txt> and draft 2000 X.509 > > Recommendation (4th Edition, Draft V7, 23 Feb 2001). > > The PKIX AC Profile, Appendix B, ASN.1 module includes "DEFINITIONS > EXPLICIT > > TAGS ::=", but the 2000 X.509 Recommendation ASN.1 module defining the AC > > syntax includes "DEFINITIONS IMPLICIT TAGS ::=". Recommend that the > PKIX AC > > Profile should be changed so that the AC ASN.1 syntax is equivalent (i.e. > > produces the identical ASN.1 hex encoding) to that defined in the draft > 2000 > > X.509 Recommendation. This could be accomplished by moving the AC syntax > > definition (and component syntax definitions) from the existing Appendix B > > module to a new ASN.1 module that includes "DEFINITIONS IMPLICIT TAGS ::=". > > That is the strategy used in the draft 2000 X.509 Recommendation. > > > > Also, recommend that ac509prof-06 file should be changed so that the > > Clearance attribute ASN.1 syntax defined in Appendix B is equivalent to > that > > defined in X.501. X.501 defines the Clearance attribute syntax using > > AUTOMATIC TAGS. The Clearance attribute syntax in the PKIX AC profile > > should be changed as follows to be consistent with X.501: > > > > Clearance ::= SEQUENCE > > { > > policyId > > [0] OBJECT IDENTIFIER, > > classList > > [1] ClassList DEFAULT {unclassified}, > > securityCategories > > [2] SET OF SecurityCategory OPTIONAL > > } > > > > =========================================== > > John Pawling, John.Pawling@GetronicsGov.com > > Getronics Government Solutions, LLC > > =========================================== > >-- >____________________________________________________________ >Stephen Farrell >Baltimore Technologies, tel: (direct line) +353 1 881 6716 >39 Parkgate Street, fax: +353 1 881 7000 >Dublin 8. mailto:stephen.farrell@baltimore.ie >Ireland http://www.baltimore.com Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA09636 for <ietf-pkix@imc.org>; Tue, 17 Apr 2001 12:19:23 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JDJ8PVW4>; Tue, 17 Apr 2001 15:18:53 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F8F@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "500 list (E-mail)" <osidirectory@az05.bull.com> Cc: "pkix (E-mail)" <ietf-pkix@imc.org> Subject: New Defect Report on X.509 Date: Tue, 17 Apr 2001 15:13:39 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C772.82519E00" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C772.82519E00 Content-Type: text/plain; charset="iso-8859-1" Based on a requirement from the IETF PKIX WG and their profile of X.509 public-key certificates, I've raised a new defect report on X.509 (DR 278). The DR proposes modifying the text of clause 8.4.2.6 (4th edition) to lift the restriction that the freshestCRL extension be ONLY a certificate extension. This change aligns with the PKIX use of freshestCRL as a CRL extension. The full DR can be obtained at: ftp://ftp.bull.com/pub/OSIdirectory/DefectResolution/DefectReports/X.509andR elated/DR_278.pdf Sharon ------_=_NextPart_001_01C0C772.82519E00 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>New Defect Report on X.509</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Based on a requirement from the IETF PKIX WG and = their profile of X.509 public-key certificates, I've raised a new = defect report on X.509 (DR 278). The DR proposes modifying the text of = clause 8.4.2.6 (4th edition) to lift the restriction that the = freshestCRL extension be ONLY a certificate extension. This change = aligns with the PKIX use of freshestCRL as a CRL extension. The full DR = can be obtained at:</FONT></P> <P><FONT SIZE=3D2><A = HREF=3D"ftp://ftp.bull.com/pub/OSIdirectory/DefectResolution/DefectRepor= ts/X.509andRelated/DR_278.pdf" = TARGET=3D"_blank">ftp://ftp.bull.com/pub/OSIdirectory/DefectResolution/D= efectReports/X.509andRelated/DR_278.pdf</A></FONT> </P> <BR> <P><FONT SIZE=3D2>Sharon</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C772.82519E00-- Received: from wfhqex05.gfgsi.com (netva01.getronicsgov.com [206.137.100.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA19298 for <ietf-pkix@imc.org>; Tue, 17 Apr 2001 07:14:54 -0700 (PDT) Received: by wfhqex05.gfgsi.com with Internet Mail Service (5.5.2650.21) id <H95FYW1D>; Tue, 17 Apr 2001 10:16:12 -0400 Message-ID: <0B95FB5619B3D411817E006008A592596929BD@wfhqex06.gfgsi.com> From: "Pawling, John" <John.Pawling@GetronicsGov.com> To: "'stephen.farrell@baltimore.ie'" <stephen.farrell@baltimore.ie> Cc: "ietf-pkix@imc. org (E-mail)" <ietf-pkix@imc.org> Subject: RE: Comments to PKIX AC profile Date: Tue, 17 Apr 2001 10:16:10 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Stephen, Thank you for your response. I agree that you can just change "DEFINITIONS EXPLICIT TAGS" to "DEFINITIONS IMPLICIT TAGS" in the current module. =========================================== John Pawling, John.Pawling@GetronicsGov.com Getronics Government Solutions, LLC =========================================== -----Original Message----- From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie] Sent: Tuesday, April 17, 2001 9:13 AM To: Pawling, John Cc: ietf-pkix@imc. org (E-mail) Subject: Re: Comments to PKIX AC profile Hi John, You're right about the EXPLICIT, but can't I just change the current module to (the 509-2000 compatible) IMPLICIT tagging rather than add a whole new module? (Maybe that's what you meant.) Same thing for clearance: I'll make the change you suggest. BTW: both of these break code, so anyone with code compliant to the -06 I-D, who has a reason not to make the change should yell about this now. Regards, Stephen (who just hates sneaky tagging:-) "Pawling, John" wrote: > > All, > > In a separate message, Stephen Henson reported an incompatibility between > the Attribute Certificate (AC) ASN.1 syntaxes defined in the PKIX AC Profile > for Authorization <draft-ietf-pkix-ac509prof-06.txt> and draft 2000 X.509 > Recommendation (4th Edition, Draft V7, 23 Feb 2001). > The PKIX AC Profile, Appendix B, ASN.1 module includes "DEFINITIONS EXPLICIT > TAGS ::=", but the 2000 X.509 Recommendation ASN.1 module defining the AC > syntax includes "DEFINITIONS IMPLICIT TAGS ::=". Recommend that the PKIX AC > Profile should be changed so that the AC ASN.1 syntax is equivalent (i.e. > produces the identical ASN.1 hex encoding) to that defined in the draft 2000 > X.509 Recommendation. This could be accomplished by moving the AC syntax > definition (and component syntax definitions) from the existing Appendix B > module to a new ASN.1 module that includes "DEFINITIONS IMPLICIT TAGS ::=". > That is the strategy used in the draft 2000 X.509 Recommendation. > > Also, recommend that ac509prof-06 file should be changed so that the > Clearance attribute ASN.1 syntax defined in Appendix B is equivalent to that > defined in X.501. X.501 defines the Clearance attribute syntax using > AUTOMATIC TAGS. The Clearance attribute syntax in the PKIX AC profile > should be changed as follows to be consistent with X.501: > > Clearance ::= SEQUENCE > { > policyId > [0] OBJECT IDENTIFIER, > classList > [1] ClassList DEFAULT {unclassified}, > securityCategories > [2] SET OF SecurityCategory OPTIONAL > } > > =========================================== > John Pawling, John.Pawling@GetronicsGov.com > Getronics Government Solutions, LLC > =========================================== -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA15751 for <ietf-pkix@imc.org>; Tue, 17 Apr 2001 06:32:17 -0700 (PDT) Received: by balinese.baltimore.ie; id OAA28713; Tue, 17 Apr 2001 14:32:17 +0100 (GMT/IST) Received: from emeairlsw1.ie.baltimore.com(10.153.25.53) by balinese.baltimore.ie via smap (V4.2) id xma028283; Tue, 17 Apr 01 14:31:20 +0100 Received: from bobcat.baltimore.ie (bobcat.ie.baltimore.com) by emeairlsw1.baltimore.com (Content Technologies SMTPRS 4.2.1) with ESMTP id <T52f90ebcf90a99193515a@emeairlsw1.baltimore.com>; Tue, 17 Apr 2001 14:30:10 +0100 Received: from baltimore.ie (cis-flcat1.ie.baltimore.com [10.153.24.220]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id OAA28743; Tue, 17 Apr 2001 14:34:29 +0100 Message-ID: <3ADC45A6.71B550EA@baltimore.ie> Date: Tue, 17 Apr 2001 14:31:18 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: jimsch@exmsft.com CC: "'Russ Housley'" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit I'd also go along with Jim here - that an AA be allowed to have cRLSign set without having cA set in basicConstraints, i.e. that AA's be an exception to the general rule for EE's and that this be explicitly called out in son-of-2459. I'm assuming that keyCertSign is therefore not set for AA's too (and the text for keyCertSign shouldn't say "certificates", but "public key certificates"). Stephen. Jim Schaad wrote: > > Russ, > > > -----Original Message----- > > From: Russ Housley [mailto:rhousley@rsasecurity.com] > > Sent: Monday, April 16, 2001 10:33 AM > > To: jimsch@exmsft.com > > Cc: ietf-pkix@imc.org > > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > > > > Jim: > > > > >1. As currently written in section 4.2.1.3, it is not > > possible for a non-CA > > >CRL issuer to be created for attribute certificates. Was > > this the final > > >resolution of this issue? This seems to me to be > > problematic as it means as > > >an end-user one can issue an attribute certificate, but one > > must always use > > >a different agent, which is a CA, to issue the CRLs. This > > means that all > > >attribute CRL issuers are indirect. > > > > I do not recall a consensus on this point. Should an AA that > > supports CRLs > > have the cRLSign bit set in its public key certificate? If > > so, this text > > must change. > > I don't recall anything except private discussions on this issue. It is > here for the mailing list to comment on. > > It is my option that an AA that supports CRLs SHOULD have the cRLSign bit > set. Either that or we ask X509 to create AACertSign and AACrlSign bits and > keep this current text as is. > > > > > >2. Section 4.2.1.3, paragraph last: Current Text: "set in > > An instantiation" > > >modify to "set in an instantiation". > > > > Fixed. > > > > >3. Section 6.2 paragraph 2: change "prresented" to "presented" > > > > Fixed. > > > > >4. Section 6.2 paragraph 2: The text "For example, an > > implementation may > > >specify name constraints that apply to a specific trust > > anchor." is diffcult > > >for me given that the validation algorithm explicitly states > > that name > > >constraints are not applied to self signed certificates. Suggest "For > > >example, an implemenation may modify the algorithm to apply > > name constaints > > >during the initialization phase." > > > > Self-signed certificates are a common mechanism for > > distributing public > > keys for trust anchors, but they are not a mandated > > mechanism. That said, > > I think that your text it an improvement. How about a hybrid: > > > > For example, an implementation MAY modify the algorithm > > to apply name constraints to a specific trust anchor > > during the initialization phase. > > I have no problems with this new text. > > > > > >5. ASN module: > > >part1a.asn(352) : warning XXXXX: The imported symbol 'id-ad' is never > > >referenced > > > > Agree. I removed it. > > > > Russ > > > > > > jim -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA13297 for <ietf-pkix@imc.org>; Tue, 17 Apr 2001 06:14:17 -0700 (PDT) Received: by balinese.baltimore.ie; id OAA23693; Tue, 17 Apr 2001 14:14:16 +0100 (GMT/IST) Received: from emeairlsw1.ie.baltimore.com(10.153.25.53) by balinese.baltimore.ie via smap (V4.2) id xma023458; Tue, 17 Apr 01 14:13:18 +0100 Received: from bobcat.baltimore.ie (bobcat.ie.baltimore.com) by emeairlsw1.baltimore.com (Content Technologies SMTPRS 4.2.1) with ESMTP id <T52f8fdfc080a99193515a@emeairlsw1.baltimore.com>; Tue, 17 Apr 2001 14:11:52 +0100 Received: from baltimore.ie (cis-flcat1.ie.baltimore.com [10.153.24.220]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id OAA27985; Tue, 17 Apr 2001 14:16:10 +0100 Message-ID: <3ADC415C.CECBE1CB@baltimore.ie> Date: Tue, 17 Apr 2001 14:13:00 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "Pawling, John" <John.Pawling@GetronicsGov.com> CC: "ietf-pkix@imc. org (E-mail)" <ietf-pkix@imc.org> Subject: Re: Comments to PKIX AC profile References: <0B95FB5619B3D411817E006008A59259692963@wfhqex06.gfgsi.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi John, You're right about the EXPLICIT, but can't I just change the current module to (the 509-2000 compatible) IMPLICIT tagging rather than add a whole new module? (Maybe that's what you meant.) Same thing for clearance: I'll make the change you suggest. BTW: both of these break code, so anyone with code compliant to the -06 I-D, who has a reason not to make the change should yell about this now. Regards, Stephen (who just hates sneaky tagging:-) "Pawling, John" wrote: > > All, > > In a separate message, Stephen Henson reported an incompatibility between > the Attribute Certificate (AC) ASN.1 syntaxes defined in the PKIX AC Profile > for Authorization <draft-ietf-pkix-ac509prof-06.txt> and draft 2000 X.509 > Recommendation (4th Edition, Draft V7, 23 Feb 2001). > The PKIX AC Profile, Appendix B, ASN.1 module includes "DEFINITIONS EXPLICIT > TAGS ::=", but the 2000 X.509 Recommendation ASN.1 module defining the AC > syntax includes "DEFINITIONS IMPLICIT TAGS ::=". Recommend that the PKIX AC > Profile should be changed so that the AC ASN.1 syntax is equivalent (i.e. > produces the identical ASN.1 hex encoding) to that defined in the draft 2000 > X.509 Recommendation. This could be accomplished by moving the AC syntax > definition (and component syntax definitions) from the existing Appendix B > module to a new ASN.1 module that includes "DEFINITIONS IMPLICIT TAGS ::=". > That is the strategy used in the draft 2000 X.509 Recommendation. > > Also, recommend that ac509prof-06 file should be changed so that the > Clearance attribute ASN.1 syntax defined in Appendix B is equivalent to that > defined in X.501. X.501 defines the Clearance attribute syntax using > AUTOMATIC TAGS. The Clearance attribute syntax in the PKIX AC profile > should be changed as follows to be consistent with X.501: > > Clearance ::= SEQUENCE > { > policyId > [0] OBJECT IDENTIFIER, > classList > [1] ClassList DEFAULT {unclassified}, > securityCategories > [2] SET OF SecurityCategory OPTIONAL > } > > =========================================== > John Pawling, John.Pawling@GetronicsGov.com > Getronics Government Solutions, LLC > =========================================== -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from balinese.baltimore.ie (firewall-user@pc215-8.indigo.ie [194.125.215.8]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA12621 for <ietf-pkix@imc.org>; Tue, 17 Apr 2001 06:05:17 -0700 (PDT) Received: by balinese.baltimore.ie; id OAA21739; Tue, 17 Apr 2001 14:05:17 +0100 (GMT/IST) Received: from emeairlsw1.ie.baltimore.com(10.153.25.53) by balinese.baltimore.ie via smap (V4.2) id xma021628; Tue, 17 Apr 01 14:04:39 +0100 Received: from bobcat.baltimore.ie (bobcat.ie.baltimore.com) by emeairlsw1.baltimore.com (Content Technologies SMTPRS 4.2.1) with ESMTP id <T52f8f64ea40a99193515a@emeairlsw1.baltimore.com>; Tue, 17 Apr 2001 14:03:29 +0100 Received: from baltimore.ie (cis-flcat1.ie.baltimore.com [10.153.24.220]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id OAA27620; Tue, 17 Apr 2001 14:07:47 +0100 Message-ID: <3ADC3F64.895C47B0@baltimore.ie> Date: Tue, 17 Apr 2001 14:04:37 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Hideyuki Odahara <odahara@dsa.isl.ntt.co.jp> CC: ietf-pkix@imc.org Subject: Re: attributes in AC References: <20010410173741.DB73.ODAHARA@dsa.isl.ntt.co.jp> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Slightly late response, but here it is... Syntactically, the access identity attribute can't have the authInfo field present. This basically means that you should use the access identity field if the relying party is willing to believe a straight assertion from the AA about the holder's identity. In theory that should be enough, but it turns out that there are many applications which still require a username & password to identify/authenticate a user, so the service auth info attribute allows support for such applications. As an example of where this might apply, say you inegrate the AC relying party code into a web server, with a set of web applications being called from the web server. Now some of those applications will simply accept a user identity passed from the web server, using say the ssl client or holder field for identity, others will have their own concept of usernames (so you can use the access identity for those), but still others will have their own username/password handling (so you can use service auth info and not bother the user with entry of additional passwords). Hope this makes it clearer, Stephen. Hideyuki Odahara wrote: > > Please teach me the difference of the use of > "Service Authentication Infomation" and "Access Identity" > in Attribute Certificate, and how to use the "Access Identity" > attribute if you have any concrete example. > > It is described that "this is a different use to that intended > for the svceAuthInfo attribute discribed in 4.4.1 above." at the > page 19 in the internet-draft(draft-ietf-pkix-ac509prof). > But there is no example what situation does it suit. > > thanks > > ---------- > Hideyuki Odahara $B!'(B odahara@dsa.isl.ntt.co.jp -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA06911 for <ietf-pkix@imc.org>; Mon, 16 Apr 2001 15:39:13 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA12218; Mon, 16 Apr 2001 18:39:04 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010403b70123bcc46f@[128.33.4.39]> In-Reply-To: <200104111733.TAA20049@emeriau.edelweb.fr> References: <200104111733.TAA20049@emeriau.edelweb.fr> Date: Mon, 16 Apr 2001 18:36:43 -0400 To: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> From: Stephen Kent <kent@bbn.com> Subject: Re: Meaning of Non-repudiation Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 7:33 PM +0200 4/11/01, Peter Sylvester wrote: >Effective only at time of generation seems somewhat difficult; >it always happens later. > >What is the essential difference between some authentication >handshake 'on line' or some exchange using S/MIME. > >Consider for example just signature on domain boundaries, > >Or between a user and and ISP relay in order to allow >relaying from authorized users etc. Non repudiation is largely an application layer issue, if one believes that a person is making a binding commitment when NR is mentioned. So, a signed authentication handshake might prove that someone accessed a site, but it does not say what the person did while accessing the site. Also, most authentication handshakes do not make provision for third party time stamping, an essential element of most non-repudiation schemes. So, no, I don't view those sorts of signed transactions as being the same as an S/MIME message. Steve Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA22858 for <ietf-pkix@imc.org>; Mon, 16 Apr 2001 12:11:54 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GBW00I01FZNQQ@ext-mail.valicert.com> for ietf-pkix@imc.org; Mon, 16 Apr 2001 12:11:47 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GBW00HKXFZMSD@ext-mail.valicert.com>; Mon, 16 Apr 2001 12:11:46 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR2635JM>; Mon, 16 Apr 2001 12:10:46 -0700 Content-return: allowed Date: Mon, 16 Apr 2001 12:10:45 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition To: "'Sharon Boeyen'" <sharon.boeyen@entrust.com> Cc: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E182C27@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: multipart/alternative; boundary="Boundary_(ID_FP5+iAhSY28L90bOh9gU2A)" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --Boundary_(ID_FP5+iAhSY28L90bOh9gU2A) Content-type: text/plain; charset="iso-8859-1" Sharon Might aswell ensure that the pointer class can be used in any type of certificate, any type of CRL, and any other type of "security token" contemplated by X.509. The signed XML work (outside IETF) is completing nicely, with application to cert management, biometric data, inter-domain messaging and authorization. Signed XML objects can benefit from the generalized standardization of references to RevocationLists in X.509. -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Monday, April 16, 2001 11:34 AM To: 'Russ Housley'; Sharon Boeyen Cc: ietf-pkix@imc.org Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition I'll raise a defect on the 509 list proposing this. I suspect it won't be controversial. Sharon -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Friday, April 13, 2001 2:26 PM To: Sharon Boeyen Cc: ietf-pkix@imc.org Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition Sharon: The inclusion of freshestCRL in either a certificate or CRL has been in the document for quite some time. I think that it is very attractive for the "pointer" within a certificate or CRL to have the same syntax and semantics. If X.509 can accommodate this approach, I think it would be very helpful. I know that at least one implementation is using this approach. Russ At 07:33 PM 4/11/2001 -0400, Sharon Boeyen wrote: David, I think this is a problem because X.509 states that the freshest CRL extension SHALL only be used as a certificate extension. The extension is identified by its OID and any other use of that OID is non conformant with its definition. X.509 currently has the delta info extension to point from a CRL to related delta CRLs. If the syntax of that extension is insufficient, then one of the following should happen: - a new extension is defined that meets the need - syntax of delta info extension is extended or modified to satisfy the need - text for freshest CRL extension is modified to allow it to be a certificate as well as a CRL extension. The 3rd one sounds the simplest and least destructive. Since we are about to send the current set of defects out for final ballot, this is timely. I don't recall specific discussion that drove the freshest CRL to be a certificate only extension, but I think the text was basically modelled after CRL DP extension. Is there firm agreement in PKIX that this is required? If so, we should propose the change to the 509 list - This could either be done as part of the current enhancements work (similar to the change that will allow subjectDirectoryAttributes to be set as a critical extension) or it might be suitable for the defect process. Cheers, Sharon --Boundary_(ID_FP5+iAhSY28L90bOh9gU2A) Content-type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META content="MSHTML 5.00.3103.1000" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001>Sharon</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001>Might aswell ensure that the pointer class can be used in any type</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001>of certificate, any type of CRL, and any other type of "security token"</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001>contemplated by </SPAN></FONT><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001>X.509.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001>The signed XML work (outside IETF) is completing nicely, with</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001>application to cert management, biometric data, inter-domain messaging </SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001>and authorization. </SPAN></FONT></DIV> <DIV> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=875055118-16042001>Signed XML objects</SPAN></FONT><FONT face=Arial><FONT color=#0000ff size=2><SPAN class=875055118-16042001> can benefit from</SPAN></FONT><FONT color=#0000ff size=2><SPAN class=875055118-16042001> the generalized standardization of </SPAN></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT color=#0000ff size=2><SPAN class=875055118-16042001>references to RevocationLists </SPAN></FONT></FONT><FONT face=Arial><FONT color=#0000ff size=2><SPAN class=875055118-16042001>in X.509.</SPAN></FONT></FONT></DIV> <DIV><FONT face=Arial><FONT color=#0000ff size=2><SPAN class=875055118-16042001></SPAN></FONT></FONT> </DIV> <DIV><FONT face=Tahoma><FONT size=2><SPAN class=875055118-16042001> </SPAN>-----Original Message-----<BR><B>From:</B> Sharon Boeyen [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Monday, April 16, 2001 11:34 AM<BR><B>To:</B> 'Russ Housley'; Sharon Boeyen<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: Extension name divergence between PKIX profile and X.509 4th Edition<BR><BR></DIV></FONT> <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"></FONT> <DIV><SPAN class=533013818-16042001><FONT color=#0000ff face=Arial size=2>I'll raise a defect on the 509 list proposing this. I suspect it won't be controversial.</FONT></SPAN></DIV> <DIV><SPAN class=533013818-16042001><FONT color=#0000ff face=Arial size=2></FONT></SPAN> </DIV> <DIV><SPAN class=533013818-16042001><FONT color=#0000ff face=Arial size=2>Sharon</FONT></SPAN></DIV> <BLOCKQUOTE dir=ltr style="BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px; PADDING-LEFT: 5px"> <DIV align=left class=OutlookMessageHeader dir=ltr><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Russ Housley [mailto:rhousley@rsasecurity.com]<BR><B>Sent:</B> Friday, April 13, 2001 2:26 PM<BR><B>To:</B> Sharon Boeyen<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: Extension name divergence between PKIX profile and X.509 4th Edition<BR><BR></FONT></DIV>Sharon:<BR><BR>The inclusion of freshestCRL in either a certificate or CRL has been in the document for quite some time. I think that it is very attractive for the "pointer" within a certificate or CRL to have the same syntax and semantics.<BR><BR>If X.509 can accommodate this approach, I think it would be very helpful. I know that at least one implementation is using this approach.<BR><BR>Russ<BR><BR><BR>At 07:33 PM 4/11/2001 -0400, Sharon Boeyen wrote:<BR> <BLOCKQUOTE class=cite type="cite" cite><FONT size=2>David, I think this is a problem because X.509 states that the <BR>freshest CRL extension SHALL only be used as a certificate extension. <BR>The extension is identified by its OID and any other use of that OID</FONT> <BR><FONT size=2>is non conformant with its definition. X.509 currently has the delta info extension to point</FONT> <BR><FONT size=2>from a CRL to related delta CRLs. If the syntax of that extension is <BR>insufficient, then one of the following should happen:</FONT> <BR><FONT size=2>- a new extension is defined that meets the need</FONT> <BR><FONT size=2>- syntax of delta info extension is extended or modified to satisfy the need</FONT> <BR><FONT size=2>- text for freshest CRL extension is modified to allow it to be a certificate <BR>as well as a CRL extension.</FONT> <BR><BR><FONT size=2>The 3rd one sounds the simplest and least destructive. Since we are about to send the current set of <BR>defects out for final ballot, this is timely. I don't recall specific discussion <BR>that drove the freshest CRL to be a certificate only extension, but I think the text was</FONT> <BR><FONT size=2>basically modelled after CRL DP extension. <BR><BR>Is there firm agreement in PKIX that this is required? If so, we should propose <BR>the change to the 509 list - This could either be done as part of the current enhancements <BR>work (similar to the change that will allow subjectDirectoryAttributes to be set as a critical</FONT> <BR><FONT size=2>extension) or it might be suitable for the defect process.</FONT> <BR><BR><FONT size=2>Cheers,</FONT> <BR><FONT size=2>Sharon</FONT> </BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> --Boundary_(ID_FP5+iAhSY28L90bOh9gU2A)-- Received: from femail3.sdc1.sfba.home.com (femail3.sdc1.sfba.home.com [24.0.95.83]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA22265 for <ietf-pkix@imc.org>; Mon, 16 Apr 2001 11:56:50 -0700 (PDT) Received: from revelation ([65.4.166.11]) by femail3.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010416185421.CJAW26961.femail3.sdc1.sfba.home.com@revelation>; Mon, 16 Apr 2001 11:54:21 -0700 Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch5@home.com> To: "'Russ Housley'" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> Subject: RE: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Mon, 16 Apr 2001 11:59:33 -0700 Message-ID: <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <5.0.1.4.2.20010416115432.01b4dad0@exna07.securitydynamics.com> Russ, > -----Original Message----- > From: Russ Housley [mailto:rhousley@rsasecurity.com] > Sent: Monday, April 16, 2001 10:33 AM > To: jimsch@exmsft.com > Cc: ietf-pkix@imc.org > Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments > > > Jim: > > >1. As currently written in section 4.2.1.3, it is not > possible for a non-CA > >CRL issuer to be created for attribute certificates. Was > this the final > >resolution of this issue? This seems to me to be > problematic as it means as > >an end-user one can issue an attribute certificate, but one > must always use > >a different agent, which is a CA, to issue the CRLs. This > means that all > >attribute CRL issuers are indirect. > > I do not recall a consensus on this point. Should an AA that > supports CRLs > have the cRLSign bit set in its public key certificate? If > so, this text > must change. I don't recall anything except private discussions on this issue. It is here for the mailing list to comment on. It is my option that an AA that supports CRLs SHOULD have the cRLSign bit set. Either that or we ask X509 to create AACertSign and AACrlSign bits and keep this current text as is. > > >2. Section 4.2.1.3, paragraph last: Current Text: "set in > An instantiation" > >modify to "set in an instantiation". > > Fixed. > > >3. Section 6.2 paragraph 2: change "prresented" to "presented" > > Fixed. > > >4. Section 6.2 paragraph 2: The text "For example, an > implementation may > >specify name constraints that apply to a specific trust > anchor." is diffcult > >for me given that the validation algorithm explicitly states > that name > >constraints are not applied to self signed certificates. Suggest "For > >example, an implemenation may modify the algorithm to apply > name constaints > >during the initialization phase." > > Self-signed certificates are a common mechanism for > distributing public > keys for trust anchors, but they are not a mandated > mechanism. That said, > I think that your text it an improvement. How about a hybrid: > > For example, an implementation MAY modify the algorithm > to apply name constraints to a specific trust anchor > during the initialization phase. I have no problems with this new text. > > >5. ASN module: > >part1a.asn(352) : warning XXXXX: The imported symbol 'id-ad' is never > >referenced > > Agree. I removed it. > > Russ > > jim Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA21547 for <ietf-pkix@imc.org>; Mon, 16 Apr 2001 11:39:25 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <JB2AFC7P>; Mon, 16 Apr 2001 14:38:57 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F7B@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Russ Housley'" <rhousley@rsasecurity.com>, Sharon Boeyen <sharon.boeyen@entrust.com> Cc: ietf-pkix@imc.org Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition Date: Mon, 16 Apr 2001 14:33:45 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C6A3.C550CE30" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C6A3.C550CE30 Content-Type: text/plain I'll raise a defect on the 509 list proposing this. I suspect it won't be controversial. Sharon -----Original Message----- From: Russ Housley [mailto:rhousley@rsasecurity.com] Sent: Friday, April 13, 2001 2:26 PM To: Sharon Boeyen Cc: ietf-pkix@imc.org Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition Sharon: The inclusion of freshestCRL in either a certificate or CRL has been in the document for quite some time. I think that it is very attractive for the "pointer" within a certificate or CRL to have the same syntax and semantics. If X.509 can accommodate this approach, I think it would be very helpful. I know that at least one implementation is using this approach. Russ At 07:33 PM 4/11/2001 -0400, Sharon Boeyen wrote: David, I think this is a problem because X.509 states that the freshest CRL extension SHALL only be used as a certificate extension. The extension is identified by its OID and any other use of that OID is non conformant with its definition. X.509 currently has the delta info extension to point from a CRL to related delta CRLs. If the syntax of that extension is insufficient, then one of the following should happen: - a new extension is defined that meets the need - syntax of delta info extension is extended or modified to satisfy the need - text for freshest CRL extension is modified to allow it to be a certificate as well as a CRL extension. The 3rd one sounds the simplest and least destructive. Since we are about to send the current set of defects out for final ballot, this is timely. I don't recall specific discussion that drove the freshest CRL to be a certificate only extension, but I think the text was basically modelled after CRL DP extension. Is there firm agreement in PKIX that this is required? If so, we should propose the change to the 509 list - This could either be done as part of the current enhancements work (similar to the change that will allow subjectDirectoryAttributes to be set as a critical extension) or it might be suitable for the defect process. Cheers, Sharon ------_=_NextPart_001_01C0C6A3.C550CE30 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=US-ASCII"> <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD> <BODY> <DIV><SPAN class=533013818-16042001><FONT face=Arial color=#0000ff size=2>I'll raise a defect on the 509 list proposing this. I suspect it won't be controversial.</FONT></SPAN></DIV> <DIV><SPAN class=533013818-16042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=533013818-16042001><FONT face=Arial color=#0000ff size=2>Sharon</FONT></SPAN></DIV> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Russ Housley [mailto:rhousley@rsasecurity.com]<BR><B>Sent:</B> Friday, April 13, 2001 2:26 PM<BR><B>To:</B> Sharon Boeyen<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: Extension name divergence between PKIX profile and X.509 4th Edition<BR><BR></FONT></DIV>Sharon:<BR><BR>The inclusion of freshestCRL in either a certificate or CRL has been in the document for quite some time. I think that it is very attractive for the "pointer" within a certificate or CRL to have the same syntax and semantics.<BR><BR>If X.509 can accommodate this approach, I think it would be very helpful. I know that at least one implementation is using this approach.<BR><BR>Russ<BR><BR><BR>At 07:33 PM 4/11/2001 -0400, Sharon Boeyen wrote:<BR> <BLOCKQUOTE class=cite cite type="cite"><FONT size=2>David, I think this is a problem because X.509 states that the <BR>freshest CRL extension SHALL only be used as a certificate extension. <BR>The extension is identified by its OID and any other use of that OID</FONT> <BR><FONT size=2>is non conformant with its definition. X.509 currently has the delta info extension to point</FONT> <BR><FONT size=2>from a CRL to related delta CRLs. If the syntax of that extension is <BR>insufficient, then one of the following should happen:</FONT> <BR><FONT size=2>- a new extension is defined that meets the need</FONT> <BR><FONT size=2>- syntax of delta info extension is extended or modified to satisfy the need</FONT> <BR><FONT size=2>- text for freshest CRL extension is modified to allow it to be a certificate <BR>as well as a CRL extension.</FONT> <BR><BR><FONT size=2>The 3rd one sounds the simplest and least destructive. Since we are about to send the current set of <BR>defects out for final ballot, this is timely. I don't recall specific discussion <BR>that drove the freshest CRL to be a certificate only extension, but I think the text was</FONT> <BR><FONT size=2>basically modelled after CRL DP extension. <BR><BR>Is there firm agreement in PKIX that this is required? If so, we should propose <BR>the change to the 509 list - This could either be done as part of the current enhancements <BR>work (similar to the change that will allow subjectDirectoryAttributes to be set as a critical</FONT> <BR><FONT size=2>extension) or it might be suitable for the defect process.</FONT> <BR><BR><FONT size=2>Cheers,</FONT> <BR><FONT size=2>Sharon</FONT> </BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0C6A3.C550CE30-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA20864 for <ietf-pkix@imc.org>; Mon, 16 Apr 2001 11:26:37 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 16 Apr 2001 18:24:01 UT Received: from HOUSLEY-LAP.rsasecurity.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA02628; Mon, 16 Apr 2001 14:26:24 -0400 (EDT) Message-Id: <5.0.1.4.2.20010416115432.01b4dad0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 16 Apr 2001 13:32:49 -0400 To: jimsch@exmsft.com From: Russ Housley <rhousley@rsasecurity.com> Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments Cc: ietf-pkix@imc.org In-Reply-To: <001701c0c472$b141a8c0$0e00a8c0@soaringhawk.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Jim: >1. As currently written in section 4.2.1.3, it is not possible for a non-CA >CRL issuer to be created for attribute certificates. Was this the final >resolution of this issue? This seems to me to be problematic as it means as >an end-user one can issue an attribute certificate, but one must always use >a different agent, which is a CA, to issue the CRLs. This means that all >attribute CRL issuers are indirect. I do not recall a consensus on this point. Should an AA that supports CRLs have the cRLSign bit set in its public key certificate? If so, this text must change. >2. Section 4.2.1.3, paragraph last: Current Text: "set in An instantiation" >modify to "set in an instantiation". Fixed. >3. Section 6.2 paragraph 2: change "prresented" to "presented" Fixed. >4. Section 6.2 paragraph 2: The text "For example, an implementation may >specify name constraints that apply to a specific trust anchor." is diffcult >for me given that the validation algorithm explicitly states that name >constraints are not applied to self signed certificates. Suggest "For >example, an implemenation may modify the algorithm to apply name constaints >during the initialization phase." Self-signed certificates are a common mechanism for distributing public keys for trust anchors, but they are not a mandated mechanism. That said, I think that your text it an improvement. How about a hybrid: For example, an implementation MAY modify the algorithm to apply name constraints to a specific trust anchor during the initialization phase. >5. ASN module: >part1a.asn(352) : warning XXXXX: The imported symbol 'id-ad' is never >referenced Agree. I removed it. Russ Received: from KVRA ([211.217.77.46]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA14071; Sat, 14 Apr 2001 08:39:40 -0700 (PDT) From: Sabrina_B@btts.net Message-ID: <000079eb7bf9$0000089b$000056d3@btts.net> To: <moneysavers@paynomore.org> Subject: Customer Care Center 22227 Date: Fri, 13 Apr 2001 06:05:59 -0800 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 1 X-MSMail-Priority: High <HTML> <BODY> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD>= <TITLE>Take Control Of Your Conference Calls</TITLE><META http-equiv=3DCon= tent-Type content=3D"text/html; charset=3Dwindows-1252"><META content=3D"M= SHTML 5.50.4134.100" name=3DGENERATOR></HEAD><BODY vLink=3D#c0c0c0 link=3D= #c0c0c0 bgColor=3D#000000 leftMargin=3D0><PRE><FONT face=3Darial,helvetica= ><HEAD><META content=3DFrontPage.Editor.Document name=3DProgId><DIV align=3D= center><CENTER><TABLE height=3D789 cellSpacing=3D0 cellPadding=3D0 width=3D= 602 border=3D0><TBODY><TR vAlign=3Dtop><TD width=3D602 height=3D452><DIV a= lign=3Dcenter><TABLE width=3D470 border=3D0><TBODY><TR><TD><P align=3Dcent= er><FONT color=3D#0000ff size=3D7><B><FONT color=3D999999 size=3D6>Why Pay= More For Your </FONT></B></FONT><FONT color=3D#999999 size=3D6><B>Confere= nce Calls?</B></FONT></P></TD></TR></TBODY></TABLE><TABLE width=3D352 bord= er=3D0><TBODY><TR><TD><P align=3Dcenter><FONT color=3D#ff0000 size=3D5>Onl= y <U><B>.18 Cents </B></U>per minute (Including long distance!)</FONT></P>= </TD></TR></TBODY></TABLE></DIV><UL><UL><UL><UL><UL><LI><DIV align=3Dleft>= <FONT color=3D999999 size=3D3><B>No setup fees</B></FONT></DIV><LI><DIV al= ign=3Dleft><FONT color=3D999999 size=3D3><B>No contracts or monthly fees</= B></FONT></DIV><LI><DIV align=3Dleft><FONT color=3D999999 size=3D3><B>Call= anytime, from anywhere, to anywhere</B></FONT></DIV><LI><DIV align=3Dleft= ><FONT color=3D999999 size=3D3><B>International Dial In 18 cents per minut= e</B></FONT></DIV><LI><DIV align=3Dleft><FONT color=3D999999 size=3D3><B>C= onnects up to 100 participants</B></FONT></DIV><LI><DIV align=3Dleft><FONT= color=3D999999 size=3D3><B>Operator Help available 24/7</B></FONT></DIV><= /LI></UL></UL></UL></UL></UL><DIV align=3Dcenter><TABLE width=3D424 border= =3D0><TBODY><TR><TD><DIV align=3Dcenter><FONT color=3D#ff0000 size=3D6><B>= <FONT size=3D5>Get the best quality, the easiest to use,</FONT></B></FONT>= <FONT color=3D#ff0000 size=3D5><B>and lowest rate in the industry.</B></F= ONT></DIV></TD></TR></TBODY></TABLE><TABLE width=3D300 border=3D0><TBODY><= TR><TD height=3D73><DIV align=3Dcenter><P align=3Dcenter><FONT color=3D#99= 9999 size=3D4>If you like saving money, fill out the form below and one of= our consultants will contact you.</FONT></P></DIV></TD></TR></TBODY></TAB= LE></DIV></BLOCKQUOTE></BLOCKQUOTE><DIV align=3Dcenter><P align=3Dcenter><= FONT color=3D#ff0000 size=3D2>Required Input Field</FONT><FONT color=3D#ff= 0000 size=3D2>*</FONT></P><TABLE cellSpacing=3D0 borderColorDark=3D#333300= cellPadding=3D3 width=3D600 borderColorLight=3D#ffffcc><TBODY><TR><TD><FO= RM action=3D"mailto:inbox001@excite.com?subject=3DConference_Inquiry" meth= od=3Dpost encType=3Dtext/plain><DIV align=3Dcenter><TABLE width=3D"100%"><= TBODY><TR><TD width=3D"49%"><DIV align=3Dright><FONT face=3D"Arial, Helvet= ica, sans-serif" color=3D#ff0000 size=3D2>Name*</FONT></DIV></TD><TD width= =3D"51%"><FONT color=3D#ff0000><INPUT name=3DNAME> </FONT></TD></TR><TR><T= D width=3D"49%"><DIV align=3Dright><FONT face=3D"Arial, Helvetica, sans-se= rif" color=3D#ff0000 size=3D2>Web Address*</FONT></DIV></TD><TD width=3D"5= 1%"><FONT color=3D#ff0000><INPUT value=3Dhttp:// name=3DURL> </FONT></TD><= /TR><TR><TD width=3D"49%"><DIV align=3Dright><FONT face=3D"Arial, Helvetic= a, sans-serif" color=3D#ff0000 size=3D2>Company Name*</FONT></DIV></TD><TD= width=3D"51%"><FONT color=3D#ff0000><INPUT name=3DCOMPANY_NAME> </FONT></= TD></TR><TR><TD width=3D"49%"><DIV align=3Dright><FONT face=3D"Arial, Helv= etica, sans-serif" color=3D#ff0000 size=3D2>State</FONT></DIV></TD><TD wid= th=3D"51%"><FONT color=3D#ff0000><INPUT size=3D2 name=3DSTATE> </FONT></TD= ></TR><TR><TD width=3D"49%"><DIV align=3Dright><FONT face=3D"Arial, Helvet= ica, sans-serif" color=3D#ff0000 size=3D2>Business Phone*</FONT></DIV></TD= ><TD width=3D"51%"><FONT color=3D#ff0000><INPUT name=3DBUS_PHONE> </FONT><= /TD></TR><TR><TD width=3D"49%"><DIV align=3Dright><FONT face=3D"Arial, Hel= vetica, sans-serif" color=3D#ff0000 size=3D2>Home Phone</FONT></DIV></TD><= TD width=3D"51%"><FONT color=3D#ff0000><INPUT name=3DHOME_PHONE> </FONT></= TD></TR><TR><TD width=3D"49%"><DIV align=3Dright><FONT face=3D"Arial, Helv= etica, sans-serif" color=3D#ff0000 size=3D2>E-mail*</FONT></DIV></TD><TD w= idth=3D"51%"><FONT color=3D#ff0000><INPUT name=3DEMAIL> </FONT></TD></TR><= TR><TD width=3D"49%"><DIV align=3Dright><FONT face=3D"Arial, Helvetica, sa= ns-serif" color=3D#ff0000 size=3D2>Type of Business</FONT></DIV></TD><TD w= idth=3D"51%"><FONT color=3D#ff0000><INPUT name=3DTYPE_OF_BUSINESS> </FONT>= </TD></TR></TBODY></TABLE><P><BR>  = ; &= nbsp; &nb= sp; <DIV align=3Dcenter><INPUT type=3Dsubmit value=3D"Submit In= formation" name=3Dsubmit><P align=3Dcenter></BR><B></BR><FONT color=3D9999= 99 face=3D"Arial, Helvetica, sans-serif" size=3D5><P align=3Dcenter>This c= ould be your ad!</FONT></B><FONT face=3D"Arial, Helvetica, sans-serif" siz= e=3D2><BR><A href=3D"mailto:market202@excite.com?subject=3DDirect Marketin= g"><FONT color=3Dff0000>Click here to e-mail us your contact info</A>.</FO= NT></P><P align=3Dcenter><FONT face=3D"Arial, Helvetica, sans-serif" color= =3D#999999 size=3D1>This email is to those persons that have contacted Con= ference Calls for Less regarding available services or product information= . If this email is reaching you in error and you feel that you have not c= ontacted us, <A href=3D"mailto:rem0ve.@excite.com?subject=3DRemove_Confere= nce">click here</A>. We apologize and will gladly remove you from our mail= ing list.</FONT></P></DIV></DIV></BODY> </BODY> </HTML> Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.9.3/8.9.3) with SMTP id SAA06948 for <ietf-pkix@imc.org>; Fri, 13 Apr 2001 18:36:10 -0700 (PDT) Received: from 157.54.7.67 by mail2.microsoft.com (InterScan E-Mail VirusWall NT); Fri, 13 Apr 2001 18:35:44 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-04.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Fri, 13 Apr 2001 18:34:27 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: Updates to CMC draft. Date: Fri, 13 Apr 2001 18:34:28 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C01E3F1EB@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Updates to CMC draft. Thread-Index: AcCv+qI5R4X2WouPQ8eLA4qIXQ3nNwUiA3yQ From: "David Cross" <dcross@microsoft.com> To: <jimsch@exmsft.com>, "IETF-PKIX (E-mail)" <ietf-pkix@imc.org> X-OriginalArrivalTime: 14 Apr 2001 01:34:27.0682 (UTC) FILETIME=[0B5DA420:01C0C483] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id SAA06949 Jim: One item - 5.6 Transaction Management Control Attributes The transactionId attribute identifies a given transaction. It is used between client and server to manage the state of an operation. Clients MAY include a transactionID attribute in request messages. If the original request contains a transactionID attribute, all subsequent request and response messages MUST include the same transactionID attribute. A server MUST use only transactionIds in the outermost PKIdata object. TransactionIds on inner PKIdata objects are for intermediate entities. I think some clarification is in order for what the server SHOULD do. It is implied because the client MAY include the transactionID, but does cause some confusion for those reading for compliance. David B. Cross -----Original Message----- From: Jim Schaad [mailto:jimsch5@home.com] Sent: Sunday, March 18, 2001 2:27 PM To: IETF-PKIX (E-mail) Subject: Updates to CMC draft. I have released a new CMC draft to the mailing list. This message details the main changes in the draft from the RFC. 1. A new success/failure status structure has been defined to allow for secondary protocols to add new failure codes. This was found necessary/desirable when creating the Symmetric Key Distribution draft in the S/MIME working group. 2. A number of typos, edits and some unclear language was updated based on the mail messages that I have received. jim Received: from femail3.sdc1.sfba.home.com (femail3.sdc1.sfba.home.com [24.0.95.83]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA00541 for <ietf-pkix@imc.org>; Fri, 13 Apr 2001 16:34:38 -0700 (PDT) Received: from revelation ([65.4.166.11]) by femail3.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010413233211.FKSN13920.femail3.sdc1.sfba.home.com@revelation>; Fri, 13 Apr 2001 16:32:11 -0700 Reply-To: <jimsch@exmsft.com> From: "Jim Schaad" <jimsch5@home.com> To: "IETF-PKIX \(E-mail\)" <ietf-pkix@imc.org> Cc: "Russ Housley \(E-mail\)" <rhousley@rsasecurity.com>, "Tim Polk \(E-mail\)" <wpolk@nist.gov> Subject: Last Call: draft-ietf-pkix-new-part1-06.txt comments Date: Fri, 13 Apr 2001 16:37:23 -0700 Message-ID: <001701c0c472$b141a8c0$0e00a8c0@soaringhawk.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 1. As currently written in section 4.2.1.3, it is not possible for a non-CA CRL issuer to be created for attribute certificates. Was this the final resolution of this issue? This seems to me to be problematic as it means as an end-user one can issue an attribute certificate, but one must always use a different agent, which is a CA, to issue the CRLs. This means that all attribute CRL issuers are indirect. 2. Section 4.2.1.3, paragraph last: Current Text: "set in An instantiation" modify to "set in an instantiation". 3. Section 6.2 paragraph 2: change "prresented" to "presented" 4. Section 6.2 paragraph 2: The text "For example, an implementation may specify name constraints that apply to a specific trust anchor." is diffcult for me given that the validation algorithm explicitly states that name constraints are not applied to self signed certificates. Suggest "For example, an implemenation may modify the algorithm to apply name constaints during the initialization phase." 5. ASN module: part1a.asn(352) : warning XXXXX: The imported symbol 'id-ad' is never referenced jim Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id MAA13203 for <ietf-pkix@imc.org>; Fri, 13 Apr 2001 12:36:47 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 13 Apr 2001 19:34:15 UT Received: from HOUSLEY-LAP.rsasecurity.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id PAA22548; Fri, 13 Apr 2001 15:36:31 -0400 (EDT) Message-Id: <5.0.1.4.2.20010413142250.01b03148@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 13 Apr 2001 14:26:16 -0400 To: Sharon Boeyen <sharon.boeyen@entrust.com> From: Russ Housley <rhousley@rsasecurity.com> Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition Cc: ietf-pkix@imc.org In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F6B@sottmxs09.entrust .com> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> Sharon:<br> <br> The inclusion of freshestCRL in either a certificate or CRL has been in the document for quite some time. I think that it is very attractive for the "pointer" within a certificate or CRL to have the same syntax and semantics.<br> <br> If X.509 can accommodate this approach, I think it would be very helpful. I know that at least one implementation is using this approach.<br> <br> Russ<br> <br> <br> At 07:33 PM 4/11/2001 -0400, Sharon Boeyen wrote:<br> <blockquote type=cite class=cite cite><font size=2>David, I think this is a problem because X.509 states that the <br> freshest CRL extension SHALL only be used as a certificate extension. <br> The extension is identified by its OID and any other use of that OID</font> <br> <font size=2>is non conformant with its definition. X.509 currently has the delta info extension to point</font> <br> <font size=2>from a CRL to related delta CRLs. If the syntax of that extension is <br> insufficient, then one of the following should happen:</font> <br> <font size=2>- a new extension is defined that meets the need</font> <br> <font size=2>- syntax of delta info extension is extended or modified to satisfy the need</font> <br> <font size=2>- text for freshest CRL extension is modified to allow it to be a certificate <br> as well as a CRL extension.</font> <br> <br> <font size=2>The 3rd one sounds the simplest and least destructive. Since we are about to send the current set of <br> defects out for final ballot, this is timely. I don't recall specific discussion <br> that drove the freshest CRL to be a certificate only extension, but I think the text was</font> <br> <font size=2>basically modelled after CRL DP extension. <br> <br> Is there firm agreement in PKIX that this is required? If so, we should propose <br> the change to the 509 list - This could either be done as part of the current enhancements <br> work (similar to the change that will allow subjectDirectoryAttributes to be set as a critical</font> <br> <font size=2>extension) or it might be suitable for the defect process.</font> <br> <br> <font size=2>Cheers,</font> <br> <font size=2>Sharon</font> </blockquote></html> Received: from mailg.telia.com (mailg.telia.com [194.22.194.26]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA07849 for <ietf-pkix@imc.org>; Fri, 13 Apr 2001 03:42:22 -0700 (PDT) Received: from d1o69.telia.com (d1o69.telia.com [62.20.144.241]) by mailg.telia.com (8.11.2/8.11.0) with ESMTP id f3DAgLH08376 for <ietf-pkix@imc.org>; Fri, 13 Apr 2001 12:42:21 +0200 (CEST) Received: from mega (t7o69p237.telia.com [213.65.46.237]) by d1o69.telia.com (8.10.2/8.10.1) with SMTP id f3DAgKa29555 for <ietf-pkix@imc.org>; Fri, 13 Apr 2001 12:42:21 +0200 (CEST) Message-ID: <003901c0c406$243a9200$0200a8c0@vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "PKIX-List" <ietf-pkix@imc.org> Subject: Solving a hard MITM-problem Date: Fri, 13 Apr 2001 12:40:20 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id DAA07850 Hi All, Sorry for the ramblings regarding Domain-PKI etc. Nevertheless I wonder if you security experts could (without refraining to the impossibility of making secure serves, or claims that the EU will have a global employee- PKI running in September), seriously take a look on a problem that affect systems based on domain security in conjunction with user's with web-browsers. To this category belong: Purple, Shibboleth, MSFT's Passport(!), VISA's 3D Secure, and the coming OAISIS security services standard. ENTITIES: Client: browser-user associated with an Attribute Authority (AA). Relying Party (RP). The RP has a trust relationship with the AA. The client's relation to the RP is indirect (typically an AA representative). SCENARIO: The client wants to logon on a RP-controlled web-server with the use of an on-the-fly created "ticket" that an AA web-server issues to the client on demand. The ticket contains a redirect to an RP URL. PROBLEM DECRIPTION: The client (user) will (hopefully) to his/her "own" organization (AA), long-term authenticate using client-certificates which eliminates MITM-attacks using SSL. At least the AA is protected from fake clients. A potential problem with MITM SSL-attacks remains with the redirected client-to-RP server connection as it is not terminated by client-certificates as they are replaced by "tickets" that has no key/cert-binding to the client. I.e. a MITM-attacker could during the redirected SSL-connect to the RP (ticket consumer) "snatch" the ticket and get access to the client's resources at the RP. This attack on SSL has been described by others so it exists although it normally requires user to accept a rogue cert. So what to do? "Tweaking" SSL seems highly unlikely and I haven't come up with any nice tweaks that would work anyway. But I have found one *possible* way that could be implemented if schemes like Purple, Shibboleth and OASIS security services become mainstream: The AA (Attribute authority making redirected tickets) could in the redirect indicate that it expects the RP server-cert to be signed by a CA known/accepted by the AA through the use of an OCSP lookup URL + certID for the OCSP signer cert which is specified by the AA and that there must be one-to-one redirect host-name correlation or the redirect will not be carried out. I.e. this would be a [technically] rather simple "fix" in a browser. Could be migrated into browsers any day without giving unwanted side-effects or incompatibilities. What do U think? Regards Anders Rundgren Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id TAA06331 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 19:42:05 -0700 (PDT) Received: by exchange.cylink.com with Internet Mail Service (5.5.2650.21) id <2LAWZTX4>; Wed, 11 Apr 2001 19:37:54 -0700 Message-ID: <1BE57AA01A5ED411866500B0D049657B42A619@exchange.cylink.com> From: "Covey, Carlin" <ccovey@cylink.com> To: "'Sharon Boeyen '" <sharon.boeyen@entrust.com>, "''David A. Cooper' '" <david.cooper@nist.gov>, "''ietf-pkix@imc.org ' '" <ietf-pkix@imc.org> Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition Date: Wed, 11 Apr 2001 19:37:45 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Content-Type: text/plain; charset="iso-8859-1" Sharon and David, If X.509 is willing to accept "Freshest CRL" as both a certificate extension and a CRL extension, I prefer that option. - Carlin Covey Cylink Corp. -----Original Message----- From: Sharon Boeyen To: 'David A. Cooper'; 'ietf-pkix@imc.org ' Sent: 4/11/01 4:33 PM Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition David, I think this is a problem because X.509 states that the freshest CRL extension SHALL only be used as a certificate extension. The extension is identified by its OID and any other use of that OID is non conformant with its definition. X.509 currently has the delta info extension to point from a CRL to related delta CRLs. If the syntax of that extension is insufficient, then one of the following should happen: - a new extension is defined that meets the need - syntax of delta info extension is extended or modified to satisfy the need - text for freshest CRL extension is modified to allow it to be a certificate as well as a CRL extension. The 3rd one sounds the simplest and least destructive. Since we are about to send the current set of defects out for final ballot, this is timely. I don't recall specific discussion that drove the freshest CRL to be a certificate only extension, but I think the text was basically modelled after CRL DP extension. Is there firm agreement in PKIX that this is required? If so, we should propose the change to the 509 list - This could either be done as part of the current enhancements work (similar to the change that will allow subjectDirectoryAttributes to be set as a critical extension) or it might be suitable for the defect process. Cheers, Sharon > -----Original Message----- > From: David A. Cooper [ mailto:david.cooper@nist.gov <mailto:david.cooper@nist.gov> ] > Sent: Wednesday, April 11, 2001 5:31 PM > To: 'ietf-pkix@imc.org ' > Subject: Re: Extension name divergence between PKIX profile and X.509 > 4th Edition > > > Carlin, > > This is something that was briefly discussed on the list in > early March (see messages with the subject "RE: WG Last Call: > Son-of-2459: More about delta-CRLs" in the mail list > archive). I don't think there is any problem with what PKIX > has done. PKIX has simply chosen (1) not to include the > deltaInfo extension in its profile and (2) to specify a > private Internet extension for CRLs, freshestCRL. Granted, > the freshestCRL CRL extension uses the same OID as a > certificate-only extension defined in X.509. But, since the > syntax and semantics are the same and they are distinguished > by their location (certificate vs. CRL), I don't think this > should cause any confusion. > > During the earlier discussion, there seemed to be a desire by > some to specify whether the pointer to delta-CRLs should be > in the certificate or the CRL, and most seemed to prefer to > place this information in the CRL. If one is going to do > this, then there is the choice between the deltaInfo > extension and the freshestCRL extension. One possible > advantage of the freshestCRL extension over the deltaInfo > extension is that it is more flexible. Of course, this added > flexibility may mean additional implementation complexity. > > There wasn't really much of a debate in March over whether > delta-CRL information should be placed in certificates or > CRLs, and if in CRLs whether to use the PKIX freshestCRL > extension or the X.509 deltaInfo extension. If you have any > thoughts, I'd be interested in hearing them. > > Dave > > At 12:48 PM 4/11/01 -0700, Covey, Carlin wrote: > >There appears to be a bit of divergence between certain > extension names and > >definitions used in X.509 4th Edition > X.509_4thEditionDraftV6.pdf and the > >PKIX profile (draft-ietf-pkix-new-part1-05.txt). > > > >draft-ietf-pkix-new-part1-05.txt describes a "Freshest CRL" > extension (which > >is also called "Delta CRL Distribution Point"). The > extension is described > >in section 4.2.1.16, a subsection under 4.2 Standard > Certificate Extensions, > >and it is described again in section 5.2.6, a subsection > under 5.2 CRL > >Extensions. So according to the PKIX profile the extension > appears to be > >usable as either a certificate extension or a CRL extension, > with identical > >syntax. Section 8.6.2.6 of X.509 4th edition draft V6 > describes a "Freshest > >CRL Extension" with the same syntax as in the PKIX profile, > but says it > >shall be used only as a certificate extension. There is a > CRL extension > >defined in X.509 called "Delta Information extension" whose > usage appears to > >more or less match the PKIX CRL extension "Freshest CRL," > but whose syntax > >is not the same as the X.509 "Freshest CRL" certificate extension. > > > >Are my document versions out of date, or is this divergence > intentional, or > >is it time for a little mid-course correction? > > > >- Carlin Covey > > Cylink Corporation > > Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA26873 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 16:38:59 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <2W9NHL1Z>; Wed, 11 Apr 2001 19:38:32 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F6B@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'David A. Cooper'" <david.cooper@nist.gov>, "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: RE: Extension name divergence between PKIX profile and X.509 4th Edition Date: Wed, 11 Apr 2001 19:33:38 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C2DF.D58829A0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C2DF.D58829A0 Content-Type: text/plain David, I think this is a problem because X.509 states that the freshest CRL extension SHALL only be used as a certificate extension. The extension is identified by its OID and any other use of that OID is non conformant with its definition. X.509 currently has the delta info extension to point from a CRL to related delta CRLs. If the syntax of that extension is insufficient, then one of the following should happen: - a new extension is defined that meets the need - syntax of delta info extension is extended or modified to satisfy the need - text for freshest CRL extension is modified to allow it to be a certificate as well as a CRL extension. The 3rd one sounds the simplest and least destructive. Since we are about to send the current set of defects out for final ballot, this is timely. I don't recall specific discussion that drove the freshest CRL to be a certificate only extension, but I think the text was basically modelled after CRL DP extension. Is there firm agreement in PKIX that this is required? If so, we should propose the change to the 509 list - This could either be done as part of the current enhancements work (similar to the change that will allow subjectDirectoryAttributes to be set as a critical extension) or it might be suitable for the defect process. Cheers, Sharon > -----Original Message----- > From: David A. Cooper [mailto:david.cooper@nist.gov] > Sent: Wednesday, April 11, 2001 5:31 PM > To: 'ietf-pkix@imc.org ' > Subject: Re: Extension name divergence between PKIX profile and X.509 > 4th Edition > > > Carlin, > > This is something that was briefly discussed on the list in > early March (see messages with the subject "RE: WG Last Call: > Son-of-2459: More about delta-CRLs" in the mail list > archive). I don't think there is any problem with what PKIX > has done. PKIX has simply chosen (1) not to include the > deltaInfo extension in its profile and (2) to specify a > private Internet extension for CRLs, freshestCRL. Granted, > the freshestCRL CRL extension uses the same OID as a > certificate-only extension defined in X.509. But, since the > syntax and semantics are the same and they are distinguished > by their location (certificate vs. CRL), I don't think this > should cause any confusion. > > During the earlier discussion, there seemed to be a desire by > some to specify whether the pointer to delta-CRLs should be > in the certificate or the CRL, and most seemed to prefer to > place this information in the CRL. If one is going to do > this, then there is the choice between the deltaInfo > extension and the freshestCRL extension. One possible > advantage of the freshestCRL extension over the deltaInfo > extension is that it is more flexible. Of course, this added > flexibility may mean additional implementation complexity. > > There wasn't really much of a debate in March over whether > delta-CRL information should be placed in certificates or > CRLs, and if in CRLs whether to use the PKIX freshestCRL > extension or the X.509 deltaInfo extension. If you have any > thoughts, I'd be interested in hearing them. > > Dave > > At 12:48 PM 4/11/01 -0700, Covey, Carlin wrote: > >There appears to be a bit of divergence between certain > extension names and > >definitions used in X.509 4th Edition > X.509_4thEditionDraftV6.pdf and the > >PKIX profile (draft-ietf-pkix-new-part1-05.txt). > > > >draft-ietf-pkix-new-part1-05.txt describes a "Freshest CRL" > extension (which > >is also called "Delta CRL Distribution Point"). The > extension is described > >in section 4.2.1.16, a subsection under 4.2 Standard > Certificate Extensions, > >and it is described again in section 5.2.6, a subsection > under 5.2 CRL > >Extensions. So according to the PKIX profile the extension > appears to be > >usable as either a certificate extension or a CRL extension, > with identical > >syntax. Section 8.6.2.6 of X.509 4th edition draft V6 > describes a "Freshest > >CRL Extension" with the same syntax as in the PKIX profile, > but says it > >shall be used only as a certificate extension. There is a > CRL extension > >defined in X.509 called "Delta Information extension" whose > usage appears to > >more or less match the PKIX CRL extension "Freshest CRL," > but whose syntax > >is not the same as the X.509 "Freshest CRL" certificate extension. > > > >Are my document versions out of date, or is this divergence > intentional, or > >is it time for a little mid-course correction? > > > >- Carlin Covey > > Cylink Corporation > > ------_=_NextPart_001_01C0C2DF.D58829A0 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=US-ASCII"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: Extension name divergence between PKIX profile and X.509 4th Edition</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>David, I think this is a problem because X.509 states that the </FONT> <BR><FONT SIZE=2>freshest CRL extension SHALL only be used as a certificate extension. </FONT> <BR><FONT SIZE=2>The extension is identified by its OID and any other use of that OID</FONT> <BR><FONT SIZE=2>is non conformant with its definition. X.509 currently has the delta info extension to point</FONT> <BR><FONT SIZE=2>from a CRL to related delta CRLs. If the syntax of that extension is </FONT> <BR><FONT SIZE=2>insufficient, then one of the following should happen:</FONT> <BR><FONT SIZE=2>- a new extension is defined that meets the need</FONT> <BR><FONT SIZE=2>- syntax of delta info extension is extended or modified to satisfy the need</FONT> <BR><FONT SIZE=2>- text for freshest CRL extension is modified to allow it to be a certificate </FONT> <BR><FONT SIZE=2>as well as a CRL extension.</FONT> </P> <P><FONT SIZE=2>The 3rd one sounds the simplest and least destructive. Since we are about to send the current set of </FONT> <BR><FONT SIZE=2>defects out for final ballot, this is timely. I don't recall specific discussion </FONT> <BR><FONT SIZE=2>that drove the freshest CRL to be a certificate only extension, but I think the text was</FONT> <BR><FONT SIZE=2>basically modelled after CRL DP extension. </FONT> </P> <P><FONT SIZE=2>Is there firm agreement in PKIX that this is required? If so, we should propose </FONT> <BR><FONT SIZE=2>the change to the 509 list - This could either be done as part of the current enhancements </FONT> <BR><FONT SIZE=2>work (similar to the change that will allow subjectDirectoryAttributes to be set as a critical</FONT> <BR><FONT SIZE=2>extension) or it might be suitable for the defect process.</FONT> </P> <P><FONT SIZE=2>Cheers,</FONT> <BR><FONT SIZE=2>Sharon</FONT> <BR><FONT SIZE=2>> -----Original Message-----</FONT> <BR><FONT SIZE=2>> From: David A. Cooper [<A HREF="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</FONT> <BR><FONT SIZE=2>> Sent: Wednesday, April 11, 2001 5:31 PM</FONT> <BR><FONT SIZE=2>> To: 'ietf-pkix@imc.org '</FONT> <BR><FONT SIZE=2>> Subject: Re: Extension name divergence between PKIX profile and X.509</FONT> <BR><FONT SIZE=2>> 4th Edition</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Carlin,</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> This is something that was briefly discussed on the list in </FONT> <BR><FONT SIZE=2>> early March (see messages with the subject "RE: WG Last Call: </FONT> <BR><FONT SIZE=2>> Son-of-2459: More about delta-CRLs" in the mail list </FONT> <BR><FONT SIZE=2>> archive). I don't think there is any problem with what PKIX </FONT> <BR><FONT SIZE=2>> has done. PKIX has simply chosen (1) not to include the </FONT> <BR><FONT SIZE=2>> deltaInfo extension in its profile and (2) to specify a </FONT> <BR><FONT SIZE=2>> private Internet extension for CRLs, freshestCRL. Granted, </FONT> <BR><FONT SIZE=2>> the freshestCRL CRL extension uses the same OID as a </FONT> <BR><FONT SIZE=2>> certificate-only extension defined in X.509. But, since the </FONT> <BR><FONT SIZE=2>> syntax and semantics are the same and they are distinguished </FONT> <BR><FONT SIZE=2>> by their location (certificate vs. CRL), I don't think this </FONT> <BR><FONT SIZE=2>> should cause any confusion.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> During the earlier discussion, there seemed to be a desire by </FONT> <BR><FONT SIZE=2>> some to specify whether the pointer to delta-CRLs should be </FONT> <BR><FONT SIZE=2>> in the certificate or the CRL, and most seemed to prefer to </FONT> <BR><FONT SIZE=2>> place this information in the CRL. If one is going to do </FONT> <BR><FONT SIZE=2>> this, then there is the choice between the deltaInfo </FONT> <BR><FONT SIZE=2>> extension and the freshestCRL extension. One possible </FONT> <BR><FONT SIZE=2>> advantage of the freshestCRL extension over the deltaInfo </FONT> <BR><FONT SIZE=2>> extension is that it is more flexible. Of course, this added </FONT> <BR><FONT SIZE=2>> flexibility may mean additional implementation complexity.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> There wasn't really much of a debate in March over whether </FONT> <BR><FONT SIZE=2>> delta-CRL information should be placed in certificates or </FONT> <BR><FONT SIZE=2>> CRLs, and if in CRLs whether to use the PKIX freshestCRL </FONT> <BR><FONT SIZE=2>> extension or the X.509 deltaInfo extension. If you have any </FONT> <BR><FONT SIZE=2>> thoughts, I'd be interested in hearing them.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Dave</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> At 12:48 PM 4/11/01 -0700, Covey, Carlin wrote:</FONT> <BR><FONT SIZE=2>> >There appears to be a bit of divergence between certain </FONT> <BR><FONT SIZE=2>> extension names and</FONT> <BR><FONT SIZE=2>> >definitions used in X.509 4th Edition </FONT> <BR><FONT SIZE=2>> X.509_4thEditionDraftV6.pdf and the</FONT> <BR><FONT SIZE=2>> >PKIX profile (draft-ietf-pkix-new-part1-05.txt).</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >draft-ietf-pkix-new-part1-05.txt describes a "Freshest CRL" </FONT> <BR><FONT SIZE=2>> extension (which</FONT> <BR><FONT SIZE=2>> >is also called "Delta CRL Distribution Point"). The </FONT> <BR><FONT SIZE=2>> extension is described</FONT> <BR><FONT SIZE=2>> >in section 4.2.1.16, a subsection under 4.2 Standard </FONT> <BR><FONT SIZE=2>> Certificate Extensions,</FONT> <BR><FONT SIZE=2>> >and it is described again in section 5.2.6, a subsection </FONT> <BR><FONT SIZE=2>> under 5.2 CRL</FONT> <BR><FONT SIZE=2>> >Extensions. So according to the PKIX profile the extension </FONT> <BR><FONT SIZE=2>> appears to be</FONT> <BR><FONT SIZE=2>> >usable as either a certificate extension or a CRL extension, </FONT> <BR><FONT SIZE=2>> with identical</FONT> <BR><FONT SIZE=2>> >syntax. Section 8.6.2.6 of X.509 4th edition draft V6 </FONT> <BR><FONT SIZE=2>> describes a "Freshest</FONT> <BR><FONT SIZE=2>> >CRL Extension" with the same syntax as in the PKIX profile, </FONT> <BR><FONT SIZE=2>> but says it</FONT> <BR><FONT SIZE=2>> >shall be used only as a certificate extension. There is a </FONT> <BR><FONT SIZE=2>> CRL extension</FONT> <BR><FONT SIZE=2>> >defined in X.509 called "Delta Information extension" whose </FONT> <BR><FONT SIZE=2>> usage appears to</FONT> <BR><FONT SIZE=2>> >more or less match the PKIX CRL extension "Freshest CRL," </FONT> <BR><FONT SIZE=2>> but whose syntax</FONT> <BR><FONT SIZE=2>> >is not the same as the X.509 "Freshest CRL" certificate extension. </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >Are my document versions out of date, or is this divergence </FONT> <BR><FONT SIZE=2>> intentional, or</FONT> <BR><FONT SIZE=2>> >is it time for a little mid-course correction? </FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> >- Carlin Covey</FONT> <BR><FONT SIZE=2>> > Cylink Corporation</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C2DF.D58829A0-- Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA24630 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 15:51:50 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id SAA83796; Wed, 11 Apr 2001 18:49:53 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id SAA114292; Wed, 11 Apr 2001 18:46:17 -0400 Importance: Normal Subject: Re: Meaning of Non-repudiation To: Stephen Kent <kent@bbn.com> Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF1C0D33B9.A843F12B-ON85256A2B.007CECD7@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Wed, 11 Apr 2001 18:50:57 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 04/11/2001 06:51:19 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii IMHO, if X.509 had not been calling the bit in KeyUsage "non-repudiation" for some years, I would prefer to put "Persistent Data Authentication" into KeyUsage and define several different flavors of non-repudiation in ExtendedKeyUsage, profiling non-repudiation services in parallel with those ExtendedKeyUsage values. This would also allow us to define different levels of NR and put them into certificates in a natural way. However, they have been calling the bit "non-repudiation", and I'm not sure we can change its meaning on the installed base of certificates and on the X.509 group without an unusual level of unanimity and near-certainty that it won't break anything. Tom Gindin Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA19227 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 14:45:23 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Wed, 11 Apr 2001 15:44:52 -0600 Message-Id: <sad47bf4.030@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Wed, 11 Apr 2001 15:44:46 -0600 From: "Bob Jueneman" <BJUENEMAN@novell.com> To: <todd.glassey@att.net>, <dpkemp@missi.ncsc.mil> Cc: <ietf-pkix@imc.org> Subject: Re: Meaning of Non-repudiation Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id OAA19228 Oh, indeed it does. The OID refers to the Dewey decimal system number of a book on the shelf in the public library of Grand Forks, ND, which happens to be under water right now due to a flood, but if you go there and read the book, it will answer all of your questions. "42" Bob >>> <todd.glassey@att.net> 04/11/01 03:01PM >>> Actually by adding a simple OID structure to the NR bit this whole problem goes away. The OID represents the type of NR the bit signifies the state -- Regards, Todd > bjueneman@novell.com wrote: > > > > David, > > > > >...Here is the litmus test: do you agree that in > > >order to validate a signature on an S/MIME message (any message, for > > >any purpose, signed by any entity), the NR bit must be set? > > > > I certainly don't, because of the ambiguity caused by the uncertain > > legalisms. I note that the certificates issued by DoD and contained on > > the > > Common Access Card, even those issued to federal contractors, DO > > contain the NR bit, and for that reason I would be quite reluctant > > personally to use such a certificate. > > > That's why, if Steve doesn't want to change the name of the bit, > definitions are essential. Are we talking: > > 1) non-binding (ephemeral) authentication vs. binding (persistent) > signatures, or > > 2) non-legally-binding persistent signatures vs. legally-binding > persistent signatures. > > We haven't had any success in two years of attempting to come to grips > with 2. I agree with Ed Gerck that problem 2 is important, but it > cannot be solved with one bit in a certificate. I agree with you > that a bit that claims to address 2 should be deprecated. > > Problem 1 is easily solved with one bit, as long as the definitions > are unambiguous. It would be preferable to rename the bit because > the word NR is an obstacle to common understanding and agreement. > But if agreement and understanding can occur without changing the > name, that's fine with me. Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA17716 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 14:31:13 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id RAA16631 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 17:31:14 -0400 (EDT) Message-Id: <4.2.2.20010411171123.00a58100@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 11 Apr 2001 17:30:33 -0400 To: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: Extension name divergence between PKIX profile and X.509 4th Edition In-Reply-To: <1BE57AA01A5ED411866500B0D049657B42A618@exchange.cylink.com > Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Carlin, This is something that was briefly discussed on the list in early March (see messages with the subject "RE: WG Last Call: Son-of-2459: More about delta-CRLs" in the mail list archive). I don't think there is any problem with what PKIX has done. PKIX has simply chosen (1) not to include the deltaInfo extension in its profile and (2) to specify a private Internet extension for CRLs, freshestCRL. Granted, the freshestCRL CRL extension uses the same OID as a certificate-only extension defined in X.509. But, since the syntax and semantics are the same and they are distinguished by their location (certificate vs. CRL), I don't think this should cause any confusion. During the earlier discussion, there seemed to be a desire by some to specify whether the pointer to delta-CRLs should be in the certificate or the CRL, and most seemed to prefer to place this information in the CRL. If one is going to do this, then there is the choice between the deltaInfo extension and the freshestCRL extension. One possible advantage of the freshestCRL extension over the deltaInfo extension is that it is more flexible. Of course, this added flexibility may mean additional implementation complexity. There wasn't really much of a debate in March over whether delta-CRL information should be placed in certificates or CRLs, and if in CRLs whether to use the PKIX freshestCRL extension or the X.509 deltaInfo extension. If you have any thoughts, I'd be interested in hearing them. Dave At 12:48 PM 4/11/01 -0700, Covey, Carlin wrote: >There appears to be a bit of divergence between certain extension names and >definitions used in X.509 4th Edition X.509_4thEditionDraftV6.pdf and the >PKIX profile (draft-ietf-pkix-new-part1-05.txt). > >draft-ietf-pkix-new-part1-05.txt describes a "Freshest CRL" extension (which >is also called "Delta CRL Distribution Point"). The extension is described >in section 4.2.1.16, a subsection under 4.2 Standard Certificate Extensions, >and it is described again in section 5.2.6, a subsection under 5.2 CRL >Extensions. So according to the PKIX profile the extension appears to be >usable as either a certificate extension or a CRL extension, with identical >syntax. Section 8.6.2.6 of X.509 4th edition draft V6 describes a "Freshest >CRL Extension" with the same syntax as in the PKIX profile, but says it >shall be used only as a certificate extension. There is a CRL extension >defined in X.509 called "Delta Information extension" whose usage appears to >more or less match the PKIX CRL extension "Freshest CRL," but whose syntax >is not the same as the X.509 "Freshest CRL" certificate extension. > >Are my document versions out of date, or is this divergence intentional, or >is it time for a little mid-course correction? > >- Carlin Covey > Cylink Corporation Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA15596 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 14:10:37 -0700 (PDT) Received: from [128.33.238.44] (TC051.BBN.COM [128.33.238.51]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id RAA06180; Wed, 11 Apr 2001 17:10:37 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p0501040eb6fa50022227@[128.33.238.44]> In-Reply-To: <200104111705.NAA18984@stingray.missi.ncsc.mil> References: <4.3.2.7.2.20010406162323.00ae9dc0@poptop.llnl.gov> <200104091802.OAA03222@stingray.missi.ncsc.mil> <p0501040ab6fa32eff970@[128.33.238.44]> <200104111705.NAA18984@stingray.missi.ncsc.mil> Date: Wed, 11 Apr 2001 14:22:40 -0400 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> From: Stephen Kent <kent@bbn.com> Subject: Re: Meaning of Non-repudiation Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" David, >Stephen Kent wrote: >> >> I do not anticipate any change to the NR bit in X.509 nor in PKIX. > >Fair enough. But if the name of the bit is not changed, then the >definition must be clarified, to avoid the ambiguity evident below: > >> The main purpose for the NR bit is to allow a cert to be designated >> as NOT being associated with signatures used in NR transactions. This >> is a safety feature for the EE. By using a cert with the NR bit set >> to FALSE, the EE is explicitly stating that the signature generated >> with the corresponding private key is not be be considered binding, >> e.g., it is for authentication but not for non-repudiation. > >This is the problem - some people associate the words NR and "binding" >with "creating an obligation". > >I agree completely with your "not considered binding", as long as there >is an explicit statement that binding means persistent - i.e., effective >for some time after generation, as opposed to effective only at the >time of generation. Here is the litmus test: do you agree that in >order to validate a signature on an S/MIME message (any message, for >any purpose, signed by any entity), the NR bit must be set? I do view NR as a form of persistent authentication and integrity, but not all persistent forms are NR. Using your example, S/MIME offers me only one means of providing data origin authentication and integrity (at least when using RSA), i.e., signing a hash of the message I send. I want to be able to send an authenticated e-mail that says "Yes, I'll go along with that proposal" without risking that this informal message might later be construed to be a binding, non-repudiable communication. The NR bit should allow me to do that. I would like to have a different certificate (with a different key pair) reserved for transactions where I will be very careful about what I sign, where I sign it (not on some random machine with software unknown to me), etc. Steve Received: from mtiwmhc26.worldnet.att.net (mtiwmhc26.worldnet.att.net [204.127.131.51]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA15173 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 14:02:25 -0700 (PDT) From: todd.glassey@att.net Received: from webmail.worldnet.att.net ([204.127.135.29]) by mtiwmhc26.worldnet.att.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with SMTP id <20010411210142.CAWB21649.mtiwmhc26.worldnet.att.net@webmail.worldnet.att.net>; Wed, 11 Apr 2001 21:01:42 +0000 Received: from [161.215.27.111] by webmail.worldnet.att.net; Wed, 11 Apr 2001 21:01:42 +0000 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Cc: bjueneman@novell.com, ietf-pkix@imc.org Subject: Re: Meaning of Non-repudiation Date: Wed, 11 Apr 2001 21:01:42 +0000 X-Mailer: AT&T Message Center Version 1 (Mar 27 2001) Message-Id: <20010411210142.CAWB21649.mtiwmhc26.worldnet.att.net@webmail.worldnet.att.net> Actually by adding a simple OID structure to the NR bit this whole problem goes away. The OID represents the type of NR the bit signifies the state -- Regards, Todd > bjueneman@novell.com wrote: > > > > David, > > > > >...Here is the litmus test: do you agree that in > > >order to validate a signature on an S/MIME message (any message, for > > >any purpose, signed by any entity), the NR bit must be set? > > > > I certainly don't, because of the ambiguity caused by the uncertain > > legalisms. I note that the certificates issued by DoD and contained on > > the > > Common Access Card, even those issued to federal contractors, DO > > contain the NR bit, and for that reason I would be quite reluctant > > personally to use such a certificate. > > > That's why, if Steve doesn't want to change the name of the bit, > definitions are essential. Are we talking: > > 1) non-binding (ephemeral) authentication vs. binding (persistent) > signatures, or > > 2) non-legally-binding persistent signatures vs. legally-binding > persistent signatures. > > We haven't had any success in two years of attempting to come to grips > with 2. I agree with Ed Gerck that problem 2 is important, but it > cannot be solved with one bit in a certificate. I agree with you > that a bit that claims to address 2 should be deprecated. > > Problem 1 is easily solved with one bit, as long as the definitions > are unambiguous. It would be preferable to rename the bit because > the word NR is an obstacle to common understanding and agreement. > But if agreement and understanding can occur without changing the > name, that's fine with me. Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA11835 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 13:15:31 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id QAA27186; Wed, 11 Apr 2001 16:15:03 -0400 (EDT) Message-Id: <200104112015.QAA27182@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Wed, 11 Apr 2001 16:13:29 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: bjueneman@novell.com CC: ietf-pkix@imc.org Subject: Re: Meaning of Non-repudiation References: <200104111918.MAA07237@above.proper.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit bjueneman@novell.com wrote: > > David, > > >...Here is the litmus test: do you agree that in > >order to validate a signature on an S/MIME message (any message, for > >any purpose, signed by any entity), the NR bit must be set? > > I certainly don't, because of the ambiguity caused by the uncertain > legalisms. I note that the certificates issued by DoD and contained on > the > Common Access Card, even those issued to federal contractors, DO > contain the NR bit, and for that reason I would be quite reluctant > personally to use such a certificate. That's why, if Steve doesn't want to change the name of the bit, definitions are essential. Are we talking: 1) non-binding (ephemeral) authentication vs. binding (persistent) signatures, or 2) non-legally-binding persistent signatures vs. legally-binding persistent signatures. We haven't had any success in two years of attempting to come to grips with 2. I agree with Ed Gerck that problem 2 is important, but it cannot be solved with one bit in a certificate. I agree with you that a bit that claims to address 2 should be deprecated. Problem 1 is easily solved with one bit, as long as the definitions are unambiguous. It would be preferable to rename the bit because the word NR is an obstacle to common understanding and agreement. But if agreement and understanding can occur without changing the name, that's fine with me. Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA09586 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 12:52:46 -0700 (PDT) Received: by exchange.cylink.com with Internet Mail Service (5.5.2650.21) id <2LAWZS4C>; Wed, 11 Apr 2001 12:48:33 -0700 Message-ID: <1BE57AA01A5ED411866500B0D049657B42A618@exchange.cylink.com> From: "Covey, Carlin" <ccovey@cylink.com> To: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: Extension name divergence between PKIX profile and X.509 4th Edit ion Date: Wed, 11 Apr 2001 12:48:31 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Content-Type: text/plain; charset="iso-8859-1" There appears to be a bit of divergence between certain extension names and definitions used in X.509 4th Edition X.509_4thEditionDraftV6.pdf and the PKIX profile (draft-ietf-pkix-new-part1-05.txt). draft-ietf-pkix-new-part1-05.txt describes a "Freshest CRL" extension (which is also called "Delta CRL Distribution Point"). The extension is described in section 4.2.1.16, a subsection under 4.2 Standard Certificate Extensions, and it is described again in section 5.2.6, a subsection under 5.2 CRL Extensions. So according to the PKIX profile the extension appears to be usable as either a certificate extension or a CRL extension, with identical syntax. Section 8.6.2.6 of X.509 4th edition draft V6 describes a "Freshest CRL Extension" with the same syntax as in the PKIX profile, but says it shall be used only as a certificate extension. There is a CRL extension defined in X.509 called "Delta Information extension" whose usage appears to more or less match the PKIX CRL extension "Freshest CRL," but whose syntax is not the same as the X.509 "Freshest CRL" certificate extension. Are my document versions out of date, or is this divergence intentional, or is it time for a little mid-course correction? - Carlin Covey Cylink Corporation ------------------------------------------------------------ P.S. Here are some quotes from the documents: >From draft-ietf-pkix-new-part1-05.txt: 4.2 Standard Certificate Extensions ... 4.2.1.16 Freshest CRL (a.k.a. Delta CRL Distribution Point) The freshest CRL extension identifies how delta-CRL information is obtained. The same syntax is used for this extension and the cRLDistributionPoints extension, and is described in section 4.2.1.14. 5.2 CRL Extensions ... 5.2.6 Freshest CRL (a.k.a. Delta CRL Distribution Point) The freshest CRL extension identifies how delta-CRL information for this CRL is obtained. The extension MUST be non-critical. The same syntax is used for this extension as the cRLDistributionPoints certificate extension, and is described in section 4.2.1.14. The same conventions apply to both extensions. >From X.509_4thEditionDraftV6.pdf: 8.5.2.9 Delta Information extension This CRL extension is for use in CRLs that are not dCRLs and is used to indicate to relying parties that dCRLs are also available for the CRL containing this extension. The extension provides the location at which the related dCRLs can be found and optionally the time at which the next dCRL is to be issued. 8.6.2.6 Freshest CRL extension The freshest CRL extension shall be used only as a certificate extension and may be used in certificates issued to authorities as well as certificates issued to users. This field identifies the CRL to which a certificate user should refer to obtain the freshest revocation information (e.g.: latest dCRL). Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA07237 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 12:18:27 -0700 (PDT) From: bjueneman@novell.com Message-Id: <200104111918.MAA07237@above.proper.com> Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Wed, 11 Apr 2001 13:17:53 -0600 Mime-Version: 1.0 Date: Wed, 11 Apr 2001 13:24:00 -0600 X-Mailer: Groupwise 5.5.3.1 Subject: Re: Meaning of Non-repudiation To: "David P. Kemp"<dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="____TJBOSMHBKHISCPLUZFFZ____" --____TJBOSMHBKHISCPLUZFFZ____ Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable David, >...Here is the litmus test: do you agree that in >order to validate a signature on an S/MIME message (any message, for >any purpose, signed by any entity), the NR bit must be set? I certainly don't, because of the ambiguity caused by the uncertain=20 legalisms. I note that the certificates issued by DoD and contained on = the=20 Common Access Card, even those issued to federal contractors, DO=20 contain the NR bit, and for that reason I would be quite reluctant personally to use such a certificate. Likewise, I would be =20 concerned if I were the CIO of such a federal contractor and someone in my organization were to use such a certificate for any=20 purpose, but most especially for anything outside of the strict=20 purview of the DoD. The DoD CP may provide some definitive=20 definition of what NR means in their context (although I haven't=20 read it, and wouldn't bet my life on it), but who is in a position to = say=20 that the DoD CP would be binding on some other, unrelated, relying party? Back in the AUTODIN days, there was a sharp distinction drawn=20 between "official" traffic, which were essentially legally binding=20 military orders sent by or under the authority of the commanding=20 officer, vs. "unofficial" traffic, which could be much less formal. Nuclear release orders, troop movements -- "take that hill or die trying", transfer of funds from one account to another, contract signings and=20 amendments, legal or other official notices -- those are the sorts of things that I would think might legitimately deserve something like the NR bit within DoD. Using a certificate containing the NR bit to sign your previous=20 message, although not wrong per se, would certainly constitute overkill and an unnecessary risk, at least to my way of=20 thinking. =20 Personally, I would keep the private key corresponding to a public=20 key in a certificate containing the NR bit stored away in my safe, or in some other very secure location, to be taken out with considerable=20 trepidation and perhaps a certain amount of ceremony. I would=20 NEVER use it for this kind of casual e-mail, even though I am willing=20 to sign it to demonstrate authenticity of origin and the absence of=20 any modification. Despite my willingness to agree that I signed the=20 message, I don't regard it as legally binding -- it isn't a contract (no = offer and acceptance of consideration), it isn't a legal notice, will, testament,= or other form of obligation, it is just a letter. (Even if I were to sign it "Love and kisses", I wouldn't expect to be held to that commitment with respect to this audience! :-) "I do not anticipate any change to the NR bit in X.509 nor in PKIX." Steve Kent "We have met the enemy, and they is us."=20 Pogo Regards, Bob --____TJBOSMHBKHISCPLUZFFZ____ Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" CONTENT-DESCRIPTION: S/MIME Cryptographic Signature MIIMlwYJKoZIhvcNAQcCoIIMiDCCDIQCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCCh8w ggUIMIID8KADAgECAhoCFAAAABQ0/V7yZC4krZCad8s8I/9yAgID2jANBgkqhkiG9w0BAQUFADAy MRswGQYDVQQLExJOb3ZlbGwgRW1wbG95ZWUgQ0ExEzARBgNVBAoUCk5PVkVMTF9JTkMwHhcNOTkx MDA5MTcyMDAwWhcNMDkxMDA5MTcyMDAwWjAyMRswGQYDVQQLExJOb3ZlbGwgRW1wbG95ZWUgQ0Ex EzARBgNVBAoUCk5PVkVMTF9JTkMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFXNJ5 6dllO0vfXHFpTJKFXsPp4/ODFGguxqQOt/gRB+jEILRth9kko6r1DRMVtdJ3vYFxujArU9E1dEUL mf12vQOHveLyiu3+2QWFoWxGMRzdeziJkB5lk8noS3yhCCBoEOh+8UZ8xbeXRiBE9Trn4e5mojH8 +ao7khHpd5tw2MbfDgEh7ngp0jg7ZvLUz/UW4ki8em35g3KC3UFdUO/q+V/n2NUqnpgUH2bkpoib kSMjwAfVn50B1PpK/MJMGvtYGiVtTvq6VKDR+wa8WC7uVEQiPbEiH8KOKd9fFBCsZvd12fbfUeNI FmrnNkk5Ob/p/GRKrppExWbGueulpBExAgMBAAGjggIOMIICCjAKBgNVHQ4EAwQBATAMBgNVHSME BTADgAEBMA8GA1UdEwEBAAQFMAMBAf8wDgYDVR0PAQEABAQDAgEGMIIBywYLYIZIAYb4NwEJBAEB AQAEggG3MIIBswQCAQABAf8THU5vdmVsbCBTZWN1cml0eSBBdHRyaWJ1dGUodG0pFkNodHRwOi8v ZGV2ZWxvcGVyLm5vdmVsbC5jb20vcmVwb3NpdG9yeS9hdHRyaWJ1dGVzL2NlcnRhdHRyc192MTAu aHRtMIIBRKAaAQEAMAgwBgIBAQIBRjAIMAYCAQECAQoCAWmhGgEBADAIMAYCAQECAUYwCDAGAgEB AgEKAgFpogYCARgBAf+jggEAoFoCAQICAgD/AgEAAw0AgAAAAAAAAAAAAAAAAwkAgAAAAAAAAAAw GDAQAgEAAgh//////////wEBAAIEBvDfSDAYMBACAQACCH//////////AQEAAgQG8N9IMFKhUgIB AgICAP8CAQADDQBAAAAAAAAAAAAAAAADCQBAAAAAAAAAADAVMBACAQACCH//////////AQEAAgEU MBUwEAIBAAIIf/////////8BAQACARSiTjBMAgECAgIA/wIBAAMNAID//////////////wMJAID/ ////////MBIwEAIBAAIIf/////////8BAf8wEjAQAgEAAgh//////////wEB/zANBgkqhkiG9w0B AQUFAAOCAQEAaiESm7ALSKkCI86jYyeRPzNazTY4f0GepqTPidwM546hDZKxkFfKjop9nhZDEg0S xj69kL7mlqowVlU6dgoEPgqwPglP0jBO60EyzqjorrVbnpuSNUVoY+6OyymyrdNrx2DGTBTqsI/i urILrt1V2b8ioTAWSp9lHr5LxAOxQgTeNMMI/b5B0sTlAlwBNbn2K1b11EfYdxSmkQZfsQVCmfKl 8y2xqF7X2+W45Zgdev0/JQxCXlRVoGEMbshs7V5AECg9qezn9dTyfCX1nS+YoLkJf0khv2MrcfrN 1SG2EGusV2NVDxCdXFuLhyWxwAxVLoI5LNIMLFa4P8vAinCxJTCCBQ8wggP3oAMCAQICGgIUAAAA FDT9XvJkLiStkJp3yzwj/3ICAgTqMA0GCSqGSIb3DQEBBQUAMDIxGzAZBgNVBAsTEk5vdmVsbCBF bXBsb3llZSBDQTETMBEGA1UEChQKTk9WRUxMX0lOQzAeFw05OTEwMDkxODE4MDBaFw0wMTEwMDkx ODE4MDBaMEIxEjAQBgNVBAMTCUJKdWVuZW1hbjENMAsGA1UECxMETlNSRDEMMAoGA1UECxMDUFJW MQ8wDQYDVQQKEwZOb3ZlbGwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3eHuGT669 GWzGuMYSIvezmPdEFF0nbdlhqv0KwebG5WHi4TiLyX7s8l6+0CQRAF9rFQhEdh7I2lti9hgrNOjo 4SZvxU0PstQcN9ad6usXMzHBa36Xj31kJUhguKEKpCaUYGmWPcq6ehLcuxTv0nuq1QvAGTIqjCT5 y/tpSwo2nXpb9UXOEpZg8CmL6OTKj44cAmHzPk6dElXxF7SjnhkNOYNvwgs/Afa+7iOX0Lv6vTYJ eaz1eklKMSoJf5mZ/EZfJjUkf5jDRdIb5Rog2/HWMEsBvP2vgiBrV1nwVFGBkpfs1qwq0A7h3UdG bm8NlzgFMs2lltqtONbGiZK5UMoDAgMBAAGjggIFMIICATAMBgNVHSMEBTADgAEBMCIGA1UdEQEB AAQYMBaBFEJKVUVORU1BTkBub3ZlbGwuY29tMIIBywYLYIZIAYb4NwEJBAEBAQAEggG3MIIBswQC AQABAf8THU5vdmVsbCBTZWN1cml0eSBBdHRyaWJ1dGUodG0pFkNodHRwOi8vZGV2ZWxvcGVyLm5v dmVsbC5jb20vcmVwb3NpdG9yeS9hdHRyaWJ1dGVzL2NlcnRhdHRyc192MTAuaHRtMIIBRKAaAQEA MAgwBgIBAQIBRjAIMAYCAQECAQoCAWmhGgEBADAIMAYCAQECAUYwCDAGAgEBAgEKAgFpogYCARQB Af+jggEAoFoCAQICAgD/AgEAAw0AgAAAAAAAAAAAAAAAAwkAgAAAAAAAAAAwGDAQAgEAAgh///// /////wEBAAIEBvDfSDAYMBACAQACCH//////////AQEAAgQG8N9IMFKhUgIBAgICAP8CAQADDQBA AAAAAAAAAAAAAAADCQBAAAAAAAAAADAVMBACAQACCH//////////AQEAAgEUMBUwEAIBAAIIf/// //////8BAQACARSiTjBMAgECAgEAAgIA/wMNAIAAAAAAAAAAAAAAAAMJAIAAAAAAAAAAMBIwEAIB AAIIf/////////8BAQAwEjAQAgEAAgh//////////wEBADANBgkqhkiG9w0BAQUFAAOCAQEAiEId iox84BfJlz8suOJdTEwkuJsT1AbsLBwWzEpwfBS5FRGglOyKwlj8Fq+bFmgnBX//wbW4gjutgAEu w8fXGUaQ9d2qwUn06Ta8C8AeBr7XmxrHe1Hs4YBQfqtVpdbZDasgeOhJhKSAMmIbv7jajwI9oZ93 aS5w/ArkTGFm+hpexZsSHtTjcKFAQ977M+QwbnilmnBfPYiQk+y/uGcAeJqJRnmzbfrbmzlpsyqg yJENC+zD4O5tq9Gn53pHpG1EnjX/ZN3+jM0HKIc/rDuQ+yQ4e3LReenrRbmAoDlD5krF2sfFXphb P86HUMcytbnXDgBbtKYdVtH/kDDMHCMQBTGCAkAwggI8AgEBMFAwMjEbMBkGA1UECxMSTm92ZWxs IEVtcGxveWVlIENBMRMwEQYDVQQKFApOT1ZFTExfSU5DAhoCFAAAABQ0/V7yZC4krZCad8s8I/9y AgIE6jAJBgUrDgMCGgUAoIHGMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkF MQ8XDTAxMDQxMTEzMjQ0MFowIwYJKoZIhvcNAQkEMRYEFDjYY51biO62d5wvqfbULJtMcOyLMGcG CSqGSIb3DQEJDzFaMFgwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMAoGCCqGSIb3DQMEMA0G CCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMAcGBSsOAwIaMA0GCSqGSIb3DQEB AQUABIIBACEl2ccOhxlf2O0A9zw4o7vBPi3F7hRI0ePA3tg9F3BLCnLI773sQRE6S97lfmchN5GR /3Kvr/qwgMzyI82Ept4V6lt1qxUnxzv/9pe9PstxD5Nt+PjwthtYwAQ9l4DkdqMIynkObXS+Kl+N v/Ebz/UEezqdRzLIxz/ZcYT5l54MUi1QhaclTkc7oD8gmhdfQL4WY5T7ZdQVv2PhFS4lLepD3/j8 OSfR1rhhmj1dsUX8+M2abg1hHqasyFtkushUDHRF6zlTGNlCmbvNEoSJobyj4k/5/txh/iF7wY+d p5rnt/CO5qSkfp+57XXVFFn/xiW2a1L6uvhk7EYL/+UZVp8= --____TJBOSMHBKHISCPLUZFFZ____-- Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA06515 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 12:07:11 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id PAA24312 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 15:06:43 -0400 (EDT) Message-Id: <200104111906.PAA24308@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Wed, 11 Apr 2001 15:05:12 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Meaning of Non-repudiation References: <200104111733.TAA20049@emeriau.edelweb.fr> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Peter Sylvester wrote: > > Effective only at time of generation seems somewhat difficult; > it always happens later. Sometimes one sacrifices rigor for clarity. A more precise expression of the HAK remark might be: A fundamental distinction exists between a party A being able to convince itself at time t0+e of the validity of a digital signature s generated at time t0, and that party being able to convince others at some time t1 >= t0+e that s was valid at time t0. For all practical purposes, e (read epsilon, a very small value) could be fixed at one minute without significantly affecting the use cases. If you receive a signed message one second after it was sent and know that the signature will become invalid 59 seconds later, the lack of the NR bit will have achieved its purpose. If the signature is not "binding" then your user agent should not treat it as binding; it should authenticate the message and then discard the authentication information before storing the message. > What is the essential difference between some authentication > handshake 'on line' or some [authentication] exchange using S/MIME. > > Consider for example just signature on domain boundaries, No difference - that's the point. If the client signs S/MIME data without NR and sends it to the domain gateway, the gateway bcomes responsible for the data's integrity because the client signature becomes invalid one hop or 59 seconds hence. A proper gateway will honor the keyUsage bit and strip off the now-useless client signature exactly as it would strip off an SSL protocol layer before forwarding the data. If the client signs with NR, then the domain signature could optionally be added to it rather than replacing it. Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA01100 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 10:33:56 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id TAA25199; Wed, 11 Apr 2001 19:33:57 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Wed, 11 Apr 2001 19:33:57 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id TAA13093; Wed, 11 Apr 2001 19:33:56 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id TAA20049; Wed, 11 Apr 2001 19:33:55 +0200 (MET DST) Date: Wed, 11 Apr 2001 19:33:55 +0200 (MET DST) Message-Id: <200104111733.TAA20049@emeriau.edelweb.fr> To: ietf-pkix@imc.org, dpkemp@missi.ncsc.mil Subject: Re: Meaning of Non-repudiation Effective only at time of generation seems somewhat difficult; it always happens later. What is the essential difference between some authentication handshake 'on line' or some exchange using S/MIME. Consider for example just signature on domain boundaries, Or between a user and and ISP relay in order to allow relaying from authorized users etc. > I agree completely with your "not considered binding", as long as there > is an explicit statement that binding means persistent - i.e., effective > for some time after generation, as opposed to effective only at the > time of generation. Here is the litmus test: do you agree that in > order to validate a signature on an S/MIME message (any message, for > any purpose, signed by any entity), the NR bit must be set? > Received: from rbhub101.chamb.disa.mil (rbhub101.chamb.disa.mil [209.22.120.24]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA00333 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 10:16:00 -0700 (PDT) Received: by rbhub101.chamb.disa.mil with Internet Mail Service (5.5.2650.21) id <2SH8RPVC>; Wed, 11 Apr 2001 13:16:02 -0400 Message-ID: <8BCA8883305DD411BA1200204804EE4A0349B230@rbmail102.chamb.disa.mil> From: "Friedrichs, Paul LCDR" <FriedriP@ncr.disa.mil> To: "'Santosh Chokhani'" <chokhani@cygnacom.com>, Anders Rundgren <anders.rundgren@telia.com>, "Fillingham, David W." <dwfilli@missi.ncsc.mil>, PKIX-List <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, pki-twg@nist.gov, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, judith.spencer@gsa.gov, Michelle.Moldenhauer@do.treas.gov, "'Steve Hanna (SUN)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com>, Roger Younglove <ryounglove@lucent.com> Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations Date: Wed, 11 Apr 2001 13:15:57 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C2AB.12D307B0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C2AB.12D307B0 Content-Type: text/plain; charset="ISO-8859-1" HI All, Fascinating thread. I wonder whether we are confusing application and credential architectures. I think this is how I see it. Perhaps I'm missing something. (Or perhaps I'm totally naive): Application architectures need to address who/what must, might or must not know the existence of whom/what, and who/what trusts whom/what for what purpose. (Perhaps only people should be said to "trust" and so "rely on" might be a better word, but the differences and relationship between trust and reliance shouldn't be overlooked.) Notions of authorities, officers, and agents must be addressed by the application architecture. Nonrepudiation and confidentiality are very different application requirements that may require very different application architectures (and subjects). Credentials can be issued to subjects required by application architectures (e.g., to individuals and agents/organizations). Except, perhaps, when considering nation states, the trustworthiness of signature credentials should be able to be abstracted from the trust between subjects. Signature credentials need to be trustworthy and of comparable/known trustworthiness (only) across the subjects with whom subjects wish to securely interact. Perhaps this is an excellent place for a government service. (The US's Privacy Act is a *BIG* challenge when statically naming private citizens.) (Another thought is that where the existence of subjects is known only locally, locally managed signature credentials are likely most efficient.) Signature credential architectures wishing to support wide interoperability should be able to focus on addressing the core challenge of the commonness of the credentials' strength (not who trusts whom). The best mix of signature credential architecture options will depend on what sorts of signature credential service providers succeed in the marketplace. Because of the possibility of and frequent requirement for data recovery, the encryption credential seems to be a very different challenge. Perhaps it will always be best for trust domains to issue their own encryption credentials, suggesting that a different credential architecture mix will be required. I think the application, signature credential, and encryption credential challenges/architectures are independent. Paul ------_=_NextPart_001_01C0C2AB.12D307B0 Content-Type: text/html; charset="ISO-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <TITLE>RE: DoD Bridge Certification Authority Phase II Demonstrations</TITLE> <META content="MSHTML 5.50.4207.2601" name=GENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=#ffffff> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2>HI All,</FONT></SPAN></DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2>Fascinating thread. I wonder whether we are confusing application and credential architectures. I think this is how I see it. Perhaps I'm missing something. (Or perhaps I'm totally naive): </FONT></SPAN></DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2>Application architectures need to address who/what must, might or must not know the existence of whom/what, and who/what trusts whom/what for what purpose. (Perhaps only people should be said to "trust" and so "rely on" might be a better word, but the differences and relationship between trust and reliance shouldn't be overlooked.) Notions of authorities, officers, and agents must be addressed by the application architecture. Nonrepudiation and confidentiality are very different application requirements that may require very different application architectures (and subjects).</FONT></SPAN></DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2>Credentials can be issued to subjects required by application architectures (e.g., to individuals and agents/organizations). </FONT></SPAN></DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2>Except, perhaps, when considering nation states, the trustworthiness of signature credentials should be able to be abstracted from the trust between subjects. Signature credentials need to be trustworthy and of comparable/known trustworthiness (only) across the subjects with whom subjects wish to securely interact. Perhaps this is an excellent place for a government service. (The US's Privacy Act is a *BIG* challenge when statically naming private citizens.) (Another thought is that where the existence of subjects is known only locally, locally managed signature credentials are likely most efficient.) Signature credential architectures wishing to support wide interoperability should be able to focus on addressing the core challenge of the commonness of the credentials' strength (not who trusts whom). The best mix of signature credential architecture options will depend on what sorts of signature credential service providers succeed in the marketplace. </FONT></SPAN></DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2>Because of the possibility of and frequent requirement for data recovery, the encryption credential seems to be a very different challenge. Perhaps it will always be best for trust domains to issue their own encryption credentials, suggesting that a different credential architecture mix will be required. </FONT></SPAN></DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2>I think the application, signature credential, and encryption credential challenges/architectures are independent.</FONT></SPAN></DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2>Paul</FONT></SPAN></DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=646160616-11042001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV></BODY></HTML> ------_=_NextPart_001_01C0C2AB.12D307B0-- Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA29620 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 10:06:10 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id NAA18988 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 13:05:41 -0400 (EDT) Message-Id: <200104111705.NAA18984@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Wed, 11 Apr 2001 13:04:08 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Meaning of Non-repudiation References: <4.3.2.7.2.20010406162323.00ae9dc0@poptop.llnl.gov> <200104091802.OAA03222@stingray.missi.ncsc.mil> <p0501040ab6fa32eff970@[128.33.238.44]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Stephen Kent wrote: > > I do not anticipate any change to the NR bit in X.509 nor in PKIX. Fair enough. But if the name of the bit is not changed, then the definition must be clarified, to avoid the ambiguity evident below: > The main purpose for the NR bit is to allow a cert to be designated > as NOT being associated with signatures used in NR transactions. This > is a safety feature for the EE. By using a cert with the NR bit set > to FALSE, the EE is explicitly stating that the signature generated > with the corresponding private key is not be be considered binding, > e.g., it is for authentication but not for non-repudiation. This is the problem - some people associate the words NR and "binding" with "creating an obligation". I agree completely with your "not considered binding", as long as there is an explicit statement that binding means persistent - i.e., effective for some time after generation, as opposed to effective only at the time of generation. Here is the litmus test: do you agree that in order to validate a signature on an S/MIME message (any message, for any purpose, signed by any entity), the NR bit must be set? Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA27276 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 09:19:29 -0700 (PDT) Received: from [128.33.238.44] (TC107.BBN.COM [128.33.238.107]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id MAA21942 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 12:19:29 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p0501040ab6fa32eff970@[128.33.238.44]> In-Reply-To: <200104091802.OAA03222@stingray.missi.ncsc.mil> References: <4.3.2.7.2.20010406162323.00ae9dc0@poptop.llnl.gov> <200104091802.OAA03222@stingray.missi.ncsc.mil> Date: Wed, 11 Apr 2001 12:20:03 -0400 To: ietf-pkix@imc.org From: Stephen Kent <kent@bbn.com> Subject: Re: Meaning of Non-repudiation Content-Type: text/plain; charset="us-ascii" ; format="flowed" Folks, I do not anticipate any change to the NR bit in X.509 nor in PKIX. I've read the extended dialogue on this topic and it has a familiar ring. However, many of the arguments put forth seem to be narrow, or miss the point entirely. Yes, it is true that the NR bit is not sufficient for NR. It was never claimed to be. Yes, if suitable, external, contractual agreement exists, the NR bit is not necessary for NR. The main purpose for the NR bit is to allow a cert to be designated as NOT being associated with signatures used in NR transactions. This is a safety feature for the EE. By using a cert with the NR bit set to FALSE, the EE is explicitly stating that the signature generated with the corresponding private key is not be be considered binding, e.g., it is for authentication but not for non-repudiation. Yes, if the user has multiple certs with the same key and the NR bit is set in some but not others, this utility is voided. In general we can't prevent users from engaging in such behavior. An RP that holds a copy of the cert used in a NR transaction has a defense against such a user, if push come to shove. So, I suggest that we table the discussion on the labeling of the NR bit and leave the more detailed discussions of how to achieve technical NR to the relevant documents, of which 2459 (its successors and assigns ...) is not one. Steve Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA20647 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 08:32:19 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <2W9NH1GB>; Wed, 11 Apr 2001 11:31:47 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CDDE5@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Anders Rundgren <anders.rundgren@telia.com>, Santosh Chokhani <chokhani@cygnacom.com>, "Fillingham, David W." <dwfilli@missi.ncsc.mil>, PKIX-List <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, pki-twg@nist.gov, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, judith.spencer@gsa.gov, Michelle.Moldenhauer@do.treas.gov, "'Steve Hanna (SUN)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com>, Roger Younglove <ryounglove@lucent.com> Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations Date: Wed, 11 Apr 2001 11:23:12 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C29B.52808E10" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C29B.52808E10 Content-Type: text/plain; charset="iso-8859-1" Anders: See comments in-line. I suggest that we take this off-line and not waste others' time. All: I am sorry for this rambling. -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren@telia.com] Sent: Wednesday, April 11, 2001 4:00 AM To: Santosh Chokhani; Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; 'Steve Capps'; Wagner, Clark J.; judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna (SUN)'; 'Susan Dernik'; Roger Younglove Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations Santosh, I do understand this. But assume that your customers have so far not been aware of alternatives? To say that they cannot accept intermediaries is like saying "we do not trust file-servers". That's a rather extreme position. Many organizations live or die depending on how their "intermediaries" work. [Santosh Chokhani] There is a deference in availability of service and trusting confidentiality and integrity provided by a service. You did not comment on all the drawbacks of using client-end-to-end encryption in an organization- environment. [Santosh Chokhani] Each option has its benefits and drawbacks and that is why we have so many architectures and products with different approaches. If a project group involves very few people (two lawyers on the same case) that have exclusive rights to their information the situation may call for end-to-end encryption. [Santosh Chokhani] We need end-end encryption and authentication many times. I.e. domain-PKI is definitely not only about security, but about who is in control (i.e. owns and is responsible for the information). If DoD builds on a model where the individual is the owner, I think that they pretty soon will get severe problems, as lost private keys can lead to information- loss in a way the paper-world have never seen. Then we are into key backup-schemes that if applied to individuals is a major problem. Applied to domain-PKI it is *almost* reasonable. [Santosh Chokhani] Lost private keys are not a problem if key recovery is properly implemented. Please note that you do not need to recover signature private keys since once they are used for signing they are not required for verification. Just like gravity, we tend to sign before verifying the signature. Anders ----- Original Message ----- From: Santosh <mailto:chokhani@cygnacom.com> Chokhani To: Anders <mailto:anders.rundgren@telia.com> Rundgren ; Santosh Chokhani <mailto:chokhani@cygnacom.com> ; Fillingham, <mailto:dwfilli@missi.ncsc.mil> David W. ; PKIX-List <mailto:ietf-pkix@imc.org> ; 'KPCMWG' <mailto:kpcm@kpcmwg.org> ; 'DoD PKI TWG' <mailto:DOD-BWG-TWG@kpcmwg.org> ; pki-twg@nist.gov <mailto:pki-twg@nist.gov> ; 'Bridge CA Mail <mailto:BridgeCA@kpcmwg.org> List' ; 'BCA Integration' <mailto:bcatest@anassoc.com> ; 'Steve <mailto:scapps@radium.ncsc.mil> Capps' ; Wagner, Clark J. <mailto:cjwagne@missi.ncsc.mil> ; judith.spencer@gsa.gov <mailto:judith.spencer@gsa.gov> ; Michelle.Moldenhauer@do.treas.gov <mailto:Michelle.Moldenhauer@do.treas.gov> ; 'Steve Hanna <mailto:steve.hanna@sun.com> (SUN)' ; 'Susan Dernik' <mailto:Susan.Dernik@baltimore.com> ; Roger <mailto:ryounglove@lucent.com> Younglove Sent: Tuesday, April 10, 2001 23:30 Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations Anders: I do not think you understand this. My customers do not want intermediate systems except the people working on the project to access the data. -----Original Message----- From: Anders Rundgren [ mailto:anders.rundgren@telia.com <mailto:anders.rundgren@telia.com> ] Sent: Tuesday, April 10, 2001 5:26 PM To: Santosh Chokhani; Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; pki-twg@nist.gov <mailto:pki-twg@nist.gov> ; 'Bridge CA Mail List'; 'BCA Integration'; 'Steve Capps'; Wagner, Clark J.; judith.spencer@gsa.gov <mailto:judith.spencer@gsa.gov> ; Michelle.Moldenhauer@do.treas.gov <mailto:Michelle.Moldenhauer@do.treas.gov> ; 'Steve Hanna (SUN)'; 'Susan Dernik'; Roger Younglove Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations Santosh, >Having looked at the papers you sent, I think your solutions may be ok as a B2B solution. I believe so. >But, I see end to end security requiring PKI. Even in our company's case where >we run independent labs, do PKI consulting and build PKI products, some of our lab >customers when they send us documents over the Internet, they want only the lab >personnel assigned to the project to read it. They do it using end-end encryption. >PKI concepts were designed for this distributed, client centric model. Even in this example you have conflicts with different interests that may suggest that a domain-solution could fit as well. Assume that more than one individual is supposed to be able to access the sent document. In that case it would be more appropriate to encrypt using a domain public key and let the receiver's local client file access system direct who is going to have access to the document. Otherwise it looks like this document is not a part of some organization's activity and in that case domain-PKI does of course not apply. In the senders end it may be in the organization's interests to monitor all outgoing documents. That is in conflict with the client doing the encryption. And the very same problem is also valid for archiving of signed data from authorities. Using domain-PKI you get it for free. Using client-PKI (only) you get less control which is bad as control probably was the reason for adding PKI in the first place! And now the heat is on directories... An interesting side-effect of Purple-type of solutions is that [more or less] public directories holding information about employees become largely superfluous as all information required for a certain relation is in the tickets themselves. I.e. purchaser "profile" information is a typical item that now finally have gotten a suitable container to be transported in. /anders ------_=_NextPart_001_01C0C29B.52808E10 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: DoD Bridge Certification Authority Phase II Demonstrations</TITLE> <META content="MSHTML 5.00.2014.210" name=GENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=#ffffff> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=268584714-11042001>Anders: See comments in-line. I suggest that we take this off-line and not waste others' time.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=268584714-11042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=268584714-11042001>All: I am sorry for this rambling. </SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=268584714-11042001></SPAN></FONT> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Anders Rundgren [mailto:anders.rundgren@telia.com]<BR><B>Sent:</B> Wednesday, April 11, 2001 4:00 AM<BR><B>To:</B> Santosh Chokhani; Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; 'Steve Capps'; Wagner, Clark J.; judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna (SUN)'; 'Susan Dernik'; Roger Younglove<BR><B>Subject:</B> Re: DoD Bridge Certification Authority Phase II Demonstrations<BR><BR></FONT></DIV> <DIV> <DIV><FONT face=Arial size=2>Santosh,</FONT></DIV> <DIV><FONT face=Arial size=2>I do understand this. But assume that your customers have so far not been aware of alternatives?</FONT></DIV> <DIV><FONT face=Arial size=2>To say that they cannot accept intermediaries is like saying "we do not trust file-servers". That's</FONT></DIV> <DIV><FONT size=2><FONT face=Arial>a rather extreme position. Many organizations live or die depending on how their "intermediaries" work.<BR><FONT color=#0000ff><SPAN class=268584714-11042001>[Santosh Chokhani] There is a deference in availability of service and trusting confidentiality and integrity provided by a service.</SPAN></FONT></FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=Arial size=2>You did not comment on all the drawbacks of using client-end-to-end encryption in an organization-</FONT></DIV> <DIV><FONT size=2><FONT face=Arial>environment.<BR><FONT color=#0000ff><SPAN class=268584714-11042001>[Santosh Chokhani] Each option has its benefits and drawbacks and that is why we have so many architectures and products with different approaches. </SPAN></FONT></FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=Arial size=2>If a project group involves very few people (two lawyers on the same case) that have exclusive</FONT></DIV> <DIV><FONT size=2><FONT face=Arial>rights to their information the situation may call for end-to-end encryption.<BR><FONT color=#0000ff><SPAN class=268584714-11042001>[Santosh Chokhani] We need end-end encryption and authentication many times. </SPAN></FONT></FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=Arial size=2>I.e. domain-PKI is definitely not only about security, but about who is in control (i.e. owns and is</FONT></DIV> <DIV><FONT face=Arial size=2>responsible for the information). If DoD builds on a model where the individual is the owner,</FONT></DIV> <DIV><FONT face=Arial size=2>I think that they pretty soon will get severe problems, as lost private keys can lead to information-</FONT></DIV> <DIV><FONT face=Arial size=2>loss in a way the paper-world have never seen. Then we are into key backup-schemes that</FONT></DIV> <DIV><FONT size=2><FONT face=Arial>if applied to individuals is a major problem. Applied to domain-PKI it is *almost* reasonable.<BR><FONT color=#0000ff><SPAN class=268584714-11042001>[Santosh Chokhani] Lost private keys are not a problem if key recovery is properly implemented. Please note that you do not need to recover signature private keys since once they are used for signing they are not required for verification. Just like gravity, we tend to sign before verifying the signature.</SPAN></FONT></FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=Arial size=2>Anders</FONT></DIV></DIV> <BLOCKQUOTE style="BORDER-LEFT: #000000 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px; PADDING-LEFT: 5px; PADDING-RIGHT: 0px"> <DIV style="FONT: 10pt arial">----- Original Message ----- </DIV> <DIV style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B> <A href="mailto:chokhani@cygnacom.com" title=chokhani@cygnacom.com>Santosh Chokhani</A> </DIV> <DIV style="FONT: 10pt arial"><B>To:</B> <A href="mailto:anders.rundgren@telia.com" title=anders.rundgren@telia.com>Anders Rundgren</A> ; <A href="mailto:chokhani@cygnacom.com" title=chokhani@cygnacom.com>Santosh Chokhani</A> ; <A href="mailto:dwfilli@missi.ncsc.mil" title=dwfilli@missi.ncsc.mil>Fillingham, David W.</A> ; <A href="mailto:ietf-pkix@imc.org" title=ietf-pkix@imc.org>PKIX-List</A> ; <A href="mailto:kpcm@kpcmwg.org" title=kpcm@kpcmwg.org>'KPCMWG'</A> ; <A href="mailto:DOD-BWG-TWG@kpcmwg.org" title=DOD-BWG-TWG@kpcmwg.org>'DoD PKI TWG'</A> ; <A href="mailto:pki-twg@nist.gov" title=pki-twg@nist.gov>pki-twg@nist.gov</A> ; <A href="mailto:BridgeCA@kpcmwg.org" title=BridgeCA@kpcmwg.org>'Bridge CA Mail List'</A> ; <A href="mailto:bcatest@anassoc.com" title=bcatest@anassoc.com>'BCA Integration'</A> ; <A href="mailto:scapps@radium.ncsc.mil" title=scapps@radium.ncsc.mil>'Steve Capps'</A> ; <A href="mailto:cjwagne@missi.ncsc.mil" title=cjwagne@missi.ncsc.mil>Wagner, Clark J.</A> ; <A href="mailto:judith.spencer@gsa.gov" title=judith.spencer@gsa.gov>judith.spencer@gsa.gov</A> ; <A href="mailto:Michelle.Moldenhauer@do.treas.gov" title=Michelle.Moldenhauer@do.treas.gov>Michelle.Moldenhauer@do.treas.gov</A> ; <A href="mailto:steve.hanna@sun.com" title=steve.hanna@sun.com>'Steve Hanna (SUN)'</A> ; <A href="mailto:Susan.Dernik@baltimore.com" title=Susan.Dernik@baltimore.com>'Susan Dernik'</A> ; <A href="mailto:ryounglove@lucent.com" title=ryounglove@lucent.com>Roger Younglove</A> </DIV> <DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, April 10, 2001 23:30</DIV> <DIV style="FONT: 10pt arial"><B>Subject:</B> RE: DoD Bridge Certification Authority Phase II Demonstrations</DIV> <DIV><BR></DIV> <P><FONT size=2>Anders:</FONT> </P> <P><FONT size=2>I do not think you understand this. My customers do not want intermediate systems except the people working on the project to access the data.</FONT></P> <P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: Anders Rundgren [<A href="mailto:anders.rundgren@telia.com">mailto:anders.rundgren@telia.com</A>]</FONT> <BR><FONT size=2>Sent: Tuesday, April 10, 2001 5:26 PM</FONT> <BR><FONT size=2>To: Santosh Chokhani; Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD</FONT> <BR><FONT size=2>PKI TWG'; <A href="mailto:pki-twg@nist.gov">pki-twg@nist.gov</A>; 'Bridge CA Mail List'; 'BCA Integration';</FONT> <BR><FONT size=2>'Steve Capps'; Wagner, Clark J.; <A href="mailto:judith.spencer@gsa.gov">judith.spencer@gsa.gov</A>;</FONT> <BR><FONT size=2><A href="mailto:Michelle.Moldenhauer@do.treas.gov">Michelle.Moldenhauer@do.treas.gov</A>; 'Steve Hanna (SUN)'; 'Susan Dernik';</FONT> <BR><FONT size=2>Roger Younglove</FONT> <BR><FONT size=2>Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations</FONT> </P><BR> <P><FONT size=2>Santosh, </FONT></P> <P><FONT size=2>>Having looked at the papers you sent, I think your solutions may be ok as a B2B solution. </FONT></P> <P><FONT size=2>I believe so.</FONT> </P> <P><FONT size=2>>But, I see end to end security requiring PKI. Even in our company's case where </FONT><BR><FONT size=2>>we run independent labs, do PKI consulting and build PKI products, some of our lab </FONT><BR><FONT size=2>>customers when they send us documents over the Internet, they want only the lab </FONT><BR><FONT size=2>>personnel assigned to the project to read it. They do it using end-end encryption. </FONT><BR><FONT size=2>>PKI concepts were designed for this distributed, client centric model. </FONT></P> <P><FONT size=2>Even in this example you have conflicts with different interests that may suggest that </FONT><BR><FONT size=2>a domain-solution could fit as well. Assume that more than one individual is </FONT><BR><FONT size=2>supposed to be able to access the sent document. In that case it would be more </FONT><BR><FONT size=2>appropriate to encrypt using a domain public key and let the receiver's local client file access </FONT><BR><FONT size=2>system direct who is going to have access to the document. Otherwise it looks </FONT><BR><FONT size=2>like this document is not a part of some organization's activity and in that case </FONT><BR><FONT size=2>domain-PKI does of course not apply. In the senders end it may be in the </FONT><BR><FONT size=2>organization's interests to monitor all outgoing documents. That is in conflict </FONT><BR><FONT size=2>with the client doing the encryption. </FONT></P> <P><FONT size=2>And the very same problem is also valid for archiving of signed data from authorities. </FONT><BR><FONT size=2>Using domain-PKI you get it for free. Using client-PKI (only) you get less </FONT><BR><FONT size=2>control which is bad as control probably was the reason for adding PKI in the first place! </FONT></P> <P><FONT size=2>And now the heat is on directories...</FONT> </P> <P><FONT size=2>An interesting side-effect of Purple-type of solutions is that [more or less] public directories</FONT> <BR><FONT size=2>holding information about employees become largely superfluous as all information required</FONT> <BR><FONT size=2>for a certain relation is in the tickets themselves. I.e. purchaser "profile" information is a</FONT> <BR><FONT size=2>typical item that now finally have gotten a suitable container to be transported in.</FONT> </P> <P><FONT size=2>/anders</FONT> </P></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0C29B.52808E10-- Received: from mailf.telia.com (mailf.telia.com [194.22.194.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id AAA07322 for <ietf-pkix@imc.org>; Wed, 11 Apr 2001 00:07:59 -0700 (PDT) Received: from arport ([212.181.94.147]) by mailf.telia.com (8.11.2/8.11.0) with SMTP id f3B77ix25258; Wed, 11 Apr 2001 09:07:45 +0200 (CEST) Message-ID: <008901c0c25d$5f4fb460$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "Fillingham, David W." <dwfilli@missi.ncsc.mil>, "PKIX-List" <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, <pki-twg@nist.gov>, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, <judith.spencer@gsa.gov>, <Michelle.Moldenhauer@do.treas.gov>, "'Steve Hanna \(SUN\)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com>, "Roger Younglove" <ryounglove@lucent.com> References: <8D7EC1912E25D411A32100D0B76953977CDD91@scygmxs01.cygnacom.com> Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations Date: Wed, 11 Apr 2001 09:59:39 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0084_01C0C26E.1F962AA0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 This is a multi-part message in MIME format. ------=_NextPart_000_0084_01C0C26E.1F962AA0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable RE: DoD Bridge Certification Authority Phase II DemonstrationsSantosh, I do understand this. But assume that your customers have so far not = been aware of alternatives? To say that they cannot accept intermediaries is like saying "we do not = trust file-servers". That's a rather extreme position. Many organizations live or die depending on = how their "intermediaries" work. You did not comment on all the drawbacks of using client-end-to-end = encryption in an organization- environment. If a project group involves very few people (two lawyers on the same = case) that have exclusive rights to their information the situation may call for end-to-end = encryption. I.e. domain-PKI is definitely not only about security, but about who is = in control (i.e. owns and is responsible for the information). If DoD builds on a model where the = individual is the owner, I think that they pretty soon will get severe problems, as lost private = keys can lead to information- loss in a way the paper-world have never seen. Then we are into key = backup-schemes that if applied to individuals is a major problem. Applied to domain-PKI it = is *almost* reasonable. Anders ----- Original Message -----=20 From: Santosh Chokhani=20 To: Anders Rundgren ; Santosh Chokhani ; Fillingham, David W. ; = PKIX-List ; 'KPCMWG' ; 'DoD PKI TWG' ; pki-twg@nist.gov ; 'Bridge CA = Mail List' ; 'BCA Integration' ; 'Steve Capps' ; Wagner, Clark J. ; = judith.spencer@gsa.gov ; Michelle.Moldenhauer@do.treas.gov ; 'Steve = Hanna (SUN)' ; 'Susan Dernik' ; Roger Younglove=20 Sent: Tuesday, April 10, 2001 23:30 Subject: RE: DoD Bridge Certification Authority Phase II = Demonstrations Anders:=20 I do not think you understand this. My customers do not want = intermediate systems except the people working on the project to access = the data. -----Original Message-----=20 From: Anders Rundgren [mailto:anders.rundgren@telia.com]=20 Sent: Tuesday, April 10, 2001 5:26 PM=20 To: Santosh Chokhani; Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD=20 PKI TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration';=20 'Steve Capps'; Wagner, Clark J.; judith.spencer@gsa.gov;=20 Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna (SUN)'; 'Susan = Dernik';=20 Roger Younglove=20 Subject: Re: DoD Bridge Certification Authority Phase II = Demonstrations=20 Santosh,=20 >Having looked at the papers you sent, I think your solutions may be = ok as a B2B solution.=20 I believe so.=20 >But, I see end to end security requiring PKI. Even in our company's = case where=20 >we run independent labs, do PKI consulting and build PKI products, = some of our lab=20 >customers when they send us documents over the Internet, they want = only the lab=20 >personnel assigned to the project to read it. They do it using = end-end encryption.=20 >PKI concepts were designed for this distributed, client centric = model.=20 Even in this example you have conflicts with different interests that = may suggest that=20 a domain-solution could fit as well. Assume that more than one = individual is=20 supposed to be able to access the sent document. In that case it would = be more=20 appropriate to encrypt using a domain public key and let the = receiver's local client file access=20 system direct who is going to have access to the document. Otherwise = it looks=20 like this document is not a part of some organization's activity and = in that case=20 domain-PKI does of course not apply. In the senders end it may be in = the=20 organization's interests to monitor all outgoing documents. That is in = conflict=20 with the client doing the encryption.=20 And the very same problem is also valid for archiving of signed data = from authorities.=20 Using domain-PKI you get it for free. Using client-PKI (only) you get = less=20 control which is bad as control probably was the reason for adding PKI = in the first place!=20 And now the heat is on directories...=20 An interesting side-effect of Purple-type of solutions is that [more = or less] public directories=20 holding information about employees become largely superfluous as all = information required=20 for a certain relation is in the tickets themselves. I.e. purchaser = "profile" information is a=20 typical item that now finally have gotten a suitable container to be = transported in.=20 /anders=20 ------=_NextPart_000_0084_01C0C26E.1F962AA0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>RE: DoD Bridge Certification Authority Phase II = Demonstrations</TITLE> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2> <DIV><FONT face=3DArial size=3D2>Santosh,</FONT></DIV> <DIV><FONT face=3DArial size=3D2>I do understand this. But assume that = your=20 customers have so far not been aware of alternatives?</FONT></DIV> <DIV><FONT face=3DArial size=3D2>To say that they cannot accept = intermediaries is=20 like saying "we do not trust file-servers". = That's</FONT></DIV> <DIV><FONT face=3DArial size=3D2>a rather extreme position. Many = organizations=20 live or die depending on how their "intermediaries" work.</FONT></DIV> <DIV> </DIV> <DIV>You did not comment on all the drawbacks of using client-end-to-end = encryption in an organization-</DIV> <DIV>environment.</DIV> <DIV> </DIV> <DIV>If a project group involves very few people (two lawyers on = the same=20 case) that have exclusive</DIV> <DIV>rights to their information the situation may call for end-to-end=20 encryption.</DIV> <DIV> </DIV> <DIV>I.e. domain-PKI is definitely not only about security, but about = who is in=20 control (i.e. owns and is</DIV> <DIV>responsible for the information). If DoD builds on a model = where the=20 individual is the owner,</DIV> <DIV>I think that they pretty soon will get severe problems, as lost = private=20 keys can lead to information-</DIV> <DIV>loss in a way the paper-world have never seen. Then we are = into key=20 backup-schemes that</DIV> <DIV>if applied to individuals is a major problem. Applied to = domain-PKI=20 it is *almost* reasonable.</DIV> <DIV> </DIV> <DIV>Anders</DIV></FONT></DIV> <BLOCKQUOTE=20 style=3D"BORDER-LEFT: #000000 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: = 0px; PADDING-LEFT: 5px; PADDING-RIGHT: 0px"> <DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV> <DIV=20 style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: = black"><B>From:</B>=20 <A href=3D"mailto:chokhani@cygnacom.com" = title=3Dchokhani@cygnacom.com>Santosh=20 Chokhani</A> </DIV> <DIV style=3D"FONT: 10pt arial"><B>To:</B> <A=20 href=3D"mailto:anders.rundgren@telia.com" = title=3Danders.rundgren@telia.com>Anders=20 Rundgren</A> ; <A href=3D"mailto:chokhani@cygnacom.com"=20 title=3Dchokhani@cygnacom.com>Santosh Chokhani</A> ; <A=20 href=3D"mailto:dwfilli@missi.ncsc.mil" = title=3Ddwfilli@missi.ncsc.mil>Fillingham,=20 David W.</A> ; <A href=3D"mailto:ietf-pkix@imc.org"=20 title=3Dietf-pkix@imc.org>PKIX-List</A> ; <A = href=3D"mailto:kpcm@kpcmwg.org"=20 title=3Dkpcm@kpcmwg.org>'KPCMWG'</A> ; <A = href=3D"mailto:DOD-BWG-TWG@kpcmwg.org"=20 title=3DDOD-BWG-TWG@kpcmwg.org>'DoD PKI TWG'</A> ; <A=20 href=3D"mailto:pki-twg@nist.gov" = title=3Dpki-twg@nist.gov>pki-twg@nist.gov</A> ;=20 <A href=3D"mailto:BridgeCA@kpcmwg.org" = title=3DBridgeCA@kpcmwg.org>'Bridge CA Mail=20 List'</A> ; <A href=3D"mailto:bcatest@anassoc.com"=20 title=3Dbcatest@anassoc.com>'BCA Integration'</A> ; <A=20 href=3D"mailto:scapps@radium.ncsc.mil" = title=3Dscapps@radium.ncsc.mil>'Steve=20 Capps'</A> ; <A href=3D"mailto:cjwagne@missi.ncsc.mil"=20 title=3Dcjwagne@missi.ncsc.mil>Wagner, Clark J.</A> ; <A=20 href=3D"mailto:judith.spencer@gsa.gov"=20 title=3Djudith.spencer@gsa.gov>judith.spencer@gsa.gov</A> ; <A=20 href=3D"mailto:Michelle.Moldenhauer@do.treas.gov"=20 = title=3DMichelle.Moldenhauer@do.treas.gov>Michelle.Moldenhauer@do.treas.g= ov</A>=20 ; <A href=3D"mailto:steve.hanna@sun.com" = title=3Dsteve.hanna@sun.com>'Steve Hanna=20 (SUN)'</A> ; <A href=3D"mailto:Susan.Dernik@baltimore.com"=20 title=3DSusan.Dernik@baltimore.com>'Susan Dernik'</A> ; <A=20 href=3D"mailto:ryounglove@lucent.com" = title=3Dryounglove@lucent.com>Roger=20 Younglove</A> </DIV> <DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Tuesday, April 10, 2001 = 23:30</DIV> <DIV style=3D"FONT: 10pt arial"><B>Subject:</B> RE: DoD Bridge = Certification=20 Authority Phase II Demonstrations</DIV> <DIV><BR></DIV> <P><FONT size=3D2>Anders:</FONT> </P> <P><FONT size=3D2>I do not think you understand this. My = customers do not=20 want intermediate systems except the people working on the project to = access=20 the data.</FONT></P> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From:=20 Anders Rundgren [<A=20 = href=3D"mailto:anders.rundgren@telia.com">mailto:anders.rundgren@telia.co= m</A>]</FONT>=20 <BR><FONT size=3D2>Sent: Tuesday, April 10, 2001 5:26 PM</FONT> = <BR><FONT=20 size=3D2>To: Santosh Chokhani; Fillingham, David W.; PKIX-List; = 'KPCMWG';=20 'DoD</FONT> <BR><FONT size=3D2>PKI TWG'; <A=20 href=3D"mailto:pki-twg@nist.gov">pki-twg@nist.gov</A>; 'Bridge CA Mail = List';=20 'BCA Integration';</FONT> <BR><FONT size=3D2>'Steve Capps'; Wagner, = Clark J.; <A=20 = href=3D"mailto:judith.spencer@gsa.gov">judith.spencer@gsa.gov</A>;</FONT>= =20 <BR><FONT size=3D2><A=20 = href=3D"mailto:Michelle.Moldenhauer@do.treas.gov">Michelle.Moldenhauer@do= .treas.gov</A>;=20 'Steve Hanna (SUN)'; 'Susan Dernik';</FONT> <BR><FONT size=3D2>Roger=20 Younglove</FONT> <BR><FONT size=3D2>Subject: Re: DoD Bridge = Certification=20 Authority Phase II Demonstrations</FONT> </P><BR> <P><FONT size=3D2>Santosh, </FONT></P> <P><FONT size=3D2>>Having looked at the papers you sent, I think = your=20 solutions may be ok as a B2B solution. </FONT></P> <P><FONT size=3D2>I believe so.</FONT> </P> <P><FONT size=3D2>>But, I see end to end security requiring PKI. = Even in our=20 company's case where </FONT><BR><FONT size=3D2>>we run independent = labs, do=20 PKI consulting and build PKI products, some of our lab = </FONT><BR><FONT=20 size=3D2>>customers when they send us documents over the Internet, = they want=20 only the lab </FONT><BR><FONT size=3D2>>personnel assigned to the = project to=20 read it. They do it using end-end encryption. </FONT><BR><FONT = size=3D2>>PKI=20 concepts were designed for this distributed, client centric model. = </FONT></P> <P><FONT size=3D2>Even in this example you have conflicts with = different=20 interests that may suggest that </FONT><BR><FONT size=3D2>a = domain-solution=20 could fit as well. Assume that more than one individual is = </FONT><BR><FONT=20 size=3D2>supposed to be able to access the sent document. In that case = it would=20 be more </FONT><BR><FONT size=3D2>appropriate to encrypt using a = domain public=20 key and let the receiver's local client file access </FONT><BR><FONT=20 size=3D2>system direct who is going to have access to the document. = Otherwise it=20 looks </FONT><BR><FONT size=3D2>like this document is not a part of = some=20 organization's activity and in that case </FONT><BR><FONT = size=3D2>domain-PKI=20 does of course not apply. In the senders end it may be in the = </FONT><BR><FONT=20 size=3D2>organization's interests to monitor all outgoing documents. = That is in=20 conflict </FONT><BR><FONT size=3D2>with the client doing the = encryption.=20 </FONT></P> <P><FONT size=3D2>And the very same problem is also valid for = archiving of=20 signed data from authorities. </FONT><BR><FONT size=3D2>Using = domain-PKI you get=20 it for free. Using client-PKI (only) you get less </FONT><BR><FONT=20 size=3D2>control which is bad as control probably was the reason for = adding PKI=20 in the first place! </FONT></P> <P><FONT size=3D2>And now the heat is on directories...</FONT> </P> <P><FONT size=3D2>An interesting side-effect of Purple-type of = solutions is that=20 [more or less] public directories</FONT> <BR><FONT size=3D2>holding = information=20 about employees become largely superfluous as all information = required</FONT>=20 <BR><FONT size=3D2>for a certain relation is in the tickets = themselves. =20 I.e. purchaser "profile" information is a</FONT> <BR><FONT = size=3D2>typical item=20 that now finally have gotten a suitable container to be transported = in.</FONT>=20 </P> <P><FONT size=3D2>/anders</FONT> </P></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0084_01C0C26E.1F962AA0-- Received: from smtp-1.llnl.gov (smtp-1.llnl.gov [128.115.250.81]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA16882 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 18:47:30 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-1.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id SAA21534; Tue, 10 Apr 2001 18:47:02 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id SAA01703; Tue, 10 Apr 2001 18:47:02 -0700 (PDT) Message-Id: <4.3.2.7.2.20010410182907.00b23ae0@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 10 Apr 2001 18:50:29 -0700 To: Ed Gerck <egerck@nma.com> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: Meaning of Non-repudiation Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil>, Bob Jueneman <bjueneman@novell.com>, Dave.Oshman@identrus.com, ietf-pkix@imc.org In-Reply-To: <3AD3946E.83F01B8C@nma.com> References: <4.3.2.7.2.20010406162323.00ae9dc0@poptop.llnl.gov> <4.3.2.7.2.20010409131329.00b04c30@poptop.llnl.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 04:17 PM 4/10/01 -0700, Ed Gerck wrote: >List: > >I think there is some agreement, on this page at least. What the current >NR bit is signaling is that there is (somewhere, not necessarily at the >CA) some proof of authentication. I suggested the name POA (proof >of authentication) at the last time we discussed this. The POA does not >have to be persistent, though -- it may be valid only for a short time >(in practice we find that a short time correlates well with higher >assurance), some time in the past. > >OTOH, we still have the pesky problem of denoting a service that >prevents the denial of an act, which prevention also needs to be >qualified. Preventing the denial of act X cannot be derived from >affirming act Y, usually, and thus non-repudiation is IMO a necessary >primitive in certification procedures, in the same way (and not less) >that authentication is. > >In particular, the oftentimes expressed idea that non-repudiation is a strong >form of authentication, or a persistent form of authentication, is possibly at >the root of this confusion. It is neither, as we can see by re-reading (if >we must) the NR thread in this listserv. So, if NR is missing (as it is >becoming >clearer) then we are also missing an important part of a our toolkit. Calling >the current NR-bit the POA-bit or the PDA-bit only solves the semantic >problem, not the technical problem. Not very useful, considering the other >semantic problems in PKIX/X.509 that are left untouched (let's talk about >"Distinguished Names"?). Hi Ed! Good call. (I guess I need to review those archives ... :) It would be nice to have concise definitions for PDA (Persistent Data Authentication) and POA (Proof of Authentication) in marginally technical (read: tangible) terms. Then, consideration of NR might be more clearly understood in contrast. When you say that POA need not require persistence, do you mean to imply that (given short-term POA,) persistence becomes a separate chain-of-custody issue? Do you feel that Tom Ginden's "Technical NR" provides a basis for POA/PDA ? Do you feel that there is anything else that a certificate could hold (and to which a CA would attest) that would move further in support of NR capability? Or is anything beyond a POA assurance the purview of an entirely independent service? Cheers! ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from taurus.hosting4u.net (taurus.hosting4u.net [209.15.2.33]) by above.proper.com (8.9.3/8.9.3) with SMTP id QAA08087 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 16:17:16 -0700 (PDT) Received: from nma.com ([63.204.17.82]) by taurus.hosting4u.net ; Tue, 10 Apr 2001 18:17:05 -0500 Message-ID: <3AD3946E.83F01B8C@nma.com> Date: Tue, 10 Apr 2001 16:17:02 -0700 From: Ed Gerck <egerck@nma.com> X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Tony Bartoletti <azb@llnl.gov> CC: "David P. Kemp" <dpkemp@missi.ncsc.mil>, Bob Jueneman <bjueneman@novell.com>, Dave.Oshman@identrus.com, ietf-pkix@imc.org Subject: Re: Meaning of Non-repudiation References: <4.3.2.7.2.20010406162323.00ae9dc0@poptop.llnl.gov> <4.3.2.7.2.20010409131329.00b04c30@poptop.llnl.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit List: I think there is some agreement, on this page at least. What the current NR bit is signaling is that there is (somewhere, not necessarily at the CA) some proof of authentication. I suggested the name POA (proof of authentication) at the last time we discussed this. The POA does not have to be persistent, though -- it may be valid only for a short time (in practice we find that a short time correlates well with higher assurance), some time in the past. OTOH, we still have the pesky problem of denoting a service that prevents the denial of an act, which prevention also needs to be qualified. Preventing the denial of act X cannot be derived from affirming act Y, usually, and thus non-repudiation is IMO a necessary primitive in certification procedures, in the same way (and not less) that authentication is. In particular, the oftentimes expressed idea that non-repudiation is a strong form of authentication, or a persistent form of authentication, is possibly at the root of this confusion. It is neither, as we can see by re-reading (if we must) the NR thread in this listserv. So, if NR is missing (as it is becoming clearer) then we are also missing an important part of a our toolkit. Calling the current NR-bit the POA-bit or the PDA-bit only solves the semantic problem, not the technical problem. Not very useful, considering the other semantic problems in PKIX/X.509 that are left untouched (let's talk about "Distinguished Names"?). Cheers, Ed Gerck Tony Bartoletti wrote: > At 02:00 PM 4/9/01 -0400, David P. Kemp wrote: > >Bob Jueneman wrote: > > > > > > And given that scenario, I continue to believe that the currently > > > ill-defined bit should be officially deprecated, and some other > > > attributes defined as necessary with a great deal more precision. > > > If ISO X.509 and/or the PKIX group refuses to deprecate the bit, > > > then certainly the user community should. IMHO, of course. > > > >And I continue to believe you are correct. NR should be deprecated, > >and replaced with a new name for bit 0: "Persistent Data > >Authentication", which would have the property that was once > >called "Technical NR". > > I have to agree. The greatest utility of this bit, a quality over which > the CA actually has some control, is the commitment to provide for a degree > of data-persistence. If such a revision would occur, these discussions > could actually address something tangible. > > ___tony___ > > Tony Bartoletti 925-422-3881 <azb@llnl.gov> > Information Operations, Warfare and Assurance Center > Lawrence Livermore National Laboratory > Livermore, CA 94551-9900 Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA01952 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 14:39:25 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <2VHDBVBJ>; Tue, 10 Apr 2001 17:38:57 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CDD91@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Anders Rundgren <anders.rundgren@telia.com>, Santosh Chokhani <chokhani@cygnacom.com>, "Fillingham, David W." <dwfilli@missi.ncsc.mil>, PKIX-List <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, pki-twg@nist.gov, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, judith.spencer@gsa.gov, Michelle.Moldenhauer@do.treas.gov, "'Steve Hanna (SUN)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com>, Roger Younglove <ryounglove@lucent.com> Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations Date: Tue, 10 Apr 2001 17:30:26 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C205.75010500" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C205.75010500 Content-Type: text/plain; charset="iso-8859-1" Anders: I do not think you understand this. My customers do not want intermediate systems except the people working on the project to access the data. -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren@telia.com] Sent: Tuesday, April 10, 2001 5:26 PM To: Santosh Chokhani; Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; 'Steve Capps'; Wagner, Clark J.; judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna (SUN)'; 'Susan Dernik'; Roger Younglove Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations Santosh, >Having looked at the papers you sent, I think your solutions may be ok as a B2B solution. I believe so. >But, I see end to end security requiring PKI. Even in our company's case where >we run independent labs, do PKI consulting and build PKI products, some of our lab >customers when they send us documents over the Internet, they want only the lab >personnel assigned to the project to read it. They do it using end-end encryption. >PKI concepts were designed for this distributed, client centric model. Even in this example you have conflicts with different interests that may suggest that a domain-solution could fit as well. Assume that more than one individual is supposed to be able to access the sent document. In that case it would be more appropriate to encrypt using a domain public key and let the receiver's local client file access system direct who is going to have access to the document. Otherwise it looks like this document is not a part of some organization's activity and in that case domain-PKI does of course not apply. In the senders end it may be in the organization's interests to monitor all outgoing documents. That is in conflict with the client doing the encryption. And the very same problem is also valid for archiving of signed data from authorities. Using domain-PKI you get it for free. Using client-PKI (only) you get less control which is bad as control probably was the reason for adding PKI in the first place! And now the heat is on directories... An interesting side-effect of Purple-type of solutions is that [more or less] public directories holding information about employees become largely superfluous as all information required for a certain relation is in the tickets themselves. I.e. purchaser "profile" information is a typical item that now finally have gotten a suitable container to be transported in. /anders ------_=_NextPart_001_01C0C205.75010500 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: DoD Bridge Certification Authority Phase II = Demonstrations</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Anders:</FONT> </P> <P><FONT SIZE=3D2>I do not think you understand this. My = customers do not want intermediate systems except the people working on = the project to access the data.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Anders Rundgren [<A = HREF=3D"mailto:anders.rundgren@telia.com">mailto:anders.rundgren@telia.c= om</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Tuesday, April 10, 2001 5:26 PM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani; Fillingham, David W.; = PKIX-List; 'KPCMWG'; 'DoD</FONT> <BR><FONT SIZE=3D2>PKI TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; = 'BCA Integration';</FONT> <BR><FONT SIZE=3D2>'Steve Capps'; Wagner, Clark J.; = judith.spencer@gsa.gov;</FONT> <BR><FONT SIZE=3D2>Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna = (SUN)'; 'Susan Dernik';</FONT> <BR><FONT SIZE=3D2>Roger Younglove</FONT> <BR><FONT SIZE=3D2>Subject: Re: DoD Bridge Certification Authority = Phase II Demonstrations</FONT> </P> <BR> <P><FONT SIZE=3D2>Santosh, </FONT> </P> <P><FONT SIZE=3D2>>Having looked at the papers you sent, I think = your solutions may be ok as a B2B solution. </FONT> </P> <P><FONT SIZE=3D2>I believe so.</FONT> </P> <P><FONT SIZE=3D2>>But, I see end to end security requiring PKI. = Even in our company's case where </FONT> <BR><FONT SIZE=3D2>>we run independent labs, do PKI consulting and = build PKI products, some of our lab </FONT> <BR><FONT SIZE=3D2>>customers when they send us documents over the = Internet, they want only the lab </FONT> <BR><FONT SIZE=3D2>>personnel assigned to the project to read it. = They do it using end-end encryption. </FONT> <BR><FONT SIZE=3D2>>PKI concepts were designed for this distributed, = client centric model. </FONT> </P> <P><FONT SIZE=3D2>Even in this example you have conflicts with = different interests that may suggest that </FONT> <BR><FONT SIZE=3D2>a domain-solution could fit as well. Assume that = more than one individual is </FONT> <BR><FONT SIZE=3D2>supposed to be able to access the sent document. In = that case it would be more </FONT> <BR><FONT SIZE=3D2>appropriate to encrypt using a domain public key and = let the receiver's local client file access </FONT> <BR><FONT SIZE=3D2>system direct who is going to have access to the = document. Otherwise it looks </FONT> <BR><FONT SIZE=3D2>like this document is not a part of some = organization's activity and in that case </FONT> <BR><FONT SIZE=3D2>domain-PKI does of course not apply. In the senders = end it may be in the </FONT> <BR><FONT SIZE=3D2>organization's interests to monitor all outgoing = documents. That is in conflict </FONT> <BR><FONT SIZE=3D2>with the client doing the encryption. </FONT> </P> <P><FONT SIZE=3D2>And the very same problem is also valid for archiving = of signed data from authorities. </FONT> <BR><FONT SIZE=3D2>Using domain-PKI you get it for free. Using = client-PKI (only) you get less </FONT> <BR><FONT SIZE=3D2>control which is bad as control probably was the = reason for adding PKI in the first place! </FONT> </P> <P><FONT SIZE=3D2>And now the heat is on directories...</FONT> </P> <P><FONT SIZE=3D2>An interesting side-effect of Purple-type of = solutions is that [more or less] public directories</FONT> <BR><FONT SIZE=3D2>holding information about employees become largely = superfluous as all information required</FONT> <BR><FONT SIZE=3D2>for a certain relation is in the tickets = themselves. I.e. purchaser "profile" information is = a</FONT> <BR><FONT SIZE=3D2>typical item that now finally have gotten a suitable = container to be transported in.</FONT> </P> <P><FONT SIZE=3D2>/anders</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C205.75010500-- Received: from maila.telia.com (maila.telia.com [194.22.194.231]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA00938 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 14:28:27 -0700 (PDT) Received: from d1o69.telia.com (d1o69.telia.com [62.20.144.241]) by maila.telia.com (8.9.3/8.9.3) with ESMTP id XAA10187; Tue, 10 Apr 2001 23:27:56 +0200 (CEST) Received: from mega (t2o69p79.telia.com [62.20.144.199]) by d1o69.telia.com (8.10.2/8.10.1) with SMTP id f3ALRsa01203; Tue, 10 Apr 2001 23:27:54 +0200 (CEST) Message-ID: <003701c0c204$d4e10bb0$0200a8c0@vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "Fillingham, David W." <dwfilli@missi.ncsc.mil>, "PKIX-List" <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, <pki-twg@nist.gov>, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, <judith.spencer@gsa.gov>, <Michelle.Moldenhauer@do.treas.gov>, "'Steve Hanna \(SUN\)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com>, "Roger Younglove" <ryounglove@lucent.com> References: <8D7EC1912E25D411A32100D0B76953977CDD80@scygmxs01.cygnacom.com> Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations Date: Tue, 10 Apr 2001 23:25:53 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id OAA00939 Santosh, >Having looked at the papers you sent, I think your solutions may be ok as a B2B solution. I believe so. >But, I see end to end security requiring PKI. Even in our company's case where >we run independent labs, do PKI consulting and build PKI products, some of our lab >customers when they send us documents over the Internet, they want only the lab >personnel assigned to the project to read it. They do it using end-end encryption. >PKI concepts were designed for this distributed, client centric model. Even in this example you have conflicts with different interests that may suggest that a domain-solution could fit as well. Assume that more than one individual is supposed to be able to access the sent document. In that case it would be more appropriate to encrypt using a domain public key and let the receiver's local client file access system direct who is going to have access to the document. Otherwise it looks like this document is not a part of some organization's activity and in that case domain-PKI does of course not apply. In the senders end it may be in the organization's interests to monitor all outgoing documents. That is in conflict with the client doing the encryption. And the very same problem is also valid for archiving of signed data from authorities. Using domain-PKI you get it for free. Using client-PKI (only) you get less control which is bad as control probably was the reason for adding PKI in the first place! And now the heat is on directories... An interesting side-effect of Purple-type of solutions is that [more or less] public directories holding information about employees become largely superfluous as all information required for a certain relation is in the tickets themselves. I.e. purchaser "profile" information is a typical item that now finally have gotten a suitable container to be transported in. /anders Received: from mclean5-mail.usae.bah.com (mclean5-mail.usae.bah.com [156.80.5.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA26202 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 13:33:29 -0700 (PDT) Received: from bah.com ([134.205.161.104]) by mclean5-mail.usae.bah.com (Netscape Messaging Server 4.15) with ESMTP id GBLFRW00.UQU; Tue, 10 Apr 2001 16:33:32 -0400 Message-ID: <3AD36E1C.868AD26D@bah.com> Date: Tue, 10 Apr 2001 16:33:32 -0400 From: "Frank Lawrence" <frank_lawrence@bah.com> X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Anders Rundgren <anders.rundgren@telia.com> CC: PKIX-List <ietf-pkix@imc.org> Subject: Re: Domain-PKI. Was: DoD Bridge Certification Authority Phase II Demonstrations References: <8D7EC1912E25D411A32100D0B76953977CDD31@scygmxs01.cygnacom.com> <4.2.2.20010410090827.00d70630@POP7.ins.com> <014d01c0c1df$aebe0390$0500a8c0@arport> <3AD34590.72533654@bah.com> <012201c0c1f5$9f92cc00$0200a8c0@vincent.se> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Embedded stuff below: Anders Rundgren wrote: > > The problem that I see with the Purple model is that there is a requirement for > > explicit trust between the "partners". Known partners are nice but does not solve > > the broader problem of extending trust. > > Now you hit a weak point in PKI in general. What do we mean by trust? That the > entity is the one they are claiming to be? I do not belie (PKI is a religion?) > that it is enough that you have a certificate from a trusted CA. Because if you want > to conduct business you may actually be more interested in knowing that a buyer > is capable of paying or that the supplier delivers. Such information can sometimes be > obtained from TTP's specializing in such data (e.g. D & B). By identifying the entity > with their organization certificate you have the "perfect handle" for perfoming such > queries. And how much trust you have in an unkown organization is up to every > partner to decide. I.e. a CA <> God! > I agree this is the generic problem with PKI as implemented in the commercial world where there is no control of the issuing process. The certificate policy in use at any CA is, in general, very weak. A strong (and enforced) certificate policy provide better assurance. The stronger the mechanisms (such as hardware token vice storing keys on hard drive) the higher the assurance level. > > > Works fine as long as the number of partners is small, but is combinatorially > > explosive as the number of partners becomes large. > > No, domain-PKI follows a linear scale as partners are autonomous. I.e. domain-PKI > is simply a way for an organization to sign messages using a digital version of their > company paper. But unlike the paper-version, the digital version is usually issued by > a TTP and is extremely hard to forge. > Each organization of N must maintain n-1 relationships if the they all must have trust with each other. If I remember my analysis of algorithms class correctly (it has been several years!), that is N^n-1 relationships, which I do not believe is linear. > > > The ability to manage that > > large number of trust relationships becomes just as difficult as the bridge CA > > problem. The "unwieldy" PKI created by DoD elminates that problem, at least within > > DoD where there are hundreds (maybe thousands?) of "partner" domains. At least > > within DoD there is an understanding of the level of trust involved in getting a > > certificate. > > Many companies have more than 10000 suppliers, domain-PKI adds little > to the complexity (in principal at least). And it definitely beats current > "state-of-the-art-solutions" using user-ID passwords on partner sites. Agree that userid and password is not a good solution. Its the "in principle" I am concern with. If all 10000 were issued by someone they all trust, then the maintenance of the relationships is definitiely simpler. In the commercial world, that is probably NOT realistic. In an organization with several thousand domains IN it (like DoD), it certainly has its advantages, especially when you allocate the time and resources needed to have a high assurance issuance policy. > > > > The current HTTPS model is a bad example of trust because there is no (valid) > > presumption of trust between a web server and a client. SSL encrypts the pipe but > > there is no method for determining if the client or the server is who they claim to > > be. Trivial to spoof either (or both) although the pipe is secure from > > observation. Even IPSEC based authentication (a step above the SSL model) does not > > provide any assurance that the claimed user is who they say they are. Unless there > > is a trust model that extends across the network, in a scalable manner, then the > > relying party is left holding the bag. > > Client-PKI does not make you safe from impersonators, or does it? If you trust the CA and the user maintains control of the private identity key then yes. Who do you trust and why is the critical issue. Most organizations do not have the discipline to make and enforce a high assurance certificate policy. > > > > Finally, to trust a domain, you must understand how that domain issues > > certificates. If there is no policy which tells a relying party what the level of > > assurance is involved in the creation of the certificate, then the level of trust > > you place in that certificate is zero. > > If you refer to the Purple tickets they are no different than purchase orders (which > BTW is sort of a certificate). If you trust the purchase orders you ought to be able to > trust tickets as they are created about the same way by the very same system > run by the very same organization and staff. > I think a lawyer would tell you that you trust in the purchase order comes from the wet signature on the purchgase order, not the form itself. If taken to court, the signature will be the subject of the discussion, not the form. If the purple ticket is issued without any authentication required for the person who gets the ticket, that is like setting a stack of signed blank forms at the receptionists desk! If I hack a local client, does the server provide appropriate credentials when I go out and order things which are not required? Is the company which owns the server liable for the orders placed? > > But the motives for domain-PKI have so many more elements that I could go on > the whole night to describe them all but I think it is better to go through the > references instead of just repeating myself. > > ==================================================== > With the exception of end-to-end authentication, domain-PKI IMO seems to > beat client-based PKIs for B2B by a mile. Regarding end-to-end authentication > of Purple tickets (and Shibboleth and SAML dittos), I have BTW a few suggestions > that I would like to discuss with interested parties. It looks like this indeed can be > solved in a very convenient way (no local client configuration) but it requires an upgraded > browser. > ==================================================== > > Anders Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA25468 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 13:21:10 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <2VHDBT6J>; Tue, 10 Apr 2001 16:20:41 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CDD81@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Frank Lawrence <frank_lawrence@bah.com>, Anders Rundgren <anders.rundgren@telia.com> Cc: Santosh Chokhani <chokhani@cygnacom.com>, "Fillingham David W." <dwfilli@missi.ncsc.mil>, PKIX-List <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, pki-twg@nist.gov, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, * ALL FIREBURST USERS * <all@missi.ncsc.mil>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner Clark J." <cjwagne@missi.ncsc.mil>, judith.spencer@gsa.gov, Michelle.Moldenhauer@do.treas.gov, "'Steve Hanna (SUN)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com>, Roger Younglove <ryounglove@lucent.com> Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations Date: Tue, 10 Apr 2001 16:12:09 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C1FA.855FB280" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C1FA.855FB280 Content-Type: text/plain; charset="iso-8859-1" Larry: 1. Trust between two clients is required regardless of the model. It could be explicit (cross certification) or indirect (Bridge CA). The effort involved is about the same. 2. Bridge CA does NOT have combinatorial explosion since it scales linearly. N folks need N agreements with the Bridge as opposed to n*(n-1)/2. 3. Look at the purple model. All it is doing is letting the organization server sign the PO etc. as opposed to Purchasing Officer. It is not necessarily SSL. We could argue as to how to tighten the server authentication process. -----Original Message----- From: Frank Lawrence [mailto:frank_lawrence@bah.com] Sent: Tuesday, April 10, 2001 1:41 PM To: Anders Rundgren Cc: Santosh Chokhani; Fillingham David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; * ALL FIREBURST USERS *; 'Steve Capps'; Wagner Clark J.; judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna (SUN)'; 'Susan Dernik'; Roger Younglove Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations I will take a shot of the problem with the purple model. The problem that I see with the Purple model is that there is a requirement for explicit trust between the "partners". Known partners are nice but does not solve the broader problem of extending trust. Works fine as long as the number of partners is small, but is combinatorially explosive as the number of partners becomes large. The ability to manage that large number of trust relationships becomes just as difficult as the bridge CA problem. The "unwieldy" PKI created by DoD elminates that problem, at least within DoD where there are hundreds (maybe thousands?) of "partner" domains. At least within DoD there is an understanding of the level of trust involved in getting a certificate. The current HTTPS model is a bad example of trust because there is no (valid) presumption of trust between a web server and a client. SSL encrypts the pipe but there is no method for determining if the client or the server is who they claim to be. Trivial to spoof either (or both) although the pipe is secure from observation. Even IPSEC based authentication (a step above the SSL model) does not provide any assurance that the claimed user is who they say they are. Unless there is a trust model that extends across the network, in a scalable manner, then the relying party is left holding the bag. Finally, to trust a domain, you must understand how that domain issues certificates. If there is no policy which tells a relying party what the level of assurance is involved in the creation of the certificate, then the level of trust you place in that certificate is zero. Anders Rundgren wrote: > Roger, > > >IMHO, when you have multiple PKIs with in any industry such as the > >Automotive (ie. ANX) or the Government, cross certification become a > >problem because the certificate chain of trust becomes so unwieldy and > >revocation of a PKI is also a problem. The Bridge scenario solves this > >problem. It is not the only solution but the simplest with a number of > >existing PKIs. > > Agreed, Bridge CAs solves (some of) the problems created by > unwieldy PKIs such as those created by DoD. > > Domain-PKI does not requires such solutions as it is much simpler > to create and maintain. 100 millions users of Internet use it today > when they address an https URL. That's simplicity IMHO. > Applied to B2B it gets just slightly more complicated. > > Anders > > At 05:21 AM 04/10/2001 , Anders Rundgren wrote: > >Santosh, > >Domain (server-based) PKI offers persistent signatures for non-repudiation > >at a fraction > >of the cost (and inconvenience) that inter-organization client-based > >signatures introduce. > >The need for bridge-CAs using domain-PKI is IMO very limited as the number > >of CAs is > >reduced by several orders of magnitude by such approaches. 5-10 CAs > >worldwide is my guess. > > > >I do have read the paper by Bill Burr. Did you read about Purple? I.e. do > >you see a problem with this model? > > > >BTW, I am a (currently only lurking due to high work-load) member of the > >OASIS Security Services TC where > >domain-based solutions are standardized. I have never ever seen such an > >enormous committee activity so domain > >security is indeed red-hot. > > > >Internet2 with their Shibboleth distributed multi-campus authentication > >system will be based on domain-PKI. > > > >Personally I expect the next version of OBI (Open Buying on the Internet) > >to be entirely based > >on this concept by throwing out the inter-organization client-certs (that > >never worked, so just about > >everybody turned to user-ID/passwords in spite of not being a part of the > >standard). > > > >VISA's coming 3D Secure credit-card payment system is also based on > >domain-PKI. > > > >Due to this, I think that DoD (and similar organizations all over the > >globe) should very carefully evaluate the > >domain security alternative before they do any new investments in CA systems. > > > >Regards > >Anders > >----- Original Message ----- > >From: Santosh Chokhani > >To: Anders Rundgren ; Fillingham, David W. ; PKIX-List ; 'KPCMWG' ; 'DoD > >PKI TWG' ; pki-twg@nist.gov ; 'Bridge CA Mail List' ; 'BCA > >Integration' ; * ALL FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. > >; judith.spencer@gsa.gov ; > >Michelle.Moldenhauer@do.treas.gov ; 'Steve Hanna (SUN)' ; 'Susan Dernik' > >Sent: Monday, April 09, 2001 22:39 > >Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations > > > > > >Anders: > >I think Bridge technology can be helpful to a vertical segment such as > >banking, health care, automotive industry etc. in order to > >facilitate secure e-commerce among the trading partners where persistent > >digital signature for non-repudiation may be required. > >Also, given how organizations manage their Web sites and we hear about Web > >server break-in, persistent encryption (beyond SSL > >transport) may call for interoperable, inter-domain PKI. Again Bridge CA > >can help. > >Actually, I can see the benefits of layers (strata) of Bridge CAs, e.g., > >Bridge CAs from various vertical segments themselves > >connecting to a Omni-Bridge. In that case, the Bridge CAs will be > >Principal CAs. > >I assume you have had a chance to review the excellent paper on the Bridge > >concept developed by Bill Burr. > >-----Original Message----- > >From: Anders Rundgren [mailto:anders.rundgren@telia.com] > >Sent: Monday, April 09, 2001 2:08 PM > >To: Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; > >pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; * ALL > >FIREBURST USERS *; 'Steve Capps'; Wagner, Clark J.; > >judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna > >(SUN)'; 'Susan Dernik' > >Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations > > > > > >David, > >This is indeed an ambitious project. Unfortunately I doubt that the Bridge > >model has any relevance in > >the private sector that for inter-organization communication, is more > >likely to deploy domain-based > >PKI-solutions, that have the major advantage of already being supported by > >global TTPs which makes > >domain security solutions useful for organizations of any size. I.e. > >VeriSign's issuance of web-server > >certificates is "approximately" what is needed. > >That domain security is incompatible with most current digital signature > >laws is a pity. Particularly for > >the lawyers who created them. :-) > >Using domain security, tracing, message archiving, and user-control is > >essentially built-in. > >A further advantage of domain security models is that client security > >solutions can develop in a > >different pace at each organization. As they have for current > >Internet-banks that is so far the only > >large-scale (almost) secure multi-organization transaction-environment on > >the Internet. > >The question that comes to my mind is: Will all Governments in the world > >continue to adopt the > >"All-speak-with-all-PKI" approach in spite of the fact that the private > >sector probably have shunned it > >due to complexity, privacy concerns, lack of control, and cost? > >Regard > >Anders Rundgren > >X-OBI read: http://www.x-obi.com/purple run: http://buyer.x-obi.com > > > > > > > >----- Original Message ----- > >From: Fillingham, David W. > >To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD PKI TWG' ; 'pki-twg@nist.gov' ; > >'Bridge CA Mail List' ; 'BCA Integration' ; * ALL > >FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. ; > >'judith.spencer@gsa.gov' ; 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve Hanna > >(SUN)' ; 'Susan Dernik' > >Sent: Friday, April 06, 2001 16:48 > >Subject: DoD Bridge Certification Authority Phase II Demonstrations > > > > > >For the last few years, the National Security Agency has led the > >development of Bridge Certification Authority (BCA) technology > >demonstrations. In 1999, Phase One of the Department of Defense BCA > >Technology Demonstration showed the technical feasibility of > >achieving signed e-mail interoperability using multi-vendor > >cross-certification in conjunction with chained directory systems. > > > >Phase Two of the demonstration is now ready to be shown. Phase Two of the > >DoD Bridge CA Phase II Technology Demonstration includes: > > > >Technologies: > > > >-- Certificate chain building in complex certificate graphs; > >-- Integration of both mesh-style cross-certified PKIs and hierarchical PKIs; > >-- Multi-signature/hash algorithm processing in certificate chains; > >-- Certificate acceptance/rejection based on Certificate Policy > >processing, including policy mapping; > >-- Transitive trust limitation using Name Constraints processing; > >-- Access Control using X.509 compliant attribute certificates (same > >attribute certificates used for e-mail and web based access > >control); > >-- E-mail access control using S/MIME V3 labeling; > >-- E-mail encryption using public key certificates authenticated via a > >Bridge Certification Authority; > >-- Border Directories; > >-- Multivendor directory interoperation via X.500 chaining; and, > >-- Transparent sharing of certificate revocation information across > >several PKIs using products of multiple PKI vendors. > > > >Client Applications: > > > >-- Baltimore Technologies MailSecure enabled Microsoft Outlook > >-- Entrust Enabled Microsoft Outlook > >-- Getronics S/MIME Freeware Library, Certificate Management Library, and > >Access Control Library enabled Qualcomm Eudora > >-- Getronics Certificate Management Library and Access Control Library > >enabled Netscape Web Server > > > >Freeware Libraries: > > > >-- Cygnacom Certificate Path Development Library > > <http://www.cygnacom.com/products/index.htm> > >-- Getronics S/MIME (Version 3) Freeware Library > > <http://www.getronicsgov.com/hot/sfl_home.htm> > >-- Getronics Certificate Management Library > > <http://www.getronicsgov.com/hot/cml_home.htm> > >-- Getronics Access Control Library > > <http://www.getronicsgov.com/hot/acl_home.htm> > >CA vendor interoperability demonstrations: > > > >-- Baltimore Technologies > >-- Entrust Technologies > >-- Motorola > >-- SPYRUS > > > >Directory Interoperability: > >-- Entrust ICL > >-- Entegrity Safepages Directory > >Demonstrations will be held at the following locations and dates (note > >that you MUST REGISTER to attend! Registration information > >is provided below): > > > >---------- > >CygnaCom > >Suite 100 West > >7927 Jones Branch Dr. > >McLean, Virginia > > > >Directions to CygnaCom are located > >at: <http://www.cygnacom.com/contact/directions.htm> > > > >26 April 2001 - 0900 > > > >26 April 2001 - 1300 > > > >16 May 2001 - 0900 > > > >16 May 2001 - 1300 > > > >--------- > >Getronics Government Solutions > >141 National Business Parkway, Suite 210 > >Annapolis Junction, Maryland > > > > From Washington DC: Take I-95 north; take MD Rt 32 east exit; take Dorsey > >Run exit; at stop sign turn left on Dorsey Run; at stop light turn right on > >Guilford Road which becomes National Business Pkwy. > > > > From Baltimore: Take BW Parkway (295) south; take MD Rt 32 west exit; stay > >in right lane of the exit which runs into National Business Pkwy; make a > >right on National Business Pkwy. > > > >30 April 2001 - 1300 > > > >8 May 2001 - 0900 > > > >8 May 2001 - 1300 > > > >24 May 2001 - 0900 > > > >24 May 2001 - 1300 > > > >--------- > > > >All showings last about half a day - with a mixture of conference room > >briefings and laboratory demonstrations. > > > >We are limited by available demonstration space to an absolute maximum of > >20 participants at each showing. > > > >IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER (llfaulk@missi.ncsc.mil > ><mailto:llfaulk@missi.ncsc.mil>) AND MYSELF > >(dwfilli@missi.ncsc.mil <mailto:dwfilli@missi.ncsc.mil>) IF YOU PLAN TO > >ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE > >ADMITTED TO THE DEMONSTRATION. > > > >Please provide the following information to register: > > > >-- Name > >-- Organization > >-- E-mail address > >-- Date and time of the demonstration showing you wish to attend (with > >alternates, if possible) > > > >We look forward to seeing you at the demonstration! > > > >Dave Fillingham > >NSA > > -------- > TTFN > Roger W. Younglove, CISSP > Distinguished Member of Consulting Staff > Lucent Worldwide Services--Information Security > 100 Galleria Officentre, Ste. 220 > Southfield, MI 48034-8428 > Numeric page: 888.935.6755 > E-mail page: > page_roger_younglove@ins.com > eFax number: 413.425.5368 > www.lucent.com/netcare ------_=_NextPart_001_01C0C1FA.855FB280 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: DoD Bridge Certification Authority Phase II = Demonstrations</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Larry:</FONT> </P> <P><FONT SIZE=3D2>1. Trust between two clients is required = regardless of the model. It could be explicit (cross = certification) or indirect (Bridge CA). The effort involved is = about the same.</FONT></P> <P><FONT SIZE=3D2>2. Bridge CA does NOT have combinatorial = explosion since it scales linearly. N folks need N agreements = with the Bridge as opposed to n*(n-1)/2.</FONT></P> <P><FONT SIZE=3D2>3. Look at the purple model. All it is = doing is letting the organization server sign the PO etc. as opposed to = Purchasing Officer. It is not necessarily SSL. We could = argue as to how to tighten the server authentication = process.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Frank Lawrence [<A = HREF=3D"mailto:frank_lawrence@bah.com">mailto:frank_lawrence@bah.com</A>= ]</FONT> <BR><FONT SIZE=3D2>Sent: Tuesday, April 10, 2001 1:41 PM</FONT> <BR><FONT SIZE=3D2>To: Anders Rundgren</FONT> <BR><FONT SIZE=3D2>Cc: Santosh Chokhani; Fillingham David W.; = PKIX-List; 'KPCMWG'; 'DoD PKI</FONT> <BR><FONT SIZE=3D2>TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA = Integration'; * ALL</FONT> <BR><FONT SIZE=3D2>FIREBURST USERS *; 'Steve Capps'; Wagner Clark = J.;</FONT> <BR><FONT SIZE=3D2>judith.spencer@gsa.gov; = Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna</FONT> <BR><FONT SIZE=3D2>(SUN)'; 'Susan Dernik'; Roger Younglove</FONT> <BR><FONT SIZE=3D2>Subject: Re: DoD Bridge Certification Authority = Phase II Demonstrations</FONT> </P> <BR> <P><FONT SIZE=3D2>I will take a shot of the problem with the purple = model.</FONT> </P> <P><FONT SIZE=3D2>The problem that I see with the Purple model is that = there is a requirement for</FONT> <BR><FONT SIZE=3D2>explicit trust between the = "partners". Known partners are nice but does not = solve</FONT> <BR><FONT SIZE=3D2>the broader problem of extending trust.</FONT> </P> <P><FONT SIZE=3D2>Works fine as long as the number of partners is = small, but is combinatorially</FONT> <BR><FONT SIZE=3D2>explosive as the number of partners becomes = large. The ability to manage that</FONT> <BR><FONT SIZE=3D2>large number of trust relationships becomes just as = difficult as the bridge CA</FONT> <BR><FONT SIZE=3D2>problem. The "unwieldy" PKI created = by DoD elminates that problem, at least within</FONT> <BR><FONT SIZE=3D2>DoD where there are hundreds (maybe thousands?) of = "partner" domains. At least</FONT> <BR><FONT SIZE=3D2>within DoD there is an understanding of the level of = trust involved in getting a</FONT> <BR><FONT SIZE=3D2>certificate.</FONT> </P> <P><FONT SIZE=3D2>The current HTTPS model is a bad example of trust = because there is no (valid)</FONT> <BR><FONT SIZE=3D2>presumption of trust between a web server and a = client. SSL encrypts the pipe but</FONT> <BR><FONT SIZE=3D2>there is no method for determining if the client or = the server is who they claim to</FONT> <BR><FONT SIZE=3D2>be. Trivial to spoof either (or both) although = the pipe is secure from</FONT> <BR><FONT SIZE=3D2>observation. Even IPSEC based authentication = (a step above the SSL model) does not</FONT> <BR><FONT SIZE=3D2>provide any assurance that the claimed user is who = they say they are. Unless there</FONT> <BR><FONT SIZE=3D2>is a trust model that extends across the network, in = a scalable manner, then the</FONT> <BR><FONT SIZE=3D2>relying party is left holding the bag.</FONT> </P> <P><FONT SIZE=3D2>Finally, to trust a domain, you must understand how = that domain issues</FONT> <BR><FONT SIZE=3D2>certificates. If there is no policy which = tells a relying party what the level of</FONT> <BR><FONT SIZE=3D2>assurance is involved in the creation of the = certificate, then the level of trust</FONT> <BR><FONT SIZE=3D2>you place in that certificate is zero.</FONT> </P> <P><FONT SIZE=3D2>Anders Rundgren wrote:</FONT> </P> <P><FONT SIZE=3D2>> Roger,</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> >IMHO, when you have multiple PKIs with in = any industry such as the</FONT> <BR><FONT SIZE=3D2>> >Automotive (ie. ANX) or the Government, = cross certification become a</FONT> <BR><FONT SIZE=3D2>> >problem because the certificate chain of = trust becomes so unwieldy and</FONT> <BR><FONT SIZE=3D2>> >revocation of a PKI is also a problem. The = Bridge scenario solves this</FONT> <BR><FONT SIZE=3D2>> >problem. It is not the only solution but = the simplest with a number of</FONT> <BR><FONT SIZE=3D2>> >existing PKIs.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Agreed, Bridge CAs solves (some of) the = problems created by</FONT> <BR><FONT SIZE=3D2>> unwieldy PKIs such as those created by = DoD.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Domain-PKI does not requires such solutions as = it is much simpler</FONT> <BR><FONT SIZE=3D2>> to create and maintain. 100 millions = users of Internet use it today</FONT> <BR><FONT SIZE=3D2>> when they address an https URL. That's = simplicity IMHO.</FONT> <BR><FONT SIZE=3D2>> Applied to B2B it gets just slightly more = complicated.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Anders</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> At 05:21 AM 04/10/2001 , Anders Rundgren = wrote:</FONT> <BR><FONT SIZE=3D2>> >Santosh,</FONT> <BR><FONT SIZE=3D2>> >Domain (server-based) PKI offers persistent = signatures for non-repudiation</FONT> <BR><FONT SIZE=3D2>> >at a fraction</FONT> <BR><FONT SIZE=3D2>> >of the cost (and inconvenience) that = inter-organization client-based</FONT> <BR><FONT SIZE=3D2>> >signatures introduce.</FONT> <BR><FONT SIZE=3D2>> >The need for bridge-CAs using domain-PKI is = IMO very limited as the number</FONT> <BR><FONT SIZE=3D2>> >of CAs is</FONT> <BR><FONT SIZE=3D2>> >reduced by several orders of magnitude by = such approaches. 5-10 CAs</FONT> <BR><FONT SIZE=3D2>> >worldwide is my guess.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >I do have read the paper by Bill Burr. Did = you read about Purple? I.e. do</FONT> <BR><FONT SIZE=3D2>> >you see a problem with this model?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >BTW, I am a (currently only lurking due to = high work-load) member of the</FONT> <BR><FONT SIZE=3D2>> >OASIS Security Services TC where</FONT> <BR><FONT SIZE=3D2>> >domain-based solutions are standardized. I = have never ever seen such an</FONT> <BR><FONT SIZE=3D2>> >enormous committee activity so = domain</FONT> <BR><FONT SIZE=3D2>> >security is indeed red-hot.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Internet2 with their Shibboleth distributed = multi-campus authentication</FONT> <BR><FONT SIZE=3D2>> >system will be based on domain-PKI.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Personally I expect the next version of OBI = (Open Buying on the Internet)</FONT> <BR><FONT SIZE=3D2>> >to be entirely based</FONT> <BR><FONT SIZE=3D2>> >on this concept by throwing out the = inter-organization client-certs (that</FONT> <BR><FONT SIZE=3D2>> >never worked, so just about</FONT> <BR><FONT SIZE=3D2>> >everybody turned to user-ID/passwords in = spite of not being a part of the</FONT> <BR><FONT SIZE=3D2>> >standard).</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >VISA's coming 3D Secure credit-card payment = system is also based on</FONT> <BR><FONT SIZE=3D2>> >domain-PKI.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Due to this, I think that DoD (and similar = organizations all over the</FONT> <BR><FONT SIZE=3D2>> >globe) should very carefully evaluate = the</FONT> <BR><FONT SIZE=3D2>> >domain security alternative before they do = any new investments in CA systems.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Regards</FONT> <BR><FONT SIZE=3D2>> >Anders</FONT> <BR><FONT SIZE=3D2>> >----- Original Message -----</FONT> <BR><FONT SIZE=3D2>> >From: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>> >To: Anders Rundgren ; Fillingham, David W. = ; PKIX-List ; 'KPCMWG' ; 'DoD</FONT> <BR><FONT SIZE=3D2>> >PKI TWG' ; pki-twg@nist.gov ; 'Bridge CA = Mail List' ; 'BCA</FONT> <BR><FONT SIZE=3D2>> >Integration' ; * ALL FIREBURST USERS * ; = 'Steve Capps' ; Wagner, Clark J.</FONT> <BR><FONT SIZE=3D2>> >; judith.spencer@gsa.gov ;</FONT> <BR><FONT SIZE=3D2>> >Michelle.Moldenhauer@do.treas.gov ; 'Steve = Hanna (SUN)' ; 'Susan Dernik'</FONT> <BR><FONT SIZE=3D2>> >Sent: Monday, April 09, 2001 22:39</FONT> <BR><FONT SIZE=3D2>> >Subject: RE: DoD Bridge Certification = Authority Phase II Demonstrations</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Anders:</FONT> <BR><FONT SIZE=3D2>> >I think Bridge technology can be helpful to = a vertical segment such as</FONT> <BR><FONT SIZE=3D2>> >banking, health care, automotive industry = etc. in order to</FONT> <BR><FONT SIZE=3D2>> >facilitate secure e-commerce among the = trading partners where persistent</FONT> <BR><FONT SIZE=3D2>> >digital signature for non-repudiation may = be required.</FONT> <BR><FONT SIZE=3D2>> >Also, given how organizations manage their = Web sites and we hear about Web</FONT> <BR><FONT SIZE=3D2>> >server break-in, persistent encryption = (beyond SSL</FONT> <BR><FONT SIZE=3D2>> >transport) may call for interoperable, = inter-domain PKI. Again Bridge CA</FONT> <BR><FONT SIZE=3D2>> >can help.</FONT> <BR><FONT SIZE=3D2>> >Actually, I can see the benefits of layers = (strata) of Bridge CAs, e.g.,</FONT> <BR><FONT SIZE=3D2>> >Bridge CAs from various vertical segments = themselves</FONT> <BR><FONT SIZE=3D2>> >connecting to a Omni-Bridge. In that = case, the Bridge CAs will be</FONT> <BR><FONT SIZE=3D2>> >Principal CAs.</FONT> <BR><FONT SIZE=3D2>> >I assume you have had a chance to review = the excellent paper on the Bridge</FONT> <BR><FONT SIZE=3D2>> >concept developed by Bill Burr.</FONT> <BR><FONT SIZE=3D2>> >-----Original Message-----</FONT> <BR><FONT SIZE=3D2>> >From: Anders Rundgren [<A = HREF=3D"mailto:anders.rundgren@telia.com">mailto:anders.rundgren@telia.c= om</A>]</FONT> <BR><FONT SIZE=3D2>> >Sent: Monday, April 09, 2001 2:08 PM</FONT> <BR><FONT SIZE=3D2>> >To: Fillingham, David W.; PKIX-List; = 'KPCMWG'; 'DoD PKI TWG';</FONT> <BR><FONT SIZE=3D2>> >pki-twg@nist.gov; 'Bridge CA Mail List'; = 'BCA Integration'; * ALL</FONT> <BR><FONT SIZE=3D2>> >FIREBURST USERS *; 'Steve Capps'; Wagner, = Clark J.;</FONT> <BR><FONT SIZE=3D2>> >judith.spencer@gsa.gov; = Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna</FONT> <BR><FONT SIZE=3D2>> >(SUN)'; 'Susan Dernik'</FONT> <BR><FONT SIZE=3D2>> >Subject: Re: DoD Bridge Certification = Authority Phase II Demonstrations</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >David,</FONT> <BR><FONT SIZE=3D2>> >This is indeed an ambitious project. = Unfortunately I doubt that the Bridge</FONT> <BR><FONT SIZE=3D2>> >model has any relevance in</FONT> <BR><FONT SIZE=3D2>> >the private sector that for = inter-organization communication, is more</FONT> <BR><FONT SIZE=3D2>> >likely to deploy domain-based</FONT> <BR><FONT SIZE=3D2>> >PKI-solutions, that have the major = advantage of already being supported by</FONT> <BR><FONT SIZE=3D2>> >global TTPs which makes</FONT> <BR><FONT SIZE=3D2>> >domain security solutions useful for = organizations of any size. I.e.</FONT> <BR><FONT SIZE=3D2>> >VeriSign's issuance of web-server</FONT> <BR><FONT SIZE=3D2>> >certificates is "approximately" = what is needed.</FONT> <BR><FONT SIZE=3D2>> >That domain security is incompatible with = most current digital signature</FONT> <BR><FONT SIZE=3D2>> >laws is a pity. Particularly = for</FONT> <BR><FONT SIZE=3D2>> >the lawyers who created them. = :-)</FONT> <BR><FONT SIZE=3D2>> >Using domain security, tracing, message = archiving, and user-control is</FONT> <BR><FONT SIZE=3D2>> >essentially built-in.</FONT> <BR><FONT SIZE=3D2>> >A further advantage of domain security = models is that client security</FONT> <BR><FONT SIZE=3D2>> >solutions can develop in a</FONT> <BR><FONT SIZE=3D2>> >different pace at each organization. = As they have for current</FONT> <BR><FONT SIZE=3D2>> >Internet-banks that is so far the = only</FONT> <BR><FONT SIZE=3D2>> >large-scale (almost) secure = multi-organization transaction-environment on</FONT> <BR><FONT SIZE=3D2>> >the Internet.</FONT> <BR><FONT SIZE=3D2>> >The question that comes to my mind is: Will = all Governments in the world</FONT> <BR><FONT SIZE=3D2>> >continue to adopt the</FONT> <BR><FONT SIZE=3D2>> >"All-speak-with-all-PKI" approach = in spite of the fact that the private</FONT> <BR><FONT SIZE=3D2>> >sector probably have shunned it</FONT> <BR><FONT SIZE=3D2>> >due to complexity, privacy concerns, lack = of control, and cost?</FONT> <BR><FONT SIZE=3D2>> >Regard</FONT> <BR><FONT SIZE=3D2>> >Anders Rundgren</FONT> <BR><FONT SIZE=3D2>> >X-OBI read: <A = HREF=3D"http://www.x-obi.com/purple" = TARGET=3D"_blank">http://www.x-obi.com/purple</A> run: <A = HREF=3D"http://buyer.x-obi.com" = TARGET=3D"_blank">http://buyer.x-obi.com</A></FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >----- Original Message -----</FONT> <BR><FONT SIZE=3D2>> >From: Fillingham, David W.</FONT> <BR><FONT SIZE=3D2>> >To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD = PKI TWG' ; 'pki-twg@nist.gov' ;</FONT> <BR><FONT SIZE=3D2>> >'Bridge CA Mail List' ; 'BCA Integration' ; = * ALL</FONT> <BR><FONT SIZE=3D2>> >FIREBURST USERS * ; 'Steve Capps' ; Wagner, = Clark J. ;</FONT> <BR><FONT SIZE=3D2>> >'judith.spencer@gsa.gov' ; = 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve Hanna</FONT> <BR><FONT SIZE=3D2>> >(SUN)' ; 'Susan Dernik'</FONT> <BR><FONT SIZE=3D2>> >Sent: Friday, April 06, 2001 16:48</FONT> <BR><FONT SIZE=3D2>> >Subject: DoD Bridge Certification Authority = Phase II Demonstrations</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >For the last few years, the National = Security Agency has led the</FONT> <BR><FONT SIZE=3D2>> >development of Bridge Certification = Authority (BCA) technology</FONT> <BR><FONT SIZE=3D2>> >demonstrations. In 1999, Phase One of = the Department of Defense BCA</FONT> <BR><FONT SIZE=3D2>> >Technology Demonstration showed the = technical feasibility of</FONT> <BR><FONT SIZE=3D2>> >achieving signed e-mail interoperability = using multi-vendor</FONT> <BR><FONT SIZE=3D2>> >cross-certification in conjunction with = chained directory systems.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Phase Two of the demonstration is now ready = to be shown. Phase Two of the</FONT> <BR><FONT SIZE=3D2>> >DoD Bridge CA Phase II Technology = Demonstration includes:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Technologies:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >-- Certificate chain building in = complex certificate graphs;</FONT> <BR><FONT SIZE=3D2>> >-- Integration of both mesh-style = cross-certified PKIs and hierarchical PKIs;</FONT> <BR><FONT SIZE=3D2>> >-- Multi-signature/hash algorithm = processing in certificate chains;</FONT> <BR><FONT SIZE=3D2>> >-- Certificate acceptance/rejection = based on Certificate Policy</FONT> <BR><FONT SIZE=3D2>> >processing, including policy = mapping;</FONT> <BR><FONT SIZE=3D2>> >-- Transitive trust limitation using = Name Constraints processing;</FONT> <BR><FONT SIZE=3D2>> >-- Access Control using X.509 = compliant attribute certificates (same</FONT> <BR><FONT SIZE=3D2>> >attribute certificates used for e-mail and = web based access</FONT> <BR><FONT SIZE=3D2>> >control);</FONT> <BR><FONT SIZE=3D2>> >-- E-mail access control using S/MIME = V3 labeling;</FONT> <BR><FONT SIZE=3D2>> >-- E-mail encryption using public key = certificates authenticated via a</FONT> <BR><FONT SIZE=3D2>> >Bridge Certification Authority;</FONT> <BR><FONT SIZE=3D2>> >-- Border Directories;</FONT> <BR><FONT SIZE=3D2>> >-- Multivendor directory = interoperation via X.500 chaining; and,</FONT> <BR><FONT SIZE=3D2>> >-- Transparent sharing of certificate = revocation information across</FONT> <BR><FONT SIZE=3D2>> >several PKIs using products of = multiple PKI vendors.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Client Applications:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >-- Baltimore Technologies MailSecure = enabled Microsoft Outlook</FONT> <BR><FONT SIZE=3D2>> >-- Entrust Enabled Microsoft = Outlook</FONT> <BR><FONT SIZE=3D2>> >-- Getronics S/MIME Freeware Library, = Certificate Management Library, and</FONT> <BR><FONT SIZE=3D2>> >Access Control Library enabled Qualcomm = Eudora</FONT> <BR><FONT SIZE=3D2>> >-- Getronics Certificate Management = Library and Access Control Library</FONT> <BR><FONT SIZE=3D2>> >enabled Netscape Web Server</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Freeware Libraries:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >-- Cygnacom Certificate Path = Development Library</FONT> <BR><FONT SIZE=3D2>> > <<A = HREF=3D"http://www.cygnacom.com/products/index.htm" = TARGET=3D"_blank">http://www.cygnacom.com/products/index.htm</A>></FO= NT> <BR><FONT SIZE=3D2>> >-- Getronics S/MIME (Version 3) = Freeware Library</FONT> <BR><FONT SIZE=3D2>> > <<A = HREF=3D"http://www.getronicsgov.com/hot/sfl_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/sfl_home.htm</A>></= FONT> <BR><FONT SIZE=3D2>> >-- Getronics Certificate Management = Library</FONT> <BR><FONT SIZE=3D2>> > <<A = HREF=3D"http://www.getronicsgov.com/hot/cml_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/cml_home.htm</A>></= FONT> <BR><FONT SIZE=3D2>> >-- Getronics Access Control Library</FONT> <BR><FONT SIZE=3D2>> = > <<A = HREF=3D"http://www.getronicsgov.com/hot/acl_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/acl_home.htm</A>></= FONT> <BR><FONT SIZE=3D2>> >CA vendor interoperability = demonstrations:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >-- Baltimore Technologies</FONT> <BR><FONT SIZE=3D2>> >-- Entrust Technologies</FONT> <BR><FONT SIZE=3D2>> >-- Motorola</FONT> <BR><FONT SIZE=3D2>> >-- SPYRUS</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Directory Interoperability:</FONT> <BR><FONT SIZE=3D2>> >-- Entrust ICL</FONT> <BR><FONT SIZE=3D2>> >-- Entegrity Safepages = Directory</FONT> <BR><FONT SIZE=3D2>> >Demonstrations will be held at the = following locations and dates (note</FONT> <BR><FONT SIZE=3D2>> >that you MUST REGISTER to attend! = Registration information</FONT> <BR><FONT SIZE=3D2>> >is provided below):</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >----------</FONT> <BR><FONT SIZE=3D2>> >CygnaCom</FONT> <BR><FONT SIZE=3D2>> >Suite 100 West</FONT> <BR><FONT SIZE=3D2>> >7927 Jones Branch Dr.</FONT> <BR><FONT SIZE=3D2>> >McLean, Virginia</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Directions to CygnaCom are located</FONT> <BR><FONT SIZE=3D2>> >at: <<A = HREF=3D"http://www.cygnacom.com/contact/directions.htm" = TARGET=3D"_blank">http://www.cygnacom.com/contact/directions.htm</A>>= </FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >26 April 2001 - 0900</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >26 April 2001 - 1300</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >16 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >16 May 2001 - 1300</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >---------</FONT> <BR><FONT SIZE=3D2>> >Getronics Government Solutions</FONT> <BR><FONT SIZE=3D2>> >141 National Business Parkway, Suite = 210</FONT> <BR><FONT SIZE=3D2>> >Annapolis Junction, Maryland</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > From Washington DC: Take I-95 north; take = MD Rt 32 east exit; take Dorsey</FONT> <BR><FONT SIZE=3D2>> >Run exit; at stop sign turn left on Dorsey = Run; at stop light turn right on</FONT> <BR><FONT SIZE=3D2>> >Guilford Road which becomes National = Business Pkwy.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > From Baltimore: Take BW Parkway (295) = south; take MD Rt 32 west exit; stay</FONT> <BR><FONT SIZE=3D2>> >in right lane of the exit which runs into = National Business Pkwy; make a</FONT> <BR><FONT SIZE=3D2>> >right on National Business Pkwy.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >30 April 2001 - 1300</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >8 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >8 May 2001 - 1300</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >24 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >24 May 2001 - 1300</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >---------</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >All showings last about half a day - with a = mixture of conference room</FONT> <BR><FONT SIZE=3D2>> >briefings and laboratory = demonstrations.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >We are limited by available demonstration = space to an absolute maximum of</FONT> <BR><FONT SIZE=3D2>> >20 participants at each showing.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >IMPORTANT: PLEASE REGISTER WITH LISA = FAULKNER (llfaulk@missi.ncsc.mil</FONT> <BR><FONT SIZE=3D2>> ><<A = HREF=3D"mailto:llfaulk@missi.ncsc.mil">mailto:llfaulk@missi.ncsc.mil</A>= >) AND MYSELF</FONT> <BR><FONT SIZE=3D2>> >(dwfilli@missi.ncsc.mil <<A = HREF=3D"mailto:dwfilli@missi.ncsc.mil">mailto:dwfilli@missi.ncsc.mil</A>= >) IF YOU PLAN TO</FONT> <BR><FONT SIZE=3D2>> >ATTEND. IF YOU DO NOT REGISTER TO = ATTEND, YOU WILL NOT BE</FONT> <BR><FONT SIZE=3D2>> >ADMITTED TO THE DEMONSTRATION.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Please provide the following information to = register:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >-- Name</FONT> <BR><FONT SIZE=3D2>> >-- Organization</FONT> <BR><FONT SIZE=3D2>> >-- E-mail address</FONT> <BR><FONT SIZE=3D2>> >-- Date and time of the demonstration = showing you wish to attend (with</FONT> <BR><FONT SIZE=3D2>> >alternates, if possible)</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >We look forward to seeing you at the = demonstration!</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Dave Fillingham</FONT> <BR><FONT SIZE=3D2>> >NSA</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> --------</FONT> <BR><FONT SIZE=3D2>> TTFN</FONT> <BR><FONT SIZE=3D2>> Roger W. Younglove, CISSP</FONT> <BR><FONT SIZE=3D2>> Distinguished Member of Consulting Staff</FONT> <BR><FONT SIZE=3D2>> Lucent Worldwide Services--Information = Security</FONT> <BR><FONT SIZE=3D2>> 100 Galleria Officentre, Ste. 220</FONT> <BR><FONT SIZE=3D2>> Southfield, MI 48034-8428</FONT> <BR><FONT SIZE=3D2>> Numeric page: 888.935.6755</FONT> <BR><FONT SIZE=3D2>> E-mail page:</FONT> <BR><FONT SIZE=3D2>> page_roger_younglove@ins.com</FONT> <BR><FONT SIZE=3D2>> eFax number: 413.425.5368</FONT> <BR><FONT SIZE=3D2>> www.lucent.com/netcare</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C1FA.855FB280-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA24969 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 13:16:55 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <2VHDBTYD>; Tue, 10 Apr 2001 16:16:25 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CDD80@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Anders Rundgren <anders.rundgren@telia.com>, Santosh Chokhani <chokhani@cygnacom.com>, "Fillingham, David W." <dwfilli@missi.ncsc.mil>, PKIX-List <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, pki-twg@nist.gov, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, * ALL FIREBURST USERS * <all@missi.ncsc.mil>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, judith.spencer@gsa.gov, Michelle.Moldenhauer@do.treas.gov, "'Steve Hanna (SUN)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com>, Roger Younglove <ryounglove@lucent.com> Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations Date: Tue, 10 Apr 2001 16:07:53 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C1F9.ECD51960" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C1F9.ECD51960 Content-Type: text/plain; charset="iso-8859-1" Anders: Having looked at the papers you sent, I think your solutions may be ok as a B2B solution. But, I see end to end security requiring PKI. Even in our company's case where we run independent labs, do PKI consulting and build PKI products, some of our lab customers when they send us documents over the Internet, they want only the lab personnel assigned to the project to read it. They do it using end-end encryption. PKI concepts were designed for this distributed, client centric model. In my mind, depending on the business climate, one of the following offers more advantages over the others and is hence appropriate: Trust anchors list Hierarchy Bridge Bilateral cross certification Purple Model ONE SHOE DOES NOT FIT ALL -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren@telia.com] Sent: Tuesday, April 10, 2001 1:00 PM To: Santosh Chokhani; Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; * ALL FIREBURST USERS *; 'Steve Capps'; Wagner, Clark J.; judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna (SUN)'; 'Susan Dernik'; Roger Younglove Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations Roger, >IMHO, when you have multiple PKIs with in any industry such as the >Automotive (ie. ANX) or the Government, cross certification become a >problem because the certificate chain of trust becomes so unwieldy and >revocation of a PKI is also a problem. The Bridge scenario solves this >problem. It is not the only solution but the simplest with a number of >existing PKIs. Agreed, Bridge CAs solves (some of) the problems created by unwieldy PKIs such as those created by DoD. Domain-PKI does not requires such solutions as it is much simpler to create and maintain. 100 millions users of Internet use it today when they address an https URL. That's simplicity IMHO. Applied to B2B it gets just slightly more complicated. Anders At 05:21 AM 04/10/2001 , Anders Rundgren wrote: >Santosh, >Domain (server-based) PKI offers persistent signatures for non-repudiation >at a fraction >of the cost (and inconvenience) that inter-organization client-based >signatures introduce. >The need for bridge-CAs using domain-PKI is IMO very limited as the number >of CAs is >reduced by several orders of magnitude by such approaches. 5-10 CAs >worldwide is my guess. > >I do have read the paper by Bill Burr. Did you read about Purple? I.e. do >you see a problem with this model? > >BTW, I am a (currently only lurking due to high work-load) member of the >OASIS Security Services TC where >domain-based solutions are standardized. I have never ever seen such an >enormous committee activity so domain >security is indeed red-hot. > >Internet2 with their Shibboleth distributed multi-campus authentication >system will be based on domain-PKI. > >Personally I expect the next version of OBI (Open Buying on the Internet) >to be entirely based >on this concept by throwing out the inter-organization client-certs (that >never worked, so just about >everybody turned to user-ID/passwords in spite of not being a part of the >standard). > >VISA's coming 3D Secure credit-card payment system is also based on >domain-PKI. > >Due to this, I think that DoD (and similar organizations all over the >globe) should very carefully evaluate the >domain security alternative before they do any new investments in CA systems. > >Regards >Anders >----- Original Message ----- >From: Santosh Chokhani >To: Anders Rundgren ; Fillingham, David W. ; PKIX-List ; 'KPCMWG' ; 'DoD >PKI TWG' ; pki-twg@nist.gov ; 'Bridge CA Mail List' ; 'BCA >Integration' ; * ALL FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. >; judith.spencer@gsa.gov ; >Michelle.Moldenhauer@do.treas.gov ; 'Steve Hanna (SUN)' ; 'Susan Dernik' >Sent: Monday, April 09, 2001 22:39 >Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations > > >Anders: >I think Bridge technology can be helpful to a vertical segment such as >banking, health care, automotive industry etc. in order to >facilitate secure e-commerce among the trading partners where persistent >digital signature for non-repudiation may be required. >Also, given how organizations manage their Web sites and we hear about Web >server break-in, persistent encryption (beyond SSL >transport) may call for interoperable, inter-domain PKI. Again Bridge CA >can help. >Actually, I can see the benefits of layers (strata) of Bridge CAs, e.g., >Bridge CAs from various vertical segments themselves >connecting to a Omni-Bridge. In that case, the Bridge CAs will be >Principal CAs. >I assume you have had a chance to review the excellent paper on the Bridge >concept developed by Bill Burr. >-----Original Message----- >From: Anders Rundgren [mailto:anders.rundgren@telia.com] >Sent: Monday, April 09, 2001 2:08 PM >To: Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; >pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; * ALL >FIREBURST USERS *; 'Steve Capps'; Wagner, Clark J.; >judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna >(SUN)'; 'Susan Dernik' >Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations > > >David, >This is indeed an ambitious project. Unfortunately I doubt that the Bridge >model has any relevance in >the private sector that for inter-organization communication, is more >likely to deploy domain-based >PKI-solutions, that have the major advantage of already being supported by >global TTPs which makes >domain security solutions useful for organizations of any size. I.e. >VeriSign's issuance of web-server >certificates is "approximately" what is needed. >That domain security is incompatible with most current digital signature >laws is a pity. Particularly for >the lawyers who created them. :-) >Using domain security, tracing, message archiving, and user-control is >essentially built-in. >A further advantage of domain security models is that client security >solutions can develop in a >different pace at each organization. As they have for current >Internet-banks that is so far the only >large-scale (almost) secure multi-organization transaction-environment on >the Internet. >The question that comes to my mind is: Will all Governments in the world >continue to adopt the >"All-speak-with-all-PKI" approach in spite of the fact that the private >sector probably have shunned it >due to complexity, privacy concerns, lack of control, and cost? >Regard >Anders Rundgren >X-OBI read: http://www.x-obi.com/purple run: http://buyer.x-obi.com > > > >----- Original Message ----- >From: Fillingham, David W. >To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD PKI TWG' ; 'pki-twg@nist.gov' ; >'Bridge CA Mail List' ; 'BCA Integration' ; * ALL >FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. ; >'judith.spencer@gsa.gov' ; 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve Hanna >(SUN)' ; 'Susan Dernik' >Sent: Friday, April 06, 2001 16:48 >Subject: DoD Bridge Certification Authority Phase II Demonstrations > > >For the last few years, the National Security Agency has led the >development of Bridge Certification Authority (BCA) technology >demonstrations. In 1999, Phase One of the Department of Defense BCA >Technology Demonstration showed the technical feasibility of >achieving signed e-mail interoperability using multi-vendor >cross-certification in conjunction with chained directory systems. > >Phase Two of the demonstration is now ready to be shown. Phase Two of the >DoD Bridge CA Phase II Technology Demonstration includes: > >Technologies: > >-- Certificate chain building in complex certificate graphs; >-- Integration of both mesh-style cross-certified PKIs and hierarchical PKIs; >-- Multi-signature/hash algorithm processing in certificate chains; >-- Certificate acceptance/rejection based on Certificate Policy >processing, including policy mapping; >-- Transitive trust limitation using Name Constraints processing; >-- Access Control using X.509 compliant attribute certificates (same >attribute certificates used for e-mail and web based access >control); >-- E-mail access control using S/MIME V3 labeling; >-- E-mail encryption using public key certificates authenticated via a >Bridge Certification Authority; >-- Border Directories; >-- Multivendor directory interoperation via X.500 chaining; and, >-- Transparent sharing of certificate revocation information across >several PKIs using products of multiple PKI vendors. > >Client Applications: > >-- Baltimore Technologies MailSecure enabled Microsoft Outlook >-- Entrust Enabled Microsoft Outlook >-- Getronics S/MIME Freeware Library, Certificate Management Library, and >Access Control Library enabled Qualcomm Eudora >-- Getronics Certificate Management Library and Access Control Library >enabled Netscape Web Server > >Freeware Libraries: > >-- Cygnacom Certificate Path Development Library > <http://www.cygnacom.com/products/index.htm> >-- Getronics S/MIME (Version 3) Freeware Library > <http://www.getronicsgov.com/hot/sfl_home.htm> >-- Getronics Certificate Management Library > <http://www.getronicsgov.com/hot/cml_home.htm> >-- Getronics Access Control Library > <http://www.getronicsgov.com/hot/acl_home.htm> >CA vendor interoperability demonstrations: > >-- Baltimore Technologies >-- Entrust Technologies >-- Motorola >-- SPYRUS > >Directory Interoperability: >-- Entrust ICL >-- Entegrity Safepages Directory >Demonstrations will be held at the following locations and dates (note >that you MUST REGISTER to attend! Registration information >is provided below): > >---------- >CygnaCom >Suite 100 West >7927 Jones Branch Dr. >McLean, Virginia > >Directions to CygnaCom are located >at: <http://www.cygnacom.com/contact/directions.htm> > >26 April 2001 - 0900 > >26 April 2001 - 1300 > >16 May 2001 - 0900 > >16 May 2001 - 1300 > >--------- >Getronics Government Solutions >141 National Business Parkway, Suite 210 >Annapolis Junction, Maryland > > From Washington DC: Take I-95 north; take MD Rt 32 east exit; take Dorsey >Run exit; at stop sign turn left on Dorsey Run; at stop light turn right on >Guilford Road which becomes National Business Pkwy. > > From Baltimore: Take BW Parkway (295) south; take MD Rt 32 west exit; stay >in right lane of the exit which runs into National Business Pkwy; make a >right on National Business Pkwy. > >30 April 2001 - 1300 > >8 May 2001 - 0900 > >8 May 2001 - 1300 > >24 May 2001 - 0900 > >24 May 2001 - 1300 > >--------- > >All showings last about half a day - with a mixture of conference room >briefings and laboratory demonstrations. > >We are limited by available demonstration space to an absolute maximum of >20 participants at each showing. > >IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER (llfaulk@missi.ncsc.mil ><mailto:llfaulk@missi.ncsc.mil>) AND MYSELF >(dwfilli@missi.ncsc.mil <mailto:dwfilli@missi.ncsc.mil>) IF YOU PLAN TO >ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE >ADMITTED TO THE DEMONSTRATION. > >Please provide the following information to register: > >-- Name >-- Organization >-- E-mail address >-- Date and time of the demonstration showing you wish to attend (with >alternates, if possible) > >We look forward to seeing you at the demonstration! > >Dave Fillingham >NSA -------- TTFN Roger W. Younglove, CISSP Distinguished Member of Consulting Staff Lucent Worldwide Services--Information Security 100 Galleria Officentre, Ste. 220 Southfield, MI 48034-8428 Numeric page: 888.935.6755 E-mail page: page_roger_younglove@ins.com eFax number: 413.425.5368 www.lucent.com/netcare ------_=_NextPart_001_01C0C1F9.ECD51960 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: DoD Bridge Certification Authority Phase II = Demonstrations</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Anders:</FONT> </P> <P><FONT SIZE=3D2>Having looked at the papers you sent, I think your = solutions may be ok as a B2B solution.</FONT> </P> <P><FONT SIZE=3D2>But, I see end to end security requiring PKI. = Even in our company's case where we run independent labs, do PKI = consulting and build PKI products, some of our lab customers when they = send us documents over the Internet, they want only the lab personnel = assigned to the project to read it. They do it using end-end = encryption. PKI concepts were designed for this distributed, = client centric model.</FONT></P> <P><FONT SIZE=3D2>In my mind, depending on the business climate, one of = the following offers more advantages over the others and is hence = appropriate:</FONT></P> <P><FONT SIZE=3D2>Trust anchors list</FONT> <BR><FONT SIZE=3D2>Hierarchy</FONT> <BR><FONT SIZE=3D2>Bridge</FONT> <BR><FONT SIZE=3D2>Bilateral cross certification</FONT> <BR><FONT SIZE=3D2>Purple Model</FONT> </P> <P><FONT SIZE=3D2>ONE SHOE DOES NOT FIT ALL</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Anders Rundgren [<A = HREF=3D"mailto:anders.rundgren@telia.com">mailto:anders.rundgren@telia.c= om</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Tuesday, April 10, 2001 1:00 PM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani; Fillingham, David W.; = PKIX-List; 'KPCMWG'; 'DoD</FONT> <BR><FONT SIZE=3D2>PKI TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; = 'BCA Integration'; *</FONT> <BR><FONT SIZE=3D2>ALL FIREBURST USERS *; 'Steve Capps'; Wagner, Clark = J.;</FONT> <BR><FONT SIZE=3D2>judith.spencer@gsa.gov; = Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna</FONT> <BR><FONT SIZE=3D2>(SUN)'; 'Susan Dernik'; Roger Younglove</FONT> <BR><FONT SIZE=3D2>Subject: Re: DoD Bridge Certification Authority = Phase II Demonstrations</FONT> </P> <BR> <P><FONT SIZE=3D2>Roger,</FONT> </P> <P><FONT SIZE=3D2>>IMHO, when you have multiple PKIs with in any = industry such as the </FONT> <BR><FONT SIZE=3D2>>Automotive (ie. ANX) or the Government, cross = certification become a </FONT> <BR><FONT SIZE=3D2>>problem because the certificate chain of trust = becomes so unwieldy and </FONT> <BR><FONT SIZE=3D2>>revocation of a PKI is also a problem. The = Bridge scenario solves this </FONT> <BR><FONT SIZE=3D2>>problem. It is not the only solution but the = simplest with a number of </FONT> <BR><FONT SIZE=3D2>>existing PKIs.</FONT> </P> <P><FONT SIZE=3D2>Agreed, Bridge CAs solves (some of) the problems = created by</FONT> <BR><FONT SIZE=3D2>unwieldy PKIs such as those created by DoD.</FONT> </P> <P><FONT SIZE=3D2>Domain-PKI does not requires such solutions as it is = much simpler</FONT> <BR><FONT SIZE=3D2>to create and maintain. 100 millions users of = Internet use it today</FONT> <BR><FONT SIZE=3D2>when they address an https URL. That's = simplicity IMHO.</FONT> <BR><FONT SIZE=3D2>Applied to B2B it gets just slightly more = complicated.</FONT> </P> <P><FONT SIZE=3D2>Anders</FONT> </P> <P><FONT SIZE=3D2>At 05:21 AM 04/10/2001 , Anders Rundgren = wrote:</FONT> <BR><FONT SIZE=3D2>>Santosh,</FONT> <BR><FONT SIZE=3D2>>Domain (server-based) PKI offers persistent = signatures for non-repudiation </FONT> <BR><FONT SIZE=3D2>>at a fraction</FONT> <BR><FONT SIZE=3D2>>of the cost (and inconvenience) that = inter-organization client-based </FONT> <BR><FONT SIZE=3D2>>signatures introduce.</FONT> <BR><FONT SIZE=3D2>>The need for bridge-CAs using domain-PKI is IMO = very limited as the number </FONT> <BR><FONT SIZE=3D2>>of CAs is</FONT> <BR><FONT SIZE=3D2>>reduced by several orders of magnitude by such = approaches. 5-10 CAs </FONT> <BR><FONT SIZE=3D2>>worldwide is my guess.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I do have read the paper by Bill Burr. Did you = read about Purple? I.e. do </FONT> <BR><FONT SIZE=3D2>>you see a problem with this model?</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>BTW, I am a (currently only lurking due to high = work-load) member of the </FONT> <BR><FONT SIZE=3D2>>OASIS Security Services TC where</FONT> <BR><FONT SIZE=3D2>>domain-based solutions are standardized. I have = never ever seen such an </FONT> <BR><FONT SIZE=3D2>>enormous committee activity so domain</FONT> <BR><FONT SIZE=3D2>>security is indeed red-hot.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Internet2 with their Shibboleth distributed = multi-campus authentication </FONT> <BR><FONT SIZE=3D2>>system will be based on domain-PKI.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Personally I expect the next version of OBI = (Open Buying on the Internet) </FONT> <BR><FONT SIZE=3D2>>to be entirely based</FONT> <BR><FONT SIZE=3D2>>on this concept by throwing out the = inter-organization client-certs (that </FONT> <BR><FONT SIZE=3D2>>never worked, so just about</FONT> <BR><FONT SIZE=3D2>>everybody turned to user-ID/passwords in spite = of not being a part of the </FONT> <BR><FONT SIZE=3D2>>standard).</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>VISA's coming 3D Secure credit-card payment = system is also based on </FONT> <BR><FONT SIZE=3D2>>domain-PKI.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Due to this, I think that DoD (and similar = organizations all over the </FONT> <BR><FONT SIZE=3D2>>globe) should very carefully evaluate the</FONT> <BR><FONT SIZE=3D2>>domain security alternative before they do any = new investments in CA systems.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Regards</FONT> <BR><FONT SIZE=3D2>>Anders</FONT> <BR><FONT SIZE=3D2>>----- Original Message -----</FONT> <BR><FONT SIZE=3D2>>From: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>>To: Anders Rundgren ; Fillingham, David W. ; = PKIX-List ; 'KPCMWG' ; 'DoD </FONT> <BR><FONT SIZE=3D2>>PKI TWG' ; pki-twg@nist.gov ; 'Bridge CA Mail = List' ; 'BCA</FONT> <BR><FONT SIZE=3D2>>Integration' ; * ALL FIREBURST USERS * ; 'Steve = Capps' ; Wagner, Clark J. </FONT> <BR><FONT SIZE=3D2>>; judith.spencer@gsa.gov ;</FONT> <BR><FONT SIZE=3D2>>Michelle.Moldenhauer@do.treas.gov ; 'Steve Hanna = (SUN)' ; 'Susan Dernik'</FONT> <BR><FONT SIZE=3D2>>Sent: Monday, April 09, 2001 22:39</FONT> <BR><FONT SIZE=3D2>>Subject: RE: DoD Bridge Certification Authority = Phase II Demonstrations</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Anders:</FONT> <BR><FONT SIZE=3D2>>I think Bridge technology can be helpful to a = vertical segment such as </FONT> <BR><FONT SIZE=3D2>>banking, health care, automotive industry etc. = in order to</FONT> <BR><FONT SIZE=3D2>>facilitate secure e-commerce among the trading = partners where persistent </FONT> <BR><FONT SIZE=3D2>>digital signature for non-repudiation may be = required.</FONT> <BR><FONT SIZE=3D2>>Also, given how organizations manage their Web = sites and we hear about Web </FONT> <BR><FONT SIZE=3D2>>server break-in, persistent encryption (beyond = SSL</FONT> <BR><FONT SIZE=3D2>>transport) may call for interoperable, = inter-domain PKI. Again Bridge CA </FONT> <BR><FONT SIZE=3D2>>can help.</FONT> <BR><FONT SIZE=3D2>>Actually, I can see the benefits of layers = (strata) of Bridge CAs, e.g., </FONT> <BR><FONT SIZE=3D2>>Bridge CAs from various vertical segments = themselves</FONT> <BR><FONT SIZE=3D2>>connecting to a Omni-Bridge. In that case, = the Bridge CAs will be </FONT> <BR><FONT SIZE=3D2>>Principal CAs.</FONT> <BR><FONT SIZE=3D2>>I assume you have had a chance to review the = excellent paper on the Bridge </FONT> <BR><FONT SIZE=3D2>>concept developed by Bill Burr.</FONT> <BR><FONT SIZE=3D2>>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>>From: Anders Rundgren [<A = HREF=3D"mailto:anders.rundgren@telia.com">mailto:anders.rundgren@telia.c= om</A>]</FONT> <BR><FONT SIZE=3D2>>Sent: Monday, April 09, 2001 2:08 PM</FONT> <BR><FONT SIZE=3D2>>To: Fillingham, David W.; PKIX-List; 'KPCMWG'; = 'DoD PKI TWG';</FONT> <BR><FONT SIZE=3D2>>pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA = Integration'; * ALL</FONT> <BR><FONT SIZE=3D2>>FIREBURST USERS *; 'Steve Capps'; Wagner, Clark = J.;</FONT> <BR><FONT SIZE=3D2>>judith.spencer@gsa.gov; = Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna</FONT> <BR><FONT SIZE=3D2>>(SUN)'; 'Susan Dernik'</FONT> <BR><FONT SIZE=3D2>>Subject: Re: DoD Bridge Certification Authority = Phase II Demonstrations</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>David,</FONT> <BR><FONT SIZE=3D2>>This is indeed an ambitious project. = Unfortunately I doubt that the Bridge </FONT> <BR><FONT SIZE=3D2>>model has any relevance in</FONT> <BR><FONT SIZE=3D2>>the private sector that for inter-organization = communication, is more </FONT> <BR><FONT SIZE=3D2>>likely to deploy domain-based</FONT> <BR><FONT SIZE=3D2>>PKI-solutions, that have the major advantage of = already being supported by </FONT> <BR><FONT SIZE=3D2>>global TTPs which makes</FONT> <BR><FONT SIZE=3D2>>domain security solutions useful for = organizations of any size. I.e. </FONT> <BR><FONT SIZE=3D2>>VeriSign's issuance of web-server</FONT> <BR><FONT SIZE=3D2>>certificates is "approximately" what = is needed.</FONT> <BR><FONT SIZE=3D2>>That domain security is incompatible with most = current digital signature </FONT> <BR><FONT SIZE=3D2>>laws is a pity. Particularly for</FONT> <BR><FONT SIZE=3D2>>the lawyers who created them. :-)</FONT> <BR><FONT SIZE=3D2>>Using domain security, tracing, message = archiving, and user-control is </FONT> <BR><FONT SIZE=3D2>>essentially built-in.</FONT> <BR><FONT SIZE=3D2>>A further advantage of domain security models is = that client security </FONT> <BR><FONT SIZE=3D2>>solutions can develop in a</FONT> <BR><FONT SIZE=3D2>>different pace at each organization. As = they have for current </FONT> <BR><FONT SIZE=3D2>>Internet-banks that is so far the only</FONT> <BR><FONT SIZE=3D2>>large-scale (almost) secure multi-organization = transaction-environment on </FONT> <BR><FONT SIZE=3D2>>the Internet.</FONT> <BR><FONT SIZE=3D2>>The question that comes to my mind is: Will all = Governments in the world </FONT> <BR><FONT SIZE=3D2>>continue to adopt the</FONT> <BR><FONT SIZE=3D2>>"All-speak-with-all-PKI" approach in = spite of the fact that the private </FONT> <BR><FONT SIZE=3D2>>sector probably have shunned it</FONT> <BR><FONT SIZE=3D2>>due to complexity, privacy concerns, lack of = control, and cost?</FONT> <BR><FONT SIZE=3D2>>Regard</FONT> <BR><FONT SIZE=3D2>>Anders Rundgren</FONT> <BR><FONT SIZE=3D2>>X-OBI read: <A = HREF=3D"http://www.x-obi.com/purple" = TARGET=3D"_blank">http://www.x-obi.com/purple</A> run: <A = HREF=3D"http://buyer.x-obi.com" = TARGET=3D"_blank">http://buyer.x-obi.com</A></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>----- Original Message -----</FONT> <BR><FONT SIZE=3D2>>From: Fillingham, David W.</FONT> <BR><FONT SIZE=3D2>>To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD PKI = TWG' ; 'pki-twg@nist.gov' ; </FONT> <BR><FONT SIZE=3D2>>'Bridge CA Mail List' ; 'BCA Integration' ; * = ALL</FONT> <BR><FONT SIZE=3D2>>FIREBURST USERS * ; 'Steve Capps' ; Wagner, = Clark J. ; </FONT> <BR><FONT SIZE=3D2>>'judith.spencer@gsa.gov' ; = 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve Hanna</FONT> <BR><FONT SIZE=3D2>>(SUN)' ; 'Susan Dernik'</FONT> <BR><FONT SIZE=3D2>>Sent: Friday, April 06, 2001 16:48</FONT> <BR><FONT SIZE=3D2>>Subject: DoD Bridge Certification Authority = Phase II Demonstrations</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>For the last few years, the National Security = Agency has led the </FONT> <BR><FONT SIZE=3D2>>development of Bridge Certification Authority = (BCA) technology</FONT> <BR><FONT SIZE=3D2>>demonstrations. In 1999, Phase One of the = Department of Defense BCA </FONT> <BR><FONT SIZE=3D2>>Technology Demonstration showed the technical = feasibility of</FONT> <BR><FONT SIZE=3D2>>achieving signed e-mail interoperability using = multi-vendor </FONT> <BR><FONT SIZE=3D2>>cross-certification in conjunction with chained = directory systems.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Phase Two of the demonstration is now ready to = be shown. Phase Two of the </FONT> <BR><FONT SIZE=3D2>>DoD Bridge CA Phase II Technology Demonstration = includes:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Technologies:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>-- Certificate chain building in complex = certificate graphs;</FONT> <BR><FONT SIZE=3D2>>-- Integration of both mesh-style = cross-certified PKIs and hierarchical PKIs;</FONT> <BR><FONT SIZE=3D2>>-- Multi-signature/hash algorithm = processing in certificate chains;</FONT> <BR><FONT SIZE=3D2>>-- Certificate acceptance/rejection based = on Certificate Policy </FONT> <BR><FONT SIZE=3D2>>processing, including policy mapping;</FONT> <BR><FONT SIZE=3D2>>-- Transitive trust limitation using Name = Constraints processing;</FONT> <BR><FONT SIZE=3D2>>-- Access Control using X.509 compliant = attribute certificates (same </FONT> <BR><FONT SIZE=3D2>>attribute certificates used for e-mail and web = based access</FONT> <BR><FONT SIZE=3D2>>control);</FONT> <BR><FONT SIZE=3D2>>-- E-mail access control using S/MIME V3 = labeling;</FONT> <BR><FONT SIZE=3D2>>-- E-mail encryption using public key = certificates authenticated via a </FONT> <BR><FONT SIZE=3D2>>Bridge Certification Authority;</FONT> <BR><FONT SIZE=3D2>>-- Border Directories;</FONT> <BR><FONT SIZE=3D2>>-- Multivendor directory interoperation = via X.500 chaining; and,</FONT> <BR><FONT SIZE=3D2>>-- Transparent sharing of certificate = revocation information across </FONT> <BR><FONT SIZE=3D2>>several PKIs using products of multiple = PKI vendors.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Client Applications:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>-- Baltimore Technologies MailSecure = enabled Microsoft Outlook</FONT> <BR><FONT SIZE=3D2>>-- Entrust Enabled Microsoft = Outlook</FONT> <BR><FONT SIZE=3D2>>-- Getronics S/MIME Freeware Library, = Certificate Management Library, and </FONT> <BR><FONT SIZE=3D2>>Access Control Library enabled Qualcomm = Eudora</FONT> <BR><FONT SIZE=3D2>>-- Getronics Certificate Management = Library and Access Control Library </FONT> <BR><FONT SIZE=3D2>>enabled Netscape Web Server</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Freeware Libraries:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>-- Cygnacom Certificate Path Development = Library</FONT> <BR><FONT SIZE=3D2>> <<A = HREF=3D"http://www.cygnacom.com/products/index.htm" = TARGET=3D"_blank">http://www.cygnacom.com/products/index.htm</A>></FO= NT> <BR><FONT SIZE=3D2>>-- Getronics S/MIME (Version 3) Freeware = Library</FONT> <BR><FONT SIZE=3D2>> <<A = HREF=3D"http://www.getronicsgov.com/hot/sfl_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/sfl_home.htm</A>></= FONT> <BR><FONT SIZE=3D2>>-- Getronics Certificate Management = Library</FONT> <BR><FONT SIZE=3D2>> <<A = HREF=3D"http://www.getronicsgov.com/hot/cml_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/cml_home.htm</A>></= FONT> <BR><FONT SIZE=3D2>>-- Getronics Access Control Library</FONT> <BR><FONT = SIZE=3D2>>  = ; <<A HREF=3D"http://www.getronicsgov.com/hot/acl_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/acl_home.htm</A>></= FONT> <BR><FONT SIZE=3D2>>CA vendor interoperability = demonstrations:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>-- Baltimore Technologies</FONT> <BR><FONT SIZE=3D2>>-- Entrust Technologies</FONT> <BR><FONT SIZE=3D2>>-- Motorola</FONT> <BR><FONT SIZE=3D2>>-- SPYRUS</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Directory Interoperability:</FONT> <BR><FONT SIZE=3D2>>-- Entrust ICL</FONT> <BR><FONT SIZE=3D2>>-- Entegrity Safepages Directory</FONT> <BR><FONT SIZE=3D2>>Demonstrations will be held at the following = locations and dates (note </FONT> <BR><FONT SIZE=3D2>>that you MUST REGISTER to attend! = Registration information</FONT> <BR><FONT SIZE=3D2>>is provided below):</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>----------</FONT> <BR><FONT SIZE=3D2>>CygnaCom</FONT> <BR><FONT SIZE=3D2>>Suite 100 West</FONT> <BR><FONT SIZE=3D2>>7927 Jones Branch Dr.</FONT> <BR><FONT SIZE=3D2>>McLean, Virginia</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Directions to CygnaCom are located </FONT> <BR><FONT SIZE=3D2>>at: <<A = HREF=3D"http://www.cygnacom.com/contact/directions.htm" = TARGET=3D"_blank">http://www.cygnacom.com/contact/directions.htm</A>>= </FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>26 April 2001 - 0900</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>26 April 2001 - 1300</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>16 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>16 May 2001 - 1300</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>---------</FONT> <BR><FONT SIZE=3D2>>Getronics Government Solutions</FONT> <BR><FONT SIZE=3D2>>141 National Business Parkway, Suite 210</FONT> <BR><FONT SIZE=3D2>>Annapolis Junction, Maryland</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> From Washington DC: Take I-95 north; take MD Rt = 32 east exit; take Dorsey</FONT> <BR><FONT SIZE=3D2>>Run exit; at stop sign turn left on Dorsey Run; = at stop light turn right on</FONT> <BR><FONT SIZE=3D2>>Guilford Road which becomes National Business = Pkwy.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> From Baltimore: Take BW Parkway (295) south; = take MD Rt 32 west exit; stay</FONT> <BR><FONT SIZE=3D2>>in right lane of the exit which runs into = National Business Pkwy; make a</FONT> <BR><FONT SIZE=3D2>>right on National Business Pkwy.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>30 April 2001 - 1300</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>8 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>8 May 2001 - 1300</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>24 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>24 May 2001 - 1300</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>---------</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>All showings last about half a day - with a = mixture of conference room </FONT> <BR><FONT SIZE=3D2>>briefings and laboratory demonstrations.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>We are limited by available demonstration space = to an absolute maximum of </FONT> <BR><FONT SIZE=3D2>>20 participants at each showing.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>IMPORTANT: PLEASE REGISTER WITH LISA = FAULKNER (llfaulk@missi.ncsc.mil </FONT> <BR><FONT SIZE=3D2>><<A = HREF=3D"mailto:llfaulk@missi.ncsc.mil">mailto:llfaulk@missi.ncsc.mil</A>= >) AND MYSELF</FONT> <BR><FONT SIZE=3D2>>(dwfilli@missi.ncsc.mil <<A = HREF=3D"mailto:dwfilli@missi.ncsc.mil">mailto:dwfilli@missi.ncsc.mil</A>= >) IF YOU PLAN TO </FONT> <BR><FONT SIZE=3D2>>ATTEND. IF YOU DO NOT REGISTER TO ATTEND, = YOU WILL NOT BE</FONT> <BR><FONT SIZE=3D2>>ADMITTED TO THE DEMONSTRATION.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Please provide the following information to = register:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>-- Name</FONT> <BR><FONT SIZE=3D2>>-- Organization</FONT> <BR><FONT SIZE=3D2>>-- E-mail address</FONT> <BR><FONT SIZE=3D2>>-- Date and time of the demonstration = showing you wish to attend (with </FONT> <BR><FONT SIZE=3D2>>alternates, if possible)</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>We look forward to seeing you at the = demonstration!</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Dave Fillingham</FONT> <BR><FONT SIZE=3D2>>NSA</FONT> </P> <P><FONT SIZE=3D2>--------</FONT> <BR><FONT SIZE=3D2>TTFN</FONT> <BR><FONT SIZE=3D2>Roger W. Younglove, CISSP</FONT> <BR><FONT SIZE=3D2>Distinguished Member of Consulting Staff</FONT> <BR><FONT SIZE=3D2>Lucent Worldwide Services--Information = Security</FONT> <BR><FONT SIZE=3D2>100 Galleria Officentre, Ste. 220</FONT> <BR><FONT SIZE=3D2>Southfield, MI 48034-8428</FONT> <BR><FONT SIZE=3D2>Numeric page: 888.935.6755</FONT> <BR><FONT SIZE=3D2>E-mail page:</FONT> <BR><FONT SIZE=3D2>page_roger_younglove@ins.com</FONT> <BR><FONT SIZE=3D2>eFax number: 413.425.5368</FONT> <BR><FONT SIZE=3D2>www.lucent.com/netcare</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C1F9.ECD51960-- Received: from maila.telia.com (maila.telia.com [194.22.194.231]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA21506 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 12:39:04 -0700 (PDT) Received: from d1o69.telia.com (d1o69.telia.com [62.20.144.241]) by maila.telia.com (8.9.3/8.9.3) with ESMTP id VAA19316; Tue, 10 Apr 2001 21:39:05 +0200 (CEST) Received: from mega (t4o69p113.telia.com [62.20.145.233]) by d1o69.telia.com (8.10.2/8.10.1) with SMTP id f3AJd3a06045; Tue, 10 Apr 2001 21:39:04 +0200 (CEST) Message-ID: <012201c0c1f5$9f92cc00$0200a8c0@vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Frank Lawrence" <frank_lawrence@bah.com> Cc: "PKIX-List" <ietf-pkix@imc.org> References: <8D7EC1912E25D411A32100D0B76953977CDD31@scygmxs01.cygnacom.com> <4.2.2.20010410090827.00d70630@POP7.ins.com> <014d01c0c1df$aebe0390$0500a8c0@arport> <3AD34590.72533654@bah.com> Subject: Domain-PKI. Was: DoD Bridge Certification Authority Phase II Demonstrations Date: Tue, 10 Apr 2001 21:37:04 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id MAA21509 Frank, > I will take a shot of the problem with the purple model. Thanx for taking on the challenge! Even the Sun has its flaws. But that does not make domain-PKI useless. Domain PKI references: Purple (X-OBI's domain-PKI authentication system): Read: http://www.x-obi.com/purple Run: http://buyer.x-obi.com Why client-certificates have no [direct] use in B2B: http://www.mobilephones-tng.com/papers/obi-2.1-sec.doc S/MIME for domains: http://www.ietf.org/internet-drafts/draft-ietf-smime-domsec-08.txt OAISIS Security Services: http://www.oasis-open.org/committees/security/ VISA's 3D SET (that though will be replaced by 3D Secure which so far I cannot disclose info about): http://www.visa.com/pd/eu_shop/merchants/3d_set/main.html#threedomain Early mobile phone concept based on domain-PKI and client-PKI in a "combo" http://www.mobilephones-tng.com Internet2's Shibboleth inter-campus web-authentication system: http://middleware.internet2.edu/shibboleth/ > The problem that I see with the Purple model is that there is a requirement for > explicit trust between the "partners". Known partners are nice but does not solve > the broader problem of extending trust. Now you hit a weak point in PKI in general. What do we mean by trust? That the entity is the one they are claiming to be? I do not belie (PKI is a religion?) that it is enough that you have a certificate from a trusted CA. Because if you want to conduct business you may actually be more interested in knowing that a buyer is capable of paying or that the supplier delivers. Such information can sometimes be obtained from TTP's specializing in such data (e.g. D & B). By identifying the entity with their organization certificate you have the "perfect handle" for perfoming such queries. And how much trust you have in an unkown organization is up to every partner to decide. I.e. a CA <> God! > Works fine as long as the number of partners is small, but is combinatorially > explosive as the number of partners becomes large. No, domain-PKI follows a linear scale as partners are autonomous. I.e. domain-PKI is simply a way for an organization to sign messages using a digital version of their company paper. But unlike the paper-version, the digital version is usually issued by a TTP and is extremely hard to forge. > The ability to manage that > large number of trust relationships becomes just as difficult as the bridge CA > problem. The "unwieldy" PKI created by DoD elminates that problem, at least within > DoD where there are hundreds (maybe thousands?) of "partner" domains. At least > within DoD there is an understanding of the level of trust involved in getting a > certificate. Many companies have more than 10000 suppliers, domain-PKI adds little to the complexity (in principal at least). And it definitely beats current "state-of-the-art-solutions" using user-ID passwords on partner sites. > The current HTTPS model is a bad example of trust because there is no (valid) > presumption of trust between a web server and a client. SSL encrypts the pipe but > there is no method for determining if the client or the server is who they claim to > be. Trivial to spoof either (or both) although the pipe is secure from > observation. Even IPSEC based authentication (a step above the SSL model) does not > provide any assurance that the claimed user is who they say they are. Unless there > is a trust model that extends across the network, in a scalable manner, then the > relying party is left holding the bag. Client-PKI does not make you safe from impersonators, or does it? > Finally, to trust a domain, you must understand how that domain issues > certificates. If there is no policy which tells a relying party what the level of > assurance is involved in the creation of the certificate, then the level of trust > you place in that certificate is zero. If you refer to the Purple tickets they are no different than purchase orders (which BTW is sort of a certificate). If you trust the purchase orders you ought to be able to trust tickets as they are created about the same way by the very same system run by the very same organization and staff. But the motives for domain-PKI have so many more elements that I could go on the whole night to describe them all but I think it is better to go through the references instead of just repeating myself. ==================================================== With the exception of end-to-end authentication, domain-PKI IMO seems to beat client-based PKIs for B2B by a mile. Regarding end-to-end authentication of Purple tickets (and Shibboleth and SAML dittos), I have BTW a few suggestions that I would like to discuss with interested parties. It looks like this indeed can be solved in a very convenient way (no local client configuration) but it requires an upgraded browser. ==================================================== Anders Received: from mclean5-mail.usae.bah.com (mclean5-mail.usae.bah.com [156.80.5.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA13153 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 10:40:31 -0700 (PDT) Received: from bah.com ([134.205.161.104]) by mclean5-mail.usae.bah.com (Netscape Messaging Server 4.15) with ESMTP id GBL7RK00.JPS; Tue, 10 Apr 2001 13:40:32 -0400 Message-ID: <3AD34590.72533654@bah.com> Date: Tue, 10 Apr 2001 13:40:33 -0400 From: "Frank Lawrence" <frank_lawrence@bah.com> X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Anders Rundgren <anders.rundgren@telia.com> CC: Santosh Chokhani <chokhani@cygnacom.com>, "Fillingham David W." <dwfilli@missi.ncsc.mil>, PKIX-List <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, pki-twg@nist.gov, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, * ALL FIREBURST USERS * <all@missi.ncsc.mil>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner Clark J." <cjwagne@missi.ncsc.mil>, judith.spencer@gsa.gov, Michelle.Moldenhauer@do.treas.gov, "'Steve Hanna (SUN)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com>, Roger Younglove <ryounglove@lucent.com> Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations References: <8D7EC1912E25D411A32100D0B76953977CDD31@scygmxs01.cygnacom.com> <4.2.2.20010410090827.00d70630@POP7.ins.com> <014d01c0c1df$aebe0390$0500a8c0@arport> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit I will take a shot of the problem with the purple model. The problem that I see with the Purple model is that there is a requirement for explicit trust between the "partners". Known partners are nice but does not solve the broader problem of extending trust. Works fine as long as the number of partners is small, but is combinatorially explosive as the number of partners becomes large. The ability to manage that large number of trust relationships becomes just as difficult as the bridge CA problem. The "unwieldy" PKI created by DoD elminates that problem, at least within DoD where there are hundreds (maybe thousands?) of "partner" domains. At least within DoD there is an understanding of the level of trust involved in getting a certificate. The current HTTPS model is a bad example of trust because there is no (valid) presumption of trust between a web server and a client. SSL encrypts the pipe but there is no method for determining if the client or the server is who they claim to be. Trivial to spoof either (or both) although the pipe is secure from observation. Even IPSEC based authentication (a step above the SSL model) does not provide any assurance that the claimed user is who they say they are. Unless there is a trust model that extends across the network, in a scalable manner, then the relying party is left holding the bag. Finally, to trust a domain, you must understand how that domain issues certificates. If there is no policy which tells a relying party what the level of assurance is involved in the creation of the certificate, then the level of trust you place in that certificate is zero. Anders Rundgren wrote: > Roger, > > >IMHO, when you have multiple PKIs with in any industry such as the > >Automotive (ie. ANX) or the Government, cross certification become a > >problem because the certificate chain of trust becomes so unwieldy and > >revocation of a PKI is also a problem. The Bridge scenario solves this > >problem. It is not the only solution but the simplest with a number of > >existing PKIs. > > Agreed, Bridge CAs solves (some of) the problems created by > unwieldy PKIs such as those created by DoD. > > Domain-PKI does not requires such solutions as it is much simpler > to create and maintain. 100 millions users of Internet use it today > when they address an https URL. That's simplicity IMHO. > Applied to B2B it gets just slightly more complicated. > > Anders > > At 05:21 AM 04/10/2001 , Anders Rundgren wrote: > >Santosh, > >Domain (server-based) PKI offers persistent signatures for non-repudiation > >at a fraction > >of the cost (and inconvenience) that inter-organization client-based > >signatures introduce. > >The need for bridge-CAs using domain-PKI is IMO very limited as the number > >of CAs is > >reduced by several orders of magnitude by such approaches. 5-10 CAs > >worldwide is my guess. > > > >I do have read the paper by Bill Burr. Did you read about Purple? I.e. do > >you see a problem with this model? > > > >BTW, I am a (currently only lurking due to high work-load) member of the > >OASIS Security Services TC where > >domain-based solutions are standardized. I have never ever seen such an > >enormous committee activity so domain > >security is indeed red-hot. > > > >Internet2 with their Shibboleth distributed multi-campus authentication > >system will be based on domain-PKI. > > > >Personally I expect the next version of OBI (Open Buying on the Internet) > >to be entirely based > >on this concept by throwing out the inter-organization client-certs (that > >never worked, so just about > >everybody turned to user-ID/passwords in spite of not being a part of the > >standard). > > > >VISA's coming 3D Secure credit-card payment system is also based on > >domain-PKI. > > > >Due to this, I think that DoD (and similar organizations all over the > >globe) should very carefully evaluate the > >domain security alternative before they do any new investments in CA systems. > > > >Regards > >Anders > >----- Original Message ----- > >From: Santosh Chokhani > >To: Anders Rundgren ; Fillingham, David W. ; PKIX-List ; 'KPCMWG' ; 'DoD > >PKI TWG' ; pki-twg@nist.gov ; 'Bridge CA Mail List' ; 'BCA > >Integration' ; * ALL FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. > >; judith.spencer@gsa.gov ; > >Michelle.Moldenhauer@do.treas.gov ; 'Steve Hanna (SUN)' ; 'Susan Dernik' > >Sent: Monday, April 09, 2001 22:39 > >Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations > > > > > >Anders: > >I think Bridge technology can be helpful to a vertical segment such as > >banking, health care, automotive industry etc. in order to > >facilitate secure e-commerce among the trading partners where persistent > >digital signature for non-repudiation may be required. > >Also, given how organizations manage their Web sites and we hear about Web > >server break-in, persistent encryption (beyond SSL > >transport) may call for interoperable, inter-domain PKI. Again Bridge CA > >can help. > >Actually, I can see the benefits of layers (strata) of Bridge CAs, e.g., > >Bridge CAs from various vertical segments themselves > >connecting to a Omni-Bridge. In that case, the Bridge CAs will be > >Principal CAs. > >I assume you have had a chance to review the excellent paper on the Bridge > >concept developed by Bill Burr. > >-----Original Message----- > >From: Anders Rundgren [mailto:anders.rundgren@telia.com] > >Sent: Monday, April 09, 2001 2:08 PM > >To: Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; > >pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; * ALL > >FIREBURST USERS *; 'Steve Capps'; Wagner, Clark J.; > >judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna > >(SUN)'; 'Susan Dernik' > >Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations > > > > > >David, > >This is indeed an ambitious project. Unfortunately I doubt that the Bridge > >model has any relevance in > >the private sector that for inter-organization communication, is more > >likely to deploy domain-based > >PKI-solutions, that have the major advantage of already being supported by > >global TTPs which makes > >domain security solutions useful for organizations of any size. I.e. > >VeriSign's issuance of web-server > >certificates is "approximately" what is needed. > >That domain security is incompatible with most current digital signature > >laws is a pity. Particularly for > >the lawyers who created them. :-) > >Using domain security, tracing, message archiving, and user-control is > >essentially built-in. > >A further advantage of domain security models is that client security > >solutions can develop in a > >different pace at each organization. As they have for current > >Internet-banks that is so far the only > >large-scale (almost) secure multi-organization transaction-environment on > >the Internet. > >The question that comes to my mind is: Will all Governments in the world > >continue to adopt the > >"All-speak-with-all-PKI" approach in spite of the fact that the private > >sector probably have shunned it > >due to complexity, privacy concerns, lack of control, and cost? > >Regard > >Anders Rundgren > >X-OBI read: http://www.x-obi.com/purple run: http://buyer.x-obi.com > > > > > > > >----- Original Message ----- > >From: Fillingham, David W. > >To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD PKI TWG' ; 'pki-twg@nist.gov' ; > >'Bridge CA Mail List' ; 'BCA Integration' ; * ALL > >FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. ; > >'judith.spencer@gsa.gov' ; 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve Hanna > >(SUN)' ; 'Susan Dernik' > >Sent: Friday, April 06, 2001 16:48 > >Subject: DoD Bridge Certification Authority Phase II Demonstrations > > > > > >For the last few years, the National Security Agency has led the > >development of Bridge Certification Authority (BCA) technology > >demonstrations. In 1999, Phase One of the Department of Defense BCA > >Technology Demonstration showed the technical feasibility of > >achieving signed e-mail interoperability using multi-vendor > >cross-certification in conjunction with chained directory systems. > > > >Phase Two of the demonstration is now ready to be shown. Phase Two of the > >DoD Bridge CA Phase II Technology Demonstration includes: > > > >Technologies: > > > >-- Certificate chain building in complex certificate graphs; > >-- Integration of both mesh-style cross-certified PKIs and hierarchical PKIs; > >-- Multi-signature/hash algorithm processing in certificate chains; > >-- Certificate acceptance/rejection based on Certificate Policy > >processing, including policy mapping; > >-- Transitive trust limitation using Name Constraints processing; > >-- Access Control using X.509 compliant attribute certificates (same > >attribute certificates used for e-mail and web based access > >control); > >-- E-mail access control using S/MIME V3 labeling; > >-- E-mail encryption using public key certificates authenticated via a > >Bridge Certification Authority; > >-- Border Directories; > >-- Multivendor directory interoperation via X.500 chaining; and, > >-- Transparent sharing of certificate revocation information across > >several PKIs using products of multiple PKI vendors. > > > >Client Applications: > > > >-- Baltimore Technologies MailSecure enabled Microsoft Outlook > >-- Entrust Enabled Microsoft Outlook > >-- Getronics S/MIME Freeware Library, Certificate Management Library, and > >Access Control Library enabled Qualcomm Eudora > >-- Getronics Certificate Management Library and Access Control Library > >enabled Netscape Web Server > > > >Freeware Libraries: > > > >-- Cygnacom Certificate Path Development Library > > <http://www.cygnacom.com/products/index.htm> > >-- Getronics S/MIME (Version 3) Freeware Library > > <http://www.getronicsgov.com/hot/sfl_home.htm> > >-- Getronics Certificate Management Library > > <http://www.getronicsgov.com/hot/cml_home.htm> > >-- Getronics Access Control Library > > <http://www.getronicsgov.com/hot/acl_home.htm> > >CA vendor interoperability demonstrations: > > > >-- Baltimore Technologies > >-- Entrust Technologies > >-- Motorola > >-- SPYRUS > > > >Directory Interoperability: > >-- Entrust ICL > >-- Entegrity Safepages Directory > >Demonstrations will be held at the following locations and dates (note > >that you MUST REGISTER to attend! Registration information > >is provided below): > > > >---------- > >CygnaCom > >Suite 100 West > >7927 Jones Branch Dr. > >McLean, Virginia > > > >Directions to CygnaCom are located > >at: <http://www.cygnacom.com/contact/directions.htm> > > > >26 April 2001 - 0900 > > > >26 April 2001 - 1300 > > > >16 May 2001 - 0900 > > > >16 May 2001 - 1300 > > > >--------- > >Getronics Government Solutions > >141 National Business Parkway, Suite 210 > >Annapolis Junction, Maryland > > > > From Washington DC: Take I-95 north; take MD Rt 32 east exit; take Dorsey > >Run exit; at stop sign turn left on Dorsey Run; at stop light turn right on > >Guilford Road which becomes National Business Pkwy. > > > > From Baltimore: Take BW Parkway (295) south; take MD Rt 32 west exit; stay > >in right lane of the exit which runs into National Business Pkwy; make a > >right on National Business Pkwy. > > > >30 April 2001 - 1300 > > > >8 May 2001 - 0900 > > > >8 May 2001 - 1300 > > > >24 May 2001 - 0900 > > > >24 May 2001 - 1300 > > > >--------- > > > >All showings last about half a day - with a mixture of conference room > >briefings and laboratory demonstrations. > > > >We are limited by available demonstration space to an absolute maximum of > >20 participants at each showing. > > > >IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER (llfaulk@missi.ncsc.mil > ><mailto:llfaulk@missi.ncsc.mil>) AND MYSELF > >(dwfilli@missi.ncsc.mil <mailto:dwfilli@missi.ncsc.mil>) IF YOU PLAN TO > >ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE > >ADMITTED TO THE DEMONSTRATION. > > > >Please provide the following information to register: > > > >-- Name > >-- Organization > >-- E-mail address > >-- Date and time of the demonstration showing you wish to attend (with > >alternates, if possible) > > > >We look forward to seeing you at the demonstration! > > > >Dave Fillingham > >NSA > > -------- > TTFN > Roger W. Younglove, CISSP > Distinguished Member of Consulting Staff > Lucent Worldwide Services--Information Security > 100 Galleria Officentre, Ste. 220 > Southfield, MI 48034-8428 > Numeric page: 888.935.6755 > E-mail page: > page_roger_younglove@ins.com > eFax number: 413.425.5368 > www.lucent.com/netcare Received: from mailb.telia.com (root@mailb.telia.com [194.22.194.6]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA09466 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 09:08:14 -0700 (PDT) Received: from arport ([212.181.94.147]) by mailb.telia.com (8.9.3/8.9.3) with SMTP id SAA16121; Tue, 10 Apr 2001 18:08:03 +0200 (CEST) Message-ID: <014d01c0c1df$aebe0390$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "Fillingham, David W." <dwfilli@missi.ncsc.mil>, "PKIX-List" <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, <pki-twg@nist.gov>, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, "* ALL FIREBURST USERS *" <all@missi.ncsc.mil>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, <judith.spencer@gsa.gov>, <Michelle.Moldenhauer@do.treas.gov>, "'Steve Hanna \(SUN\)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com>, "Roger Younglove" <ryounglove@lucent.com> References: <8D7EC1912E25D411A32100D0B76953977CDD31@scygmxs01.cygnacom.com> <4.2.2.20010410090827.00d70630@POP7.ins.com> Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations Date: Tue, 10 Apr 2001 18:59:59 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Roger, >IMHO, when you have multiple PKIs with in any industry such as the >Automotive (ie. ANX) or the Government, cross certification become a >problem because the certificate chain of trust becomes so unwieldy and >revocation of a PKI is also a problem. The Bridge scenario solves this >problem. It is not the only solution but the simplest with a number of >existing PKIs. Agreed, Bridge CAs solves (some of) the problems created by unwieldy PKIs such as those created by DoD. Domain-PKI does not requires such solutions as it is much simpler to create and maintain. 100 millions users of Internet use it today when they address an https URL. That's simplicity IMHO. Applied to B2B it gets just slightly more complicated. Anders At 05:21 AM 04/10/2001 , Anders Rundgren wrote: >Santosh, >Domain (server-based) PKI offers persistent signatures for non-repudiation >at a fraction >of the cost (and inconvenience) that inter-organization client-based >signatures introduce. >The need for bridge-CAs using domain-PKI is IMO very limited as the number >of CAs is >reduced by several orders of magnitude by such approaches. 5-10 CAs >worldwide is my guess. > >I do have read the paper by Bill Burr. Did you read about Purple? I.e. do >you see a problem with this model? > >BTW, I am a (currently only lurking due to high work-load) member of the >OASIS Security Services TC where >domain-based solutions are standardized. I have never ever seen such an >enormous committee activity so domain >security is indeed red-hot. > >Internet2 with their Shibboleth distributed multi-campus authentication >system will be based on domain-PKI. > >Personally I expect the next version of OBI (Open Buying on the Internet) >to be entirely based >on this concept by throwing out the inter-organization client-certs (that >never worked, so just about >everybody turned to user-ID/passwords in spite of not being a part of the >standard). > >VISA's coming 3D Secure credit-card payment system is also based on >domain-PKI. > >Due to this, I think that DoD (and similar organizations all over the >globe) should very carefully evaluate the >domain security alternative before they do any new investments in CA systems. > >Regards >Anders >----- Original Message ----- >From: Santosh Chokhani >To: Anders Rundgren ; Fillingham, David W. ; PKIX-List ; 'KPCMWG' ; 'DoD >PKI TWG' ; pki-twg@nist.gov ; 'Bridge CA Mail List' ; 'BCA >Integration' ; * ALL FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. >; judith.spencer@gsa.gov ; >Michelle.Moldenhauer@do.treas.gov ; 'Steve Hanna (SUN)' ; 'Susan Dernik' >Sent: Monday, April 09, 2001 22:39 >Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations > > >Anders: >I think Bridge technology can be helpful to a vertical segment such as >banking, health care, automotive industry etc. in order to >facilitate secure e-commerce among the trading partners where persistent >digital signature for non-repudiation may be required. >Also, given how organizations manage their Web sites and we hear about Web >server break-in, persistent encryption (beyond SSL >transport) may call for interoperable, inter-domain PKI. Again Bridge CA >can help. >Actually, I can see the benefits of layers (strata) of Bridge CAs, e.g., >Bridge CAs from various vertical segments themselves >connecting to a Omni-Bridge. In that case, the Bridge CAs will be >Principal CAs. >I assume you have had a chance to review the excellent paper on the Bridge >concept developed by Bill Burr. >-----Original Message----- >From: Anders Rundgren [mailto:anders.rundgren@telia.com] >Sent: Monday, April 09, 2001 2:08 PM >To: Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; >pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; * ALL >FIREBURST USERS *; 'Steve Capps'; Wagner, Clark J.; >judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna >(SUN)'; 'Susan Dernik' >Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations > > >David, >This is indeed an ambitious project. Unfortunately I doubt that the Bridge >model has any relevance in >the private sector that for inter-organization communication, is more >likely to deploy domain-based >PKI-solutions, that have the major advantage of already being supported by >global TTPs which makes >domain security solutions useful for organizations of any size. I.e. >VeriSign's issuance of web-server >certificates is "approximately" what is needed. >That domain security is incompatible with most current digital signature >laws is a pity. Particularly for >the lawyers who created them. :-) >Using domain security, tracing, message archiving, and user-control is >essentially built-in. >A further advantage of domain security models is that client security >solutions can develop in a >different pace at each organization. As they have for current >Internet-banks that is so far the only >large-scale (almost) secure multi-organization transaction-environment on >the Internet. >The question that comes to my mind is: Will all Governments in the world >continue to adopt the >"All-speak-with-all-PKI" approach in spite of the fact that the private >sector probably have shunned it >due to complexity, privacy concerns, lack of control, and cost? >Regard >Anders Rundgren >X-OBI read: http://www.x-obi.com/purple run: http://buyer.x-obi.com > > > >----- Original Message ----- >From: Fillingham, David W. >To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD PKI TWG' ; 'pki-twg@nist.gov' ; >'Bridge CA Mail List' ; 'BCA Integration' ; * ALL >FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. ; >'judith.spencer@gsa.gov' ; 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve Hanna >(SUN)' ; 'Susan Dernik' >Sent: Friday, April 06, 2001 16:48 >Subject: DoD Bridge Certification Authority Phase II Demonstrations > > >For the last few years, the National Security Agency has led the >development of Bridge Certification Authority (BCA) technology >demonstrations. In 1999, Phase One of the Department of Defense BCA >Technology Demonstration showed the technical feasibility of >achieving signed e-mail interoperability using multi-vendor >cross-certification in conjunction with chained directory systems. > >Phase Two of the demonstration is now ready to be shown. Phase Two of the >DoD Bridge CA Phase II Technology Demonstration includes: > >Technologies: > >-- Certificate chain building in complex certificate graphs; >-- Integration of both mesh-style cross-certified PKIs and hierarchical PKIs; >-- Multi-signature/hash algorithm processing in certificate chains; >-- Certificate acceptance/rejection based on Certificate Policy >processing, including policy mapping; >-- Transitive trust limitation using Name Constraints processing; >-- Access Control using X.509 compliant attribute certificates (same >attribute certificates used for e-mail and web based access >control); >-- E-mail access control using S/MIME V3 labeling; >-- E-mail encryption using public key certificates authenticated via a >Bridge Certification Authority; >-- Border Directories; >-- Multivendor directory interoperation via X.500 chaining; and, >-- Transparent sharing of certificate revocation information across >several PKIs using products of multiple PKI vendors. > >Client Applications: > >-- Baltimore Technologies MailSecure enabled Microsoft Outlook >-- Entrust Enabled Microsoft Outlook >-- Getronics S/MIME Freeware Library, Certificate Management Library, and >Access Control Library enabled Qualcomm Eudora >-- Getronics Certificate Management Library and Access Control Library >enabled Netscape Web Server > >Freeware Libraries: > >-- Cygnacom Certificate Path Development Library > <http://www.cygnacom.com/products/index.htm> >-- Getronics S/MIME (Version 3) Freeware Library > <http://www.getronicsgov.com/hot/sfl_home.htm> >-- Getronics Certificate Management Library > <http://www.getronicsgov.com/hot/cml_home.htm> >-- Getronics Access Control Library > <http://www.getronicsgov.com/hot/acl_home.htm> >CA vendor interoperability demonstrations: > >-- Baltimore Technologies >-- Entrust Technologies >-- Motorola >-- SPYRUS > >Directory Interoperability: >-- Entrust ICL >-- Entegrity Safepages Directory >Demonstrations will be held at the following locations and dates (note >that you MUST REGISTER to attend! Registration information >is provided below): > >---------- >CygnaCom >Suite 100 West >7927 Jones Branch Dr. >McLean, Virginia > >Directions to CygnaCom are located >at: <http://www.cygnacom.com/contact/directions.htm> > >26 April 2001 - 0900 > >26 April 2001 - 1300 > >16 May 2001 - 0900 > >16 May 2001 - 1300 > >--------- >Getronics Government Solutions >141 National Business Parkway, Suite 210 >Annapolis Junction, Maryland > > From Washington DC: Take I-95 north; take MD Rt 32 east exit; take Dorsey >Run exit; at stop sign turn left on Dorsey Run; at stop light turn right on >Guilford Road which becomes National Business Pkwy. > > From Baltimore: Take BW Parkway (295) south; take MD Rt 32 west exit; stay >in right lane of the exit which runs into National Business Pkwy; make a >right on National Business Pkwy. > >30 April 2001 - 1300 > >8 May 2001 - 0900 > >8 May 2001 - 1300 > >24 May 2001 - 0900 > >24 May 2001 - 1300 > >--------- > >All showings last about half a day - with a mixture of conference room >briefings and laboratory demonstrations. > >We are limited by available demonstration space to an absolute maximum of >20 participants at each showing. > >IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER (llfaulk@missi.ncsc.mil ><mailto:llfaulk@missi.ncsc.mil>) AND MYSELF >(dwfilli@missi.ncsc.mil <mailto:dwfilli@missi.ncsc.mil>) IF YOU PLAN TO >ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE >ADMITTED TO THE DEMONSTRATION. > >Please provide the following information to register: > >-- Name >-- Organization >-- E-mail address >-- Date and time of the demonstration showing you wish to attend (with >alternates, if possible) > >We look forward to seeing you at the demonstration! > >Dave Fillingham >NSA -------- TTFN Roger W. Younglove, CISSP Distinguished Member of Consulting Staff Lucent Worldwide Services--Information Security 100 Galleria Officentre, Ste. 220 Southfield, MI 48034-8428 Numeric page: 888.935.6755 E-mail page: page_roger_younglove@ins.com eFax number: 413.425.5368 www.lucent.com/netcare Received: from dtctxexchims05.ins.com ([208.164.93.100]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA04880 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 08:39:11 -0700 (PDT) Received: from cpxuser (PPPa3-ResaleDialinx80018-1R7282.dialinx.net [4.48.36.64]) by dtctxexchims05.ins.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 210KNC81; Tue, 10 Apr 2001 10:34:26 -0500 Message-Id: <4.2.2.20010410090827.00d70630@POP7.ins.com> X-Sender: youngl_r@POP7.ins.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Tue, 10 Apr 2001 09:14:58 -0400 To: "Anders Rundgren" <anders.rundgren@telia.com>, "Santosh Chokhani" <chokhani@cygnacom.com>, "Fillingham, David W." <dwfilli@missi.ncsc.mil>, "PKIX-List" <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, <pki-twg@nist.gov>, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, "* ALL FIREBURST USERS *" <all@missi.ncsc.mil>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, <judith.spencer@gsa.gov>, <Michelle.Moldenhauer@do.treas.gov>, "'Steve Hanna \(SUN\)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com> From: Roger Younglove <ryounglove@lucent.com> Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations In-Reply-To: <002101c0c19f$a3e1d0e0$0500a8c0@arport> References: <8D7EC1912E25D411A32100D0B76953977CDD31@scygmxs01.cygnacom.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed IMHO, when you have multiple PKIs with in any industry such as the Automotive (ie. ANX) or the Government, cross certification become a problem because the certificate chain of trust becomes so unwieldy and revocation of a PKI is also a problem. The Bridge scenario solves this problem. It is not the only solution but the simplest with a number of existing PKIs. At 05:21 AM 04/10/2001 , Anders Rundgren wrote: >Santosh, >Domain (server-based) PKI offers persistent signatures for non-repudiation >at a fraction >of the cost (and inconvenience) that inter-organization client-based >signatures introduce. >The need for bridge-CAs using domain-PKI is IMO very limited as the number >of CAs is >reduced by several orders of magnitude by such approaches. 5-10 CAs >worldwide is my guess. > >I do have read the paper by Bill Burr. Did you read about Purple? I.e. do >you see a problem with this model? > >BTW, I am a (currently only lurking due to high work-load) member of the >OASIS Security Services TC where >domain-based solutions are standardized. I have never ever seen such an >enormous committee activity so domain >security is indeed red-hot. > >Internet2 with their Shibboleth distributed multi-campus authentication >system will be based on domain-PKI. > >Personally I expect the next version of OBI (Open Buying on the Internet) >to be entirely based >on this concept by throwing out the inter-organization client-certs (that >never worked, so just about >everybody turned to user-ID/passwords in spite of not being a part of the >standard). > >VISA's coming 3D Secure credit-card payment system is also based on >domain-PKI. > >Due to this, I think that DoD (and similar organizations all over the >globe) should very carefully evaluate the >domain security alternative before they do any new investments in CA systems. > >Regards >Anders >----- Original Message ----- >From: Santosh Chokhani >To: Anders Rundgren ; Fillingham, David W. ; PKIX-List ; 'KPCMWG' ; 'DoD >PKI TWG' ; pki-twg@nist.gov ; 'Bridge CA Mail List' ; 'BCA >Integration' ; * ALL FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. >; judith.spencer@gsa.gov ; >Michelle.Moldenhauer@do.treas.gov ; 'Steve Hanna (SUN)' ; 'Susan Dernik' >Sent: Monday, April 09, 2001 22:39 >Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations > > >Anders: >I think Bridge technology can be helpful to a vertical segment such as >banking, health care, automotive industry etc. in order to >facilitate secure e-commerce among the trading partners where persistent >digital signature for non-repudiation may be required. >Also, given how organizations manage their Web sites and we hear about Web >server break-in, persistent encryption (beyond SSL >transport) may call for interoperable, inter-domain PKI. Again Bridge CA >can help. >Actually, I can see the benefits of layers (strata) of Bridge CAs, e.g., >Bridge CAs from various vertical segments themselves >connecting to a Omni-Bridge. In that case, the Bridge CAs will be >Principal CAs. >I assume you have had a chance to review the excellent paper on the Bridge >concept developed by Bill Burr. >-----Original Message----- >From: Anders Rundgren [mailto:anders.rundgren@telia.com] >Sent: Monday, April 09, 2001 2:08 PM >To: Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; >pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; * ALL >FIREBURST USERS *; 'Steve Capps'; Wagner, Clark J.; >judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna >(SUN)'; 'Susan Dernik' >Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations > > >David, >This is indeed an ambitious project. Unfortunately I doubt that the Bridge >model has any relevance in >the private sector that for inter-organization communication, is more >likely to deploy domain-based >PKI-solutions, that have the major advantage of already being supported by >global TTPs which makes >domain security solutions useful for organizations of any size. I.e. >VeriSign's issuance of web-server >certificates is "approximately" what is needed. >That domain security is incompatible with most current digital signature >laws is a pity. Particularly for >the lawyers who created them. :-) >Using domain security, tracing, message archiving, and user-control is >essentially built-in. >A further advantage of domain security models is that client security >solutions can develop in a >different pace at each organization. As they have for current >Internet-banks that is so far the only >large-scale (almost) secure multi-organization transaction-environment on >the Internet. >The question that comes to my mind is: Will all Governments in the world >continue to adopt the >"All-speak-with-all-PKI" approach in spite of the fact that the private >sector probably have shunned it >due to complexity, privacy concerns, lack of control, and cost? >Regard >Anders Rundgren >X-OBI read: http://www.x-obi.com/purple run: http://buyer.x-obi.com > > > >----- Original Message ----- >From: Fillingham, David W. >To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD PKI TWG' ; 'pki-twg@nist.gov' ; >'Bridge CA Mail List' ; 'BCA Integration' ; * ALL >FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. ; >'judith.spencer@gsa.gov' ; 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve Hanna >(SUN)' ; 'Susan Dernik' >Sent: Friday, April 06, 2001 16:48 >Subject: DoD Bridge Certification Authority Phase II Demonstrations > > >For the last few years, the National Security Agency has led the >development of Bridge Certification Authority (BCA) technology >demonstrations. In 1999, Phase One of the Department of Defense BCA >Technology Demonstration showed the technical feasibility of >achieving signed e-mail interoperability using multi-vendor >cross-certification in conjunction with chained directory systems. > >Phase Two of the demonstration is now ready to be shown. Phase Two of the >DoD Bridge CA Phase II Technology Demonstration includes: > >Technologies: > >-- Certificate chain building in complex certificate graphs; >-- Integration of both mesh-style cross-certified PKIs and hierarchical PKIs; >-- Multi-signature/hash algorithm processing in certificate chains; >-- Certificate acceptance/rejection based on Certificate Policy >processing, including policy mapping; >-- Transitive trust limitation using Name Constraints processing; >-- Access Control using X.509 compliant attribute certificates (same >attribute certificates used for e-mail and web based access >control); >-- E-mail access control using S/MIME V3 labeling; >-- E-mail encryption using public key certificates authenticated via a >Bridge Certification Authority; >-- Border Directories; >-- Multivendor directory interoperation via X.500 chaining; and, >-- Transparent sharing of certificate revocation information across >several PKIs using products of multiple PKI vendors. > >Client Applications: > >-- Baltimore Technologies MailSecure enabled Microsoft Outlook >-- Entrust Enabled Microsoft Outlook >-- Getronics S/MIME Freeware Library, Certificate Management Library, and >Access Control Library enabled Qualcomm Eudora >-- Getronics Certificate Management Library and Access Control Library >enabled Netscape Web Server > >Freeware Libraries: > >-- Cygnacom Certificate Path Development Library > <http://www.cygnacom.com/products/index.htm> >-- Getronics S/MIME (Version 3) Freeware Library > <http://www.getronicsgov.com/hot/sfl_home.htm> >-- Getronics Certificate Management Library > <http://www.getronicsgov.com/hot/cml_home.htm> >-- Getronics Access Control Library > <http://www.getronicsgov.com/hot/acl_home.htm> >CA vendor interoperability demonstrations: > >-- Baltimore Technologies >-- Entrust Technologies >-- Motorola >-- SPYRUS > >Directory Interoperability: >-- Entrust ICL >-- Entegrity Safepages Directory >Demonstrations will be held at the following locations and dates (note >that you MUST REGISTER to attend! Registration information >is provided below): > >---------- >CygnaCom >Suite 100 West >7927 Jones Branch Dr. >McLean, Virginia > >Directions to CygnaCom are located >at: <http://www.cygnacom.com/contact/directions.htm> > >26 April 2001 - 0900 > >26 April 2001 - 1300 > >16 May 2001 - 0900 > >16 May 2001 - 1300 > >--------- >Getronics Government Solutions >141 National Business Parkway, Suite 210 >Annapolis Junction, Maryland > > From Washington DC: Take I-95 north; take MD Rt 32 east exit; take Dorsey >Run exit; at stop sign turn left on Dorsey Run; at stop light turn right on >Guilford Road which becomes National Business Pkwy. > > From Baltimore: Take BW Parkway (295) south; take MD Rt 32 west exit; stay >in right lane of the exit which runs into National Business Pkwy; make a >right on National Business Pkwy. > >30 April 2001 - 1300 > >8 May 2001 - 0900 > >8 May 2001 - 1300 > >24 May 2001 - 0900 > >24 May 2001 - 1300 > >--------- > >All showings last about half a day - with a mixture of conference room >briefings and laboratory demonstrations. > >We are limited by available demonstration space to an absolute maximum of >20 participants at each showing. > >IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER (llfaulk@missi.ncsc.mil ><mailto:llfaulk@missi.ncsc.mil>) AND MYSELF >(dwfilli@missi.ncsc.mil <mailto:dwfilli@missi.ncsc.mil>) IF YOU PLAN TO >ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE >ADMITTED TO THE DEMONSTRATION. > >Please provide the following information to register: > >-- Name >-- Organization >-- E-mail address >-- Date and time of the demonstration showing you wish to attend (with >alternates, if possible) > >We look forward to seeing you at the demonstration! > >Dave Fillingham >NSA -------- TTFN Roger W. Younglove, CISSP Distinguished Member of Consulting Staff Lucent Worldwide Services--Information Security 100 Galleria Officentre, Ste. 220 Southfield, MI 48034-8428 Numeric page: 888.935.6755 E-mail page: page_roger_younglove@ins.com eFax number: 413.425.5368 www.lucent.com/netcare Received: from wfhqex05.gfgsi.com (netva01.getronicsgov.com [206.137.100.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA28032 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 07:17:26 -0700 (PDT) Received: by wfhqex05.gfgsi.com with Internet Mail Service (5.5.2650.21) id <H95FXG6R>; Tue, 10 Apr 2001 10:18:24 -0400 Message-ID: <0B95FB5619B3D411817E006008A59259692963@wfhqex06.gfgsi.com> From: "Pawling, John" <John.Pawling@GetronicsGov.com> To: "ietf-pkix@imc. org (E-mail)" <ietf-pkix@imc.org> Subject: Comments to PKIX AC profile Date: Tue, 10 Apr 2001 10:18:17 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" All, In a separate message, Stephen Henson reported an incompatibility between the Attribute Certificate (AC) ASN.1 syntaxes defined in the PKIX AC Profile for Authorization <draft-ietf-pkix-ac509prof-06.txt> and draft 2000 X.509 Recommendation (4th Edition, Draft V7, 23 Feb 2001). The PKIX AC Profile, Appendix B, ASN.1 module includes "DEFINITIONS EXPLICIT TAGS ::=", but the 2000 X.509 Recommendation ASN.1 module defining the AC syntax includes "DEFINITIONS IMPLICIT TAGS ::=". Recommend that the PKIX AC Profile should be changed so that the AC ASN.1 syntax is equivalent (i.e. produces the identical ASN.1 hex encoding) to that defined in the draft 2000 X.509 Recommendation. This could be accomplished by moving the AC syntax definition (and component syntax definitions) from the existing Appendix B module to a new ASN.1 module that includes "DEFINITIONS IMPLICIT TAGS ::=". That is the strategy used in the draft 2000 X.509 Recommendation. Also, recommend that ac509prof-06 file should be changed so that the Clearance attribute ASN.1 syntax defined in Appendix B is equivalent to that defined in X.501. X.501 defines the Clearance attribute syntax using AUTOMATIC TAGS. The Clearance attribute syntax in the PKIX AC profile should be changed as follows to be consistent with X.501: Clearance ::= SEQUENCE { policyId [0] OBJECT IDENTIFIER, classList [1] ClassList DEFAULT {unclassified}, securityCategories [2] SET OF SecurityCategory OPTIONAL } =========================================== John Pawling, John.Pawling@GetronicsGov.com Getronics Government Solutions, LLC =========================================== Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA12701 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 04:04:37 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA10891; Tue, 10 Apr 2001 07:04:36 -0400 (EDT) Message-Id: <200104101104.HAA10891@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-new-part1-06.txt Date: Tue, 10 Apr 2001 07:04:36 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Certificate and CRL Profile Author(s) : R. Housley, W. Ford, W. Polk, D. Solo Filename : draft-ietf-pkix-new-part1-06.txt Pages : 119 Date : 09-Apr-01 This is the fourth draft of a specification based upon RFC 2459. When complete, this specification will obsolete RFC 2459. This specification includes minor edits and clarifications. The most notable departures from RFC 2459 are found in Section 6, Path Validation. In RFC 2459, the reader was expected to augment the path validation algorithm, which concentrated upon policy processing, with information embedded in earlier sections. For example, parameter inheritance is discussed in Section 7, Algorithm Support, and can certainly affect the validity of a certification path. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-new-part1-06.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-new-part1-06.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-new-part1-06.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20010409100754.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-new-part1-06.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-new-part1-06.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20010409100754.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from tama3.tas.ntt.co.jp (tama3.tas.ntt.co.jp [192.68.248.40]) by above.proper.com (8.9.3/8.9.3) with ESMTP id BAA28771 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 01:53:48 -0700 (PDT) Received: from nttmail.ecl.ntt.co.jp (nttmail.tas.ntt.co.jp [192.68.248.11]) by tama3.tas.ntt.co.jp (8.9.3+3.2W/3.7W/01/21/00) with ESMTP id RAA01164 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 17:53:42 +0900 (JST) (envelope-from odahara@dsa.isl.ntt.co.jp) Received: from dsa.isl.ntt.co.jp by nttmail.ecl.ntt.co.jp (8.9.3+3.2W/3.7W/03/21/01) with ESMTP id RAA27848 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 17:53:40 +0900 (JST) (envelope-from odahara@dsa.isl.ntt.co.jp) Received: from cats by dsa.isl.ntt.co.jp (8.9.3/isl-2.0) id RAA13812; Tue, 10 Apr 2001 17:53:39 +0900 (JST) Date: Tue, 10 Apr 2001 17:55:46 +0900 From: Hideyuki Odahara <odahara@dsa.isl.ntt.co.jp> To: ietf-pkix@imc.org Subject: attributes in AC Message-Id: <20010410173741.DB73.ODAHARA@dsa.isl.ntt.co.jp> MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-2022-JP" Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver. 2.00.03 Please teach me the difference of the use of "Service Authentication Infomation" and "Access Identity" in Attribute Certificate, and how to use the "Access Identity" attribute if you have any concrete example. It is described that "this is a different use to that intended for the svceAuthInfo attribute discribed in 4.4.1 above." at the page 19 in the internet-draft(draft-ietf-pkix-ac509prof). But there is no example what situation does it suit. thanks ---------- Hideyuki Odahara $B!'(B odahara@dsa.isl.ntt.co.jp Received: from mailb.telia.com (root@mailb.telia.com [194.22.194.6]) by above.proper.com (8.9.3/8.9.3) with ESMTP id BAA24587 for <ietf-pkix@imc.org>; Tue, 10 Apr 2001 01:29:46 -0700 (PDT) Received: from arport ([212.181.94.147]) by mailb.telia.com (8.9.3/8.9.3) with SMTP id KAA24050; Tue, 10 Apr 2001 10:29:36 +0200 (CEST) Message-ID: <002101c0c19f$a3e1d0e0$0500a8c0@arport> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "Fillingham, David W." <dwfilli@missi.ncsc.mil>, "PKIX-List" <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, <pki-twg@nist.gov>, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, "* ALL FIREBURST USERS *" <all@missi.ncsc.mil>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, <judith.spencer@gsa.gov>, <Michelle.Moldenhauer@do.treas.gov>, "'Steve Hanna \(SUN\)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com> References: <8D7EC1912E25D411A32100D0B76953977CDD31@scygmxs01.cygnacom.com> Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations Date: Tue, 10 Apr 2001 11:21:31 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Santosh, Domain (server-based) PKI offers persistent signatures for non-repudiation at a fraction of the cost (and inconvenience) that inter-organization client-based signatures introduce. The need for bridge-CAs using domain-PKI is IMO very limited as the number of CAs is reduced by several orders of magnitude by such approaches. 5-10 CAs worldwide is my guess. I do have read the paper by Bill Burr. Did you read about Purple? I.e. do you see a problem with this model? BTW, I am a (currently only lurking due to high work-load) member of the OASIS Security Services TC where domain-based solutions are standardized. I have never ever seen such an enormous committee activity so domain security is indeed red-hot. Internet2 with their Shibboleth distributed multi-campus authentication system will be based on domain-PKI. Personally I expect the next version of OBI (Open Buying on the Internet) to be entirely based on this concept by throwing out the inter-organization client-certs (that never worked, so just about everybody turned to user-ID/passwords in spite of not being a part of the standard). VISA's coming 3D Secure credit-card payment system is also based on domain-PKI. Due to this, I think that DoD (and similar organizations all over the globe) should very carefully evaluate the domain security alternative before they do any new investments in CA systems. Regards Anders ----- Original Message ----- From: Santosh Chokhani To: Anders Rundgren ; Fillingham, David W. ; PKIX-List ; 'KPCMWG' ; 'DoD PKI TWG' ; pki-twg@nist.gov ; 'Bridge CA Mail List' ; 'BCA Integration' ; * ALL FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. ; judith.spencer@gsa.gov ; Michelle.Moldenhauer@do.treas.gov ; 'Steve Hanna (SUN)' ; 'Susan Dernik' Sent: Monday, April 09, 2001 22:39 Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations Anders: I think Bridge technology can be helpful to a vertical segment such as banking, health care, automotive industry etc. in order to facilitate secure e-commerce among the trading partners where persistent digital signature for non-repudiation may be required. Also, given how organizations manage their Web sites and we hear about Web server break-in, persistent encryption (beyond SSL transport) may call for interoperable, inter-domain PKI. Again Bridge CA can help. Actually, I can see the benefits of layers (strata) of Bridge CAs, e.g., Bridge CAs from various vertical segments themselves connecting to a Omni-Bridge. In that case, the Bridge CAs will be Principal CAs. I assume you have had a chance to review the excellent paper on the Bridge concept developed by Bill Burr. -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren@telia.com] Sent: Monday, April 09, 2001 2:08 PM To: Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; * ALL FIREBURST USERS *; 'Steve Capps'; Wagner, Clark J.; judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna (SUN)'; 'Susan Dernik' Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations David, This is indeed an ambitious project. Unfortunately I doubt that the Bridge model has any relevance in the private sector that for inter-organization communication, is more likely to deploy domain-based PKI-solutions, that have the major advantage of already being supported by global TTPs which makes domain security solutions useful for organizations of any size. I.e. VeriSign's issuance of web-server certificates is "approximately" what is needed. That domain security is incompatible with most current digital signature laws is a pity. Particularly for the lawyers who created them. :-) Using domain security, tracing, message archiving, and user-control is essentially built-in. A further advantage of domain security models is that client security solutions can develop in a different pace at each organization. As they have for current Internet-banks that is so far the only large-scale (almost) secure multi-organization transaction-environment on the Internet. The question that comes to my mind is: Will all Governments in the world continue to adopt the "All-speak-with-all-PKI" approach in spite of the fact that the private sector probably have shunned it due to complexity, privacy concerns, lack of control, and cost? Regard Anders Rundgren X-OBI read: http://www.x-obi.com/purple run: http://buyer.x-obi.com ----- Original Message ----- From: Fillingham, David W. To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD PKI TWG' ; 'pki-twg@nist.gov' ; 'Bridge CA Mail List' ; 'BCA Integration' ; * ALL FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. ; 'judith.spencer@gsa.gov' ; 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve Hanna (SUN)' ; 'Susan Dernik' Sent: Friday, April 06, 2001 16:48 Subject: DoD Bridge Certification Authority Phase II Demonstrations For the last few years, the National Security Agency has led the development of Bridge Certification Authority (BCA) technology demonstrations. In 1999, Phase One of the Department of Defense BCA Technology Demonstration showed the technical feasibility of achieving signed e-mail interoperability using multi-vendor cross-certification in conjunction with chained directory systems. Phase Two of the demonstration is now ready to be shown. Phase Two of the DoD Bridge CA Phase II Technology Demonstration includes: Technologies: -- Certificate chain building in complex certificate graphs; -- Integration of both mesh-style cross-certified PKIs and hierarchical PKIs; -- Multi-signature/hash algorithm processing in certificate chains; -- Certificate acceptance/rejection based on Certificate Policy processing, including policy mapping; -- Transitive trust limitation using Name Constraints processing; -- Access Control using X.509 compliant attribute certificates (same attribute certificates used for e-mail and web based access control); -- E-mail access control using S/MIME V3 labeling; -- E-mail encryption using public key certificates authenticated via a Bridge Certification Authority; -- Border Directories; -- Multivendor directory interoperation via X.500 chaining; and, -- Transparent sharing of certificate revocation information across several PKIs using products of multiple PKI vendors. Client Applications: -- Baltimore Technologies MailSecure enabled Microsoft Outlook -- Entrust Enabled Microsoft Outlook -- Getronics S/MIME Freeware Library, Certificate Management Library, and Access Control Library enabled Qualcomm Eudora -- Getronics Certificate Management Library and Access Control Library enabled Netscape Web Server Freeware Libraries: -- Cygnacom Certificate Path Development Library <http://www.cygnacom.com/products/index.htm> -- Getronics S/MIME (Version 3) Freeware Library <http://www.getronicsgov.com/hot/sfl_home.htm> -- Getronics Certificate Management Library <http://www.getronicsgov.com/hot/cml_home.htm> -- Getronics Access Control Library <http://www.getronicsgov.com/hot/acl_home.htm> CA vendor interoperability demonstrations: -- Baltimore Technologies -- Entrust Technologies -- Motorola -- SPYRUS Directory Interoperability: -- Entrust ICL -- Entegrity Safepages Directory Demonstrations will be held at the following locations and dates (note that you MUST REGISTER to attend! Registration information is provided below): ---------- CygnaCom Suite 100 West 7927 Jones Branch Dr. McLean, Virginia Directions to CygnaCom are located at: <http://www.cygnacom.com/contact/directions.htm> 26 April 2001 - 0900 26 April 2001 - 1300 16 May 2001 - 0900 16 May 2001 - 1300 --------- Getronics Government Solutions 141 National Business Parkway, Suite 210 Annapolis Junction, Maryland >From Washington DC: Take I-95 north; take MD Rt 32 east exit; take Dorsey Run exit; at stop sign turn left on Dorsey Run; at stop light turn right on Guilford Road which becomes National Business Pkwy. >From Baltimore: Take BW Parkway (295) south; take MD Rt 32 west exit; stay in right lane of the exit which runs into National Business Pkwy; make a right on National Business Pkwy. 30 April 2001 - 1300 8 May 2001 - 0900 8 May 2001 - 1300 24 May 2001 - 0900 24 May 2001 - 1300 --------- All showings last about half a day - with a mixture of conference room briefings and laboratory demonstrations. We are limited by available demonstration space to an absolute maximum of 20 participants at each showing. IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER (llfaulk@missi.ncsc.mil <mailto:llfaulk@missi.ncsc.mil>) AND MYSELF (dwfilli@missi.ncsc.mil <mailto:dwfilli@missi.ncsc.mil>) IF YOU PLAN TO ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE ADMITTED TO THE DEMONSTRATION. Please provide the following information to register: -- Name -- Organization -- E-mail address -- Date and time of the demonstration showing you wish to attend (with alternates, if possible) We look forward to seeing you at the demonstration! Dave Fillingham NSA Received: from tufan.tsk.mil.tr (tufan.tsk.mil.tr [212.50.38.5]) by above.proper.com (8.9.3/8.9.3) with ESMTP id WAA25912 for <ietf-pkix@imc.org>; Mon, 9 Apr 2001 22:47:04 -0700 (PDT) Received: from yengec (192.168.1.1 [192.168.1.1]) by tufan.tsk.mil.tr with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id H946ZZ3D; Tue, 10 Apr 2001 08:47:05 +0300 From: "Erdal YILDIZ" <eyildiz@tsk.mil.tr> To: <ietf-pkix@imc.org> Subject: X.509 2000 Version Date: Tue, 10 Apr 2001 00:33:03 +0300 Message-ID: <NEBBKOICGMPMBALHDEHHAEEACAAA.eyildiz@tsk.mil.tr> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-9" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Importance: Normal Hi All; I am looking for X.509 2000 Version documentation. If some one help me, I will be really very appreciated. Thanks Erdal YILDIZ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA00908 for <ietf-pkix@imc.org>; Mon, 9 Apr 2001 13:48:19 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <2S5ST36K>; Mon, 9 Apr 2001 16:47:50 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CDD31@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Anders Rundgren <anders.rundgren@telia.com>, "Fillingham, David W." <dwfilli@missi.ncsc.mil>, PKIX-List <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, pki-twg@nist.gov, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, * ALL FIREBURST USERS * <all@missi.ncsc.mil>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, judith.spencer@gsa.gov, Michelle.Moldenhauer@do.treas.gov, "'Steve Hanna (SUN)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com> Subject: RE: DoD Bridge Certification Authority Phase II Demonstrations Date: Mon, 9 Apr 2001 16:39:16 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0C135.2520D4F0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0C135.2520D4F0 Content-Type: text/plain; charset="iso-8859-1" Anders: I think Bridge technology can be helpful to a vertical segment such as banking, health care, automotive industry etc. in order to facilitate secure e-commerce among the trading partners where persistent digital signature for non-repudiation may be required. Also, given how organizations manage their Web sites and we hear about Web server break-in, persistent encryption (beyond SSL transport) may call for interoperable, inter-domain PKI. Again Bridge CA can help. Actually, I can see the benefits of layers (strata) of Bridge CAs, e.g., Bridge CAs from various vertical segments themselves connecting to a Omni-Bridge. In that case, the Bridge CAs will be Principal CAs. I assume you have had a chance to review the excellent paper on the Bridge concept developed by Bill Burr. -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren@telia.com] Sent: Monday, April 09, 2001 2:08 PM To: Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD PKI TWG'; pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA Integration'; * ALL FIREBURST USERS *; 'Steve Capps'; Wagner, Clark J.; judith.spencer@gsa.gov; Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna (SUN)'; 'Susan Dernik' Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations David, This is indeed an ambitious project. Unfortunately I doubt that the Bridge model has any relevance in the private sector that for inter-organization communication, is more likely to deploy domain-based PKI-solutions, that have the major advantage of already being supported by global TTPs which makes domain security solutions useful for organizations of any size. I.e. VeriSign's issuance of web-server certificates is "approximately" what is needed. That domain security is incompatible with most current digital signature laws is a pity. Particularly for the lawyers who created them. :-) Using domain security, tracing, message archiving, and user-control is essentially built-in. A further advantage of domain security models is that client security solutions can develop in a different pace at each organization. As they have for current Internet-banks that is so far the only large-scale (almost) secure multi-organization transaction-environment on the Internet. The question that comes to my mind is: Will all Governments in the world continue to adopt the "All-speak-with-all-PKI" approach in spite of the fact that the private sector probably have shunned it due to complexity, privacy concerns, lack of control, and cost? Regard Anders Rundgren X-OBI read: http://www.x-obi.com/purple run: http://buyer.x-obi.com ----- Original Message ----- From: Fillingham, David W. To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD PKI TWG' ; 'pki-twg@nist.gov' ; 'Bridge CA Mail List' ; 'BCA Integration' ; * ALL FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. ; 'judith.spencer@gsa.gov' ; 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve Hanna (SUN)' ; 'Susan Dernik' Sent: Friday, April 06, 2001 16:48 Subject: DoD Bridge Certification Authority Phase II Demonstrations For the last few years, the National Security Agency has led the development of Bridge Certification Authority (BCA) technology demonstrations. In 1999, Phase One of the Department of Defense BCA Technology Demonstration showed the technical feasibility of achieving signed e-mail interoperability using multi-vendor cross-certification in conjunction with chained directory systems. Phase Two of the demonstration is now ready to be shown. Phase Two of the DoD Bridge CA Phase II Technology Demonstration includes: Technologies: -- Certificate chain building in complex certificate graphs; -- Integration of both mesh-style cross-certified PKIs and hierarchical PKIs; -- Multi-signature/hash algorithm processing in certificate chains; -- Certificate acceptance/rejection based on Certificate Policy processing, including policy mapping; -- Transitive trust limitation using Name Constraints processing; -- Access Control using X.509 compliant attribute certificates (same attribute certificates used for e-mail and web based access control); -- E-mail access control using S/MIME V3 labeling; -- E-mail encryption using public key certificates authenticated via a Bridge Certification Authority; -- Border Directories; -- Multivendor directory interoperation via X.500 chaining; and, -- Transparent sharing of certificate revocation information across several PKIs using products of multiple PKI vendors. Client Applications: -- Baltimore Technologies MailSecure enabled Microsoft Outlook -- Entrust Enabled Microsoft Outlook -- Getronics S/MIME Freeware Library, Certificate Management Library, and Access Control Library enabled Qualcomm Eudora -- Getronics Certificate Management Library and Access Control Library enabled Netscape Web Server Freeware Libraries: -- Cygnacom Certificate Path Development Library <http://www.cygnacom.com/products/index.htm> -- Getronics S/MIME (Version 3) Freeware Library <http://www.getronicsgov.com/hot/sfl_home.htm> -- Getronics Certificate Management Library <http://www.getronicsgov.com/hot/cml_home.htm> -- Getronics Access Control Library <http://www.getronicsgov.com/hot/acl_home.htm> CA vendor interoperability demonstrations: -- Baltimore Technologies -- Entrust Technologies -- Motorola -- SPYRUS Directory Interoperability: -- Entrust ICL -- Entegrity Safepages Directory Demonstrations will be held at the following locations and dates (note that you MUST REGISTER to attend! Registration information is provided below): ---------- CygnaCom Suite 100 West 7927 Jones Branch Dr. McLean, Virginia Directions to CygnaCom are located at: <http://www.cygnacom.com/contact/directions.htm> 26 April 2001 - 0900 26 April 2001 - 1300 16 May 2001 - 0900 16 May 2001 - 1300 --------- Getronics Government Solutions 141 National Business Parkway, Suite 210 Annapolis Junction, Maryland >From Washington DC: Take I-95 north; take MD Rt 32 east exit; take Dorsey Run exit; at stop sign turn left on Dorsey Run; at stop light turn right on Guilford Road which becomes National Business Pkwy. >From Baltimore: Take BW Parkway (295) south; take MD Rt 32 west exit; stay in right lane of the exit which runs into National Business Pkwy; make a right on National Business Pkwy. 30 April 2001 - 1300 8 May 2001 - 0900 8 May 2001 - 1300 24 May 2001 - 0900 24 May 2001 - 1300 --------- All showings last about half a day - with a mixture of conference room briefings and laboratory demonstrations. We are limited by available demonstration space to an absolute maximum of 20 participants at each showing. IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER (llfaulk@missi.ncsc.mil <mailto:llfaulk@missi.ncsc.mil>) AND MYSELF (dwfilli@missi.ncsc.mil <mailto:dwfilli@missi.ncsc.mil>) IF YOU PLAN TO ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE ADMITTED TO THE DEMONSTRATION. Please provide the following information to register: -- Name -- Organization -- E-mail address -- Date and time of the demonstration showing you wish to attend (with alternates, if possible) We look forward to seeing you at the demonstration! Dave Fillingham NSA ------_=_NextPart_001_01C0C135.2520D4F0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: DoD Bridge Certification Authority Phase II = Demonstrations</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Anders:</FONT> </P> <P><FONT SIZE=3D2>I think Bridge technology can be helpful to a = vertical segment such as banking, health care, automotive industry etc. = in order to facilitate secure e-commerce among the trading partners = where persistent digital signature for non-repudiation may be = required.</FONT></P> <P><FONT SIZE=3D2>Also, given how organizations manage their Web sites = and we hear about Web server break-in, persistent encryption (beyond = SSL transport) may call for interoperable, inter-domain PKI. = Again Bridge CA can help.</FONT></P> <P><FONT SIZE=3D2>Actually, I can see the benefits of layers (strata) = of Bridge CAs, e.g., Bridge CAs from various vertical segments = themselves connecting to a Omni-Bridge. In that case, the Bridge = CAs will be Principal CAs.</FONT></P> <P><FONT SIZE=3D2>I assume you have had a chance to review the = excellent paper on the Bridge concept developed by Bill Burr.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Anders Rundgren [<A = HREF=3D"mailto:anders.rundgren@telia.com">mailto:anders.rundgren@telia.c= om</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, April 09, 2001 2:08 PM</FONT> <BR><FONT SIZE=3D2>To: Fillingham, David W.; PKIX-List; 'KPCMWG'; 'DoD = PKI TWG';</FONT> <BR><FONT SIZE=3D2>pki-twg@nist.gov; 'Bridge CA Mail List'; 'BCA = Integration'; * ALL</FONT> <BR><FONT SIZE=3D2>FIREBURST USERS *; 'Steve Capps'; Wagner, Clark = J.;</FONT> <BR><FONT SIZE=3D2>judith.spencer@gsa.gov; = Michelle.Moldenhauer@do.treas.gov; 'Steve Hanna</FONT> <BR><FONT SIZE=3D2>(SUN)'; 'Susan Dernik'</FONT> <BR><FONT SIZE=3D2>Subject: Re: DoD Bridge Certification Authority = Phase II Demonstrations</FONT> </P> <BR> <P><FONT SIZE=3D2>David, </FONT> <BR><FONT SIZE=3D2>This is indeed an ambitious project. Unfortunately I = doubt that the Bridge model has any relevance in </FONT> <BR><FONT SIZE=3D2>the private sector that for inter-organization = communication, is more likely to deploy domain-based </FONT> <BR><FONT SIZE=3D2>PKI-solutions, that have the major advantage of = already being supported by global TTPs which makes</FONT> <BR><FONT SIZE=3D2>domain security solutions useful for organizations = of any size. I.e. VeriSign's issuance of web-server</FONT> <BR><FONT SIZE=3D2>certificates is "approximately" what is = needed. </FONT> </P> <P><FONT SIZE=3D2>That domain security is incompatible with most = current digital signature laws is a pity. Particularly for</FONT> <BR><FONT SIZE=3D2>the lawyers who created them. :-)</FONT> </P> <P><FONT SIZE=3D2>Using domain security, tracing, message archiving, = and user-control is essentially built-in.</FONT> </P> <P><FONT SIZE=3D2>A further advantage of domain security models is that = client security solutions can develop in a</FONT> <BR><FONT SIZE=3D2>different pace at each organization. As they = have for current Internet-banks that is so far the only</FONT> <BR><FONT SIZE=3D2>large-scale (almost) secure multi-organization = transaction-environment on the Internet.</FONT> </P> <P><FONT SIZE=3D2>The question that comes to my mind is: Will all = Governments in the world continue to adopt the</FONT> <BR><FONT SIZE=3D2>"All-speak-with-all-PKI" approach in spite = of the fact that the private sector probably have shunned it</FONT> <BR><FONT SIZE=3D2>due to complexity, privacy concerns, lack of = control, and cost?</FONT> </P> <P><FONT SIZE=3D2>Regard</FONT> <BR><FONT SIZE=3D2>Anders Rundgren</FONT> <BR><FONT SIZE=3D2>X-OBI read: <A = HREF=3D"http://www.x-obi.com/purple" = TARGET=3D"_blank">http://www.x-obi.com/purple</A> run: <A = HREF=3D"http://buyer.x-obi.com" = TARGET=3D"_blank">http://buyer.x-obi.com</A> </FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>----- Original Message ----- </FONT> <BR><FONT SIZE=3D2>From: Fillingham, David W. </FONT> <BR><FONT SIZE=3D2>To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD PKI TWG' ; = 'pki-twg@nist.gov' ; 'Bridge CA Mail List' ; 'BCA Integration' ; * ALL = FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. ; = 'judith.spencer@gsa.gov' ; 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve = Hanna (SUN)' ; 'Susan Dernik' </FONT></P> <P><FONT SIZE=3D2>Sent: Friday, April 06, 2001 16:48</FONT> <BR><FONT SIZE=3D2>Subject: DoD Bridge Certification Authority Phase II = Demonstrations</FONT> </P> <BR> <P><FONT SIZE=3D2>For the last few years, the National Security Agency = has led the development of Bridge Certification Authority (BCA) = technology demonstrations. In 1999, Phase One of the Department = of Defense BCA Technology Demonstration showed the technical = feasibility of achieving signed e-mail interoperability using = multi-vendor cross-certification in conjunction with chained directory = systems.</FONT></P> <P><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Phase Two of the demonstration is now ready to be = shown. Phase Two of the DoD Bridge CA Phase II Technology = Demonstration includes: </FONT></P> <P><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Technologies: </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>-- Certificate chain building in complex = certificate graphs; </FONT> <BR><FONT SIZE=3D2>-- Integration of both mesh-style = cross-certified PKIs and hierarchical PKIs; </FONT> <BR><FONT SIZE=3D2>-- Multi-signature/hash algorithm processing = in certificate chains; </FONT> <BR><FONT SIZE=3D2>-- Certificate acceptance/rejection based on = Certificate Policy processing, including policy mapping;</FONT> <BR><FONT SIZE=3D2>-- Transitive trust limitation using Name = Constraints processing;</FONT> <BR><FONT SIZE=3D2>-- Access Control using X.509 compliant = attribute certificates (same attribute certificates used for e-mail and = web based access control);</FONT></P> <P><FONT SIZE=3D2>-- E-mail access control using S/MIME V3 = labeling;</FONT> <BR><FONT SIZE=3D2>-- E-mail encryption using public key = certificates authenticated via a Bridge Certification Authority;</FONT> <BR><FONT SIZE=3D2>-- Border Directories;</FONT> <BR><FONT SIZE=3D2>-- Multivendor directory interoperation via = X.500 chaining; and, </FONT> <BR><FONT SIZE=3D2>-- Transparent sharing of certificate = revocation information across several PKIs using products of = multiple PKI vendors.</FONT></P> <P><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Client Applications: </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>-- Baltimore Technologies MailSecure enabled = Microsoft Outlook </FONT> <BR><FONT SIZE=3D2>-- Entrust Enabled Microsoft Outlook</FONT> <BR><FONT SIZE=3D2>-- Getronics S/MIME Freeware Library, = Certificate Management Library, and Access Control Library enabled = Qualcomm Eudora</FONT></P> <P><FONT SIZE=3D2>-- Getronics Certificate Management Library and = Access Control Library enabled Netscape Web Server </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Freeware Libraries: </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>-- Cygnacom Certificate Path Development = Library </FONT> <BR><FONT SIZE=3D2> <<A = HREF=3D"http://www.cygnacom.com/products/index.htm" = TARGET=3D"_blank">http://www.cygnacom.com/products/index.htm</A>> = </FONT> <BR><FONT SIZE=3D2>-- Getronics S/MIME (Version 3) Freeware = Library </FONT> <BR><FONT SIZE=3D2> <<A = HREF=3D"http://www.getronicsgov.com/hot/sfl_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/sfl_home.htm</A>> = </FONT> <BR><FONT SIZE=3D2>-- Getronics Certificate Management Library = </FONT> <BR><FONT SIZE=3D2> <<A = HREF=3D"http://www.getronicsgov.com/hot/cml_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/cml_home.htm</A>> = </FONT> <BR><FONT SIZE=3D2>-- Getronics Access Control Library </FONT> <BR><FONT = SIZE=3D2> <<A = HREF=3D"http://www.getronicsgov.com/hot/acl_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/acl_home.htm</A>> = </FONT> <BR><FONT SIZE=3D2>CA vendor interoperability demonstrations: </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>-- Baltimore Technologies</FONT> <BR><FONT SIZE=3D2>-- Entrust Technologies</FONT> <BR><FONT SIZE=3D2>-- Motorola</FONT> <BR><FONT SIZE=3D2>-- SPYRUS </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Directory Interoperability: </FONT> <BR><FONT SIZE=3D2>-- Entrust ICL </FONT> <BR><FONT SIZE=3D2>-- Entegrity Safepages Directory </FONT> <BR><FONT SIZE=3D2>Demonstrations will be held at the following = locations and dates (note that you MUST REGISTER to attend! = Registration information is provided below):</FONT></P> <P><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>---------- </FONT> <BR><FONT SIZE=3D2>CygnaCom </FONT> <BR><FONT SIZE=3D2>Suite 100 West </FONT> <BR><FONT SIZE=3D2>7927 Jones Branch Dr.</FONT> <BR><FONT SIZE=3D2>McLean, Virginia </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Directions to CygnaCom are located at: <<A = HREF=3D"http://www.cygnacom.com/contact/directions.htm" = TARGET=3D"_blank">http://www.cygnacom.com/contact/directions.htm</A>>= </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>26 April 2001 - 0900 </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>26 April 2001 - 1300 </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>16 May 2001 - 0900 </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>16 May 2001 - 1300 </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>--------- </FONT> <BR><FONT SIZE=3D2>Getronics Government Solutions </FONT> <BR><FONT SIZE=3D2>141 National Business Parkway, Suite 210 </FONT> <BR><FONT SIZE=3D2>Annapolis Junction, Maryland </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>From Washington DC: Take I-95 north; take MD Rt 32 = east exit; take Dorsey </FONT> <BR><FONT SIZE=3D2>Run exit; at stop sign turn left on Dorsey Run; at = stop light turn right on </FONT> <BR><FONT SIZE=3D2>Guilford Road which becomes National Business Pkwy. = </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>From Baltimore: Take BW Parkway (295) south; take MD = Rt 32 west exit; stay </FONT> <BR><FONT SIZE=3D2>in right lane of the exit which runs into National = Business Pkwy; make a </FONT> <BR><FONT SIZE=3D2>right on National Business Pkwy. </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>30 April 2001 - 1300 </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>8 May 2001 - 0900 </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>8 May 2001 - 1300 </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>24 May 2001 - 0900 </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>24 May 2001 - 1300 </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>--------- </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>All showings last about half a day - with a mixture = of conference room briefings and laboratory demonstrations. </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>We are limited by available demonstration space to = an absolute maximum of 20 participants at each showing. </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER = (llfaulk@missi.ncsc.mil <<A = HREF=3D"mailto:llfaulk@missi.ncsc.mil">mailto:llfaulk@missi.ncsc.mil</A>= >) AND MYSELF (dwfilli@missi.ncsc.mil <<A = HREF=3D"mailto:dwfilli@missi.ncsc.mil">mailto:dwfilli@missi.ncsc.mil</A>= >) IF YOU PLAN TO ATTEND. IF YOU DO NOT REGISTER TO ATTEND, = YOU WILL NOT BE ADMITTED TO THE DEMONSTRATION.</FONT></P> <P><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Please provide the following information to = register: </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>-- Name </FONT> <BR><FONT SIZE=3D2>-- Organization </FONT> <BR><FONT SIZE=3D2>-- E-mail address </FONT> <BR><FONT SIZE=3D2>-- Date and time of the demonstration showing = you wish to attend (with alternates, if possible) </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>We look forward to seeing you at the demonstration! = </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Dave Fillingham </FONT> <BR><FONT SIZE=3D2>NSA </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0C135.2520D4F0-- Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA28712 for <ietf-pkix@imc.org>; Mon, 9 Apr 2001 13:16:19 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-2.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id NAA01611; Mon, 9 Apr 2001 13:15:47 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id NAA29768; Mon, 9 Apr 2001 13:15:47 -0700 (PDT) Message-Id: <4.3.2.7.2.20010409131329.00b04c30@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 09 Apr 2001 13:19:36 -0700 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: Meaning of Non-repudiation Cc: Bob Jueneman <bjueneman@novell.com>, Dave.Oshman@identrus.com, ietf-pkix@imc.org In-Reply-To: <200104091802.OAA03222@stingray.missi.ncsc.mil> References: <4.3.2.7.2.20010406162323.00ae9dc0@poptop.llnl.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 02:00 PM 4/9/01 -0400, David P. Kemp wrote: >Bob Jueneman wrote: > > > > And given that scenario, I continue to believe that the currently > > ill-defined bit should be officially deprecated, and some other > > attributes defined as necessary with a great deal more precision. > > If ISO X.509 and/or the PKIX group refuses to deprecate the bit, > > then certainly the user community should. IMHO, of course. > >And I continue to believe you are correct. NR should be deprecated, >and replaced with a new name for bit 0: "Persistent Data >Authentication", which would have the property that was once >called "Technical NR". I have to agree. The greatest utility of this bit, a quality over which the CA actually has some control, is the commitment to provide for a degree of data-persistence. If such a revision would occur, these discussions could actually address something tangible. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from marcy.adiron.com (root@[128.230.111.5]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA24264 for <ietf-pkix@imc.org>; Mon, 9 Apr 2001 12:28:34 -0700 (PDT) Received: from localhost (polar@localhost) by marcy.adiron.com (8.10.2/8.10.2) with ESMTP id f39JM6k06315; Mon, 9 Apr 2001 19:22:06 GMT X-Authentication-Warning: marcy.adiron.com: polar owned process doing -bs Date: Mon, 9 Apr 2001 15:22:06 -0400 (EDT) From: Polar Humenn <polar@adiron.com> To: Aram Perez <aram@pacbell.net> cc: Bob Jueneman <bjueneman@novell.com>, <Dave.Oshman@identrus.com>, <ietf-pkix@imc.org> Subject: Re: Meaning of Non-repudiation In-Reply-To: <B6F3990F.3D9B%aram@pacbell.net> Message-ID: <Pine.LNX.4.33.0104091103200.17352-100000@marcy.adiron.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII On Sun, 8 Apr 2001, Aram Perez wrote: > The problem is that nothing prevents me (or any other person) from having > more than one certificate for my public key. So I can have one certificate > with NR and the other without NR. Isn't it really worse than that? Nothing prevents your public key being associated with any other name (DN), keyCertSsign bit, any other certificate extension, Novel Security Attributes, or otherwise. The only thing that makes the certificate somewhat believable is *your* trust in holder of the private key that signed the thing. Isn't a certificate is merely nothing but a another generic document that is "loosely" signed by a private key? That document can mean anything to the "relying" party. The certificate key usage bits, extensions, or even the associated DNs are meaningless without an agreement of interpretation between all three parties involved (CA included), and probably (as Bob frequently notes) their lawyers, and subsequent judges and juries, as well. What does it matter if it's called nonRepudiation, or keyCertSign, or digitalSignature? I do not see carrying much weight to the key usage bits at all. I cannot see how or why it really plays a part any validation process. BTW, I find it really bizarre that the digitalSignature bit alone says that this key, which happens to be in this certificate, is allowed to sign ****ANY**** document EXCEPT for a document that just happens to look like an X.509 Certificate or CRL. It's as if the X.509 certificate or CRL were the strongest documents in the world one can sign! Is this correct? Cheers, -Polar > > so that the system software can't > > sign two or more things after the key is unlocked. The bit could also be used > > to bring up various dire warnings, cautioning the user to be really, really > > sure that he knows what he is doing, thereby confirming the user's conscious > > and willing intent. > > > > Of course this same meaning could be applied to a bit in an attribute > > associated with the private key > > I agree that this is where it belongs, but the few crypto APIs (partial > list: PKCS#11 and CDSA) that support private key attributes treat the > attributes as optional and don't define a specific NR attribute. > > Regards, > Aram Perez > > [snip] > Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA20801 for <ietf-pkix@imc.org>; Mon, 9 Apr 2001 11:43:13 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-2.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id LAA25118; Mon, 9 Apr 2001 11:42:46 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id LAA03055; Mon, 9 Apr 2001 11:42:46 -0700 (PDT) Message-Id: <4.3.2.7.2.20010409105227.00af8e20@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 09 Apr 2001 11:46:34 -0700 To: "Bob Jueneman" <bjueneman@novell.com>, <Dave.Oshman@identrus.com>, <ietf-pkix@imc.org> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: Meaning of Non-repudiation In-Reply-To: <sacef234.007@prv-mail20.provo.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 10:55 AM 4/7/01 -0600, Bob Jueneman wrote: >Although I enjoyed Tony's tongue-in-cheek usage scenario, I'm not sure >that I agree with his assumption that it is the issuing CA that is driving >this -- I don't view this as being a CA-centric issue. Yes, I agree that >the CA COULD define the meaning of the bit in it's CPS and CP, but WILL >they -- that is the question. and if they do, is it enforceable against >the CA, or only against the subscriber -- that is the issue. > >In particular, I do NOT think that the NR bit says something very >noteworthy about what the CA is going to do or not do. Instead, I believe >the NR bit is exclusively saying something about the signing party's >behavior. It seems pretty unlikely that the CA (or some independent >auditing group) is going to actually go out to the subscriber's premises >and investigate their practices, not to mention intrusive. And I don't >think that the NR bit should be construed as implying something about how >the CA is going to keep CRL records until infinity, etc. > >So at best the NR bit is a representation made by the subscriber to the >world via the CA. In this case the CA is essentially acting as the >trusted publisher of a Legal Notice in the paper. The CA/publisher is not >necessarily itself guaranteeing the correctness or truthfulness of the >notice, only that it is printed verbatim as received from the >subscriber. Of course if the CA wants to get into the insurance business, >or the notary business, or some other business that involves guaranteeing >either the user's behavior or the particular transaction, that is a >completely different matter, and one that I don't believe could or should >be inferred from the NR bit. Bob, In essence, I agree with you. The most that any CA can (currently) say about a certificate issued with NR=1 is "The subscriber asked that this bit be set." (One would hope that the subscriber is NOT issued a NR=1 certificate when this was NOT asked for.) I was certainly not imagining that the CA would perform any "follow-through" on the key usage, but a CA that required the "subscriber affidavit of NR responsibility" is a possibility, and would mean something more than "they asked to set this bit, whatever it means." A reputable CA should not issue to me a certificate as Bob Jueneman <bjueneman@novell.com> simply because I ask for it. Why should things be any different for a request that NR=1? I would prefer they go further still, and accommodate the "Technical Non-Repudiation" assurances described in Tom Ginden's draft. By issuing a certificate, a CA should be providing something more than the assurance that "string X has been cryptographically bound to string Y, under our CA-key". Reading Aram's comment, though, (multiple certification of a single key,) things get muddier still. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from mailg.telia.com (mailg.telia.com [194.22.194.26]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA18697 for <ietf-pkix@imc.org>; Mon, 9 Apr 2001 11:09:58 -0700 (PDT) Received: from mega (t4o69p87.telia.com [62.20.145.207]) by mailg.telia.com (8.11.2/8.11.0) with SMTP id f39I9ob04664; Mon, 9 Apr 2001 20:09:50 +0200 (CEST) Message-ID: <004a01c0c120$0172f840$0200a8c0@vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Fillingham, David W." <dwfilli@missi.ncsc.mil>, "PKIX-List" <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, <pki-twg@nist.gov>, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, "* ALL FIREBURST USERS *" <all@missi.ncsc.mil>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, <judith.spencer@gsa.gov>, <Michelle.Moldenhauer@do.treas.gov>, "'Steve Hanna \(SUN\)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com> References: <200104061445.KAA15247@stingray.missi.ncsc.mil> Subject: Re: DoD Bridge Certification Authority Phase II Demonstrations Date: Mon, 9 Apr 2001 20:07:51 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id LAA18698 David, This is indeed an ambitious project. Unfortunately I doubt that the Bridge model has any relevance in the private sector that for inter-organization communication, is more likely to deploy domain-based PKI-solutions, that have the major advantage of already being supported by global TTPs which makes domain security solutions useful for organizations of any size. I.e. VeriSign's issuance of web-server certificates is "approximately" what is needed. That domain security is incompatible with most current digital signature laws is a pity. Particularly for the lawyers who created them. :-) Using domain security, tracing, message archiving, and user-control is essentially built-in. A further advantage of domain security models is that client security solutions can develop in a different pace at each organization. As they have for current Internet-banks that is so far the only large-scale (almost) secure multi-organization transaction-environment on the Internet. The question that comes to my mind is: Will all Governments in the world continue to adopt the "All-speak-with-all-PKI" approach in spite of the fact that the private sector probably have shunned it due to complexity, privacy concerns, lack of control, and cost? Regard Anders Rundgren X-OBI read: http://www.x-obi.com/purple run: http://buyer.x-obi.com ----- Original Message ----- From: Fillingham, David W. To: 'ietf-pkix@imc.org' ; 'KPCMWG' ; 'DoD PKI TWG' ; 'pki-twg@nist.gov' ; 'Bridge CA Mail List' ; 'BCA Integration' ; * ALL FIREBURST USERS * ; 'Steve Capps' ; Wagner, Clark J. ; 'judith.spencer@gsa.gov' ; 'Michelle.Moldenhauer@do.treas.gov' ; 'Steve Hanna (SUN)' ; 'Susan Dernik' Sent: Friday, April 06, 2001 16:48 Subject: DoD Bridge Certification Authority Phase II Demonstrations For the last few years, the National Security Agency has led the development of Bridge Certification Authority (BCA) technology demonstrations. In 1999, Phase One of the Department of Defense BCA Technology Demonstration showed the technical feasibility of achieving signed e-mail interoperability using multi-vendor cross-certification in conjunction with chained directory systems. Phase Two of the demonstration is now ready to be shown. Phase Two of the DoD Bridge CA Phase II Technology Demonstration includes: Technologies: -- Certificate chain building in complex certificate graphs; -- Integration of both mesh-style cross-certified PKIs and hierarchical PKIs; -- Multi-signature/hash algorithm processing in certificate chains; -- Certificate acceptance/rejection based on Certificate Policy processing, including policy mapping; -- Transitive trust limitation using Name Constraints processing; -- Access Control using X.509 compliant attribute certificates (same attribute certificates used for e-mail and web based access control); -- E-mail access control using S/MIME V3 labeling; -- E-mail encryption using public key certificates authenticated via a Bridge Certification Authority; -- Border Directories; -- Multivendor directory interoperation via X.500 chaining; and, -- Transparent sharing of certificate revocation information across several PKIs using products of multiple PKI vendors. Client Applications: -- Baltimore Technologies MailSecure enabled Microsoft Outlook -- Entrust Enabled Microsoft Outlook -- Getronics S/MIME Freeware Library, Certificate Management Library, and Access Control Library enabled Qualcomm Eudora -- Getronics Certificate Management Library and Access Control Library enabled Netscape Web Server Freeware Libraries: -- Cygnacom Certificate Path Development Library <http://www.cygnacom.com/products/index.htm> -- Getronics S/MIME (Version 3) Freeware Library <http://www.getronicsgov.com/hot/sfl_home.htm> -- Getronics Certificate Management Library <http://www.getronicsgov.com/hot/cml_home.htm> -- Getronics Access Control Library <http://www.getronicsgov.com/hot/acl_home.htm> CA vendor interoperability demonstrations: -- Baltimore Technologies -- Entrust Technologies -- Motorola -- SPYRUS Directory Interoperability: -- Entrust ICL -- Entegrity Safepages Directory Demonstrations will be held at the following locations and dates (note that you MUST REGISTER to attend! Registration information is provided below): ---------- CygnaCom Suite 100 West 7927 Jones Branch Dr. McLean, Virginia Directions to CygnaCom are located at: <http://www.cygnacom.com/contact/directions.htm> 26 April 2001 - 0900 26 April 2001 - 1300 16 May 2001 - 0900 16 May 2001 - 1300 --------- Getronics Government Solutions 141 National Business Parkway, Suite 210 Annapolis Junction, Maryland >From Washington DC: Take I-95 north; take MD Rt 32 east exit; take Dorsey Run exit; at stop sign turn left on Dorsey Run; at stop light turn right on Guilford Road which becomes National Business Pkwy. >From Baltimore: Take BW Parkway (295) south; take MD Rt 32 west exit; stay in right lane of the exit which runs into National Business Pkwy; make a right on National Business Pkwy. 30 April 2001 - 1300 8 May 2001 - 0900 8 May 2001 - 1300 24 May 2001 - 0900 24 May 2001 - 1300 --------- All showings last about half a day - with a mixture of conference room briefings and laboratory demonstrations. We are limited by available demonstration space to an absolute maximum of 20 participants at each showing. IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER (llfaulk@missi.ncsc.mil <mailto:llfaulk@missi.ncsc.mil>) AND MYSELF (dwfilli@missi.ncsc.mil <mailto:dwfilli@missi.ncsc.mil>) IF YOU PLAN TO ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE ADMITTED TO THE DEMONSTRATION. Please provide the following information to register: -- Name -- Organization -- E-mail address -- Date and time of the demonstration showing you wish to attend (with alternates, if possible) We look forward to seeing you at the demonstration! Dave Fillingham NSA Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA17849 for <ietf-pkix@imc.org>; Mon, 9 Apr 2001 11:02:34 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id OAA03226; Mon, 9 Apr 2001 14:02:06 -0400 (EDT) Message-Id: <200104091802.OAA03222@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Mon, 09 Apr 2001 14:00:39 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: Tony Bartoletti <azb@llnl.gov> CC: Bob Jueneman <bjueneman@novell.com>, Dave.Oshman@identrus.com, ietf-pkix@imc.org Subject: Re: Meaning of Non-repudiation References: <4.3.2.7.2.20010406162323.00ae9dc0@poptop.llnl.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Tony Bartoletti wrote: > > (I feel as a moth drawn to a flame.) How true - sigh :-(. Bob Jueneman wrote: > > And given that scenario, I continue to believe that the currently > ill-defined bit should be officially deprecated, and some other > attributes defined as necessary with a great deal more precision. > If ISO X.509 and/or the PKIX group refuses to deprecate the bit, > then certainly the user community should. IMHO, of course. And I continue to believe you are correct. NR should be deprecated, and replaced with a new name for bit 0: "Persistent Data Authentication", which would have the property that was once called "Technical NR". As the HAK remark 13.48 says, "A fundamental distinction exists between a party A being able to convince itself of the validity of a digital signature 's' at a point in time t0, and that party being able to convince others at some time t1 >= t0 that 's' was valid at time t0." It is reasonable for certificates to contain keys marked for various cryptographic purposes, and "Persistent Data Authentication" and "Entity Authentication" are two distinct purposes suitable for being so marked. Philip Hallam-Baker wrote: > At the meeting the strongest statement that could be agreed upon > concerning the non repudiation bit was: > > 1) The setting of the non repudiation bit in the certificate was > a necessary but not sufficient condition for a relying party to > consider a signature to have the non-repudiation property. Without delving too deeply (and this moth refuses to delve any deeper), the "PDA" bit is not inconsistent with the ABA statement. Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA13809 for <ietf-pkix@imc.org>; Mon, 9 Apr 2001 09:32:01 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id KAA15251; Fri, 6 Apr 2001 10:45:59 -0400 (EDT) Message-Id: <200104061445.KAA15247@stingray.missi.ncsc.mil> From: "Fillingham, David W." <dwfilli@missi.ncsc.mil> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org>, "'KPCMWG'" <kpcm@kpcmwg.org>, "'DoD PKI TWG'" <DOD-BWG-TWG@kpcmwg.org>, "'pki-twg@nist.gov'" <pki-twg@nist.gov>, "'Bridge CA Mail List'" <BridgeCA@kpcmwg.org>, "'BCA Integration'" <bcatest@anassoc.com>, * ALL FIREBURST USERS * <all@missi.ncsc.mil>, "'Steve Capps'" <scapps@radium.ncsc.mil>, "Wagner, Clark J." <cjwagne@missi.ncsc.mil>, "'judith.spencer@gsa.gov'" <judith.spencer@gsa.gov>, "'Michelle.Moldenhauer@do.treas.gov'" <Michelle.Moldenhauer@do.treas.gov>, "'Steve Hanna (SUN)'" <steve.hanna@sun.com>, "'Susan Dernik'" <Susan.Dernik@baltimore.com> Subject: DoD Bridge Certification Authority Phase II Demonstrations Date: Fri, 6 Apr 2001 10:48:51 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/mixed; boundary="------------InterScan_NT_MIME_Boundary" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --------------InterScan_NT_MIME_Boundary Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0BEA8.B1B9C960" ------_=_NextPart_001_01C0BEA8.B1B9C960 Content-Type: text/plain; charset="ISO-8859-1" For the last few years, the National Security Agency has led the development of Bridge Certification Authority (BCA) technology demonstrations. In 1999, Phase One of the Department of Defense BCA Technology Demonstration showed the technical feasibility of achieving signed e-mail interoperability using multi-vendor cross-certification in conjunction with chained directory systems. Phase Two of the demonstration is now ready to be shown. Phase Two of the DoD Bridge CA Phase II Technology Demonstration includes: Technologies: -- Certificate chain building in complex certificate graphs; -- Integration of both mesh-style cross-certified PKIs and hierarchical PKIs; -- Multi-signature/hash algorithm processing in certificate chains; -- Certificate acceptance/rejection based on Certificate Policy processing, including policy mapping; -- Transitive trust limitation using Name Constraints processing; -- Access Control using X.509 compliant attribute certificates (same attribute certificates used for e-mail and web based access control); -- E-mail access control using S/MIME V3 labeling; -- E-mail encryption using public key certificates authenticated via a Bridge Certification Authority; -- Border Directories; -- Multivendor directory interoperation via X.500 chaining; and, -- Transparent sharing of certificate revocation information across several PKIs using products of multiple PKI vendors. Client Applications: -- Baltimore Technologies MailSecure enabled Microsoft Outlook -- Entrust Enabled Microsoft Outlook -- Getronics S/MIME Freeware Library, Certificate Management Library, and Access Control Library enabled Qualcomm Eudora -- Getronics Certificate Management Library and Access Control Library enabled Netscape Web Server Freeware Libraries: -- Cygnacom Certificate Path Development Library <http://www.cygnacom.com/products/index.htm> -- Getronics S/MIME (Version 3) Freeware Library <http://www.getronicsgov.com/hot/sfl_home.htm> -- Getronics Certificate Management Library <http://www.getronicsgov.com/hot/cml_home.htm> -- Getronics Access Control Library <http://www.getronicsgov.com/hot/acl_home.htm> CA vendor interoperability demonstrations: -- Baltimore Technologies -- Entrust Technologies -- Motorola -- SPYRUS Directory Interoperability: -- Entrust ICL -- Entegrity Safepages Directory Demonstrations will be held at the following locations and dates (note that you MUST REGISTER to attend! Registration information is provided below): ---------- CygnaCom Suite 100 West 7927 Jones Branch Dr. McLean, Virginia Directions to CygnaCom are located at: <http://www.cygnacom.com/contact/directions.htm> 26 April 2001 - 0900 26 April 2001 - 1300 16 May 2001 - 0900 16 May 2001 - 1300 --------- Getronics Government Solutions 141 National Business Parkway, Suite 210 Annapolis Junction, Maryland >From Washington DC: Take I-95 north; take MD Rt 32 east exit; take Dorsey Run exit; at stop sign turn left on Dorsey Run; at stop light turn right on Guilford Road which becomes National Business Pkwy. >From Baltimore: Take BW Parkway (295) south; take MD Rt 32 west exit; stay in right lane of the exit which runs into National Business Pkwy; make a right on National Business Pkwy. 30 April 2001 - 1300 8 May 2001 - 0900 8 May 2001 - 1300 24 May 2001 - 0900 24 May 2001 - 1300 --------- All showings last about half a day - with a mixture of conference room briefings and laboratory demonstrations. We are limited by available demonstration space to an absolute maximum of 20 participants at each showing. IMPORTANT: PLEASE REGISTER WITH LISA FAULKNER (llfaulk@missi.ncsc.mil <mailto:llfaulk@missi.ncsc.mil>) AND MYSELF (dwfilli@missi.ncsc.mil <mailto:dwfilli@missi.ncsc.mil>) IF YOU PLAN TO ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE ADMITTED TO THE DEMONSTRATION. Please provide the following information to register: -- Name -- Organization -- E-mail address -- Date and time of the demonstration showing you wish to attend (with alternates, if possible) We look forward to seeing you at the demonstration! Dave Fillingham NSA ------_=_NextPart_001_01C0BEA8.B1B9C960 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3DISO-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2653.12"> <TITLE>DoD Bridge Certification Authority Phase II = Demonstrations</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2 FACE=3D"Arial">For the last few years, the National = Security Agency has led the development of Bridge Certification = Authority (BCA) technology demonstrations. In 1999, Phase One of = the Department of Defense BCA Technology Demonstration showed the = technical feasibility of achieving signed e-mail interoperability using = multi-vendor cross-certification in conjunction with chained directory = systems.</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Phase Two of the demonstration is now = ready to be shown. Phase Two of the DoD Bridge CA Phase II = Technology Demonstration includes: </FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Technologies: </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Certificate chain building = in complex certificate graphs;</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Integration of both = mesh-style cross-certified PKIs and hierarchical PKIs;</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Multi-signature/hash = algorithm processing in certificate chains;</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Certificate = acceptance/rejection based on Certificate Policy processing, including = policy mapping;<BR> -- Transitive trust limitation using Name Constraints = processing;<BR> -- Access Control using X.509 compliant attribute certificates = (same attribute certificates used for e-mail and web based access = control);</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial">-- E-mail access control using = S/MIME V3 labeling;<BR> -- E-mail encryption using public key certificates authenticated = via a Bridge Certification Authority;<BR> -- Border Directories;<BR> -- Multivendor directory interoperation via X.500 chaining; = and,</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Transparent sharing of = certificate revocation information across several PKIs using = products of multiple PKI vendors.</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Client Applications: </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Baltimore Technologies = MailSecure enabled Microsoft Outlook</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Entrust Enabled Microsoft = Outlook<BR> -- Getronics S/MIME Freeware Library, Certificate Management = Library, and Access Control Library enabled Qualcomm Eudora<BR> -- Getronics Certificate Management Library and Access Control = Library enabled Netscape Web Server</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Freeware Libraries:</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Cygnacom Certificate Path = Development Library</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> <<A = HREF=3D"http://www.cygnacom.com/products/index.htm" = TARGET=3D"_blank">http://www.cygnacom.com/products/index.htm</A>></FO= NT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">-- Getronics S/MIME (Version 3) = Freeware Library</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> <<A = HREF=3D"http://www.getronicsgov.com/hot/sfl_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/sfl_home.htm</A>></= FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">-- Getronics Certificate = Management Library</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> <<A = HREF=3D"http://www.getronicsgov.com/hot/cml_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/cml_home.htm</A>></= FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">-- Getronics Access Control = Library</FONT> <BR><FONT SIZE=3D2 = FACE=3D"Arial"> = <<A HREF=3D"http://www.getronicsgov.com/hot/acl_home.htm" = TARGET=3D"_blank">http://www.getronicsgov.com/hot/acl_home.htm</A>></= FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">CA vendor interoperability = demonstrations: </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Baltimore Technologies<BR> -- Entrust Technologies<BR> -- Motorola<BR> -- SPYRUS </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Directory Interoperability:</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">-- Entrust ICL</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Entegrity Safepages = Directory</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Demonstrations will be held at the = following locations and dates (note that you MUST REGISTER to = attend! Registration information is provided below):</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">----------</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">CygnaCom</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Suite 100 West</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">7927 Jones Branch Dr.<BR> McLean, Virginia</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Directions to CygnaCom are located = at: <U> <<A = HREF=3D"http://www.cygnacom.com/contact/directions.htm" = TARGET=3D"_blank">http://www.cygnacom.com/contact/directions.htm</A>>= </U> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">26 April 2001 - 0900</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">26 April 2001 - 1300</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">16 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">16 May 2001 - 1300</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">---------</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Getronics Government Solutions</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">141 National Business Parkway, Suite = 210</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Annapolis Junction, Maryland</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">From Washington DC: Take I-95 north; = take MD Rt 32 east exit; take Dorsey</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Run exit; at stop sign turn left on = Dorsey Run; at stop light turn right on</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Guilford Road which becomes National = Business Pkwy. </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">From Baltimore: Take BW Parkway (295) = south; take MD Rt 32 west exit; stay</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">in right lane of the exit which runs = into National Business Pkwy; make a</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">right on National Business = Pkwy.</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">30 April 2001 - 1300</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">8 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">8 May 2001 - 1300</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">24 May 2001 - 0900</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">24 May 2001 - 1300 </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">---------</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">All showings last about half a day - = with a mixture of conference room briefings and laboratory = demonstrations.</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">We are limited by available = demonstration space to an absolute maximum of 20 participants at each = showing. </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">IMPORTANT: PLEASE REGISTER WITH = LISA FAULKNER (</FONT><U><FONT SIZE=3D2 = FACE=3D"Arial">llfaulk@missi.ncsc.mil <<A = HREF=3D"mailto:llfaulk@missi.ncsc.mil">mailto:llfaulk@missi.ncsc.mil</A>= ></FONT></U><FONT SIZE=3D2 FACE=3D"Arial">) AND MYSELF = (</FONT><U><FONT SIZE=3D2 FACE=3D"Arial">dwfilli@missi.ncsc.mil <<A = HREF=3D"mailto:dwfilli@missi.ncsc.mil">mailto:dwfilli@missi.ncsc.mil</A>= ></FONT></U><FONT SIZE=3D2 FACE=3D"Arial">) IF YOU PLAN TO = ATTEND. IF YOU DO NOT REGISTER TO ATTEND, YOU WILL NOT BE = ADMITTED TO THE DEMONSTRATION.</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Please provide the following = information to register:</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Name</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Organization</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- E-mail address</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">-- Date and time of the = demonstration showing you wish to attend (with alternates, if = possible)</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">We look forward to seeing you at the = demonstration!</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial"> </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Dave Fillingham</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">NSA</FONT> </P> <BR> </BODY> </HTML> ------_=_NextPart_001_01C0BEA8.B1B9C960-- --------------InterScan_NT_MIME_Boundary-- Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA13074 for <ietf-pkix@imc.org>; Mon, 9 Apr 2001 03:50:13 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA02550; Mon, 9 Apr 2001 06:50:13 -0400 (EDT) Message-Id: <200104091050.GAA02550@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-time-stamp-14.txt Date: Mon, 09 Apr 2001 06:50:12 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP) Author(s) : C. Adams, P. Cain, D. Pinkas, R. Zuccherato Filename : draft-ietf-pkix-time-stamp-14.txt Pages : 26 Date : 06-Apr-01 A time stamping service supports assertions of proof that a datum existed before a particular time. This document describes the format of a request sent to a Time Stamping Authority (TSA) and of the response that is returned. It also establishes several security- relevant requirements for TSA operation, with regards to processing requests to generate responses. A TSA may be operated as a Trusted Third Party (TTP) service, though other operational models may be appropriate, e.g. an organization might require a TSA for internal time stamping purposes. Non-repudiation services [ISONR] require the ability to establish the existence of data before specified times. This protocol may be used as a building block to support such services. An example of how to prove that a digital signature was generated during the validity period of a public key certificate is given in an annex. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-time-stamp-14.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-time-stamp-14.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-time-stamp-14.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20010406125113.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-time-stamp-14.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-time-stamp-14.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20010406125113.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from mta5.snfc21.pbi.net (mta5.snfc21.pbi.net [206.13.28.241]) by above.proper.com (8.9.3/8.9.3) with ESMTP id VAA22377 for <ietf-pkix@imc.org>; Sun, 8 Apr 2001 21:47:33 -0700 (PDT) Received: from [207.214.213.241] by mta5.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with ESMTP id <0GBI00KTWDAZEB@mta5.snfc21.pbi.net> for ietf-pkix@imc.org; Sun, 8 Apr 2001 21:47:25 -0700 (PDT) Date: Sun, 08 Apr 2001 21:47:19 -0700 From: Aram Perez <aram@pacbell.net> Subject: Re: Meaning of Non-repudiation In-reply-to: <sacde629.080@prv-mail20.provo.novell.com> To: Bob Jueneman <bjueneman@novell.com>, Dave.Oshman@identrus.com, ietf-pkix@imc.org Message-id: <B6F3990F.3D9B%aram@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Bob Jueneman wrote: > Alas, poor Dave, you have fallen into the black hole of PKI, from which there > is no escape. > > Having written several megabytes of e-mails on the subject over the last ten > years or so, and having read countless more on this topic from others on this > list and elsewhere, if you were merely some grad student trying to get a crib > for a term paper, or if your company were one of the few remaining dot coms no > one ever heard of, I would refer you to the archives, probably starting with > Tom Ginden's RFC. But you are not, and Identrus is at least potentially a > very major player in this space, so you deserve a more extensive reply. Be > careful what you ask for! Dave should read the archives, specially since he is from Identrus. > > The one sentence answer, IMHO, is that the NR bit in X.509 is neither > necessary, nor sufficient, nor entirely useless; I agree with most of what you wrote except, as I have previously stated, I strongly believe the bit is useless. More below... [snip] > > So if the bit is neither necessary nor sufficient, is it completely useless? > Maybe, but I believe that an argument could still be made for it, as a API > signal to the originator's software. > > What I would like to see the bit used for at this late date is to serve as a > signal to the signing party's software that this certificate, and therefore > the associated private key, is something special, and that particular care > should be taken with it. For example, it would be reasonable to use this as a > signal within a smart card that the PIN or other identifier must be reentered > every single time the private key is used, The problem is that nothing prevents me (or any other person) from having more than one certificate for my public key. So I can have one certificate with NR and the other without NR. > so that the system software can't > sign two or more things after the key is unlocked. The bit could also be used > to bring up various dire warnings, cautioning the user to be really, really > sure that he knows what he is doing, thereby confirming the user's conscious > and willing intent. > > Of course this same meaning could be applied to a bit in an attribute > associated with the private key I agree that this is where it belongs, but the few crypto APIs (partial list: PKCS#11 and CDSA) that support private key attributes treat the attributes as optional and don't define a specific NR attribute. Regards, Aram Perez [snip] Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA29654 for <ietf-pkix@imc.org>; Sat, 7 Apr 2001 09:56:17 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Sat, 07 Apr 2001 10:55:48 -0600 Message-Id: <sacef234.006@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Sat, 07 Apr 2001 10:55:44 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <Dave.Oshman@identrus.com>, <ietf-pkix@imc.org>, <azb@llnl.gov> Subject: Re: Meaning of Non-repudiation Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=_5F04A784.5E3F2BA8" This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=_5F04A784.5E3F2BA8 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Although I enjoyed Tony's tongue-in-cheek usage scenario, I'm not sure = that I agree with his assumption that it is the issuing CA that is driving = this -- I don't view this as being a CA-centric issue. Yes, I agree that = the CA COULD define the meaning of the bit in it's CPS and CP, but WILL = they -- that is the question. and if they do, is it enforceable against = the CA, or only against the subscriber -- that is the issue. In particular, I do NOT think that the NR bit says something very = noteworthy about what the CA is going to do or not do. Instead, I believe = the NR bit is exclusively saying something about the signing party's = behavior. It seems pretty unlikely that the CA (or some independent = auditing group) is going to actually go out to the subscriber's premises = and investigate their practices, not to mention intrusive. And I don't = think that the NR bit should be construed as implying something about how = the CA is going to keep CRL records until infinity, etc. So at best the NR bit is a representation made by the subscriber to the = world via the CA. In this case the CA is essentially acting as the = trusted publisher of a Legal Notice in the paper. The CA/publisher is not = necessarily itself guaranteeing the correctness or truthfulness of the = notice, only that it is printed verbatim as received from the subscriber. = Of course if the CA wants to get into the insurance business, or the = notary business, or some other business that involves guaranteeing either = the user's behavior or the particular transaction, that is a completely = different matter, and one that I don't believe could or should be inferred = from the NR bit. So if the NR bit is a representation made by the subscriber, essentially = in the form of a Legal Notice, then what specifically is being represented?= Well, in an ideal world, the subscriber would have a Subscriber Usage = Statement that would be similar to the Certification Practice Statement of = a CA. In one of the first implementations I did of PKI, back when I was = with CSC, I included exactly that -- a set of representations as to what = the subscriber would or would not agree to, digitally signed and made = available as an Affidavit of Legal Mark. Basically the Affidavit said "I = am going to honor the herein described electronic process as though it = were in every respect my legal mark or signature, subject to the following = caveats and conditions." If necessary, that affidavit could be printed = and signed with a wet signature. Of course if we could come to some reasonable agreement as to what a = reasonable set of caveats and conditions might be -- not their values, = just the semantic definitions -- then it would be possible codify those = values in the certificate, as a representation made to the CA-as-publisher.= I've tried to do some of that in the Certificate Quality portion of = Novell Security Attributes, but it just describes the technical conditions = associated with the certificate -- key quality, class of user, etc. -- and = not the conditions under which the subscriber would agree to be bound. So = there would be a lot more work required to implement such a concept in a = way that wouldn't require reading a huge document along with every = subscriber's signature. >From this perspective, the thought of trying to condense all of that kind = of information into a one-size-fits-all single bit, called nonRepudiation, = would be truly laughable, if it weren't so naive and arrogant at the same = time. But to get back to the real world, I recently saw an very interesting = device being made by Sony, the FIU-710 Fingerprint Identification Unit. = This isn't a plug for Sony -- other people may well make something = similar, and their's might be better, cheaper, or just different -- I = don't know. I'm merely describing it for people who may not have seem = something similar. But the Sony unit is getting a lot closer to something that I think we = need, and might be deserving of being represented with the NR bit. = According to the spec, the stand-alone unit is 54x85 mm and 9.5 mm thick. = It plugs into a computer via a USB port or serial cable. It has a = fingerprint scanner capable of 1 second registration time and less than = one second verification time, with the fingerprint recognition circuitry = embedded in the device. The false acceptance rate is .008% or less, with a = false rejection rate of 4% or less. In addition the unit contains 512KB of user memory and is PKCS#11 = compliant, able to generate and store up to 1024-bit RSA keys. It can also = encrypt files with DES and triple-DES, and can store passwords lists, user = profiles, and other data, and can support up to eight applications in one = session. According to a vendor (Saflink Corp.) that is marketing the device and = their software as an authentication method for our NMAS authentication = framework, the tamper-proof unit is supposed to be certified as FIPS 140-1 = level three or better, some time in the next year, although I haven't seen = that in writing anywhere. The most important point, however, is that here is a tamper-proof device = that is the equivalent of a smart card or a PCMCIA card in terms of its = cryptographic capabilities, and in addition it has a biometric device = built-in that is capable of locking the private keys so that they cannot = be accessed without fingerprint identification. Assuming all this is true = and that the device has the necessary configuration flexibility to support = this, this would go a very long way towards satisfying several elements = that might reasonably be required for nonrepudiation, including biometric = identification of the user for every NR signature operation. Because I = don't have a trusted display device, I still don't know that what was = signed was really what I intended, but at least I can be certain that I = only signed one thing, and that goes a long way. I wouldn't go so far as what Tony suggests in terms of using it at a kiosk = -- the unit may be tamper-proof, but that doesn't prevent the entire unit = from being physically substituted, as in the "fake ATM" ploy. But that = unit, in combination with an operating system that was accredited at the = C2 level of trust (and properly installed, which is harder), would go a = long, long way in the desired direction. To get back to Dave's question, though, at least we reach this nirvana = state, I would suggest that he be very wary of generating or accepting a = certificate that has his name on it in combination with the NR bit, = because some judge somewhere might somehow come to the conclusion that the = NR bit actually means something. On the other hand, if I were a relying = party I certainly wouldn't put much if any credence in a transaction that = was verified against a certificate containing the NR bit, because some = other judge might decide that the NR bit meant nothing at all. And given that scenario, I continue to believe that the currently = ill-defined bit should be officially deprecated, and some other attributes = defined as necessary with a great deal more precision. If ISO X.509 = and/or the PKIX group refuses to deprecate the bit, then certainly the = user community should. IMHO, of course. Regards, Bob Robert R. Jueneman Security Architect Novell, Inc -- the leading provider of Net services software >>> Tony Bartoletti <azb@llnl.gov> 04/06/01 06:24PM >>> At 03:52 PM 4/6/01 -0600, Bob Jueneman wrote: >Alas, poor Dave, you have fallen into the black hole of PKI, from = which=20 >there is no escape. Also Known As, the point of No Return (NR). (I feel as a moth drawn to a flame.) I think Bob has laid out the issues very nicely regarding the (lack of)=20 necessity, sufficiency, and (arguable) usefulness of the "NR" bit. My feeling is that if the NR bit says anything at all, it is the issuing = CA=20 that is speaking. I cannot go to a (reputable) CA, and ask for a key to = be=20 certified with any attributes of my choosing. There is some understanding= =20 (modulo CP/CPS) that the CA "stands behind" the attributes contained in = the=20 certificates they issue, at least in terms of their having followed = their=20 (self-defined) process. (Beats me just what this is worth...). The most I can hope is that, at some future point, the PKI Protocol = Players=20 come to agree upon some common standard of certificate issuance processing= =20 "guaranteed" by inclusion of the set NR bit. Even then, it will be = little=20 more than one more piece of evidence that may be provided in case of a = dispute. I have thought about how far one could really go, in making the NR-bit=20 stand for what folks naively expect it to be. My "program" addresses = both=20 issuance and usage. (It may seem "humorous", but I wonder how far off = this=20 will really be.) Issuance of NR-bit Certificates: -------------------------------- The NR-bit Certificate shall contain or reference: 1. The CA-signed audio file of the certificate subject, reading aloud = the=20 CA's CP/CPS verbatim, and correctly responding to several randomly = selected=20 questions about this material. 2. The CA-signed photograph of the certificate subject shaking hands = with=20 the CA president under a banner that reads "Another Satisfied NR Customer".= Usage of NR-bit Signature Keys: ------------------------------- These keys will be contained in biometrically-sensitive key-cards that = self=20 destruct under reasonable signs of tampering. The keys/key-cards can be used in any of the "Signature Kiosks" that we=20 expect will replace the common "auto-teller" machines. These kiosks = will=20 be operated by the major banks, and serve as "secured web portals". = Users=20 will be able to insert their NR key-card to conduct transactions that = would=20 otherwise require the presence of two witnesses and a roomful of lawyers. Prior to reaching the "signature preparation phase" of a transaction, = the=20 terms of agreement may be perused at the user's leisure. To enter the=20 "signature preparation phase", the user must place their thumb, palm, = or=20 otherwise previously-registered part of their warm body in full contact=20 with the key-card's "bio-read" surface, so that authentication and=20 biometric stress data can be recorded. The user is then presented with = 5=20 randomly selected multiple-choice questions about the terms of the=20 transaction. The user must answer all questions correctly in order to=20 proceed to the actual signature phase. Note: The card will refuse to unlock the contained NR-key if: a. Bio-authentication fails (fingerprint, DNA-read, etc). b. Excessive alcohol or other mind-altering elements are detected. c. Skin-galvanic properties detect undue psychological stress. Once all of these simple measures are in place, you will be able to = walk=20 down any city street, stop at a signature kiosk, withdraw some cash,=20 purchase some postage stamps, and close escrow on that house you've = been=20 eyeing... ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 --=_5F04A784.5E3F2BA8 Content-Type: text/plain Content-Disposition: attachment; filename="Bob Jueneman.vcf" BEGIN:VCARD VERSION:2.1 X-GWTYPE:USER FN:Bob Jueneman TEL;WORK:01-801/861-7387 ORG:Novell Inc. -- the leading provider of Net services software;DS eBusiness Solutions TEL;PREF;FAX:01-801/861-2522 EMAIL;WORK;PREF;NGW:BJUENEMAN@novell.com N:Jueneman;Bob TITLE:Consultant Engineer ADR;INTL;WORK;PARCEL;POSTAL:;;Novell, Inc.\n1800 South Novell Place\n;Provo;Utah;84606;USA LABEL;INTL;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Bob Jueneman=0A= Novell, Inc.=0A= 1800 South Novell Place=0A= =0A= Provo, Utah 84606=0A= USA LABEL;DOM;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Bob Jueneman=0A= Novell, Inc.=0A= 1800 South Novell Place=0A= =0A= Provo, Utah 84606 X-GWUSERID:BJUENEMAN END:VCARD BEGIN:VCARD VERSION:2.1 X-GWTYPE:USER FN:Robert R. Jueneman TEL;WORK:01-801/861-7387 ORG:Novell, Inc.;DS eBusiness Solutions TEL;PREF;FAX:01-801/861-2522 EMAIL;WORK;PREF;NGW:BJUENEMAN@novell.com N:Jueneman;Bob TITLE:Consultant Engineer ADR;INTL;WORK;PARCEL;POSTAL:;PRV-F331;122 E. 1700 South;Provo;Utah;84606;USA LABEL;INTL;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Robert R. Jueneman=0A= PRV-F331=0A= 122 E. 1700 South=0A= Provo, Utah 84606=0A= USA LABEL;DOM;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Robert R. Jueneman=0A= PRV-F331=0A= 122 E. 1700 South=0A= Provo, Utah 84606 TEL;HOME:1-801-765-4378 TEL;CELL:1-801-361-1410 TEL;PREF:1-801-861-7387, 1-800-453-1267 X-GWUSERID:BJUENEMAN END:VCARD --=_5F04A784.5E3F2BA8-- Received: from smtp-1.llnl.gov (smtp-1.llnl.gov [128.115.250.81]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA10409 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 17:20:53 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-1.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id RAA27215; Fri, 6 Apr 2001 17:20:26 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id RAA18141; Fri, 6 Apr 2001 17:20:26 -0700 (PDT) Message-Id: <4.3.2.7.2.20010406162323.00ae9dc0@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 06 Apr 2001 17:24:20 -0700 To: "Bob Jueneman" <bjueneman@novell.com>, <Dave.Oshman@identrus.com>, <ietf-pkix@imc.org> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: Meaning of Non-repudiation In-Reply-To: <sacde629.080@prv-mail20.provo.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed At 03:52 PM 4/6/01 -0600, Bob Jueneman wrote: >Alas, poor Dave, you have fallen into the black hole of PKI, from which >there is no escape. Also Known As, the point of No Return (NR). (I feel as a moth drawn to a flame.) I think Bob has laid out the issues very nicely regarding the (lack of) necessity, sufficiency, and (arguable) usefulness of the "NR" bit. My feeling is that if the NR bit says anything at all, it is the issuing CA that is speaking. I cannot go to a (reputable) CA, and ask for a key to be certified with any attributes of my choosing. There is some understanding (modulo CP/CPS) that the CA "stands behind" the attributes contained in the certificates they issue, at least in terms of their having followed their (self-defined) process. (Beats me just what this is worth...). The most I can hope is that, at some future point, the PKI Protocol Players come to agree upon some common standard of certificate issuance processing "guaranteed" by inclusion of the set NR bit. Even then, it will be little more than one more piece of evidence that may be provided in case of a dispute. I have thought about how far one could really go, in making the NR-bit stand for what folks naively expect it to be. My "program" addresses both issuance and usage. (It may seem "humorous", but I wonder how far off this will really be.) Issuance of NR-bit Certificates: -------------------------------- The NR-bit Certificate shall contain or reference: 1. The CA-signed audio file of the certificate subject, reading aloud the CA's CP/CPS verbatim, and correctly responding to several randomly selected questions about this material. 2. The CA-signed photograph of the certificate subject shaking hands with the CA president under a banner that reads "Another Satisfied NR Customer". Usage of NR-bit Signature Keys: ------------------------------- These keys will be contained in biometrically-sensitive key-cards that self destruct under reasonable signs of tampering. The keys/key-cards can be used in any of the "Signature Kiosks" that we expect will replace the common "auto-teller" machines. These kiosks will be operated by the major banks, and serve as "secured web portals". Users will be able to insert their NR key-card to conduct transactions that would otherwise require the presence of two witnesses and a roomful of lawyers. Prior to reaching the "signature preparation phase" of a transaction, the terms of agreement may be perused at the user's leisure. To enter the "signature preparation phase", the user must place their thumb, palm, or otherwise previously-registered part of their warm body in full contact with the key-card's "bio-read" surface, so that authentication and biometric stress data can be recorded. The user is then presented with 5 randomly selected multiple-choice questions about the terms of the transaction. The user must answer all questions correctly in order to proceed to the actual signature phase. Note: The card will refuse to unlock the contained NR-key if: a. Bio-authentication fails (fingerprint, DNA-read, etc). b. Excessive alcohol or other mind-altering elements are detected. c. Skin-galvanic properties detect undue psychological stress. Once all of these simple measures are in place, you will be able to walk down any city street, stop at a signature kiosk, withdraw some cash, purchase some postage stamps, and close escrow on that house you've been eyeing... ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA01988 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 14:53:00 -0700 (PDT) Received: from INET-PRV-Message_Server by prv-mail20.provo.novell.com with Novell_GroupWise; Fri, 06 Apr 2001 15:52:09 -0600 Message-Id: <sacde629.080@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 5.5.5.1 Date: Fri, 06 Apr 2001 15:52:01 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <Dave.Oshman@identrus.com>, <ietf-pkix@imc.org> Subject: Re: Meaning of Non-repudiation Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id OAA01990 Alas, poor Dave, you have fallen into the black hole of PKI, from which there is no escape. Having written several megabytes of e-mails on the subject over the last ten years or so, and having read countless more on this topic from others on this list and elsewhere, if you were merely some grad student trying to get a crib for a term paper, or if your company were one of the few remaining dot coms no one ever heard of, I would refer you to the archives, probably starting with Tom Ginden's RFC. But you are not, and Identrus is at least potentially a very major player in this space, so you deserve a more extensive reply. Be careful what you ask for! The one sentence answer, IMHO, is that the NR bit in X.509 is neither necessary, nor sufficient, nor entirely useless; nor is any given set of proposed semantics agreed upon by any particular group of lawyers, technologists, or relying parties. -- at least if the number of people in the group exceeds three. As you may have noticed, the 2459 definition of NR is very nearly circular, except for the fact that "non-repudiation service" is not defined or agreed to by anyone, at least in any meaningful sense. Why do I say that the NR bit is not necessary? Because, at least in the US, the marvelously muddled eSign legislation says that parties can agree to just about anything, probably including smoke signals, as a legally binding signature if they choose to do so. On the other hand, absent such an agreement in advance, there is no clear standard as to what is or should be required to make a digital signature legally binding. and enforceable. OK, why is the bit not sufficient? That's even clearer. Despite what technologists might think there is (almost) no such thing as nonrepudiation, as your legal counsel has undoubtedly already advised you. Physical duress, fraud, incompetence, lack of authority or agency, illegality of the act -- all these things and more are examples of why any agreement, signed or not, can be repudiated or made invalid. Now with respect to a digital signature itself, there are a number of other defenses that might be possible, including the lack of knowledge that anything was being signed at all (a malevolent program was executed which caused some thing to be signed that the user was not aware of); insufficient protection given to a key that was not intended for important legal matters, allowing the key to be compromised; incorrect binding of a name to a key (that's my name, but that's not my key) by the CA; lack of archived CRL or OCSP checking by the relying party, making it impossible to prove that the signature was ostensibly valid at the time of issuance. So if the bit is neither necessary nor sufficient, is it completely useless? Maybe, but I believe that an argument could still be made for it, as a API signal to the originator's software. What I would like to see the bit used for at this late date is to serve as a signal to the signing party's software that this certificate, and therefore the associated private key, is something special, and that particular care should be taken with it. For example, it would be reasonable to use this as a signal within a smart card that the PIN or other identifier must be reentered every single time the private key is used, so that the system software can't sign two or more things after the key is unlocked. The bit could also be used to bring up various dire warnings, cautioning the user to be really, really sure that he knows what he is doing, thereby confirming the user's conscious and willing intent. Of course this same meaning could be applied to a bit in an attribute associated with the private key -- it wouldn't have to appear in the certificate. But if such a use for the NR bit were to become widespread, it would at least serve some useful purpose, as it would help to rebut the argument "but I didn't know I was signing anything at all, much less something this important." Now there are some people whom I respect that would argue that nothing is going to be settled in this area until some legal ruling is upheld with respect to the matter. My general feeling, however, is "God forbid!" I'm sure you're aware of the saying "hard cases make bad law." The only thing that I can imagine that would be worse than the demonstrated impossibility of having to educate entire House and Senate, plus their respective staffs, about PKI would be the prospect of some randomly chosen plaintiff's attorney and some other randomly chosen defense attorney arguing the fine points of PKI in front of a clueless judge and an equally clueless jury, and having the outcome of that process end up setting a national precedent. Ouch! What we need in this environment is the equivalent of the Generally Accepted Accounting Principles, which are rules adopted by accountants and auditors on behalf of the people who pay them to make sure that some company isn't playing fast and loose with the facts. We don't necessarily need a law, or a definitive court case -- we just need a sufficient strong set of customers who can step up and say "do it this way, or we aren't going to believe you" and make it stick. So far, no constituency has developed that has that amount of clout, and both the legal and the technical community have sort of agreed to duck the issue for now. SSL, for which perhaps 97% of all certificates have issued, doesn't sign documents, and the use within the S/MIME community has so far been quite slow to pick up. Perhaps Identrus and their community of interest will eventually be able to marshal that amount of clout and make it stick -- I rather hope so. But I am afraid that if you look to the existing stakeholders for a definitive agreement, you are going to be waiting a long, long time. Regards, Bob >I am trying to clarify the meaning of non-repudiation (as defined by the >technology standards) for our legal counsel. 2459 says this about >non-repudiation: > The nonRepudiation bit is asserted when the subject public key is > used to verify digital signatures used to provide a non- > repudiation service which protects against the signing entity > falsely denying some action, excluding certificate or CRL signing. > >The question is what does "some action" mean? Is the action merely signing >the transaction? Or, is the action perhaps committing to the terms described >in the signed transaction? > >To rephrase: Is non-repudiation stating simply that I, Dave Oshman, signed >this document? Or, is it supposed to mean that I, Dave Oshman, attest that I >am committing myself (or my company) to the terms described herein? > >Is this more clearly defined in X.813 (ITU-T Recommendation X.8131) | >ISO/IEC 10181-3:...1), Information technology - Open Systems Interconnection >- Security Frameworks in Open Systems - Non-repudiation framework)? Can >anyone snip a description of non-repudiation from X.813? >Thanks! >Dave Oshman >Senior Vice President >Technology >Identrus LLC Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA20713 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 12:09:45 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GBD00I01X85L8@ext-mail.valicert.com> for ietf-pkix@imc.org; Fri, 6 Apr 2001 12:09:41 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GBD00IH0X856H@ext-mail.valicert.com>; Fri, 06 Apr 2001 12:09:41 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26NZRH>; Fri, 06 Apr 2001 12:09:06 -0700 Content-return: allowed Date: Fri, 06 Apr 2001 12:09:04 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: Meaning of Non-repudiation To: "'Philip Hallam-Baker'" <pbaker@verisign.com>, ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E182C1D@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Phillip, This is intended as a pleasant message, before the PKI movement's annual festival during which we can analyse the previous year's concrete accomplishments and look forward to enhancing privacy in email: A valid implication of your expert group's statement is: that the IESG was wrong to have passed RFC 1421/1422, which seemed to claim to standardize a mechanism for providing a proof of origin with non-repudiation service. IESG was wrong as there was no NR bit in the certificate of the day, and, therefore, the 1421/1422 mechanism for providing the claimed service was not adequate. As this implication seems very far fetched indeed (as IESG are infallible) it makes me doubt the validity of the expert group's very proper assertion. Lets try to find evidence for the contrary position - which would support IESG decisions: "Certificates are used in PEM to provide the originator of a message with the (authenticated) public component of each recipient and to provide each recipient with the (authenticated) public component of the originator. " [RFC 1422] "Authentication, integrity, and (when asymmetric key management is employed) non-repudiation of origin services are applied to all PEM messages; confidentiality services are optionally selectable." [ RFC 1421] By focusing on authenticated public component, 1421/1422 removes from the notion of verification of digital signatures any requirement to consider certificates. The phrase "Asymmetric key management" is declared to be the (only) condition for provision of the non-repudiation with origin service. Indeed, 1422 never mentions the term "repudiation": the architecture provides only for the distribution of authenticated public components. Indeed, 1422 makes no claim to support the non-repudiation of origin service declared in 1421. It goes out of its way to limit its support to data origin authentication. In summary, the "Certificate-based key distribution" specification of 1422 does not claim to be "Asymmetric key management". By inference, 1422 support for 1421 does not provide for non-repudiation of origin. Also by inference, certificates alone are not sufficient for non-repudiation - assuming 1422's avoidance of listing support for 1421's non-repudiation of origin service was deliberate. RFC 1422 apparently contrasts with RFC 3039, which introduces a format-profile of certs that specifically claims to support an identification service, suitable for a public non-repudiation service. But again, we note, 3039 does not claim that certificates are necessary for non-repudiation - only, that conforming certificate schemes provide for the necessary assurance for the "identification facility" used in providing a non-repudiation service. In this, 3038 is compatible with 1422, in that certificate-assured identification is a common element for both the data origin authentication facility that 1422 does list as supporting, and the "public" non-repudiation service that 3038 supports. Other PKIX documents introduce bizzare, non-normative notions that we should probably ignore: "Users of public key-based systems must be confident that, any time they rely on a public key, the subject that they are communicating with owns the associated private key [...]" in case anyone claims that PKIX is self-contradictory. This quote from a PKIX theory I-D introduces the strange idea of "relying on" public keys, and introduces a (legal) contingency concerning "ownership". Though strange, it is interesting to note the compatibility of the PKIX theory with 1422, in its focus on public keys rather than certificates. In conclusion, I can view the RFC/ID evidence as supporting either position - for or against the experts statement that certificates and a given signal are necessary for non-repudiation. PKIX and historical IETF PKI standards-track works are apparently very carefully worded to offer NO support for a formal claim of providing non-repudiation on the basis that (a) certificates are used and/or (b) that particular certificate processing is used. Bringing the issue uptodate for the NR-relevant protocols that Internet subscribers use, we note that S/MIME v2 has a largely PEM compatible model: non-repudiation of origin is a result of "using digital signatures." To test the experts groups assertion seems to depend upon the definition of a digital signature. And on that there seems to be NO consensus in the statutory (legal) world we live in on the matter of any *necessary* relationship to certificates - as another essay on the definitions used in a statute to which IESG refers might show. Peter. -----Original Message----- From: Philip Hallam-Baker [mailto:pbaker@verisign.com] Sent: Friday, April 06, 2001 9:09 AM To: ietf-pkix@imc.org Subject: RE: Meaning of Non-repudiation I am confused here. Last washington IETF myself, Russ, Denis and Tim were taken in a black limosine off to a meeting of the joint ABA-New world order PKI working group being chaired by Michael Baum. We had a six hour dicussion of the non repudiation bit puctuated only by the stream of liveried servants dishing out foie gras, oysters and caviar to the lawyers. At the end of the meeting Tim recieved a signed and sealed statement from Michael himself stating that we did not need to discuss the topic ever again. I hope that Tim has not lost the statement. At the meeting the strongest statement that could be agreed upon concerning the non repudiation bit was: 1) The setting of the non repudiation bit in the certificate was a necessary but not sufficient condition for a relying party to consider a signature to have the non-repudiation property. Beyond that there was considerable dispute as to the legal and technical issues. I believe that the utility of the bit is limited to identifying keys which are considered (for whatever reason) repudiable. Beyond that non-repudiation is not a binary quality, there will always be degrees of repudiation contol and the degree of control provided in a specific circumstance is ultimately determined by the CP and CPS. Trying to condense that down to a single bit is futile. There is a utility in leaving the non-repudiation bit clear in a certificate for a cable modem, 802.11b card, SSL server or the like. Unfortunately the people who are most concerned about the bit tend to want it for an affirmation that non-repudiation services be provided. One solution would be to call it the 'repudiation bit' and state that when clear repudiability was asserted. Phill Phillip Hallam-Baker Principal Scientist VeriSign Inc. pbaker@verisign.com 781 245 6996 x227 Received: from mtiwmhc22.worldnet.att.net (mtiwmhc22.worldnet.att.net [204.127.131.47]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA17497 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 11:14:59 -0700 (PDT) Received: from barth ([12.82.138.241]) by mtiwmhc22.worldnet.att.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with SMTP id <20010406181428.IQMZ18668.mtiwmhc22.worldnet.att.net@barth>; Fri, 6 Apr 2001 18:14:28 +0000 From: "Dr. JohnDavid Hascup" <jdhascup@att.net> To: "Philip Hallam-Baker" <pbaker@verisign.com>, <ietf-pkix@imc.org> Subject: RE: Meaning of Non-repudiation Date: Fri, 6 Apr 2001 11:13:46 -0700 Message-ID: <LOBBLCKKJBEHIDHDEPBBMEKOCDAA.jdhascup@att.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0038_01C0BE8A.A5EB4F00" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <2F3EC696EAEED311BB2D009027C3F4F40154C90D@vhqpostal.verisign.com> Importance: Normal This is a multi-part message in MIME format. ------=_NextPart_000_0038_01C0BE8A.A5EB4F00 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Meaning of Non-repudiationThanks Phil, I do remember there being that discussion in DC and also much more prior on the list. I just remember that it seemed the lawyers wanted it their way and that the bit would be insufficent in-and-of-itself for their usage. If my message caused a misunderstanding beyond that, mea culpa. JohnDavid -----Original Message----- From: Philip Hallam-Baker [mailto:pbaker@verisign.com] Sent: Friday, April 06, 2001 9:09 AM To: ietf-pkix@imc.org Subject: RE: Meaning of Non-repudiation I am confused here. Last washington IETF myself, Russ, Denis and Tim were taken in a black limosine off to a meeting of the joint ABA-New world order PKI working group being chaired by Michael Baum. We had a six hour dicussion of the non repudiation bit puctuated only by the stream of liveried servants dishing out foie gras, oysters and caviar to the lawyers. At the end of the meeting Tim recieved a signed and sealed statement from Michael himself stating that we did not need to discuss the topic ever again. I hope that Tim has not lost the statement. At the meeting the strongest statement that could be agreed upon concerning the non repudiation bit was: 1) The setting of the non repudiation bit in the certificate was a necessary but not sufficient condition for a relying party to consider a signature to have the non-repudiation property. Beyond that there was considerable dispute as to the legal and technical issues. I believe that the utility of the bit is limited to identifying keys which are considered (for whatever reason) repudiable. Beyond that non-repudiation is not a binary quality, there will always be degrees of repudiation contol and the degree of control provided in a specific circumstance is ultimately determined by the CP and CPS. Trying to condense that down to a single bit is futile. There is a utility in leaving the non-repudiation bit clear in a certificate for a cable modem, 802.11b card, SSL server or the like. Unfortunately the people who are most concerned about the bit tend to want it for an affirmation that non-repudiation services be provided. One solution would be to call it the 'repudiation bit' and state that when clear repudiability was asserted. Phill Phillip Hallam-Baker Principal Scientist VeriSign Inc. pbaker@verisign.com 781 245 6996 x227 Dr. JohnDavid Hascup Senior Security Architect ELF Technologies ------=_NextPart_000_0038_01C0BE8A.A5EB4F00 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML xmlns=3D"http://www.w3.org/TR/REC-html40" xmlns:o =3D=20 "urn:schemas-microsoft-com:office:office" xmlns:w =3D=20 "urn:schemas-microsoft-com:office:word"><HEAD><TITLE>Meaning of = Non-repudiation</TITLE> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3DWord.Document name=3DProgId> <META content=3D"MSHTML 5.50.4611.1300" name=3DGENERATOR> <META content=3D"Microsoft Word 9" name=3DOriginator><LINK=20 href=3D"cid:filelist.xml@01C0BE78.DA4D0ED0" rel=3DFile-List><!--[if gte = mso 9]><xml> <o:OfficeDocumentSettings> <o:DoNotRelyOnCSS/> </o:OfficeDocumentSettings> </xml><![endif]--><!--[if gte mso 9]><xml> <w:WordDocument> <w:Zoom>0</w:Zoom> <w:DocumentKind>DocumentEmail</w:DocumentKind> <w:EnvelopeVis/> </w:WordDocument> </xml><![endif]--> <STYLE>@font-face { font-family: Comic Sans MS; } @font-face { font-family: Tahoma; } P.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"; = mso-style-parent: ""; mso-pagination: widow-orphan; = mso-fareast-font-family: "Times New Roman" } LI.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"; = mso-style-parent: ""; mso-pagination: widow-orphan; = mso-fareast-font-family: "Times New Roman" } DIV.MsoNormal { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"; = mso-style-parent: ""; mso-pagination: widow-orphan; = mso-fareast-font-family: "Times New Roman" } H1 { FONT-WEIGHT: bold; FONT-SIZE: 16pt; MARGIN: 12pt 0in 3pt; FONT-FAMILY: = Arial; mso-pagination: widow-orphan; mso-style-next: Normal; = mso-outline-level: 1; mso-font-kerning: 16.0pt } P.MsoAutoSig { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New Roman" } LI.MsoAutoSig { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New Roman" } DIV.MsoAutoSig { FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New Roman" } P { FONT-SIZE: 12pt; MARGIN-LEFT: 0in; MARGIN-RIGHT: 0in; FONT-FAMILY: = "Times New Roman"; mso-pagination: widow-orphan; = mso-fareast-font-family: "Times New Roman"; mso-margin-top-alt: auto; = mso-margin-bottom-alt: auto } SPAN.EmailStyle16 { COLOR: navy; mso-style-type: personal-reply; mso-ansi-font-size: = 12.0pt; mso-ascii-font-family: "Comic Sans MS"; mso-hansi-font-family: = "Comic Sans MS"; mso-bidi-font-family: Arial } P.Heading1NoTOC { FONT-WEIGHT: bold; FONT-SIZE: 14pt; MARGIN: 12pt 0in 3pt; FONT-FAMILY: = Arial; TEXT-ALIGN: center; mso-style-parent: "Heading 1"; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New = Roman"; mso-outline-level: 1; mso-font-kerning: 14.0pt; = mso-bidi-font-family: "Times New Roman"; mso-style-name: "Heading 1 No = TOC"; mso-bidi-font-size: 10.0pt; mso-bidi-font-weight: normal } LI.Heading1NoTOC { FONT-WEIGHT: bold; FONT-SIZE: 14pt; MARGIN: 12pt 0in 3pt; FONT-FAMILY: = Arial; TEXT-ALIGN: center; mso-style-parent: "Heading 1"; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New = Roman"; mso-outline-level: 1; mso-font-kerning: 14.0pt; = mso-bidi-font-family: "Times New Roman"; mso-style-name: "Heading 1 No = TOC"; mso-bidi-font-size: 10.0pt; mso-bidi-font-weight: normal } DIV.Heading1NoTOC { FONT-WEIGHT: bold; FONT-SIZE: 14pt; MARGIN: 12pt 0in 3pt; FONT-FAMILY: = Arial; TEXT-ALIGN: center; mso-style-parent: "Heading 1"; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New = Roman"; mso-outline-level: 1; mso-font-kerning: 14.0pt; = mso-bidi-font-family: "Times New Roman"; mso-style-name: "Heading 1 No = TOC"; mso-bidi-font-size: 10.0pt; mso-bidi-font-weight: normal } P.TableText { FONT-SIZE: 10pt; MARGIN: 3pt 0in; LINE-HEIGHT: 110%; FONT-FAMILY: = "Times New Roman"; mso-pagination: widow-orphan lines-together; = mso-fareast-font-family: "Times New Roman"; mso-font-kerning: 10.0pt; = mso-style-name: "Table Text" } LI.TableText { FONT-SIZE: 10pt; MARGIN: 3pt 0in; LINE-HEIGHT: 110%; FONT-FAMILY: = "Times New Roman"; mso-pagination: widow-orphan lines-together; = mso-fareast-font-family: "Times New Roman"; mso-font-kerning: 10.0pt; = mso-style-name: "Table Text" } DIV.TableText { FONT-SIZE: 10pt; MARGIN: 3pt 0in; LINE-HEIGHT: 110%; FONT-FAMILY: = "Times New Roman"; mso-pagination: widow-orphan lines-together; = mso-fareast-font-family: "Times New Roman"; mso-font-kerning: 10.0pt; = mso-style-name: "Table Text" } DIV.Section1 { page: Section1 } </STYLE> </HEAD> <BODY lang=3DEN-US style=3D"tab-interval: .5in"> <DIV><SPAN class=3D050370718-06042001><FONT face=3DArial color=3D#0000ff = size=3D2>Thanks=20 Phil, I do remember there being that discussion in DC and also much more = prior=20 on the list. I just remember that it seemed the lawyers wanted it their = way and=20 that the bit would be insufficent in-and-of-itself for their=20 usage.</FONT></SPAN></DIV> <DIV><SPAN class=3D050370718-06042001><FONT face=3DArial color=3D#0000ff = size=3D2></FONT></SPAN> </DIV> <DIV><SPAN class=3D050370718-06042001><FONT face=3DArial color=3D#0000ff = size=3D2>If my=20 message caused a misunderstanding beyond that, mea=20 culpa.</FONT></SPAN></DIV> <DIV><SPAN class=3D050370718-06042001></SPAN> </DIV> <DIV><SPAN class=3D050370718-06042001><FONT face=3DArial color=3D#0000ff = size=3D2>JohnDavid</FONT> </SPAN></DIV> <DIV><SPAN class=3D050370718-06042001><FONT face=3DArial color=3D#0000ff = size=3D2></FONT></SPAN> </DIV> <BLOCKQUOTE dir=3Dltr style=3D"MARGIN-RIGHT: 0px"> <DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Philip = Hallam-Baker=20 [mailto:pbaker@verisign.com]<BR><B>Sent:</B> Friday, April 06, 2001 = 9:09=20 AM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: Meaning of=20 Non-repudiation<BR><BR></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D677224615-06042001>I am=20 confused here. Last washington IETF myself, Russ, Denis and Tim were = taken in=20 a black limosine off to a meeting of the joint ABA-New world order PKI = working=20 group being chaired by Michael Baum. We had a six hour dicussion of = the non=20 repudiation bit puctuated only by the stream of liveried servants = dishing=20 out foie gras, oysters and caviar to the lawyers. At the end = of the=20 meeting Tim recieved a signed and sealed statement from Michael = himself=20 stating that we did not need to discuss the topic ever again. I hope = that Tim=20 has not lost the statement.</SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D677224615-06042001></SPAN></FONT> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D677224615-06042001>At=20 the meeting the strongest statement that could be agreed upon = concerning the=20 non repudiation bit was:</SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D677224615-06042001></SPAN></FONT> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D677224615-06042001>1)=20 The setting of the non repudiation bit in the certificate was a = necessary but=20 not sufficient condition for a relying party to consider a signature=20 to have the non-repudiation property.</SPAN></FONT></DIV> <DIV> </DIV> <DIV> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D677224615-06042001>Beyond that there was considerable dispute = as to the=20 legal and technical issues. I believe that the utility of the bit is = limited=20 to identifying keys which are considered (for whatever reason) = repudiable.=20 Beyond that non-repudiation is not a binary quality, there will always = be=20 degrees of repudiation contol and the degree of control provided in a = specific=20 circumstance is ultimately determined by the CP and CPS. Trying = to=20 condense that down to a single bit is futile.</SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D677224615-06042001></SPAN></FONT> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D677224615-06042001>There is a utility in leaving the = non-repudiation bit=20 clear in a certificate for a cable modem, 802.11b card, SSL server or = the=20 like.</SPAN></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D677224615-06042001>Unfortunately the people who are most = concerned about=20 the bit tend to want it for an affirmation that non-repudiation = services be=20 provided.</SPAN></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D677224615-06042001>One=20 solution would be to call it the 'repudiation bit' and state that when = clear=20 repudiability was asserted.</SPAN></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D677224615-06042001> =20 Phill</SPAN></FONT></DIV> <P><FONT size=3D2>Phillip Hallam-Baker<BR>Principal = Scientist<BR>VeriSign=20 Inc.<BR>pbaker@verisign.com<BR>781 245 6996 x227<BR><BR><SPAN=20 class=3D050370718-06042001><FONT face=3DArial color=3D#0000ff>Dr. = JohnDavid=20 Hascup<BR>Senior Security Architect<BR>ELF=20 Technologies</FONT></SPAN></FONT></P> <P><FONT size=3D2><SPAN class=3D050370718-06042001><FONT face=3DArial=20 color=3D#0000ff> </FONT></SPAN></FONT><![if = !supportEmptyParas]><![endif]><![if !supportEmptyParas]><![endif]><![if = !supportEmptyParas]><![endif]><![if !supportEmptyParas]><![endif]><![if = !supportEmptyParas]><![endif]><![if = !supportEmptyParas]><![endif]></P></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0038_01C0BE8A.A5EB4F00-- Received: from pigeon.verisign.com (pigeon.verisign.com [208.206.241.106]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA15289 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 10:32:05 -0700 (PDT) Received: from postal-gw1.verisign.com (verisign.com [63.104.27.101]) by pigeon.verisign.com (8.9.3/BCH1.7.1) with ESMTP id KAA15196; Fri, 6 Apr 2001 10:23:55 -0700 (PDT) Received: by postal-gw.verisign.com with Internet Mail Service (5.5.2650.21) id <HQK2RHZQ>; Fri, 6 Apr 2001 10:29:45 -0700 Message-ID: <2F3EC696EAEED311BB2D009027C3F4F40154C90F@vhqpostal.verisign.com> From: Philip Hallam-Baker <pbaker@verisign.com> To: "'Carlin Covey'" <ccovey@cylink.com>, ietf-pkix@imc.org Subject: RE: Meaning of Non-repudiation Date: Fri, 6 Apr 2001 10:29:14 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C0BEBF.19D82300" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01C0BEBF.19D82300 Content-Type: text/plain; charset="iso-8859-1" > From: Carlin Covey [mailto:ccovey@cylink.com] > Philip Hallam-Baker wrote > "... We had a six hour discussion of the > non-repudiation bit .... > At the end of the meeting Tim received a signed and > sealed statement > from Michael [Baum] himself stating that we did not > need to discuss > the topic ever again. ..." > > Was the non-repudiation bit set in the certificate used to sign that > statement? Damn! You are right! If the lawyers want to discuss the issue again they are going to have to share the foix gras and caviar this time and not keep it to themselves! Phillip Hallam-Baker Principal Scientist VeriSign Inc. pbaker@verisign.com 781 245 6996 x227 ------_=_NextPart_000_01C0BEBF.19D82300 Content-Type: application/octet-stream; name="Phillip Hallam-Baker (E-mail).vcf" Content-Disposition: attachment; filename="Phillip Hallam-Baker (E-mail).vcf" BEGIN:VCARD VERSION:2.1 N:Hallam-Baker;Phillip FN:Phillip Hallam-Baker (E-mail) ORG:VeriSign TITLE:Principal Consultant TEL;WORK;VOICE:(781) 245-6996 x227 EMAIL;PREF;INTERNET:hallam@verisign.com REV:20010214T163732Z END:VCARD ------_=_NextPart_000_01C0BEBF.19D82300-- Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA13302 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 09:34:00 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA34502 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 18:33:24 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA18000 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 18:33:26 +0200 Message-ID: <3ACDEFD6.B2A59CCD@bull.net> Date: Fri, 06 Apr 2001 18:33:26 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: pkix <ietf-pkix@imc.org> Subject: Changes to the TSP document Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit The TSP document has got an extensive review at the IESG level. In particular Marcus Leech on March 08, noticed the typo that had been advertised on the PKIX mailing list by Bernd Matthes from Celo Communications GmbH on January, 23. "4. A client application using application using only a nonce ..." This proves that the document has been carefully read by the IESG members. Once upon a time I was joking that an obvious error should be left in every document to make sure that it had been read. :-) Other comments came from the IESG about some changes in Annexes E and F. It has been requested to change the wording of the reference to son-of-2459 in APPENDIX E: Access descriptors for timeStamping. [This annex describes an extension based on the SIA extension that will be defined in the "son-of-RFC2459". Since at the time of publication of this document, "son-of-RFC2459" is not yet available, its description is placed in an informative annex. This annex will become normative, when this document will move from Proposed Standard to Standard.] Proposed change: " The contents of this annex will eventually become incorporated into the son-of-RFC2459 document, at which time this annex will no longer be needed. A future version of this document will likely omit this annex and refer to son-of-RFC2459 directly." In annex F, although there are MIME registration templates, they were not clearly in an IANA considerations section. The header has been added, as well as some additional text. Although these changes could have been made during the 48 hours notice time before the document is posted by the IETF editor, I have produced a new version that incorporates all the changes that have been requested up to now. This new version has been posted to the web editor and should be published soon. I have also clarified one sentence in the introduction section, reusing the first sentence from the abstract: "A time stamping service supports assertions of proof that a datum existed *before* a particular time." Old sentence: The TSA's role is to time stamp a datum to establish evidence indicating the time *at* which the datum existed. New sentence: The TSA's role is to time stamp a datum to establish evidence indicating that a datum existed *before* a particular time. I do hope that this will be the last version before the document is finally transformed into an RFC. Denis TSP lead editor. Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA12379 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 09:21:55 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 2LAWZDS0; Fri, 6 Apr 2001 09:17:57 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: <ietf-pkix@imc.org> Subject: RE: Meaning of Non-repudiation Date: Fri, 6 Apr 2001 09:18:53 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGIELHCDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <2F3EC696EAEED311BB2D009027C3F4F40154C90D@vhqpostal.verisign.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Philip Hallam-Baker wrote "... We had a six hour discussion of the non-repudiation bit .... At the end of the meeting Tim received a signed and sealed statement from Michael [Baum] himself stating that we did not need to discuss the topic ever again. ..." Was the non-repudiation bit set in the certificate used to sign that statement? Received: from pigeon.verisign.com (pigeon.verisign.com [208.206.241.106]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA11479 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 09:10:59 -0700 (PDT) Received: from postal-gw1.verisign.com (verisign.com [63.104.27.101]) by pigeon.verisign.com (8.9.3/BCH1.7.1) with ESMTP id JAA10501 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 09:03:16 -0700 (PDT) Received: by postal-gw.verisign.com with Internet Mail Service (5.5.2650.21) id <HQK2RGLH>; Fri, 6 Apr 2001 09:09:06 -0700 Message-ID: <2F3EC696EAEED311BB2D009027C3F4F40154C90D@vhqpostal.verisign.com> From: Philip Hallam-Baker <pbaker@verisign.com> To: ietf-pkix@imc.org Subject: RE: Meaning of Non-repudiation Date: Fri, 6 Apr 2001 09:08:35 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C0BEB3.D54BC530" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01C0BEB3.D54BC530 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0BEB3.D54BC530" ------_=_NextPart_001_01C0BEB3.D54BC530 Content-Type: text/plain; charset="iso-8859-1" I am confused here. Last washington IETF myself, Russ, Denis and Tim were taken in a black limosine off to a meeting of the joint ABA-New world order PKI working group being chaired by Michael Baum. We had a six hour dicussion of the non repudiation bit puctuated only by the stream of liveried servants dishing out foie gras, oysters and caviar to the lawyers. At the end of the meeting Tim recieved a signed and sealed statement from Michael himself stating that we did not need to discuss the topic ever again. I hope that Tim has not lost the statement. At the meeting the strongest statement that could be agreed upon concerning the non repudiation bit was: 1) The setting of the non repudiation bit in the certificate was a necessary but not sufficient condition for a relying party to consider a signature to have the non-repudiation property. Beyond that there was considerable dispute as to the legal and technical issues. I believe that the utility of the bit is limited to identifying keys which are considered (for whatever reason) repudiable. Beyond that non-repudiation is not a binary quality, there will always be degrees of repudiation contol and the degree of control provided in a specific circumstance is ultimately determined by the CP and CPS. Trying to condense that down to a single bit is futile. There is a utility in leaving the non-repudiation bit clear in a certificate for a cable modem, 802.11b card, SSL server or the like. Unfortunately the people who are most concerned about the bit tend to want it for an affirmation that non-repudiation services be provided. One solution would be to call it the 'repudiation bit' and state that when clear repudiability was asserted. Phill Phillip Hallam-Baker Principal Scientist VeriSign Inc. pbaker@verisign.com 781 245 6996 x227 ------_=_NextPart_001_01C0BEB3.D54BC530 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML xmlns=3D"http://www.w3.org/TR/REC-html40" xmlns:o =3D=20 "urn:schemas-microsoft-com:office:office" xmlns:w =3D=20 "urn:schemas-microsoft-com:office:word"><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <TITLE>Meaning of Non-repudiation</TITLE> <META content=3DWord.Document name=3DProgId> <META content=3D"MSHTML 5.00.2314.1000" name=3DGENERATOR> <META content=3D"Microsoft Word 9" name=3DOriginator><LINK=20 href=3D"cid:filelist.xml@01C0BE78.DA4D0ED0" rel=3DFile-List><!--[if gte = mso 9]><xml> <o:OfficeDocumentSettings> <o:DoNotRelyOnCSS/> </o:OfficeDocumentSettings> </xml><![endif]--><!--[if gte mso 9]><xml> <w:WordDocument> <w:Zoom>0</w:Zoom> <w:DocumentKind>DocumentEmail</w:DocumentKind> <w:EnvelopeVis/> </w:WordDocument> </xml><![endif]--> <STYLE>@font-face { font-family: Comic Sans MS; } @font-face { font-family: Tahoma; } P.MsoNormal { FONT-FAMILY: "Times New Roman"; FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; = mso-style-parent: ""; mso-pagination: widow-orphan; = mso-fareast-font-family: "Times New Roman" } LI.MsoNormal { FONT-FAMILY: "Times New Roman"; FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; = mso-style-parent: ""; mso-pagination: widow-orphan; = mso-fareast-font-family: "Times New Roman" } DIV.MsoNormal { FONT-FAMILY: "Times New Roman"; FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; = mso-style-parent: ""; mso-pagination: widow-orphan; = mso-fareast-font-family: "Times New Roman" } H1 { FONT-FAMILY: Arial; FONT-SIZE: 16pt; FONT-WEIGHT: bold; MARGIN: 12pt = 0in 3pt; mso-pagination: widow-orphan; mso-style-next: Normal; = mso-outline-level: 1; mso-font-kerning: 16.0pt } P.MsoAutoSig { FONT-FAMILY: "Times New Roman"; FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New = Roman" } LI.MsoAutoSig { FONT-FAMILY: "Times New Roman"; FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New = Roman" } DIV.MsoAutoSig { FONT-FAMILY: "Times New Roman"; FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New = Roman" } P { FONT-FAMILY: "Times New Roman"; FONT-SIZE: 12pt; MARGIN-LEFT: 0in; = MARGIN-RIGHT: 0in; mso-margin-top-alt: auto; mso-margin-bottom-alt: = auto; mso-pagination: widow-orphan; mso-fareast-font-family: "Times New = Roman" } SPAN.EmailStyle16 { COLOR: navy; mso-style-type: personal-reply; mso-ansi-font-size: = 12.0pt; mso-ascii-font-family: "Comic Sans MS"; mso-hansi-font-family: = "Comic Sans MS"; mso-bidi-font-family: Arial } P.Heading1NoTOC { FONT-FAMILY: Arial; FONT-SIZE: 14pt; FONT-WEIGHT: bold; MARGIN: 12pt = 0in 3pt; TEXT-ALIGN: center; mso-style-parent: "Heading 1"; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New = Roman"; mso-outline-level: 1; mso-font-kerning: 14.0pt; = mso-bidi-font-family: "Times New Roman"; mso-style-name: "Heading 1 No = TOC"; mso-bidi-font-size: 10.0pt; mso-bidi-font-weight: normal } LI.Heading1NoTOC { FONT-FAMILY: Arial; FONT-SIZE: 14pt; FONT-WEIGHT: bold; MARGIN: 12pt = 0in 3pt; TEXT-ALIGN: center; mso-style-parent: "Heading 1"; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New = Roman"; mso-outline-level: 1; mso-font-kerning: 14.0pt; = mso-bidi-font-family: "Times New Roman"; mso-style-name: "Heading 1 No = TOC"; mso-bidi-font-size: 10.0pt; mso-bidi-font-weight: normal } DIV.Heading1NoTOC { FONT-FAMILY: Arial; FONT-SIZE: 14pt; FONT-WEIGHT: bold; MARGIN: 12pt = 0in 3pt; TEXT-ALIGN: center; mso-style-parent: "Heading 1"; = mso-pagination: widow-orphan; mso-fareast-font-family: "Times New = Roman"; mso-outline-level: 1; mso-font-kerning: 14.0pt; = mso-bidi-font-family: "Times New Roman"; mso-style-name: "Heading 1 No = TOC"; mso-bidi-font-size: 10.0pt; mso-bidi-font-weight: normal } P.TableText { FONT-FAMILY: "Times New Roman"; FONT-SIZE: 10pt; LINE-HEIGHT: 110%; = MARGIN: 3pt 0in; mso-pagination: widow-orphan lines-together; = mso-fareast-font-family: "Times New Roman"; mso-font-kerning: 10.0pt; = mso-style-name: "Table Text" } LI.TableText { FONT-FAMILY: "Times New Roman"; FONT-SIZE: 10pt; LINE-HEIGHT: 110%; = MARGIN: 3pt 0in; mso-pagination: widow-orphan lines-together; = mso-fareast-font-family: "Times New Roman"; mso-font-kerning: 10.0pt; = mso-style-name: "Table Text" } DIV.TableText { FONT-FAMILY: "Times New Roman"; FONT-SIZE: 10pt; LINE-HEIGHT: 110%; = MARGIN: 3pt 0in; mso-pagination: widow-orphan lines-together; = mso-fareast-font-family: "Times New Roman"; mso-font-kerning: 10.0pt; = mso-style-name: "Table Text" } DIV.Section1 { page: Section1 } </STYLE> </HEAD> <BODY lang=3DEN-US style=3D"tab-interval: .5in"> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D677224615-06042001>I am=20 confused here. Last washington IETF myself, Russ, Denis and Tim were = taken in a=20 black limosine off to a meeting of the joint ABA-New world order PKI = working=20 group being chaired by Michael Baum. We had a six hour dicussion of the = non=20 repudiation bit puctuated only by the stream of liveried servants = dishing=20 out foie gras, oysters and caviar to the lawyers. At the end = of the=20 meeting Tim recieved a signed and sealed statement from Michael = himself=20 stating that we did not need to discuss the topic ever again. I hope = that Tim=20 has not lost the statement.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D677224615-06042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D677224615-06042001>At the=20 meeting the strongest statement that could be agreed upon concerning = the non=20 repudiation bit was:</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D677224615-06042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D677224615-06042001>1) The=20 setting of the non repudiation bit in the certificate was a necessary = but not=20 sufficient condition for a relying party to consider a signature = to have=20 the non-repudiation property.</SPAN></FONT></DIV> <DIV> </DIV> <DIV> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D677224615-06042001>Beyond=20 that there was considerable dispute as to the legal and technical = issues. I=20 believe that the utility of the bit is limited to identifying keys = which are=20 considered (for whatever reason) repudiable. Beyond that = non-repudiation is not=20 a binary quality, there will always be degrees of repudiation contol = and the=20 degree of control provided in a specific circumstance is = ultimately=20 determined by the CP and CPS. Trying to condense that down to a single = bit is=20 futile.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D677224615-06042001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D677224615-06042001>There=20 is a utility in leaving the non-repudiation bit clear in a certificate = for a=20 cable modem, 802.11b card, SSL server or the like.</SPAN></FONT></DIV> <DIV> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D677224615-06042001>Unfortunately the people who are most = concerned about=20 the bit tend to want it for an affirmation that non-repudiation = services be=20 provided.</SPAN></FONT></DIV> <DIV> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D677224615-06042001>One=20 solution would be to call it the 'repudiation bit' and state that when = clear=20 repudiability was asserted.</SPAN></FONT></DIV> <DIV> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D677224615-06042001> =20 Phill</SPAN></FONT></DIV> <P><FONT size=3D2>Phillip Hallam-Baker<BR>Principal = Scientist<BR>VeriSign=20 Inc.<BR>pbaker@verisign.com<BR>781 245 6996 x227<BR></FONT></P><![if = !supportEmptyParas]><![endif]><![if !supportEmptyParas]><![endif]><![if = !supportEmptyParas]><![endif]><![if !supportEmptyParas]><![endif]><![if = !supportEmptyParas]><![endif]><![if = !supportEmptyParas]><![endif]></BODY></HTML> ------_=_NextPart_001_01C0BEB3.D54BC530-- ------_=_NextPart_000_01C0BEB3.D54BC530 Content-Type: application/octet-stream; name="Phillip Hallam-Baker (E-mail).vcf" Content-Disposition: attachment; filename="Phillip Hallam-Baker (E-mail).vcf" BEGIN:VCARD VERSION:2.1 N:Hallam-Baker;Phillip FN:Phillip Hallam-Baker (E-mail) ORG:VeriSign TITLE:Principal Consultant TEL;WORK;VOICE:(781) 245-6996 x227 EMAIL;PREF;INTERNET:hallam@verisign.com REV:20010214T163732Z END:VCARD ------_=_NextPart_000_01C0BEB3.D54BC530-- Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA24578 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 06:17:24 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id JAA13232 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 09:16:55 -0400 (EDT) Message-Id: <200104061316.JAA13228@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Fri, 06 Apr 2001 09:14:56 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: A standard encoding for Certification Paths References: <200104060149.SAA06547@shorter.eng.sun.com> <kjelv6r9k3.fsf@romeo.rtfm.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Eric Rescorla wrote: > Jeff Nisewanger <Jeff.Nisewanger@Sun.COM> writes: > > It is true that TLS does not use a higher level ASN.1 structure > > but it also doesn't literally stream or concatenate the DER encoded > > certificates together. Instead, it wraps the individual DER certificate > > encodings into a sequence using its own TLS encoding scheme. The peer TLS > > implementation then decodes and unwraps the individual DER encoded > > certificates in the chain and then perhaps hands the individual DER > > encodings to an X.509 toolkit. > > Quite so. Any other approach would require that the TLS toolkit > be able to itself parse ASN.1. This would be very inconvenient. Perhaps "distasteful" to those of a certain philosophical bent, but certainly not "inconvenient". The amount of code required to take a bytestream of BER/DER* objects and return a list of Length-Value's pointing to each object is trivial, and the API for such code is as simple as, say, strtok(). * Note, an X.509 certificate is encoded using BER, even though the to-be-signed portion is DER. Received: from gull.mail.pas.earthlink.net (gull.mail.pas.earthlink.net [207.217.121.85]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA23546 for <ietf-pkix@imc.org>; Fri, 6 Apr 2001 05:50:03 -0700 (PDT) Received: from chrisf (1Cust68.tnt5.clearwater.fl.da.uu.net [63.25.149.68]) by gull.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with SMTP id FAA29661; Fri, 6 Apr 2001 05:49:57 -0700 (PDT) From: "Christopher S. Francis" <chris.francis@wetstonetech.com> To: "Dr. JohnDavid Hascup" <jdhascup@att.net>, "Dave Oshman" <Dave.Oshman@identrus.com>, <ietf-pkix@imc.org> Subject: RE: Meaning of Non-repudiation Date: Fri, 6 Apr 2001 09:06:27 -0400 Message-ID: <NEBBKNLKHMMPAKLAPDMDEEHOCDAA.chris.francis@wetstonetech.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0004_01C0BE78.DCDE19F0" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Importance: Normal In-Reply-To: <LOBBLCKKJBEHIDHDEPBBEEJPCDAA.jdhascup@att.net> This is a multi-part message in MIME format. ------=_NextPart_000_0004_01C0BE78.DCDE19F0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Dr. Hascup, ItÂ’s not clear to me why you feel that the policies of the RP regarding the meaning of the non-repudiation bit are the primary factor in defining the meaning of non-repudiation in that environment. IÂ’m not a lawyer, but it seems to me that, although the RPÂ’s policy plays a role, the primary definition of what non-repudiation means in a particular environment should come from the published policies of the signer. If I sign something, shouldnÂ’t my policy state whether a RP should interpret my signature as an endorsement of the contents of whatever I signed? Chris Francis -----Original Message----- From: Dr. JohnDavid Hascup [mailto:jdhascup@att.net] Sent: Thursday, April 05, 2001 1:15 PM To: Dave Oshman; ietf-pkix@imc.org Subject: RE: Meaning of Non-repudiation Dave -----Original Message----- From: Dave Oshman [mailto:Dave.Oshman@identrus.com] Sent: Thursday, April 05, 2001 9:24 AM To: ietf-pkix@imc.org Subject: Meaning of Non-repudiation I am trying to clarify the meaning of non-repudiation (as defined by the technology standards) for our legal counsel. 2459 says this about non-repudiation: [JDH] this is the abyss of PKI. Having spent over three years working with legal counsel on how to understand non-repudiation I have yet to find a viable "legal" interpretation of the technological protocol. I think the past year Tom Grindin was developing a "technical non-repudiation" draft which I think has lapsed as of the past meeting in Minneapolis. It was an attempt to ground non-repudiation with a meaning that would be "legal" neutral but protocol specific. The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures used to provide a non- repudiation service which protects against the signing entity falsely denying some action, excluding certificate or CRL signing. The question is what does "some action" mean? Is the action merely signing the transaction? Or, is the action perhaps committing to the terms described in the signed transaction? To rephrase: Is non-repudiation stating simply that I, Dave Oshman, signed this document? Or, is it supposed to mean that I, Dave Oshman, attest that I am committing myself (or my company) to the terms described herein? [JDH] IMO "legal" non-repudiation must be set via the entire environment of the PKI as specifically defined in whatever policies the RP sets. This means that it is the RP's use of the bit or non-use that is important. The reason I felt this was due to the fact that once the question enters the court it, the technical setting of the bit is not what is important but rather the interpretation placed upon it by the RP and thus the EE. Apart from a "clear stated policy" of what the RP intends for it's understanding of non-repudiation the technical aspects are meaningless. The asserting of the bit must be given meaning in the context of the environment and cannot have a meaning legally apart from that environment. Therefore, your second meaning can only be grounded in the policies set by the environment in which you are signing and not in the technical underlying protocol. As for the first, at most, one can argue that the cert granted to you signed. This is why we had such a difficult time moving "technical" non-repudiation into a legal context. What is the legal relationship between the certificate and the person to whom the cert was issued. The protocol can offer forensic evidence regarding the relationship and the actions of the cert but in and of itself offers no legal meaning. Is this more clearly defined in X.813 (ITU-T Recommendation X.8131) | ISO/IEC 10181-3:...1), Information technology - Open Systems Interconnection - Security Frameworks in Open Systems - Non-repudiation framework)? Can anyone snip a description of non-repudiation from X.813? Thanks! Dave Oshman Senior Vice President Technology Identrus LLC Dr. JohnDavid Hascup Senior Security Architect ELF Technologies ------=_NextPart_000_0004_01C0BE78.DCDE19F0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns=3D"http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <meta name=3DProgId content=3DWord.Document> <meta name=3DGenerator content=3D"Microsoft Word 9"> <meta name=3DOriginator content=3D"Microsoft Word 9"> <link rel=3DFile-List href=3D"cid:filelist.xml@01C0BE78.DA4D0ED0"> <title>Meaning of Non-repudiation</title> <!--[if gte mso 9]><xml> <o:OfficeDocumentSettings> <o:DoNotRelyOnCSS/> </o:OfficeDocumentSettings> </xml><![endif]--><!--[if gte mso 9]><xml> <w:WordDocument> <w:Zoom>0</w:Zoom> <w:DocumentKind>DocumentEmail</w:DocumentKind> <w:EnvelopeVis/> </w:WordDocument> </xml><![endif]--> <style> <!-- /* Font Definitions */ @font-face {font-family:"Comic Sans MS"; panose-1:3 15 7 2 3 3 2 2 2 4; mso-font-charset:0; mso-generic-font-family:script; mso-font-pitch:variable; mso-font-signature:647 0 0 0 159 0;} @font-face {font-family:Tahoma; panose-1:2 11 6 4 3 5 4 4 2 4; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:553679495 -2147483648 8 0 66047 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-parent:""; margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman";} h1 {mso-style-next:Normal; margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; mso-pagination:widow-orphan; page-break-after:avoid; mso-outline-level:1; font-size:16.0pt; font-family:Arial; mso-font-kerning:16.0pt; font-weight:bold;} p.MsoAutoSig, li.MsoAutoSig, div.MsoAutoSig {margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman";} p {margin-right:0in; mso-margin-top-alt:auto; mso-margin-bottom-alt:auto; margin-left:0in; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman";} span.EmailStyle16 {mso-style-type:personal-reply; mso-ansi-font-size:12.0pt; mso-ascii-font-family:"Comic Sans MS"; mso-hansi-font-family:"Comic Sans MS"; mso-bidi-font-family:Arial; color:navy;} p.Heading1NoTOC, li.Heading1NoTOC, div.Heading1NoTOC {mso-style-name:"Heading 1 No TOC"; mso-style-parent:"Heading 1"; margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; text-align:center; mso-pagination:widow-orphan; page-break-after:avoid; mso-outline-level:1; font-size:14.0pt; mso-bidi-font-size:10.0pt; font-family:Arial; mso-fareast-font-family:"Times New Roman"; mso-bidi-font-family:"Times New Roman"; mso-font-kerning:14.0pt; font-weight:bold; mso-bidi-font-weight:normal;} p.TableText, li.TableText, div.TableText {mso-style-name:"Table Text"; margin-top:3.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; line-height:110%; mso-pagination:widow-orphan lines-together; font-size:10.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman"; mso-font-kerning:10.0pt;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} --> </style> </head> <body lang=3DEN-US style=3D'tab-interval:.5in'> <div class=3DSection1> <p class=3DMsoNormal><span class=3DEmailStyle16><font size=3D3 = color=3Dnavy face=3D"Comic Sans MS"><span = style=3D'font-size:12.0pt;font-family:"Comic Sans MS"'>Dr. Hascup,<o:p></o:p></span></font></span></p> <p class=3DMsoNormal><span class=3DEmailStyle16><font size=3D3 = color=3Dnavy face=3D"Comic Sans MS"><span = style=3D'font-size:12.0pt;font-family:"Comic Sans MS"'><![if = !supportEmptyParas]> <![endif]><o:p></o:p></span></font></span></p> <p class=3DMsoNormal><span class=3DEmailStyle16><font size=3D3 = color=3Dnavy face=3D"Comic Sans MS"><span = style=3D'font-size:12.0pt;font-family:"Comic Sans MS"'>It’s not clear to me why you feel that the policies of the RP regarding the = meaning of the non-repudiation bit are the primary factor in defining the = meaning of non-repudiation in that environment.<span style=3D"mso-spacerun: = yes"> </span>I’m not a lawyer, but it seems to me that, although the = RP’s policy plays a role, the primary definition of what non-repudiation means in a particular environment should come from the published policies of the = signer.<o:p></o:p></span></font></span></p> <p class=3DMsoNormal><span class=3DEmailStyle16><font size=3D3 = color=3Dnavy face=3D"Comic Sans MS"><span = style=3D'font-size:12.0pt;font-family:"Comic Sans MS"'><![if = !supportEmptyParas]> <![endif]><o:p></o:p></span></font></span></p> <p class=3DMsoNormal><span class=3DEmailStyle16><font size=3D3 = color=3Dnavy face=3D"Comic Sans MS"><span = style=3D'font-size:12.0pt;font-family:"Comic Sans MS"'>If I sign something, shouldn’t my policy state whether a RP should = interpret my signature as an endorsement of the contents of whatever I signed?<span style=3D"mso-spacerun: yes"> = </span><o:p></o:p></span></font></span></p> <p class=3DMsoNormal><span class=3DEmailStyle16><font size=3D3 = color=3Dnavy face=3D"Comic Sans MS"><span = style=3D'font-size:12.0pt;font-family:"Comic Sans MS"'><![if = !supportEmptyParas]> <![endif]><o:p></o:p></span></font></span></p> <p class=3DMsoNormal><span class=3DEmailStyle16><font size=3D3 = color=3Dnavy face=3D"Comic Sans MS"><span = style=3D'font-size:12.0pt;font-family:"Comic Sans MS"'>Chris Francis<o:p></o:p></span></font></span></p> <p class=3DMsoNormal><span class=3DEmailStyle16><font size=3D3 = color=3Dnavy face=3D"Comic Sans MS"><span = style=3D'font-size:12.0pt;font-family:"Comic Sans MS"'><![if = !supportEmptyParas]> <![endif]><o:p></o:p></span></font></span></p> <p class=3DMsoNormal><span class=3DEmailStyle16><font size=3D3 = color=3Dnavy face=3D"Comic Sans MS"><span = style=3D'font-size:12.0pt;font-family:"Comic Sans MS"'><![if = !supportEmptyParas]> <![endif]><o:p></o:p></span></font></span></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 = color=3Dblack face=3DTahoma><span = style=3D'font-size:10.0pt;font-family:Tahoma;color:black'>-----Original Message-----<br> <b><span style=3D'font-weight:bold'>From:</span></b> Dr. JohnDavid = Hascup [mailto:jdhascup@att.net]<br> <b><span style=3D'font-weight:bold'>Sent:</span></b> Thursday, April 05, = 2001 1:15 PM<br> <b><span style=3D'font-weight:bold'>To:</span></b> Dave Oshman; = ietf-pkix@imc.org<br> <b><span style=3D'font-weight:bold'>Subject:</span></b> RE: Meaning of Non-repudiation</span></font></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D3 = face=3D"Times New Roman"><span style=3D'font-size:12.0pt'><![if = !supportEmptyParas]> <![endif]><o:p></o:p></span></font></p> <p class=3DMsoNormal style=3D'margin-left:.5in'><font size=3D2 = color=3Dblue face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial;color:blue'>Dave</span></font= ><font color=3Dblack><span = style=3D'color:black;mso-color-alt:windowtext'><o:p></o:p></span></font><= /p> <p class=3DMsoNormal = style=3D'mso-margin-top-alt:auto;margin-bottom:12.0pt; margin-left:1.0in'><font size=3D2 color=3Dblack face=3DTahoma><span = style=3D'font-size: 10.0pt;font-family:Tahoma;color:black'>-----Original Message-----<br> <b><span style=3D'font-weight:bold'>From:</span></b> Dave Oshman [mailto:Dave.Oshman@identrus.com]<br> <b><span style=3D'font-weight:bold'>Sent:</span></b> Thursday, April 05, = 2001 9:24 AM<br> <b><span style=3D'font-weight:bold'>To:</span></b> ietf-pkix@imc.org<br> <b><span style=3D'font-weight:bold'>Subject:</span></b> Meaning of Non-repudiation</span></font><font color=3Dblack><span = style=3D'color:black; mso-color-alt:windowtext'><o:p></o:p></span></font></p> <p style=3D'margin-left:1.0in'><font size=3D2 color=3Dblack = face=3D"Times New Roman"><span style=3D'font-size:10.0pt;color:black'>I am trying to clarify the = meaning of non-repudiation (as defined by the technology standards) for our legal = counsel. 2459 says this about non-repudiation:<br> </span></font><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial;color:blue'>[JDH] this is the abyss of PKI. = Having spent over three years working with legal counsel on how to understand non-repudiation I have yet to find a viable "legal" = interpretation of the technological protocol. I think the past year Tom Grindin was developing a "technical non-repudiation" draft which = I think has lapsed as of the past meeting in Minneapolis. It was an attempt to = ground non-repudiation with a meaning that would be "legal" neutral but protocol = specific.</span></font><font color=3Dblack><span = style=3D'color:black;mso-color-alt:windowtext'><o:p></o:p></span></font><= /p> <p style=3D'margin-left:1.0in'><font size=3D2 color=3Dblack = face=3D"Times New Roman"><span style=3D'font-size:10.0pt;color:black'> The nonRepudiation bit is asserted when the subject public key = is</span></font><font color=3Dblack><span style=3D'color:black'> <br> </span></font><font size=3D2 color=3Dblack><span = style=3D'font-size:10.0pt; color:black'> used to verify digital = signatures used to provide a non-</span></font><font color=3Dblack><span = style=3D'color:black'> <br> </span></font><font size=3D2 color=3Dblack><span = style=3D'font-size:10.0pt; color:black'> repudiation service which = protects against the signing entity</span></font><font color=3Dblack><span style=3D'color:black'> <br> </span></font><font size=3D2 color=3Dblack><span = style=3D'font-size:10.0pt; color:black'> falsely denying some action, excluding certificate or CRL signing.</span></font><font = color=3Dblack><span style=3D'color:black'> </span></font><font color=3Dblack><span = style=3D'color:black; mso-color-alt:windowtext'><o:p></o:p></span></font></p> <p style=3D'margin-left:1.0in'><font size=3D2 color=3Dblack = face=3D"Times New Roman"><span style=3D'font-size:10.0pt;color:black'>The question is what does = "some action" mean? Is the action merely signing the transaction? Or, is = the action perhaps committing to the terms described in the signed = transaction?</span></font><font color=3Dblack><span = style=3D'color:black;mso-color-alt:windowtext'><o:p></o:p></span></font><= /p> <p style=3D'margin-left:1.0in'><font size=3D2 color=3Dblack = face=3D"Times New Roman"><span style=3D'font-size:10.0pt;color:black'>To rephrase: Is non-repudiation = stating simply that I, Dave Oshman, signed this document? Or, is it supposed to = mean that I, Dave Oshman, attest that I am committing myself (or my company) = to the terms described herein?<br> </span></font><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial;color:blue'>[JDH] IMO "legal" = non-repudiation must be set via the entire environment of the PKI as specifically = defined in whatever policies the RP sets. This means that it is the RP's use of the = bit or non-use that is important. The reason I felt this was due to the fact = that once the question enters the court it, the technical setting of the bit is = not what is important but rather the interpretation placed upon it by the RP and = thus the EE. Apart from a "clear stated policy" of what the RP = intends for it's understanding of non-repudiation the technical aspects are = meaningless. The asserting of the bit must be given meaning in the context of the environment and cannot have a meaning legally apart from that environment. Therefore, your second meaning can only be grounded in = the policies set by the environment in which you are signing and not in the technical underlying protocol. As for the first, at most, one can argue = that the cert granted to you signed. This is why we had such a difficult time = moving "technical" non-repudiation into a legal context. What is the = legal relationship between the certificate and the person to whom the cert was issued. The protocol can offer forensic evidence regarding the = relationship and the actions of the cert but in and of itself offers no legal = meaning.</span></font><font color=3Dblack><span = style=3D'color:black;mso-color-alt:windowtext'><o:p></o:p></span></font><= /p> <p style=3D'margin-left:1.0in'><font size=3D3 color=3Dblack = face=3D"Times New Roman"><span style=3D'font-size:12.0pt;color:black'> </span></font><font = color=3Dblack><span style=3D'color:black;mso-color-alt:windowtext'><o:p></o:p></span></font><= /p> <p style=3D'margin-left:1.0in'><font size=3D2 color=3Dblack = face=3D"Times New Roman"><span style=3D'font-size:10.0pt;color:black'>Is this more clearly defined in = X.813 (ITU-T Recommendation X.8131) | ISO/IEC 10181-3:...1), Information = technology - Open Systems Interconnection - Security Frameworks in Open Systems - Non-repudiation framework)? Can anyone snip a description of = non-repudiation from X.813?</span></font><font color=3Dblack><span = style=3D'color:black;mso-color-alt: windowtext'><o:p></o:p></span></font></p> <p style=3D'margin-left:1.0in'><font size=3D2 color=3Dblack = face=3D"Times New Roman"><span style=3D'font-size:10.0pt;color:black'>Thanks!</span></font><font = color=3Dblack><span style=3D'color:black'> <br> </span></font><font size=3D2 color=3Dblack><span = style=3D'font-size:10.0pt; color:black'>Dave Oshman </span></font><font color=3Dblack><span style=3D'color:black'><br> </span></font><font size=3D2 color=3Dblack><span = style=3D'font-size:10.0pt; color:black'>Senior Vice President </span></font><font = color=3Dblack><span style=3D'color:black'><br> </span></font><font size=3D2 color=3Dblack><span = style=3D'font-size:10.0pt; color:black'>Technology </span></font><font color=3Dblack><span = style=3D'color: black'><br> </span></font><font size=3D2 color=3Dblack><span = style=3D'font-size:10.0pt; color:black'>Identrus LLC</span></font><font color=3Dblack><span style=3D'color:black'> </span></font><font color=3Dblack><span = style=3D'color:black; mso-color-alt:windowtext'><o:p></o:p></span></font></p> <p class=3DMsoNormal = style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:1.0in'><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:blue'>Dr. JohnDavid = Hascup</span></font><font color=3Dblack><span = style=3D'color:black;mso-color-alt:windowtext'><o:p></o:p></span></font><= /p> <p class=3DMsoNormal = style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:1.0in'><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:blue'>Senior Security = Architect</span></font><font color=3Dblack><span = style=3D'color:black;mso-color-alt:windowtext'><o:p></o:p></span></font><= /p> <p class=3DMsoNormal = style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; margin-left:1.0in'><font size=3D2 color=3Dblue face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:blue'>ELF Technologies</span></font><font color=3Dblack><span = style=3D'color:black;mso-color-alt:windowtext'><o:p></o:p></span></font><= /p> </div> </body> </html> ------=_NextPart_000_0004_01C0BE78.DCDE19F0-- Received: from romeo.rtfm.com ([198.144.203.242]) by above.proper.com (8.9.3/8.9.3) with ESMTP id UAA04754 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 20:23:10 -0700 (PDT) Received: (ekr@localhost) by romeo.rtfm.com (8.9.3/8.6.4) id UAA13485; Thu, 5 Apr 2001 20:28:29 -0700 (PDT) Sender: ekr@rtfm.com To: Jeff Nisewanger <Jeff.Nisewanger@Sun.COM> Cc: povey@dstc.qut.edu.au, ietf-pkix@imc.org Subject: Re: A standard encoding for Certification Paths References: <200104060149.SAA06547@shorter.eng.sun.com> Reply-to: EKR <ekr@rtfm.com> Mime-Version: 1.0 (generated by tm-edit 7.108) Content-Type: text/plain; charset=US-ASCII From: Eric Rescorla <ekr@speedy.rtfm.com> Date: 05 Apr 2001 20:28:28 -0700 In-Reply-To: Jeff Nisewanger's message of "Thu, 5 Apr 2001 18:49:28 -0700 (PDT)" Message-ID: <kjelv6r9k3.fsf@romeo.rtfm.com> Lines: 28 X-Mailer: Gnus v5.6.45/XEmacs 20.4 - "Emerald" Jeff Nisewanger <Jeff.Nisewanger@Sun.COM> writes: > Dean Povey writes: > > Degenerate PKCS#7/CMS SignedData indeed seems to be the most common > > method to pass around cert paths, which although something of an > > insanity is a small insanity in a very large universe of insanities. > > SEQUENCE OF Certificate is also not uncommon, and Polar's method of > > just streaming the Certificates without wrapping them up in a higher > > level ASN.1 structure is the way it is done in SSL/TLS. > > > It is true that TLS does not use a higher level ASN.1 structure > but it also doesn't literally stream or concatenate the DER encoded > certificates together. Instead, it wraps the individual DER certificate > encodings into a sequence using its own TLS encoding scheme. The peer TLS > implementation then decodes and unwraps the individual DER encoded > certificates in the chain and then perhaps hands the individual DER > encodings to an X.509 toolkit. Quite so. Any other approach would require that the TLS toolkit be able to itself parse ASN.1. This would be very inconvenient. Note that from an encoding perspective a BER encoding of a SEQUENCE or SET OF certificates can be formed by concatenating them and then adding the tag and length. DER of SET OF is slightly trickier because you have to sort them but then again you rarely have to encode DER. Certainly you never do for S/MIME which is generally BER encoded. -Ekr Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA02750 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 18:49:25 -0700 (PDT) Received: from shorter.eng.sun.com ([129.144.251.35]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id SAA27119; Thu, 5 Apr 2001 18:49:29 -0700 (PDT) Received: from crypto (crypto [129.144.250.112]) by shorter.eng.sun.com (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with SMTP id SAA06547; Thu, 5 Apr 2001 18:49:28 -0700 (PDT) Message-Id: <200104060149.SAA06547@shorter.eng.sun.com> Date: Thu, 5 Apr 2001 18:49:28 -0700 (PDT) From: Jeff Nisewanger <Jeff.Nisewanger@Sun.COM> Reply-To: Jeff Nisewanger <Jeff.Nisewanger@Sun.COM> Subject: Re: A standard encoding for Certification Paths To: povey@dstc.qut.edu.au Cc: ietf-pkix@imc.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: 5lWTq1QFiggjKFgK0W+jRg== X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.3.5 SunOS 5.7 sun4u sparc Polar Humenn writes: > I believe the lowest common denominator for a sequence of certificates is > exactly that, a stream of ASN.1 Certificate encodings. > Dean Povey writes: > Degenerate PKCS#7/CMS SignedData indeed seems to be the most common > method to pass around cert paths, which although something of an > insanity is a small insanity in a very large universe of insanities. > SEQUENCE OF Certificate is also not uncommon, and Polar's method of > just streaming the Certificates without wrapping them up in a higher > level ASN.1 structure is the way it is done in SSL/TLS. It is true that TLS does not use a higher level ASN.1 structure but it also doesn't literally stream or concatenate the DER encoded certificates together. Instead, it wraps the individual DER certificate encodings into a sequence using its own TLS encoding scheme. The peer TLS implementation then decodes and unwraps the individual DER encoded certificates in the chain and then perhaps hands the individual DER encodings to an X.509 toolkit. Jeff Received: from hamster.gadens.com.au (ns.gadens.com.au [203.18.88.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA26869 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 16:44:50 -0700 (PDT) Received: from exchange.gadens.com.au ([10.1.8.3]) by hamster.gadens.com.au (8.11.0/8.11.0) with ESMTP id f35NYK262364; Fri, 6 Apr 2001 09:34:21 +1000 (EST) (envelope-from AMcCullagh@exchange.gadens.com.au) Received: by exchange.gadens.com.au with Internet Mail Service (5.5.2653.19) id <12HF5WPD>; Fri, 6 Apr 2001 09:49:24 +1000 Message-ID: <C7006C79F23FD411AFCC00E018C353B43BCBD1@exchange.gadens.com.au> From: Adrian McCullagh <AMcCullagh@exchange.gadens.com.au> To: "'Dave Oshman'" <Dave.Oshman@identrus.com>, ietf-pkix@imc.org Subject: RE: Meaning of Non-repudiation Date: Fri, 6 Apr 2001 09:49:13 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C0BE2B.043EA760" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01C0BE2B.043EA760 Content-Type: text/plain; charset="iso-8859-1" Dave, I wrote a paper on Non-repudiation which was published in the journal "first Monday". First Monday is published by University of Chicago. I enclose a copy for your perusal which may assist in your deliberations. Adrian McCullagh Director of Electronic CommerceTel: 617 3231 1522 Gadens Lawyers Fax: 617 3229 5850 level 39 Central Plaza 1 345 Queen Street Brisbane Australia 4000 Ph. D. Candidate Thesis "The Incorporation of Trust Strategies in Digital Signature Regimes for Elec. Comm." Information Security Research Centre Queensland University of Technology This message is confidential and privileged. It is solely intended for the person or persons named in this message. If this message is received by anyone not named in this message then the sender does not relinquish any rights of confidentiality or legal privilege as regards to the contents of this email. If you are not named in this email then would you please contact the sender and destroy all copies of this email. I thank you for your assistance. -----Original Message----- From: Dave Oshman [mailto:Dave.Oshman@identrus.com] Sent: Friday, April 06, 2001 2:24 AM To: ietf-pkix@imc.org Subject: Meaning of Non-repudiation I am trying to clarify the meaning of non-repudiation (as defined by the technology standards) for our legal counsel. 2459 says this about non-repudiation: The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures used to provide a non- repudiation service which protects against the signing entity falsely denying some action, excluding certificate or CRL signing. The question is what does "some action" mean? Is the action merely signing the transaction? Or, is the action perhaps committing to the terms described in the signed transaction? To rephrase: Is non-repudiation stating simply that I, Dave Oshman, signed this document? Or, is it supposed to mean that I, Dave Oshman, attest that I am committing myself (or my company) to the terms described herein? Is this more clearly defined in X.813 (ITU-T Recommendation X.8131) | ISO/IEC 10181-3:...1), Information technology - Open Systems Interconnection - Security Frameworks in Open Systems - Non-repudiation framework)? Can anyone snip a description of non-repudiation from X.813? Thanks! Dave Oshman Senior Vice President Technology Identrus LLC ------_=_NextPart_000_01C0BE2B.043EA760 Content-Type: application/msword; name="Non Repudiation.doc" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Non Repudiation.doc" 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAlwAAAAAAAAAA EAAAmQAAAAEAAAD+////AAAAAJUAAACWAAAA//////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////s pcEAcQAJBAAACBK/AAAAAAAAEAAAAAAABAAAb5EAAA4AYmpianQrdCsAAAAAAAAAAAAAAAAAAAAA AAAJBBYAQLwAABZBAQAWQQEA5mwAAAAAAACCAAAAAAAAAAAAAAAGIAAAAAAAAAAAAAD//w8AAAAA AAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAAAAAAAAAAAAF0AAAAAAJAPAAAAAAAAkA8AAJAP AAAAAAAAkA8AAAAAAAC+EAAAAAAAAL4QAAAAAAAAvhAAABQAAAAAAAAAAAAAANIQAAAAAAAA0hAA AAAAAADSEAAAAAAAANIQAAA4AAAAChEAADQAAAA+EQAAVAAAANIQAAAAAAAAlDYAAHYCAAC2EQAA AAAAALYRAAA6AAAA8BEAAAAAAADwEQAAAAAAAHISAAAAAAAAchIAAK4AAAAgEwAANAAAAFQTAAAc AAAAlScAAAIAAACXJwAAAAAAAJcnAAAAAAAAlycAAEgAAADfJwAAUAcAAC8vAABQBwAAfzYAAAAA AAAKOQAA9AEAAP46AADqAAAAfzYAABUAAAAAAAAAAAAAAAAAAAAAAAAAvhAAAAAAAABwEwAAAAAA AAAAAAAAAAAAAAAAAAAAAAByEgAAAAAAAHISAAAAAAAAcBMAAAAAAABwEwAAAAAAAH82AAAAAAAA aBQAAAAAAACQDwAAsgAAAEIQAAB8AAAA8BEAAIIAAAAAAAAAAAAAAHISAAAAAAAAthEAAAAAAABo FAAAAAAAAGgUAAAAAAAAaBQAAAAAAABwEwAAlAAAAL4QAAAAAAAAchIAAAAAAAC+EAAAAAAAAHIS AAAAAAAA/SYAAJgAAAAAAAAAAAAAAAAAAAAAAAAA0hAAAAAAAADSEAAAAAAAAJAPAAAAAAAAkA8A AAAAAAC+EAAAAAAAAL4QAAAAAAAAcBMAAAAAAACVJwAAAAAAAGgUAAAYBwAAaBQAAAAAAACAGwAA pgEAAOMhAAD2BAAAvhAAAAAAAAC+EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/SYAAAAAAAByEgAAAAAAAJIRAAAkAAAA8CsrynhG vwHSEAAAAAAAANIQAAAAAAAABBQAAGQAAADZJgAAJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATk9O LVJFUFVESUFUSU9OIElOIFRIRSBESUdJVEFMIEVOVklST05NRU5UIA1CWQ1BZHJpYW4gTWNDdWxs YWdoDU5hdGlvbmFsIERpcmVjdG9yIEVsZWN0cm9uaWMgQ29tbWVyY2UNR2FkZW5zIExhd3llcnMN UGguIEQuICBDYW5kaWRhdGUNSW5mb3JtYXRpb24gU2VjdXJpdHkgUmVzZWFyY2ggQ2VudGVyDVF1 ZWVuc2xhbmQgVW5pdmVyc2l0eSBvZiBUZWNobm9sb2d5DVBoLiAgMDcgMzIzMSAxNTIyDUVtYWls OiAgYW1jY3VsbGFnaEBnYWRlbnMuY29tLmF1DUFuZA1Qcm9mZXNzb3IgV2lsbGlhbSBDYWVsbGkN SGVhZCBvZiBTY2hvb2wNU2Nob29sIG9mIERhdGEgQ29tbXVuaWNhdGlvbnMNUXVlZW5zbGFuZCBV bml2ZXJzaXR5IG9mIFRlY2hub2xvZ3kNUGguICAwNyAzODY0IDI3NTINRW1haWw6ICB3Y2FlbGxp QHF1dC5lZHUuYXUNDE5PTi1SRVBVRElBVElPTiBJTiBUSEUgRElHSVRBTCBFTlZJUk9OTUVOVCgN DZMgVGhlIHRpbWVzIHRoZXkgYXJlIGEgY2hhbmdpbpIglA1Cb2IgRHlsYW4NSW50cm9kdWN0aW9u DVRoZSBpbnZlc3RtZW50IGNvbW11bml0eSBpbiBtYW55IGluc3RhbmNlcyBoYXMgdHJhZGl0aW9u YWxseSByZWxpZWQgaGVhdmlseSBvbiBmYWNlIHRvIGZhY2UgY29tbXVuaWNhdGlvbnMuIFdpdGgg dGhlIGFkdmVudCBvZiBuZXcgZGlnaXRhbCBzaWduYXR1cmUgdGVjaG5vbG9neSwgZmFjZSB0byBm YWNlIGNvbW11bmljYXRpb24gYXMgYSBtYW5uZXIgb2YgZG9pbmcgYnVzaW5lc3Mgd2lsbCBpbiB0 aGUgbm90IHRvbyBkaXN0YW50IGZ1dHVyZSBiZWNvbWUgdGhlIGV4Y2VwdGlvbiBhcyBvcHBvc2Vk IHRvIHRoZSBub3JtLiAgIFRoZSB0eXJhbm55IG9mIGRpc3RhbmNlIGZvciBlZmZlY3RpbmcgYnVz aW5lc3Mgd2lsbCBiZSBvdmVyY29tZSwgc28gYXMgdG8gZW5oYW5jZSB0aGUgZWZmaWNpZW5jaWVz IG9mIGJ1c2luZXNzLiAgIFRoaXMgaXMgb25lIG9mIHRoZSBwcmltYXJ5IGFkdmFudGFnZXMgb2Yg ZWxlY3Ryb25pYyBjb21tZXJjZS4gDUVsZWN0cm9uaWMgQ29tbWVyY2UgaXMgYWZmZWN0aW5nIGFs bCBpbmR1c3RyeSBzZWN0b3JzLiBUaGUgaW52ZXN0bWVudC9maW5hbmNlIGNvbW11bml0eSBoYXMs IG1vcmUgdGhhbiBhbnkgb3RoZXIgY29tbXVuaXR5LCBpbmNyZWFzaW5nbHkgYmVjb21pbmcgZGVw ZW5kZW50IHVwb24gdGVjaG5vbG9neSBhcyBhIGZvdW5kYXRpb24gZm9yIGl0cyBidXNpbmVzcyBz dXJ2aXZhbC4gICBNdWNoIG9mIHRoaXMgaW5mbHVlbmNlIGhhcyBjZW50ZXJlZCB1cG9uIHRoZSBj b3N0IHNhdmluZ3MgdGhhdCBjYW4gYXJpc2UgdGhyb3VnaCB0aGUgdXNlIG9mIHRlY2hub2xvZ3ku ICBUaGVyZSBoYXZlIGJlZW4gbWFueSByZXBvcnRzIGRlYWxpbmcgd2l0aCB0aGUgaW5mbHVlbmNl IHRoYXQgZWxlY3Ryb25pYyBjb21tZXJjZSBpcyBoYXZpbmcgb24gdGhlIGdlbmVyYWwgZWNvbm9t eS4gIFRoZSBiYW5raW5nIGluZHVzdHJ5LCB0aGUgc2VjdXJpdGllcyBpbmR1c3RyeSBhbmQgdGhl IGluc3VyYW5jZSBpbmR1c3RyeSBoYXZlIGVhY2ggaW4gcmVjZW50IHRpbWVzIHRha2VuIGEgc3Bl Y2lmaWMgaW50ZXJlc3QgaW4gZWxlY3Ryb25pYyBjb21tZXJjZSBhbmQgdGhlIGJlbmVmaXRzIHRo YXQgbWF5IGJlIGF2YWlsYWJsZSB0byB0aGVtIGVpdGhlciBpbmRpdmlkdWFsbHkgb3IgY3Jvc3Mg c2VjdGlvbmFsbHkuICANRnVuZGFtZW50YWxseSwgZWxlY3Ryb25pYyBjb21tZXJjZSBpbnZvbHZl cyB0aGUgdXNlIG9mIHJlbW90ZSBjb21tdW5pY2F0aW9ucyBhbmQgdGhlcmVmb3JlIG5lY2Vzc2l0 YXRlcyB0aGUgcGFydGllcyB0byBhdXRoZW50aWNhdGUgb25lIGFub3RoZXICLiAgT25lIG9mIHRo ZSBwcmltYXJ5IHRlY2hub2xvZ2llcyBwcm9wb3NlZCB0byBlZmZlY3QgYXV0aGVudGljYXRpb24g aXMgZGlnaXRhbCBzaWduYXR1cmUgdGVjaG5vbG9neSwgd2hpY2ggc29tZSBjb21tZW50YXRvcnMg aGF2ZSBpZGVudGlmaWVkLCBwcm92aWRlcyB0aGUgaW52ZXN0bWVudC9maW5hbmNlIGNvbW11bml0 eSB3aXRoIHN1YnN0YW50aWFsIGNvc3QgZWZmaWNpZW5jaWVzAi4gICBBIGZ1cnRoZXIgY2xhaW1l ZCBhZHZhbnRhZ2Ugb2YgZGlnaXRhbCBzaWduYXR1cmUgdGVjaG5vbG9neSBjb25jZXJucyB0aGUg aXNzdWUgb2YgIm5vbh5yZXB1ZGlhdGlvbiIgY2xhaW1lZCBieSB0aGUgcmVseWluZyBwYXJ0eSBv ZiBhIGRpZ2l0YWxseSBzaWduZWQgZG9jdW1lbnQgYWdhaW5zdCB0aGUgYWxsZWdlZCBzaWduZXIg b2YgdGhlIGVsZWN0cm9uaWMgZG9jdW1lbnQuAg1UaGUgaXNzdWUgaXMgLSB3aGF0IGRvZXMgdGhl IHRlcm0gIm5vbh5yZXB1ZGlhdGlvbiIgcmVhbGx5IG1lYW4/ICBUaGlzIHBhcGVyIHdpbGwgb25s eSBkZWFsIHdpdGggdGhlIGluY29uc2lzdGVuY3kgdGhhdCBoYXMgYXJpc2VuIGJldHdlZW4gdGhl IGNyeXB0byBtZWFuaW5nIGFuZCB0aGUgbGVnYWwgbWVhbmluZy4gIEluIHNvIGRvaW5nIHRoaXMg cGFwZXIgZGVhbHMgd2l0aCB0aGUgZm9sbG93aW5nIGlzc3VlczoNdGhlIGxlZ2FsIG1lYW5pbmcg b2Ygk25vbi1yZXB1ZGlhdGlvbpQgOw10aGUgY3J5cHRvIG1lYW5pbmcgb2Ygk25vbi1yZXB1ZGlh dGlvbpQ7DXRoZSBVTkNJVFJBTCBNb2RlbCBMYXcgYW5kIHRoZSBvbnVzIG9mIHByb29mIGlzc3Vl IHVuZGVyIEFydGljbGUgMTM7DXRoZSB0ZWNobmljYWwgdnVsbmVyYWJpbGl0aWVzIGluIGFkb3B0 aW5nIEFydGljbGUgMTMNVHJ1c3RlZCBzeXN0ZW1zIGFzIGEgYmFzaXMgdG8gc3VwcG9ydCB0aGUg Q29tbW9uIExhdyBwb3NpdGlvbg1Db25jbHVzaW9uIA1UaGlzIHBhcGVyIHdpbGwgc2hvdyB0aGF0 IGxhdyBtYWtlcnMgYXJvdW5kIHRoZSB3b3JsZCBhcmUgYmVpbmcgY29uZnVzZWQgYnkgdGhlc2Ug ZGVmaW5pdGlvbnMgYW5kIGFyZSBpbiB0dXJuIGNyZWF0aW5nIGEgZnVuZGFtZW50YWwgYW5kIG1h am9yIHByb2JsZW0gYnkgbm90IGFkZHJlc3NpbmcgdGhlIGlzc3VlIG9mICJ0cnVzdCIgYXQgdGhl IHNpZ25lcpJzIGVuZCBvZiB0aGUgZWxlY3Ryb25pYyBjb21tdW5pY2F0aW9uIHdpdGhpbiB0aGUg ZWxlY3Ryb25pYyBjb21tZXJjZSBlbnZpcm9ubWVudC4gIA1UcmFkaXRpb25hbCBMZWdhbCBtZWFu aW5nIG9mIJNOb24tcmVwdWRpYXRpb26UDVRoZXJlIGlzIGEgZGVmaW5pdGlvbmFsIGRpc3RpbmN0 aW9uIGJldHdlZW4gdGhlIGxlZ2FsIHVzZSBvZiB0aGUgdGVybSAibm9uHnJlcHVkaWF0aW9uIiBh bmQgdGhlIGNyeXB0by10ZWNobmljYWwgdXNlIG9mIHRoaXMgdGVybS4gICBJbiB0aGUgbGVnYWwg c2Vuc2UgYW4gYWxsZWdlZCBzaWduYXRvcnkgdG8gYSBkb2N1bWVudCBpcyBhbHdheXMgYWJsZSB0 byByZXB1ZGlhdGUgYSBzaWduYXR1cmUgdGhhdCBoYXMgYmVlbiBhdHRyaWJ1dGVkIHRvIGhpbS9o ZXIuAiAgVGhlIGJhc2lzIGZvciBhIHJlcHVkaWF0aW9uIG9mIGEgdHJhZGl0aW9uYWwgc2lnbmF0 dXJlIG1heSBpbmNsdWRlOg1UaGUgc2lnbmF0dXJlIGJlaW5nIGEgZm9yZ2VyeTsNVGhlIHNpZ25h dHVyZSBub3QgYmVpbmcgYSBmb3JnZXJ5LCBidXQgaGF2aW5nIGJlZW4gb2J0YWluZWQgdmlhOg1V bmNvbnNjaW9uYWJsZSBjb25kdWN0IGJ5IGEgcGFydHkgdG8gYSB0cmFuc2FjdGlvbjsCDUZyYXVk IGluc3RpZ2F0ZWQgYnkgYSB0aGlyZCBwYXJ0eTsCDVVuZHVlIGluZmx1ZW5jZSBleGVydGVkIGJ5 IGEgdGhpcmQgcGFydHkuAg1UaGVyZSBhcHBlYXJzIHRvIGJlIGEgbW92ZW1lbnQgd2l0aGluIHRo ZSBlbGVjdHJvbmljIGNvbW1lcmNlIGVudmlyb25tZW50IHRvIHRha2UgYXdheSB0aGVzZSBmdW5k YW1lbnRhbCByaWdodHMgdGhhdCBleGlzdCB3aXRoaW4gdGhlIGNvbW1vbiBsYXcganVyaXNkaWN0 aW9ucy4CICBUaGUgZ2VuZXJhbCBydWxlIG9mIGV2aWRlbmNlIGlzIHRoYXQgaWYgYSBwZXJzb24g ZGVuaWVzIGEgcGFydGljdWxhciBzaWduYXR1cmUgdGhlbiBpdCBmYWxscyB1cG9uIHRoZSByZWx5 aW5nIHBhcnR5IHRvIHByb3ZlIHRoYXQgdGhlIHNpZ25hdHVyZSBpcyB0cnVseSB0aGF0IG9mIHRo ZSBwZXJzb24gZGVueWluZyBpdAIuICAgSXQgc2hvdWxkIGJlIHVuZGVyc3Rvb2QgdGhhdCB0aGUg dGVybSCTZGVueZQgYW5kIHRoZSB0ZXJtIJNyZXB1ZGlhdGWUIGFyZSBzeW5vbnltb3VzIGFuZCB0 aGlzIHBvc2l0aW9uIGlzIHN1cHBvcnRlZCBieSBzdGFuZGFyZCBkaWN0aW9uYXJ5IGRlZmluaXRp b25zLgIgDUZ1cnRoZXJtb3JlLCB0aGUgY29tbW9uIGxhdyB0cnVzdCBtZWNoYW5pc20gZXN0YWJs aXNoZWQgdG8gb3ZlcmNvbWUgYSBmYWxzZSBjbGFpbSBvZiBub24tcmVwdWRpYXRpb24gaXMgd2l0 bmVzc2luZwIuICBUaGUgaW1wb3J0YW50IGFzcGVjdCBvZiB3aXRuZXNzaW5nIGlzIHRoYXQgaXQg aXMgZWZmZWN0ZWQgYXQgdGhlIHRpbWUgdGhlIHNpZ25hdHVyZSBpcyBiZWluZyBhZmZpeGVkLiAg IFRoYXQgaXMsIGJ5IGhhdmluZyBhbiBpbmRlcGVuZGVudCBhZHVsdCB3aXRuZXNzIHRoZSBzaWdu aW5nIG9mIHRoZSBkb2N1bWVudCB0aGF0IGlzIGV2aWRlbmNpbmcgdGhlIHRyYW5zYWN0aW9uIGJ5 IHRoZSBhbGxlZ2VkIHNpZ25hdG9yeSByZWR1Y2VzIHRoZSBhYmlsaXR5IG9mIHRoZSBhbGxlZ2Vk IHNpZ25hdG9yeSB0byBzdWNjZXNzZnVsbHkgZGVueSB0aGUgc2lnbmF0dXJlIGFzIGEgZm9yZ2Vy eSBhdCBhIGxhdGVyIGRhdGUuICBJdCBpcyBhbHdheXMgb3BlbiBmb3IgdGhlIGFsbGVnZWQgc2ln bmF0b3J5IHRvIGRlbnkgdGhlIHNpZ25hdHVyZSBvbiBvdGhlciBncm91bmRzIHN1Y2ggYXMgdGhv c2UgZW51bWVyYXRlZCBhYm92ZS4NVGhlIGlzc3VlIHRoYXQgYXJpc2VzIGlzIHdoZXRoZXIgYSBk aWdpdGFsIHNpZ25hdHVyZSBzaG91bGQgYmUgdHJlYXRlZCBkaWZmZXJlbnRseSB0byB0aGF0IG9m IGEgdHJhZGl0aW9uYWwgc2lnbmF0dXJlLiAgSXQgaXMgc3VibWl0dGVkIHRoYXQgdGhlIGxhdyBz aG91bGQgbm90IGluIHRoZSBlbGVjdHJvbmljIGNvbW1lcmNlIGVudmlyb25tZW50IGFsdGVyIHRo aXMgcG9zaXRpb24gYXMgcmVnYXJkcyB0byB0aGUgbGVnYWwgcmlnaHRzIG9mIHBhcnRpZXMgdG8g cmVwdWRpYXRlIGEgZGlnaXRhbCBzaWduYXR1cmUuAiAgR292ZXJubWVudHOSIHdvcmxkd2lkZSBo YXZlIGNvbnNpc3RlbnRseSBlc3BvdXNlZCB0aGlzIHBvc2l0aW9uAi4gIFRoZSBlbGVjdHJvbmlj IGNvbW1lcmNlIGVudmlyb25tZW50IHNob3VsZCBub3QgaGF2ZSBkaWZmZXJlbnQgcnVsZXMgdG8g dGhlIHJ1bGVzIHRoYXQgaGF2ZSBkZXZlbG9wZWQgb3ZlciBtYW55IGNlbnR1cmllcyBpbiB0aGUg cGFwZXItYmFzZWQgZW52aXJvbm1lbnQuIFRoZXNlIHJ1bGVzIGhhdmUgYmVlbiBkZXZlbG9wZWQg YW5kIGp1ZGljaWFsbHkgdGVzdGVkIHNvIGFzIG5vdCB0byBkaXNhZHZhbnRhZ2UgYW55IHBhcnR5 IHRvIHRyYW5zYWN0aW9uLg1UaGVyZSBpcyBhIGNsZWFyIGNvbnRyYWRpY3RvcnkgcG9zaXRpb24g YmV0d2VlbiB0aGUgdGVjaG5pY2FsIG1lYW5pbmcgYW5kIHRoZSBsZWdhbCBtZWFuaW5nIG9mIHRo ZSB0ZXJtICJub24tcmVwdWRpYXRpb24iIHdoZXJlIHRoZXJlIGlzIGEgY2xlYXIgY2FzZSBvZiBm b3JnZXJ5IGFzIHJlZ2FyZHMgdG8gYW4gYWxsZWdlZCBkaWdpdGFsIHNpZ25hdHVyZS4NSW4gdGhl IHRyYWRpdGlvbmFsIGxlZ2FsIHNlbnNlIHRoZSBvbnVzIG9mIHByb29mIGluIGEgY2FzZSBpbnZv bHZpbmcgYSBmb3JnZWQgcGFwZXItYmFzZWQgc2lnbmF0dXJlIGxpZXMgdXBvbiB0aGUgcGFydHkg d2lzaGluZyB0byByZWx5IHVwb24gdGhlIHNpZ25hdHVyZS4gIFRoZSByZWx5aW5nIHBhcnR5IGlu IHJlbGF0aW9uIHRvIGFuIGFsbGVnZWQgZm9yZ2VkIHNpZ25hdHVyZSBpcyByZXF1aXJlZCB0byBl c3RhYmxpc2g6DUluIGEgY2l2aWwgYWN0aW9uLCBvbiB0aGUgYmFsYW5jZSBvZiBwcm9iYWJpbGl0 aWVzOyBhbmQNSW4gYSBjcmltaW5hbCBhY3Rpb24sIGJleW9uZCByZWFzb25hYmxlIGRvdWJ0LA10 aGF0IHRoZSBzaWduYXR1cmUgaXMgbm90IGEgZm9yZ2VyeS4NVGhhdCBpcywgaWYgdGhlIGFsbGVn ZWQgc2lnbmF0b3J5IGRpc3B1dGVzIHRoZSBzaWduYXR1cmUgYXMgYmVsb25naW5nIHRvIGhpbS9o ZXIgdGhlbiB0aGUgb251cyBmYWxscyB1cG9uIHRoZSByZWx5aW5nIHBhcnR5IHRvIHByb3ZlIHRo YXQgdGhlIHNpZ25hdHVyZSBpcyBpbiBmYWN0IHRoYXQgb2YgdGhlIGFsbGVnZWQgc2lnbmF0b3J5 Lg1DcnlwdG8tdGVjaG5pY2FsIG1lYW5pbmcgb2Ygk25vbi1yZXB1ZGlhdGlvbpQNSW4gZ2VuZXJh bCB0ZXJtcywgdGhlIHRlcm0gIm5vbi1yZXB1ZGlhdGlvbiIgY3J5cHRvLXRlY2huaWNhbGx5IG1l YW5zOg1JbiBhdXRoZW50aWNhdGlvbiwgYSBzZXJ2aWNlIHRoYXQgcHJvdmlkZXMgcHJvb2Ygb2Yg dGhlIGludGVncml0eSBhbmQgb3JpZ2luIG9mIGRhdGEsIGJvdGggaW4gYW4gdW5mb3JnZWFibGUg cmVsYXRpb25zaGlwLCB3aGljaCBjYW4gYmUgdmVyaWZpZWQgYnkgYW55IHRoaXJkIHBhcnR5IGF0 IGFueSB0aW1lOyBvcg1JbiBhdXRoZW50aWNhdGlvbiwgYW4gYXV0aGVudGljYXRpb24gdGhhdCB3 aXRoIGhpZ2ggYXNzdXJhbmNlIGNhbiBiZSBhc3NlcnRlZCB0byBiZSBnZW51aW5lLCBhbmQgdGhh dCBjYW4gbm90IHN1YnNlcXVlbnRseSBiZSByZWZ1dGVkLiAoRW1waGFzaXMgYWRkZWQpAg1UaGUg dGVybSCTcmVmdXRlZJQgYWNjb3JkaW5nIHRvIHRoZSBTaG9ydGVyIE94Zm9yZCBEaWN0aW9uYXJ5 IGFsc28gbWVhbnMgYW1vbmcgb3RoZXIgdGhpbmdzIJNkZW55lC4gIEluIDE5OTgsIHRoZSBBdXN0 cmFsaWFuIEZlZGVyYWwgR292ZXJubWVudJJzIEVsZWN0cm9uaWMgQ29tbWVyY2UgRXhwZXJ0IEdy b3VwIGFkb3B0ZWQgYSB0ZWNobmljYWwgbWVhbmluZyBpbiBpdHMgcmVwb3J0IHRvIHRoZSBBdXN0 cmFsaWFuIEZlZGVyYWwgQXR0b3JuZXkgR2VuZXJhbCwgYnkgZGVmaW5pbmcgk05vbi1yZXB1ZGlh dGlvbpQgYXMgZm9sbG93czoNTm9uLXJlcHVkaWF0aW9uIGlzIGEgcHJvcGVydHkgYWNoaWV2ZWQg dGhyb3VnaCBjcnlwdG9ncmFwaGljIG1ldGhvZHMgd2hpY2ggcHJldmVudHMgYW4gaW5kaXZpZHVh bCBvciBlbnRpdHkgZnJvbSBkZW55aW5nIGhhdmluZyBwZXJmb3JtZWQgYSBwYXJ0aWN1bGFyIGFj dGlvbiByZWxhdGVkIHRvIGRhdGEgKHN1Y2ggYXMgbWVjaGFuaXNtcyBmb3Igbm9uLXJlamVjdGlv biBvciBhdXRob3JpdHkgKG9yaWdpbik7IGZvciBwcm9vZiBvZiBvYmxpZ2F0aW9uLCBpbnRlbnQs IG9yIGNvbW1pdG1lbnQ7IG9yIGZvciBwcm9vZiBvZiBvd25lcnNoaXApLgIoRW1waGFzaXMgYWRk ZWQpDUl0IGlzIHRoaXMgZGVuaWFsIG9mIHRoZSByaWdodCBvZiBiZWluZyBhYmxlIHRvIHJlcHVk aWF0ZQIgYSBkaWdpdGFsIHNpZ25hdHVyZSB0aGF0IGNhdXNlcyBncmVhdCBjb25jZXJuIGFuZCBp cyByZXN1bHRpbmcgaW4gYSBtaXNpbnRlcnByZXRhdGlvbiBvZiBpdHMgdXNlIHdpdGhpbiBkaWdp dGFsIHNpZ25hdHVyZSByZWdpbWVzLiBBZGRpdGlvbmFsbHksIHRoZSBkcmFmdCBzdGFuZGFyZCBm b3IgR3VpZGVsaW5lcyBmb3IgdGhlIHVzZSBhbmQgbWFuYWdlbWVudCBvZiBUcnVzdGVkIFRoaXJk IFBhcnR5IHNlcnZpY2VzIHRoYXQgaGFzIGJlZW4gcHJvbXVsZ2F0ZWQgYnkgdGhlIEludGVybmF0 aW9uYWwgU3RhbmRhcmRzIE9yZ2FuaXNhdGlvbiBhcyByZWdhcmRzIHRvIE5vbi1yZXB1ZGlhdGlv biBTZXJ2aWNlcwIgcHJvdmlkZXMgdGhhdDoNVFRQcyBtYXkgYmUgaW52b2x2ZWQgaW4gdGhlIHBy b3Zpc2lvbiBvZiBub24tcmVwdWRpYXRpb24gc2VydmljZXMsIGRlcGVuZGluZyBvbiB0aGUgbWVj aGFuaXNtcyB1c2VkIGFuZCB0aGUgbm9uLXJlcHVkaWF0aW9uIHBvbGljeSBpbiBmb3JjZS4gVGhl IHB1cnBvc2Ugb2Ygbm9uLXJlcHVkaWF0aW9uLCBpbiBjb25mb3JtYW5jZSB3aXRoIElTTy9JRUMg MTM4ODgtMSwgLTIgYW5kIC0zLCBpcyB0byBwcm92aWRlIHZlcmlmaWFibGUgcHJvb2Ygb3IgZXZp ZGVuY2UgcmVjb3JkaW5nIG9mIGRhdGEsIGJhc2VkIG9uIGNyeXB0b2dyYXBoaWMgY2hlY2sgdmFs dWVzIGdlbmVyYXRlZCBieSB1c2luZyBzeW1tZXRyaWMgb3IgYXN5bW1ldHJpYyBjcnlwdG9ncmFw aGljIHRlY2huaXF1ZXMsIG9mOg1BcHByb3ZhbCAtIE5vbi1yZXB1ZGlhdGlvbiBvZiBhcHByb3Zh bCBzZXJ2aWNlIHByb3ZpZGVzIHByb29mIG9mIHdob20gaXMgcmVzcG9uc2libGUgZm9yIGFwcHJv dmFsIG9mIHRoZSBjb250ZW50IG9mIGEgbWVzc2FnZTsNU2VuZGluZyAtIE5vbi1yZXB1ZGlhdGlv biBvZiBzZW5kaW5nIHNlcnZpY2UgcHJvdmlkZXMgcHJvb2Ygb2Ygd2hvIHNlbnQgYSBtZXNzYWdl Ow1PcmlnaW4gLSBOb24tcmVwdWRpYXRpb24gb2Ygb3JpZ2luIHNlcnZpY2UgaXMgYSBjb21iaW5h dGlvbiBvZiBhcHByb3ZhbCBhbmQgc2VuZGluZyBzZXJ2aWNlcyBhcyBpdCBwcm92aWRlcyBwcm9v ZiBvZiB3aG9tIGlzIHJlc3BvbnNpYmxlIGZvciBhcHByb3ZhbCBvZiB0aGUgY29udGVudCBhbmQg d2hvIHNlbnQgYSBtZXNzYWdlOw1TdWJtaXNzaW9uIC0gTm9uLXJlcHVkaWF0aW9uIG9mIHN1Ym1p c3Npb24gc2VydmljZSBwcm92aWRlcyBwcm9vZiB0aGF0IGEgZGVsaXZlcnkgYXV0aG9yaXR5IGhh cyBhY2NlcHRlZCBhIG1lc3NhZ2UgZm9yIHRyYW5zbWlzc2lvbjsNVHJhbnNwb3J0IC0gTm9uLXJl cHVkaWF0aW9uIG9mIHRyYW5zcG9ydCBzZXJ2aWNlIHByb3ZpZGVzIHByb29mIGZvciB0aGUgbWVz c2FnZSBvcmlnaW5hdG9yIHRoYXQgYSBkZWxpdmVyeSBhdXRob3JpdHkgaGFzIGRlbGl2ZXJlZCBh IG1lc3NhZ2UgdG8gdGhlIGludGVuZGVkIHJlY2lwaWVudDsNUmVjZWlwdCAtIE5vbi1yZXB1ZGlh dGlvbiBvZiByZWNlaXB0IHNlcnZpY2UgcHJvdmlkZXMgcHJvb2YgdGhhdCB0aGUgcmVjaXBpZW50 IHJlY2VpdmVkIGEgbWVzc2FnZTsNS25vd2xlZGdlIC0gTm9uLXJlcHVkaWF0aW9uIG9mIGtub3ds ZWRnZSBzZXJ2aWNlIHByb3ZpZGVzIHByb29mIHRoYXQgdGhlIHJlY2lwaWVudCByZWNvZ25pc2Vk IHRoZSBjb250ZW50IG9mIGEgcmVjZWl2ZWQgbWVzc2FnZTsgYW5kDURlbGl2ZXJ5IC0gTm9uLXJl cHVkaWF0aW9uIG9mIGRlbGl2ZXJ5IHNlcnZpY2UgaXMgYSBjb21iaW5hdGlvbiBvZiByZWNlaXB0 IGFuZCBrbm93bGVkZ2Ugc2VydmljZXMgYXMgaXQgcHJvdmlkZXMgcHJvb2YgdGhhdCB0aGUgcmVj aXBpZW50IHJlY2VpdmVkIGFuZCByZWNvZ25pc2VkIHRoZSBjb250ZW50IG9mIGEgbWVzc2FnZS4N SW4gdGhlIGVsZWN0cm9uaWMgY29tbWVyY2UgZW52aXJvbm1lbnQsIHRoZSB0ZWNobmljYWwgbWVh bmluZyBvZiB0aGUgdGVybSAiTm9uHnJlcHVkaWF0aW9uIiBlaXRoZXIgc2hpZnRzIHRoZSBvbnVz IG9mIHByb29mIGZyb20gdGhlIHJlY2lwaWVudCB0byB0aGUgYWxsZWdlZCBzaWduYXRvcnkgb3Ig ZW50aXJlbHkgZGVuaWVzIHRoZSBzaWduYXRvcnkgdGhlIHJpZ2h0IHRvIHJlcHVkaWF0ZSBhIGRp Z2l0YWwgc2lnbmF0dXJlLiAgVGhhdCBpcywgaWYgYSBkaWdpdGFsIHNpZ25hdHVyZSBpcyB2ZXJp ZmllZCBzbyBhcyB0byBpZGVudGlmeSB0aGUgb3duZXIgb2YgdGhlIHByaXZhdGUga2V5IHRoYXQg d2FzIHVzZWQgdG8gY3JlYXRlIHRoZSBkaWdpdGFsIHNpZ25hdHVyZSBpbiBxdWVzdGlvbiB0aGVu IGl0IGlzIHRoYXQgcGVyc29uIHdobyBoYXMgdGhlIG9udXMgb2YgcHJvdmluZyB0aGF0IGl0IGlz IG5vdCB0aGVpciBkaWdpdGFsIHNpZ25hdHVyZS4gIEhlbmNlLCB0aGVyZSBpcyBhIHNoaWZ0IGlu IHRoZSBidXJkZW4gb2YgcHJvb2YuICBUaGlzIGNyeXB0by10ZWNobmljYWwgcG9zaXRpb24gZG9l cyBub3QgY29ycmVzcG9uZCB3aXRoIHdoYXQgb2NjdXJzIGluIHRoZSBwYXBlci1iYXNlZCBlbnZp cm9ubWVudCBmb3IgdHJhZGl0aW9uYWwgc2lnbmF0dXJlcy4NU29tZSBjb21tZW50YXRvcnMgaGF2 ZSBnb25lIHNvIGZhciBhcyB0byBhZHZvY2F0ZSB0aGF0IGlmIHRoZSBkaWdpdGFsIHNpZ25hdHVy ZSBpcyB2ZXJpZmllZCB0aGVuIHRoZSBvd25lciBvZiB0aGUgcHJpdmF0ZSBrZXkgaXMgcHJldmVu dGVkIGZyb20gcmVwdWRpYXRpbmcgdGhlIGRpZ2l0YWwgc2lnbmF0dXJlLiAgVGhpcyBpcyBjbGVh cmx5IHRoZSBwb3NpdGlvbiB0YWtlbiBpbiB0aGUgc2Vjb25kIG1lYW5pbmcgYWJvdmUgb2YgdGhl IHRlcm0uDUl0IGlzIHN1Ym1pdHRlZCB0aGF0IHRoZSB0ZWNobmljYWwgbWVhbmluZyBvZiBub24t cmVwdWRpYXRpb24gaXMgd3JvbmcgYXMgaXQgZG9lcyBub3QgdGFrZSBhY2NvdW50IG9mIHRoZSBw b3NzaWJpbGl0eSBvZiBwcml2YXRlIGtleSB0aGVmdCBhbmQvb3IgaWxsaWNpdCB1c2FnZSBzbyBh cyB0byBlZmZlY3QgaWRlbnRpdHkgdGhlZnQuICBGdXJ0aGVybW9yZSwgdGhlIHRlY2huaWNhbCBt ZWFuaW5nIHJlbGF0ZXMgdG8gcG9zdCBzaWduYXR1cmUgZXZlbnRzIGFuZCBub3QgdG8gdGhlIGFj dHVhbCBzaWduaW5nIG1lY2hhbmlzbS4gIFRoYXQgaXMsIHRoZSB0cmFkaXRpb25hbCBjb25jZXB0 IG9mIHdpdG5lc3NpbmcgdGhlIGFmZml4YXRpb24gb2YgYSB0cmFkaXRpb25hbCBzaWduYXR1cmUg aXMgdG8gcmVkdWNlIHRoZSBpbmNpZGVuY2Ugb2YgZm9yZ2VkIHNpZ25hdHVyZXMuICBPbmUgb2Yg dGhlIHByaW1hcnkgcm9sZXMgb2YgdGhlIFRUUCBpcyB0byBlc3RhYmxpc2ggYSByZXBvc2l0b3J5 IG9mIGRpZ2l0YWwgY2VydGlmaWNhdGVzIHRoYXQgZW1ib2R5IHRoZSBwdWJsaWMga2V5IHRoYXQg Y29ycmVzcG9uZHMgdG8gdGhlIHByaXZhdGUga2V5IHVzZWQgdG8gZWZmZWN0IHRoZSBkaWdpdGFs IHNpZ25hdHVyZS4gVGhlIGNlcnRpZmljYXRlIGlzIHVzZWQgYnkgdGhlIHJlbHlpbmcgcGFydHkg dG8gdmVyaWZ5IHRoYXQgdGhlIGRpZ2l0YWwgc2lnbmF0dXJlIHdhcyBlZmZlY3RlZCB1c2luZyB0 aGUgcHJpdmF0ZSBrZXkgdGhhdCBjb3JyZXNwb25kcyB0byB0aGUgcHVibGljIGtleSB0aGF0IGlz IGVtYm9kaWVkIGluIHRoZSBkaWdpdGFsIGNlcnRpZmljYXRlLiAgSXRzIHVzYWdlIGRvZXMgbm90 IHJlbGF0ZSB0byB0aGUgc2lnbmluZyBwcm9jZXNzIGluIGFueSB3YXkuDUEgZnVydGhlciBjb21w bGljYXRpbmcgZmFjdG9yIGlzIHRoYXQgUkZDIDI0NTkgWzFdIHNwZWNpZmllcyBhIGJpdCB3aXRo aW4gdGhlIEtleVVzYWdlIGV4dGVuc2lvbiBjYWxsZWQgdGhlIE5vbnJlcHVkaWF0aW9uIGJpdC4g IFRoaXMgYml0IGlzICJhc3NlcnRlZCB3aGVuIHRoZSBzdWJqZWN0IHB1YmxpYyBrZXkgaXMgdXNl ZCB0byB2ZXJpZnkgZGlnaXRhbCBzaWduYXR1cmVzIHVzZWQgdG8gcHJvdmlkZSBhIG5vbi1yZXB1 ZGlhdGlvbiBzZXJ2aWNlIHdoaWNoIHByb3RlY3RzIGFnYWluc3QgdGhlIHNpZ25pbmcgZW50aXR5 IGZhbHNlbHkgZGVueWluZyBzb21lIGFjdGlvbiwgZXhjbHVkaW5nIGNlcnRpZmljYXRlIG9yIENS TCBzaWduaW5nIi4gICBJdCBpcyBkaWZmaWN1bHQgdG8gYWNjZXB0IHRoYXQgdGhlIHVzZSBvZiBh IHNpbmdsZSBiaXQgd2l0aGluIGFuIGV4dGVuc2lvbiBvZiBhIGRpZ2l0YWwgY2VydGlmaWNhdGUg Y2FuIHN1ZmZpY2llbnRseSBhdHRyaWJ1dGUgbm9uLXJlcHVkaWF0aW9uLiAgVGhlIHZlcmlmaWNh dGlvbiBvZiBhIGRpZ2l0YWwgc2lnbmF0dXJlIGRvZXMgbm90IGxvZ2ljYWxseSBwcm92ZSB0aGF0 IGlzIHdhcyB0aGUgYWxsZWdlZCBzaWduYXRvcnkgd2hvIGFjdHVhbGx5IGFmZml4ZWQgdGhlIGRp Z2l0YWwgc2lnbmF0dXJlLiAgVGhlIHZlcmlmaWNhdGlvbiBwcm9jZXNzIG9ubHkgZXN0YWJsaXNo ZXMgdGhhdCB0aGUgcHJpdmF0ZSBrZXkgb2YgdGhlIHBlcnNvbiB3aG9zZSBwdWJsaWMga2V5IGlz IHNwZWNpZmllZCBpbiB0aGUgZGlnaXRhbCBjZXJ0aWZpY2F0ZQIgd2FzIHVzZWQgdG8gYWZmaXgg dGhlIGRpZ2l0YWwgc2lnbmF0dXJlLiAgVGhpcyB2ZXJpZmljYXRpb24gcHJvY2VzcyBpcyBhIHBv c3Qgc2lnbmluZyBtZWNoYW5pc20gYW5kIGRvZXMgbm90IGNvcnJlc3BvbmQgdG8gdGhlIHRydXN0 ZWQgd2l0bmVzc2luZyBtZWNoYW5pc20gZXN0YWJsaXNoZWQgd2l0aGluIHRoZSB0cmFkaXRpb25h bCBzaWduYXR1cmUgZW52aXJvbm1lbnQuAg1JdCBpcyB0aGUgcHJvbXVsZ2F0aW9uIG9mIHRoZSB1 c2Ugb2YgdGhlIHRlcm0gbm9uLXJlcHVkaWF0aW9uIGFuZCBpdHMgbWVhbmluZyB3aXRoaW4gdGhl IHRlY2huaWNhbCBjb21tdW5pdHkgdGhhdCBpcyBjb25mdXNpbmcgdGhlIGxlZ2FsIHBvbGljeSBj b21tdW5pdHkuICBUaGlzIGNvbmZ1c2lvbiBhbHNvIGV4dGVuZCB0byB0aGUgcm9sZSBhbmQgdXNl IG9mIHRoZSBlbnRpdHkga25vd24gYXMgYSCTVHJ1c3RlZCBUaGlyZCBQYXJ0eZQgYXMgdGhpcyBw YXJ0eSBkb2VzIG5vdCBwYXJ0aWNpcGF0ZSBpbiB0aGUgc2lnbmluZyBwcm9jZXNzLiAgDVRoaXMg aXMgYmVzdCBpbGx1c3RyYXRlZCBieSB0aGUgcG9zaXRpb24gdGFrZW4gYnkgdGhlIGRyYWZ0ZXJz IG9mIHRoZSBVTkNJVFJBTCBNb2RlbCBMYXcuIA1VTkNJVFJBTCBNb2RlbCBMYXcgliBBcnRpY2xl IDEzAg1UaGVyZSBpcyBhIHN0cm9uZyBtb3ZlbWVudCBhdCBsYXcgZm9yIHRoZXJlIHRvIGJlIGVz dGFibGlzaGVkIGEgcmV2ZXJzYWwgb2YgdGhlIG9udXMgb2YgcHJvb2YgYXMgcmVnYXJkcyB0byBk aWdpdGFsIHNpZ25hdHVyZXMuICBUaGUgcG9zaXRpb24gYmVpbmcgcHJvbW90ZWQgaXMgZm9yIHRo ZSBhbGxlZ2VkIHNpZ25hdG9yeSB0byBoYXZlIHRoZSBvbnVzIG9mIHByb29mIGluIGVzdGFibGlz aGluZyB0aGF0IGhlL3NoZSBkaWQgbm90IGRpZ2l0YWxseSBzaWduIHRoZSBkb2N1bWVudC4gIA1U aGVyZSBhcmUgYXQgbGF3IG9ubHkgYSBmZXcgZXhhbXBsZXMgd2hlcmUgYSBkZWZlbmRhbnQgaGFz IGZyb20gdGhlIGNvbW1lbmNlbWVudCBvZiBhbiBhY3Rpb24gdGhlIG9udXMgb2YgcHJvb2YuICBJ biB0YXhhdGlvbiBjYXNlcywgaXQgaXMgY29tbW9uIGZvciB0aGUgb251cyBvZiBwcm9vZiB0byBs aWUgd2l0aCB0aGUgdGF4cGF5ZXIuICBBZnRlciBhbGwsIGl0IGlzIHRoZSB0YXhwYXllciB0aGF0 L3dobyBpcyBjbGFpbWluZyBhIHBhcnRpY3VsYXIgcG9zaXRpb24gYW5kIGFzIHN1Y2ggaXMgaW4g dGhlIGJldHRlciBwb3NpdGlvbiB0byBkaXNwcm92ZSB0aGUgcmV2ZW51ZSBjb2xsZWN0aW5nIGJv ZHkncyBjYXNlLg1Bbm90aGVyIGV4YW1wbGUsIG9mIHdoZXJlIHRoZSBvbnVzIG9mIHByb29mIGlz IHJldmVyc2VkLCBvY2N1cnMgd2hlbiB0aGUgcGxhaW50aWZmIGluIGEgbmVnbGlnZW5jZSBhY3Rp b24gcmVsaWVzIHVwb24gdGhlIGxlZ2FsIG1heGltIHJlcyBpcHNhIGxvcXVpdHVyAi4gDUluIGEg bmVnbGlnZW5jZSBhY3Rpb24sIHRoZSBwbGFpbnRpZmYgZ2VuZXJhbGx5IGhhcyB0aGUgb251cyBv ZiBwcm9vZiBpbiBlc3RhYmxpc2hpbmcgdGhhdCB0aGUgZGVmZW5kYW50IGZhaWxlZCB0byBtZWV0 IHRoZSBzdGFuZGFyZCBvZiBjYXJlIHJlcXVpcmVkIGJ5IGxhdy4gIFRoaXMgb251cyBvZiBwcm9v ZiBpcyBpbiBlZmZlY3Qgc2hpZnRlZCBpbiBjYXNlcyB3aGVyZSB0aGUgcGxhaW50aWZmIGlzIGFi bGUgdG8gZXN0YWJsaXNoIHRoYXQgdGhlIGV2ZW50IHdvdWxkIG5vdCBoYXZlIG9jY3VycmVkIGJ1 dCBmb3IgdGhlIG5lZ2xpZ2VuY2Ugb24gdGhlIHBhcnQgb2YgdGhlIGRlZmVuZGFudC4NSW4gc3Vj aCBjYXNlcywgaXQgaXMgZm9yIHRoZSBkZWZlbmRhbnQgdG8gdGVuZGVyIHN1Y2ggZXZpZGVuY2Ug YXMgdG8gZGlzcHJvdmUgbmVnbGlnZW5jZS4gIEhlbmNlLCB0aGVyZSBpcyBhIHNoaWZ0aW5nIG9m IGJ1cmRlbiBvZiBwcm9vZi4NSXQgaGFzIGJlZW4gcHJvcG9zZWQgYXMgcmVnYXJkcyB0byB0aGUg ZWxlY3Ryb25pYyBjb21tZXJjZSBlbnZpcm9ubWVudCBpbiB0aGUgVU5DSVRSQUwgRWxlY3Ryb25p YyBDb21tZXJjZSBNb2RlbCBMYXcsIEFydGljbGUgMTMgdGhhdCB0aGUgb251cyBvZiBwcm9vZiBz aG91bGQgbGllIHVwb24gdGhlIGFsbGVnZWQgc2lnbmF0b3J5IHRvIHNob3cgdGhhdCB0aGUgZGln aXRhbCBzaWduYXR1cmUgaXMgYSBmb3JnZXJ5LiAgDVRoaXMgaXMgY29udHJhcnkgdG8gdGhlIHBv c2l0aW9uIGluIHRoZSBwYXBlci1iYXNlZCBlbnZpcm9ubWVudC4NSW4gc3VtbWFyeSwgdGhlIHRo cmVlIHBvc2l0aW9ucyBhcmU6DSgJRWxlY3Ryb25pYyBDb21tZXJjZSBFbnZpcm9ubWVudCAoQXJ0 aWNsZSAxMyBNb2RlbCBMYXcpDU9udXMgb2YgcHJvb2YgaXMgdXBvbiB0aGUgc2lnbmF0b3J5IHRv IHByb3ZlIHRoYXQgdGhlIGRpZ2l0YWwgc2lnbmF0dXJlIGlzIGEgZm9yZ2VyeS4NRWxlY3Ryb25p YyBDb21tZXJjZSBFbnZpcm9ubWVudCAoU2VjdGlvbiAxNSBvZiB0aGUgRWxlY3Ryb25pYyBUcmFu c2FjdGlvbnMgQWN0IChDV1RIKSAxOTk5AikNVGhlIEVDRUcgaW4gaXRzIDE5OTggcmVwb3J0IHNw ZWNpZmljYWxseSByZWplY3RlZCBBcnRpY2xlIDEzLCBhcyB0aGUgZWxlY3Ryb25pYyBjb21tZXJj ZSBlbnZpcm9ubWVudCBzaG91bGQgbm90IGJlIGRpZmZlcmVudCB0byB0aGF0IG9mIHRoZSBwYXBl ci1iYXNlZCBlbnZpcm9ubWVudC4gIFNlY3Rpb24gMTUgcHJvdmlkZXMgdGhhdCBhIHBlcnNvbiBw dXJwb3J0aW5nIHRvIGJlIHRoZSBvcmlnaW5hdG9yIG9mIGEgZWxlY3Ryb25pYyBjb21tdW5pY2F0 aW9uIHdpbGwgb25seSBiZSBib3VuZCBieSB0aGUgZWxlY3Ryb25pYyBjb21tdW5pY2F0aW9uIGlm IGluIGZhY3QgdGhlIGVsZWN0cm9uaWMgY29tbXVuaWNhdGlvbiB3YXMgaW4gZmFjdCBzZW50IGJ5 IHRoYXQgcGVyc29uIHdpdGggdGhlaXIgYXV0aG9yaXR5LiAgVGhpcyBwb3NpdGlvbiBjb3JyZXNw b25kcyB3aXRoIHRoZSBjb21tb24gbGF3IHBvc2l0aW9uIGFuZCBhcyBzdWNoIHRoZSBvbnVzIG9m IHByb29mIHdpbGwgbGllIHdpdGggdGhlIHJlbHlpbmcgcGFydHkuDSgJUGFwZXIgQmFzZWQgRW52 aXJvbm1lbnQNT251cyBvZiBwcm9vZiBpcyB1cG9uIHRoZSByZWx5aW5nIHBhcnR5IHRvIHByb3Zl IHRoYXQgdGhlIHNpZ25hdHVyZSBpcyBub3QgYSBmb3JnZXJ5LiAgDUluIHRoZSBwYXBlci1iYXNl ZCBlbnZpcm9ubWVudCB0aGVyZSBleGlzdHMgYW4gYWJzb2x1dGUgdHJ1c3RlZCBzeXN0ZW0gYmVj YXVzZSB0aGUgc2lnbmF0b3J5IGlzIHBsYWNlZCBpbiB0aGUgcG9zaXRpb24gb2YgdG90YWwgY29u dHJvbCBvdmVyIHRoZSBzaWduaW5nIG1lY2hhbmlzbSBhbmQgdGhlIHNpZ25hdG9yeSBkb2VzIG5v dCBoYXZlIHRvIHJlbHkgb24gYW55IGV4dGVybmFsIGluZm9ybWF0aW9uIG9yIGJlbGllZiBpbiBv cmRlciB0byBhZmZpeCBoaXMvaGVyIHNpZ25hdHVyZS4gICBUaGUgc2FtZSBpcyBub3QgdHJ1ZSBp biB0aGUgZWxlY3Ryb25pYyBjb21tZXJjZSBlbnZpcm9ubWVudCBiZWNhdXNlIHRoZSBzaWduYXRv cnkgaGFzIHRvIHJlbHkgb24gdGhlIHNpZ25pbmcgbWVjaGFuaXNtIHRvIGFmZml4IGEgZGlnaXRh bCBzaWduYXR1cmUgb25seSBvbiB0aGUgaW50ZW5kZWQgZG9jdW1lbnQuICANVGVjaG5pY2FsIFZ1 bG5lcmFiaWxpdGllcyBvZiBBcnRpY2xlIDEzIGFuZCB0aGUgQ29tbW9uIExhdyBQb3NpdGlvbg1C b3RoIHRoZSBDb21tb24gTGF3IHBvc2l0aW9uIGFuZCB0aGUgQXJ0aWNsZSAxMyBwb3NpdGlvbiBp cyBpbiB0aGUgYXV0aG9yc5Igb3BpbmlvbiBub3Qgc3VzdGFpbmFibGUgdW5sZXNzIHRoZSBzaWdu aW5nIG1lY2hhbmlzbSBpcyBlZmZlY3RlZCB2aWEgYSB0cnVzdGVkIGVudmlyb25tZW50LiAgSW4g MTk4NCwgVGhvbXBzb24gc2hvd2VkIHRoYXQgbW9iaWxlIGNvZGUgd2FzIGEgbWFqb3IgcHJvYmxl bSBhbmQgdGhhdCBpdCB3YXMgcmVsYXRpdmVseSBlYXN5IHRvIGRldmVsb3AuAiANVGhlIGNvbmNl cm4gYWJvdXQgbW9iaWxlIGNvZGUgaXMgaW5jcmVhc2luZyBhbmQgd2lsbCBiZWNvbWUgYW4gZXZl biBncmVhdGVyIHByb2JsZW0gYmVjYXVzZSBvZiB0aGUgZGVwbG95bWVudCBvZiBBRFNMIHRlY2hu b2xvZ3kgYW5kIGNhYmxlIG1vZGVtIGFjY2Vzcy4gAiAgVGhlIHVzZSBvZiBBRFNMIHdpbGwgcGVy bWl0IHRoZSBnZW5lcmFsIHB1YmxpYyB0byBiZSBwZXJtYW5lbnRseSBjb25uZWN0ZWQgdG8gdGhl IEludGVybmV0LiAgVGhpcyB3aWxsIHJlc3VsdCBpbjoNUEOScyBoYXZpbmcgYSBwZXJtYW5lbnQg SVAgYWRkcmVzcyBpbnN0ZWFkIG9mIGJlaW5nIGFsbG9jYXRlZCBhIGR5bmFtaWMgSVAgYWRkcmVz cyBlYWNoIHRpbWUgdGhlIFBDIGlzIGNvbm5lY3RlZCB0byB0aGUgSW50ZXJuZXQuICBIYXZpbmcg YSBwZXJtYW5lbnQgSVAgYWRkcmVzcyBpbmNyZWFzZXMgdGhlIHZ1bG5lcmFiaWxpdHkgdG8gYXR0 YWNrcyBieSBoYWNrZXJzIGJlY2F1c2UgaXQgaW5jcmVhc2VzIHRoZSB0aW1lIGJ5IHdoaWNoIHRo ZSBoYWNrZXIgY2FuIGVmZmVjdCB0aGUgYXR0YWNrLiAgQSBkeW5hbWljIElQIGFkZHJlc3MgcmVk dWNlcyB0aGUgdGltZSBieSB3aGljaCBhIGhhY2tlciBjYW4gZWZmZWN0IGEgc3VjY2Vzc2Z1bCBh dHRhY2s7DVBDknMgdGhhdCBhcmUgbm90IGxvY2F0ZWQgYXQgY29tbWVyY2lhbCBjZW50ZXJzIGFu ZCB0aHVzIGJlaGluZCBhIHNlY3VyaXR5IGZpbHRlciBzdWNoIGFzIGEgZmlyZXdhbGwsIGJlY29t ZSBleHBvc2VkIHRvIHBvc3NpYmxlIGF0dGFja3MgYnkgaGFja2Vycy4CDVVuZm9ydHVuYXRlbHks IHRoZXJlIGRvZXMgbm90IGFwcGVhciB0byBiZSBhbnkgdHJ1c3R3b3J0aHkgZmlsdGVyaW5nIHRl Y2hub2xvZ3kgY29tbWVyY2lhbGx5IGF2YWlsYWJsZSB0aGF0IGNhbiByZXNpZGUgb24gUEOScy4g IFRoZXJlZm9yZSBzdWNoIFBDknMgYXJlIHZ1bG5lcmFibGUgdG8gYXR0YWNrLiAgT25lIG9mIHRo ZSBtb3JlIHByZXZhbGVudCBhdHRhY2tzIGluIHJlY2VudCB5ZWFycyBoYXMgYmVlbiB0aGUgdXNl IG9mIG1vYmlsZSBjb2RlIHN1Y2ggYXMgYSB0cm9qYW4gaG9yc2UgdG8gc3VycmVwdGl0aW91c2x5 IG9wZXJhdGUgY292ZXJ0bHkgb24gY29tcHV0ZXIgc3lzdGVtcy4NSXQgaXMgbm90IGRpZmZpY3Vs dCB0byBpbWFnaW5lIGEgdmlydXMvdHJvamFuIGhvcnNlIHRoYXQgaXMgZGVzaWduZWQgdG8gc3Rl YWwgcHJpdmF0ZSBrZXlzLiBUaGlzIGlzIHBhcnRpY3VsYXJseSBlYXN5IGlmIHRoZSBwcml2YXRl IGtleSBpcyBzdG9yZWQgaW4gYSBjb21tb25seSBrbm93biBmaWxlLCBzdWNoIGFzIJNQR1BQcml2 YXRlS2V5UmluZ5QuICAgVGhlIHZpcnVzL3Ryb2phbiBob3JzZSBjb3VsZCBiZSBhIFZpc3VhbCBC YXNpYyBtYWNybyB0aGF0IGlzIGF0dGFjaGVkIHRvIE1Td29yZCBkb2N1bWVudHMuICBJdHMgZnVu Y3Rpb24gY291bGQgYmUgdG8gc2VhcmNoIHRoZSBoYXJkLWRyaXZlIGZvciB0aGUgUEdQIHNlY3Jl dCBrZXkgcmluZyBhbmQgb25jZSBmb3VuZCB0aGUgdmlydXMvdHJvamFuIGhvcnNlIGNvdWxkIEZU UCB0aGUgcHJpdmF0ZSBrZXkgdG8gdGhlIHJlbW90ZSBsb2NhbGl0eQIuIFRoZSB2aXJ1cy90cm9q YW4gaG9yc2UgY291bGQgcGVyZm9ybSBpdHMgZnVuY3Rpb25zIHdpdGhvdXQgdGhlIGtub3dsZWRn ZSBvZiB0aGUgb3duZXIgb2YgdGhlIFBDLiAgVGhhdCBpcywgdGhlIHZpcnVzL3Ryb2phbiBob3Jz ZSBjb3VsZCB0dXJuIG9mZiBjZXJ0YWluIGRpc3BsYXkgZnVuY3Rpb25zIHNvIHRoYXQgbm8gZGlh bG9ndWUgYm94ZXMgYXJlIGRpc3BsYXllZC4gICBPbiBjb21wbGV0aW9uIG9mIHRoZSB0cmFuc2Zl ciB0aGUgdmlydXMvdHJvamFuIGhvcnNlIHRoZW4gY291bGQgY2hlY2sgdGhlIGFkZHJlc3MgYm9v ayBvbiB0aGUgdGFyZ2V0IFBDIGFuZCBzZW5kIGEgd29yZCBkb2N1bWVudCB3aXRoIGl0c2VsZiBh dHRhY2hlZCB0byA1IG90aGVyIHVuc3VzcGVjdGluZyBwZW9wbGUuICBGaW5hbGx5IHRoZSB2aXJ1 cy90cm9qYW4gaG9yc2UgY291bGQgZGVzdHJveSBpdHNlbGYgYW5kIGluIHRoZSBwcm9jZXNzIGRl bGV0ZSBhbnkgcmVsZXZhbnQgZW50cmllcyBpbiB0aGUgc2VudCBtYWlsIGZvbGRlci4gIFN1Y2gg YSB2aXJ1cy90cm9qYW4gaG9yc2Ugd291bGQgYmUgYSBjbGVhciB2aW9sYXRpb24gb2YgYSBwcm9w ZXJseSBmb3JtdWxhdGVkIHNlY3VyaXR5IHBvbGljeS4gIEZvciBleGFtcGxlLCBpZiBvYmplY3Qv YWN0aXZpdHkgbGFiZWxpbmcgc2VjdXJpdHkgbWVjaGFuaXNtIHBhcmFkaWdtIHdhcyBpbXBsZW1l bnRlZCB0aGVuIHRoZSB0cm9qYW4gd291bGQgbm90IGJlIGNhcGFibGUgb2YgcGVyZm9ybWluZyBp dHMgZnVuY3Rpb25zIGFzIHRoZSB0cm9qYW4gaG9yc2Ugd291bGQgbm90IGJlIHJlY29nbmlzZWQg YnkgdGhlIHNlY3VyaXR5IGtlcm5lbCBhcyBhIHZhbGlkIHN1YmplY3QsIGEgdmFsaWQgb2JqZWN0 IG9yIGEgdmFsaWQgYWN0aXZpdHkCLg1TaGFtaXIgYW5kIFZhbiBTb21lcmVuAiBoYXZlIHByb3Bv c2VkIGEgbW9iaWxlIGNvZGUgYXR0YWNrIHRoYXQgaXMga25vd24gYXMgdGhlIGx1bmNodGltZSBh dHRhY2suICBUaGlzIGF0dGFjayBpbnZvbHZlcyB0aGUgZWZmaWNpZW50IHNlYXJjaGluZyBmb3Ig UlNBIGNyeXB0b2dyYXBoaWMga2V5cyBpbiBsYXJnZSBhbW91bnRzIG9mIGRhdGEgdGhhdCBtYXkg YmUgc3RvcmVkIG9uIHRoZSBoYXJkLWRyaXZlIG9mIGEgUEMuICBUaGUgcHJpdmF0ZSBrZXkgYW5k IHRoZSBwdWJsaWMga2V5IGluIHRoZSBSU0EgY3J5cHRvLXN5c3RlbSBjb21wcmlzZXM6DVByaXZh dGUga2V5OiBlIGFuZCBuDVB1YmxpYyBrZXk6IGQgYW5kIG4uDVRoZSBtb2R1bHVzIG4gZm9ybXMg dml0YWwgcGFydCBvZiB0aGUgcHJpdmF0ZSBrZXkgYW5kIHRoZSBwdWJsaWMga2V5LiAgVGh1cywg aWYgYSBoYXJkLWRyaXZlIHdhcyBzZWFyY2hlZCBmb3IgcmFuZG9tbmVzcyBhbmQgd2l0aGluIGFu eSByYW5kb20gc2VjdGlvbiBsb2NhdGVkIGEgc2VhcmNoIHdhcyB1bmRlcnRha2VuIGZvciBhIGJp dCBzdHJpbmcgdGhhdCBjb3JyZXNwb25kcyB0byBuLCB0aGVuIHRoZSBwcml2YXRlIGtleSBtYXkg aGF2ZSBiZWVuIGxvY2F0ZWQuICBUaGUgZWZmaWNpZW5jeSBvZiB0aGlzIGF0dGFjayBpcyB0aGF0 IHRoZSBhbW91bnQgb2YgZGF0YSB0byBiZSBzZWFyY2hlZCBpcyBncmVhdGx5IHJlZHVjZWQuDUl0 IGlzIG5vdCBkaWZmaWN1bHQgdG8gc2VlIHRoYXQgdGhlc2UgYXR0YWNrcyBncmVhdGx5IGhhbXBl ciBhbiBhbGxlZ2VkIHNpZ25hdG9yeSB3aGVyZSB0aGUgTW9kZWwgTGF3IGlzIGltcGxlbWVudGVk IHdpdGhpbiBhIGxlZ2lzbGF0aXZlIG1lY2hhbmlzbS4gIEhvdyBjYW4gYW4gYWxsZWdlZCBzaWdu YXRvcnkgZXZlciBzdWNjZXNzZnVsbHkgZGVueSB0aGF0IGl0IHdhcyBub3QgaGltL2hlciB3aG8g c2lnbmVkIHRoZSBkb2N1bWVudD8gIFVuZGVyIHRoZSBNb2RlbCBMYXcgcG9zaXRpb24gdGhlIGFs bGVnZWQgc2lnbmF0b3J5IGhhcyB0aGUgb251cyBvZiBwcm9vZiBpbiBzaG93aW5nIHRoYXQgaXQg d2FzIG5vdCBoaW0vaGVyIHdobyBzaWduZWQgdGhlIGRvY3VtZW50Lg1GdXJ0aGVybW9yZSB3aXRo IHRoaXMgdHlwZSBvZiBhdHRhY2sgcmVsYXRpdmVseSBlYXN5IHRvIGltcGxlbWVudDogaG93IGNh biBhIHJlbHlpbmcgcGFydHkgdW5kZXIgdGhlIGNvbW1vbiBsYXcgcG9zaXRpb24gZXZlciBwcm9k dWNlIHN1ZmZpY2llbnQgZXZpZGVuY2UgdG8gZXN0YWJsaXNoIHRoYXQgaXMgd2FzIHRoZSBhbGxl Z2VkIHNpZ25hdG9yeSB3aG8gc2lnbmVkIHRoZSBkb2N1bWVudD8gICBVbmRlciB0aGUgY29tbW9u IGxhdywgdGhlIHJlbHlpbmcgcGFydHkgaGFzIHRoZSBvbnVzIG9mIHByb29mIGluIGVzdGFibGlz aGluZyB0aGF0IHRoZSBhbGxlZ2VkIHNpZ25hdG9yeSBkaWQgaW4gZmFjdCBhZmZpeCB0aGF0IHNp Z25hdHVyZS4gIFRoZSBjb21tb24gbGF3IHBvc2l0aW9uIGhhcyBkZXZlbG9wZWQgdW5kZXIgYSBw YXBlci1iYXNlZCBlbnZpcm9ubWVudCB3aGVyZSB3aXRuZXNzaW5nIHdhcyB0aGUgdHJ1c3RlZCBt ZWNoYW5pc20gdG8gcHJldmVudCBub24tcmVwdWRpYXRpb24gb2YgYSBzaWduYXR1cmUuICBXaXRo IHRoaXMgdHJ1c3RlZCBtZWNoYW5pc20gaXQgd2FzIHJlYXNvbmFibGUgZm9yIHRoZSBvbnVzIG9m IHByb29mIHRvIGxpZSB1cG9uIHRoZSByZWx5aW5nIHBhcnR5IHRvIHNob3cgdGhhdCB0aGUgYWxs ZWdlZCBzaWduYXRvcnkgZGlkIGluIGZhY3Qgc2lnbiB0aGUgZG9jdW1lbnQuDVdpdGhvdXQgdGhl IGltcGxlbWVudGF0aW9uIG9mIGEgdHJ1c3RlZCBzaWduaW5nIG1lY2hhbmlzbXMgaXQgZG9lcyBu b3QgbWF0dGVyIHdoaWNoIHBvc2l0aW9uIGlzIGFkb3B0ZWQuICBOZWl0aGVyIHBvc2l0aW9uIChN b2RlbCBsYXcgb3IgQ29tbW9uIExhdykgYWRlcXVhdGVseSBwcm92aWRlcyBhIHNvbHV0aW9uIHRv IHRoZSBvbnVzIG9mIHByb29mIHJlcXVpcmVtZW50Lg1UcnVzdGVkIENvbXB1dGluZyBTeXN0ZW1z DUEgdHJ1c3RlZCBjb21wdXRpbmcgc3lzdGVtIGlzIGEgY29tcHV0aW5nIHN5c3RlbSB0aGF0IHBl cmZvcm1zIGluIGFjY29yZGFuY2Ugd2l0aCBpdHMgZG9jdW1lbnRlZCBzcGVjaWZpY2F0aW9uIGFu ZCB3aWxsIHByZXZlbnQgYW55IHVuYXV0aG9yaXNlZCBhY3Rpdml0eS4gIFNwZWNpZmljYWxseSBh IHRydXN0ZWQgY29tcHV0aW5nIHN5c3RlbSBjYW4gYmUgcmVsaWVkIHVwb24gdG8gZW5mb3JjZSBh IGRvY3VtZW50ZWQgc2VjdXJpdHkgcG9saWN5LiAgU3VjaCBzeXN0ZW1zIGFyZSB1c3VhbGx5IGNs YXNzaWZpZWQgYXMgcHJvdmlkaW5nIGVpdGhlciBkaXNjcmV0aW9uYXJ5IG9yIG1hbmRhdG9yeSBz ZWN1cml0eSBlbmZvcmNlbWVudCBwb2xpY2llcyBhbmQgZnVuY3Rpb25hbGl0eS4NVGhlIHJvbGUg b2YgdHJ1c3RlZCBzeXN0ZW1zIGhhcyBmb3IgbW9yZSB0aGFuIDMwIHllYXJzIGJlZW4gaWRlbnRp ZmllZCBhcyBhIHByb3BlciBtZWNoYW5pc20gdG8gcHJvdGVjdCB0aGUgY29ycmVjdCBmdW5jdGlv bmluZyBvZiBhIGNvbXB1dGVyIHN5c3RlbS4NQ29tcHV0ZXIgc3lzdGVtcyBhcmUgY29udGludWFs bHkgdW5kZXIgdGhyZWF0IG9mIGF0dGFjayBieSBub3Qgb25seSBoYWNrZXJzIGJ1dCBlc3BlY2lh bGx5IHRocm91Z2ggdGhlIHVzZSBvZiAibW9iaWxlIGNvZGUiLiAgVGhlc2UgYXR0YWNrcyBzaW5j ZSB0aGUgZGV2ZWxvcG1lbnQgYW5kIGNvbnRpbnVlZCBhZHZhbmNlbWVudCBvZiB0aGUgSW50ZXJu ZXQgaGF2ZSBzdWJzdGFudGlhbGx5IGluY3JlYXNlZC4NVGhlIG9yaWdpbiBvZiBuZXR3b3JrIHNl Y3VyaXR5IHdhcyBmaXJzdCBhcHByb2FjaGVkIGluIHRoZSBkZWZlbmNlIGVudmlyb25tZW50IGJ5 IHRoZSBkZXZlbG9wbWVudCBvZiB0aGUgVVMgIlJhaW5ib3cgU2VyaWVzIiBpbiB0aGUgMTk4MJJz IHdoaWNoIGFkdmFuY2VkIHRoZSBwcm9wb3NpdGlvbiBvZiBjb21wdXRlciBzeXN0ZW0gcHJvdGVj dGlvbiB0aHJvdWdoIHRoZSBjb25zdHJ1Y3Rpb24gb2YgYSAiVHJ1c3RlZCBDb21wdXRpbmcgQmFz ZSIuICBUaGUgY2xhc3NpZmljYXRpb24gb2YgdHJ1c3RlZCBzeXN0ZW1zIGhhcyByZWNlbnRseSBi ZWVuIHN0YW5kYXJkaXNlZCBpbnRlcm5hdGlvbmFsbHkgdW5kZXIgdGhlIGdlbmVyYWwgdGVybSCT Q29tbW9uIENyaXRlcmlhlCAoSVNPIDE1NDA4KS4NSW4gdGhlIFVTQSBpdCBpcyBub3cgcmVjb2du aXNlZCB0aGF0IHRoZSBOYXRpb25hbCBJbmZvcm1hdGlvbiBJbmZyYXN0cnVjdHVyZSBpcyBjcml0 aWNhbCB0byB0aGUgZW50aXJlIHNvY2lhbCBmYWJyaWMgb2YgdGhlIFVTIGVjb25vbXkuICBCdXQg c3VjaCByZWFsaXNhdGlvbiBzaG91bGQgbm90IGJlIFVTIGNlbnRyaWMgYnV0IHJhdGhlciBiZSBh cHByb2FjaGVkIGZyb20gYSBnbG9iYWwgcGVyc3BlY3RpdmUuICBUaGUgZGV2ZWxvcG1lbnQgb2Yg dGhlIEdsb2JhbCBJbmZvcm1hdGlvbiBJbmZyYXN0cnVjdHVyZSBhbmQgaXRzIGNvbnZlcnNpb24g ZnJvbSBhIHB1cmVseSBkZWZlbmNlL2FjYWRlbWljIGVudmlyb25tZW50IHRvIGEgY29tbWVyY2lh bCBjZW50cmljIHZlaGljbGUgaGFzIGJlZW4gYSBwcmltYXJ5IGltcGV0dXMgaW4gdGhlIGRldmVs b3BtZW50IG9mIHRoZSBDb21tb24gQ3JpdGVyaWEgYXMgYW4gaW50ZXJuYXRpb25hbCBzdGFuZGFy ZCAoSVNPKS4gIEJ1dCB0aGUgQ29tbW9uIENyaXRlcmlhIG9ubHkgYWRkcmVzcyB0aGUgc2VjdXJp dHkgY3JpdGVyaWEgb2Ygc3lzdGVtcyB0aGF0IGhhdmUgYmVlbiBkZXNpZ25lZCBhbmQgbWFudWZh Y3R1cmVkIGFnYWluc3Qga25vd24gc2VjdXJpdHkgYXJjaGl0ZWN0dXJlLg1UaGUgcHJvYmxlbSBs aWVzIGluIHRoZSBjb25uZWN0aW9uIG9mIG1hbnkgdW50cnVzdGVkIHN5c3RlbXMgYnkgd2hhdCBl dmVyIG1lYW5zIHRoZSBwYXJ0aWVzIHNvIHNlbGVjdC4gIENPVFMgcHJvZHVjdHMgaGF2ZSBwcm9s aWZlcmF0ZWQgdGhlIGNvbXB1dGluZyBsYW5kc2NhcGUgYW5kIHRoZSBwZXJ2YXNpdmVuZXNzIG9m IHVudHJ1c3RlZCBvcGVyYXRpbmcgc3lzdGVtcyBhbmQgYWxsaWVkIHNvZnR3YXJlIHN1Yi1zeXN0 ZW1zIGhhcyB2aXJ0dWFsbHkgbWFkZSBpdCBpbXBvc3NpYmxlIGZvciB0cnVzdCB0byBiZSBhbGxv Y2F0ZWQgdG8gYW55IHRyYW5zYWN0aW9uIHRoYXQgaXMgZWZmZWN0ZWQgdXNpbmcgc3VjaCBjb21w dXRpbmcgc3lzdGVtcy4gSW4gb3JkZXIgdG8gb3ZlcmNvbWUgdGhpcyBzZWN1cml0eSBmbGF3IGl0 IGlzIHBvc3NpYmxlIHRvIGltcGxlbWVudCBoaWdobHkgdHJ1c3RlZCBzdWJzeXN0ZW1zIHdoaWNo IG1heSBiZSByZWFzb25hYmx5IGFuZCBjb3N0IGVmZmVjdGl2ZWx5IGluY29ycG9yYXRlZCBpbiB1 bnRydXN0ZWQgc3lzdGVtcy4gIEFuIGV4YW1wbGUgb2YgdGhpcyBpcyB0aGUgdW50cnVzdGVkIGNh c2ggcmVnaXN0ZXIgYW5kIHRoZSBpbmNvcnBvcmF0aW9uIG9mIGEgc2VwYXJhdGUgk3BpbiBwYWSU IHRoYXQgaXMgYW4gaW50ZWdyYWwgcGFydCBvZiB0aGUgaGlnaGx5IHRydXN0ZWQgRUZUUE9TIHN5 c3RlbSBpbiBBdXN0cmFsaWEuDVRoZSBvbmx5IHBvc2l0aW9uIGF2YWlsYWJsZSBhdCBsYXcgaXMg Zm9yIHRoZSBkaWdpdGFsIHNpZ25hdHVyZSBtZWNoYW5pc20gdG8gYmUgZWZmZWN0ZWQgdmlhIGEg dHJ1c3RlZCBjb21wdXRpbmcgc3lzdGVtLiAgU3VjaCBhIGJhc2Ugc2hvdWxkIGJlIGF0IGxlYXN0 IEJsIChUQ1NFQykvRTMoSVRTRUMpLyBvciBldmVuIHBvc3NpYmx5IEIyKFRDU0VDKS9FNCggSVRT RUMpIG9yIHRoZWlyIGVxdWl2YWxlbnQgaW4gdGhlIENvbW1vbiBDcml0ZXJpYS4NV2hpbGUgc2Vj dXJpdHkgZnVuY3Rpb25zIGFuZCB0aGVpciByZWxpYWJpbGl0eSBhc3Nlc3NtZW50IGFyZSBhIGJh c2ljIHJlcXVpcmVtZW50IGZvciBJVFNFQy9UQ1NFQyBldmFsdWF0aW9uIHRoZXJlIGlzIGFuIGV2 ZW4gbW9yZSBmdW5kYW1lbnRhbCBuZWVkIGluIHJlbGF0aW9uIHRvIG92ZXJhbGwgc3lzdGVtIHJl bGlhYmlsaXR5IGFuZCB0aHVzIHRydXN0LiBUaGUgb3JpZ2luYWwgVENTRUMgbm9taW5hdGVkIHNp eCBmdW5kYW1lbnRhbCByZXF1aXJlbWVudHMgb2YgYW55IGNvbXB1dGVyIHN5c3RlbSB0aGF0IGFp bXMgYXQgYXR0YWluaW5nIGEgbGV2ZWwgb2YgdHJ1c3R3b3J0aGluZXNzLiBUaGVzZSB3ZXJlOg1T ZWN1cml0eSBQb2xpY3k6IFRoZXJlIG11c3QgYmUgYW4gZXhwbGljaXQgYW5kIHdlbGwgZGVmaW5l ZCBzZWN1cml0eSBwb2xpY3kgZW5mb3JjZWQgYnkgdGhlIHN5c3RlbTsNTWFya2luZzogQWNjZXNz IGNvbnRyb2wgbGFiZWxzIG11c3QgYmUgYXNzb2NpYXRlZCB3aXRoIG9iamVjdHM7DUlkZW50aWZp Y2F0aW9uOiBJbmRpdmlkdWFsIHN1YmplY3RzICh1c2VycykgbXVzdCBiZSBpZGVudGlmaWVkOw1B Y2NvdW50YWJpbGl0eTogQXVkaXQgaW5mb3JtYXRpb24gbXVzdCBiZSBzZWxlY3RpdmVseSBrZXB0 IGFuZCBwcm90ZWN0ZWQgc28gdGhhdCBhY3Rpb25zIGFmZmVjdGluZyBzZWN1cml0eSBjYW4gYmUg dHJhY2VkIHRvIHRoZSByZXNwb25zaWJsZSBwYXJ0eTsgDUFzc3VyYW5jZTogQ29tcHV0ZXIgc3lz dGVtIG11c3QgY29udGFpbiBoYXJkd2FyZS9zb2Z0d2FyZSBtZWNoYW5pc21zIHRoYXQgY2FuIGJl IGluZGVwZW5kZW50bHkgZXZhbHVhdGVkIHRvIHByb3ZpZGUgc3VmZmljaWVudCAgYXNzdXJhbmNl IHRoYXQgdGhlIHN5c3RlbSBlbmZvcmNlcyB0aGUgc2VjdXJpdHkgcmVxdWlyZW1lbnRzOyBhbmQN Q29udGludW91cyBQcm90ZWN0aW9uOiBUaGUgdHJ1c3RlZCBtZWNoYW5pc20gZW5mb3JjaW5nIHRo ZXNlIGJhc2ljIHJlcXVpcmVtZW50cyBtdXN0IGJlIGNvbnRpbnVvdXNseSBwcm90ZWN0ZWQgYWdh aW5zdCB0YW1wZXJpbmcgYW5kL29yIHVuYXV0aG9yaXNlZCBjaGFuZ2VzLiALDVdpdGggdGhlc2Ug ZnVuZGFtZW50YWwgcmVxdWlyZW1lbnRzIGluIG1pbmQsIElUU0VDIHdlbnQgZnVydGhlciB0aGFu IFRDU0VDIGFuZCBzZXBhcmF0ZWQgc2VjdXJpdHkgZnVuY3Rpb25zIGZyb20gdGhlaXIgcmVsaWFi aWxpdHkgYW5kL29yIGFzc2Vzc21lbnQuIEl0IGRlZmluZWQgc2V2ZW4gZXZhbHVhdGlvbiBsZXZl bHMgdG8gZm9ybSBhICCTdHJ1c3QgaGllcmFyY2h5lCBpbiB0aGUgcmVsaWFibGUgb3BlcmF0aW9u IG9mIHRoZSBzZWN1cml0eSBmZWF0dXJlcyBvZiBhbiBpbmZvcm1hdGlvbiBzeXN0ZW0uIFNlY3Vy aXR5IGZ1bmN0aW9ucyB3ZXJlIHRvIGJlIGFzc2Vzc2VkIG9yIGV2YWx1YXRlZCBieSBodW1hbiCT ZXZhbHVhdG9yc5QgYW5kIGFzIGEgcmVzdWx0IG9mIHRoYXQgZXZhbHVhdGlvbiBhIHNpbXBsZSBt ZWFzdXJlbWVudCBvciB0YWcgd2FzIHRvIGJlIGFzc29jaWF0ZWQgd2l0aCB0aGUgZnVuY3Rpb25z LiBUaGUgd29yZHMgdXNlZCBhcmUgaW1wb3J0YW50IHNpbmNlIHRoZXkgZW1waGFzaXplIHRoaXMg YnVpbGRpbmcgb2YgdHJ1c3QgYnkgaHVtYW4gdXNlcnMgaW4gb3ZlcmFsbCBpbmZvcm1hdGlvbiBz eXN0ZW1zLiAgVGhlIGFzc3VyYW5jZSBsZXZlbHMgYXJlIGFzIGZvbGxvd3M6ICANRTAJSW5hZGVx dWF0ZSBhc3N1cmFuY2UNRTEJSW5mb3JtYWwgZGVzY3JpcHRpb24gb2YgYXJjaGl0ZWN0dXJhbCBk ZXNpZ24gb2YgcHJvZHVjdC9zeXN0ZW0gZXhpc3RzOg1GdW5jdGlvbmFsIHRlc3RpbmcgdXNlZCB0 byBjb25maXJtIHRhcmdldCBpcyBtZXQuDQ1FMglFMSBwbHVzOg1JbmZvcm1hbCBkZXNjcmlwdGlv biBvZiBkZXRhaWxlZCBkZXNpZ24gZXhpc3RzOiALRXZpZGVuY2Ugb2YgZnVuY3Rpb25hbCB0ZXN0 aW5nIHRvIGJlIGV2YWx1YXRlZAtDb25maWd1cmF0aW9uIGNvbnRyb2wgc3lzdGVtIGV4aXN0cwtB cHByb3ZlZCBkaXN0cmlidXRpb24gcHJvY2VzcyBleGlzdHMNRTMJRTIgcGx1czoNU291cmNlIGNv ZGUgYW5kL29yIHNjaGVtYXRpY3MgZm9yIGhhcmR3YXJlIHRvIGJlIGV2YWx1YXRlZA1FdmlkZW5j ZSBvZiB0ZXN0aW5nIG9mIHRoZXNlIG11c3QgYmUgZXZhbHVhdGVkDUU0CUUzIHBsdXM6DVVuZGVy bHlpbmcgZm9ybWFsIG1vZGVsIG9mIHNlY3VyaXR5IHBvbGljeSBzdXBwb3J0aW5nIHRoZSBzZWN1 cml0eSB0YXJnZXQgZXhpc3RzLCBhbmQNU2VjdXJpdHkgZW5mb3JjaW5nIGZ1bmN0aW9ucywgYXJj aGl0ZWN0dXJhbCBkZXNpZ24sIGRldGFpbGVkIGRlc2lnbiBzcGVjaWZpZWQgaW4gc2VtaS1mb3Jt YWwgc3R5bGUNRTUJRTQgcGx1czoNQ2xvc2UgY29ycmVzcG9uZGVuY2UgYmV0d2VlbiBkZXRhaWxl ZCBkZXNpZ24gYW5kIHNvZnR3YXJlIHNvdXJjZSBjb2RlL2VuZ2luZWVyaW5nIGhhcmR3YXJlIGRl c2lnbiBkcmF3aW5ncy4NRTYJRTUgcGx1czoNU2VjdXJpdHkgZW5mb3JjaW5nIGZ1bmN0aW9ucyBh bmQgYXJjaGl0ZWN0dXJhbCBkZXNpZ24gbXVzdCBiZSBzcGVjaWZpZWQgZm9ybWFsbHkgliBjb25z aXN0ZW50IHdpdGggZm9ybWFsIG1vZGVsIG9mIHNlY3VyaXR5IHBvbGljeS4NVGhlIHVzZSBvZiBh IHRydXN0ZWQgc3lzdGVtIHdpbGwgc29sdmUgdGhlIHByb2JsZW0gaWRlbnRpZmllZCBhYm92ZSBh cyByZWdhcmRzIHRvIG1vYmlsZSBjb2RlIGFuZCB0aGUgc3RlYWxpbmcgb2YgY3J5cHRvZ3JhcGhp YyBrZXlzLiAgSWYgdGhlIHNpZ25pbmcgbWVjaGFuaXNtIGlzIGVmZmVjdGVkIHZpYSBhIHRydXN0 ZWQgc3lzdGVtIG9mIGF0IGxlYXN0IEUzIHdoaWNoIGV2aWRlbmNlcyB0aGUgZnVuY3Rpb25hbGl0 eSBvZiB0aGUgc2lnbmluZyBtZWNoYW5pc20gc28gYXMgdG8gcHJldmVudCB1bmF1dGhvcmlzZWQg YWNjZXNzIHRvIHRoZSBwcml2YXRlIGtleSB1c2VkIGZvciBzaWduaW5nIHB1cnBvc2VzIG9yIHVu YXV0aG9yaXplZCBhY3Rpdml0eSB0aGVuIGl0IGlzIHN1Ym1pdHRlZCB0aGF0IHRoZSBjb21tb24g bGF3IHBvc2l0aW9uIGNhbiBiZSBtYWludGFpbmVkIGluIHRoZSBlbGVjdHJvbmljIGNvbW1lcmNl IGVudmlyb25tZW50LiAgIEUzIGFsc28gcHJvdmlkZXMgdGhhdCB0aGUgc291cmNlIGNvZGUgaXMg ZXZhbHVhdGVkIGFuZCB0aHVzIGl0IGlzIHBvc3NpYmxlIHRvIHNob3cgdGhhdCB0aGUgc2lnbmlu ZyBtZWNoYW5pc20gd2lsbCBvbmx5IHBlcmZvcm0gdGhlIGRlc2lyZWQgZnVuY3Rpb24gYW5kIG5v IG90aGVyLiAgRnVydGhlciB0aGUgaW1wbGVtZW50YXRpb24gb2YgdGhlIHNlY3VyaXR5IGZlYXR1 cmVzIGNhbiBiZSBhZGVxdWF0ZWx5IGFzc2Vzc2VkIHNvIGFzIHRvIGVuc3VyZSB0aGF0IHRoZSBw cml2YXRlIGtleSBjYW4gbm90IGJlIHVwbGlmdGVkLiAgV2l0aCB0aGVzZSBmZWF0dXJlcyBpdCBp cyByZWFzb25hYmxlIGZvciB0aGUgY29tbW9uIGxhdyBwb3NpdGlvbiB0byBiZSBpbXBsZW1lbnRl ZCBhbmQgdGh1cyBoYXZlIGEgYmFsYW5jZSBiZXR3ZWVuIHRoZSBlbGVjdHJvbmljIGNvbW1lcmNl IGVudmlyb25tZW50IGFuZCB0aGUgcGFwZXItYmFzZWQgZW52aXJvbm1lbnQuDUNvbmNsdXNpb24N VGhpcyBwYXBlciBzaG93cyB0aGF0IHRoZSBkZXBsb3ltZW50IG9mIGEgVHJ1c3RlZCBDb21wdXRp bmcgU3lzdGVtIGZvciBkaWdpdGFsIHNpZ25hdHVyZSBtZWNoYW5pc21zIGlzIHRoZSBvbmx5IHNl Y3VyZSBvcHRpb24gYW5kIHdpbGwgcmVzdWx0IGluIHRoZSBsZWdhbCBwb3NpdGlvbiB3aGVyZSB0 aGUgb251cyBvZiBwcm9vZiBmb3IgdGhlIGVsZWN0cm9uaWMgZW52aXJvbm1lbnQgd2lsbCBiZSB0 aGUgc2FtZSBhcyBmb3IgdGhlIHBhcGVyLWJhc2VkIGVudmlyb25tZW50LiAgVGhhdCBpcyBpZiBh IHRydXN0ZWQgY29tcHV0aW5nIHN5c3RlbSBpcyB1c2VkIHRvIGVmZmVjdCBhIGRpZ2l0YWwgc2ln bmF0dXJlIG1lY2hhbmlzbSB0aGVuIGFuZCBvbmx5IHRoZW4gY2FuIHRoZSBvbnVzIG9mIHByb29m IGxpZSB3aXRoIHRoZSByZWNpcGllbnQgaW4gdGhlIHNhbWUgbWFubmVyIHRoYXQgZXhpdHMgaW4g dGhlIHBhcGVyLWJhc2VkIGVudmlyb25tZW50LiAgV2l0aG91dCBhIHRydXN0ZWQgY29tcHV0aW5n IHN5c3RlbSBuZWl0aGVyIHBhcnR5ICh0aGUgc2lnbmVyIG9yIHRoZSByZWNpcGllbnQpIGlzIGlu IGEgcG9zaXRpb24gdG8gcHJvZHVjZSB0aGUgbmVjZXNzYXJ5IGV2aWRlbmNlIHRvIHByb3ZlIHRo ZWlyIHJlc3BlY3RpdmUgY2FzZS4NSGVuY2UgdGhlIGltcGxlbWVudGF0aW9uIG9mIGEgdHJ1c3Rl ZCBjb21wdXRpbmcgc3lzdGVtIHdpbGwgYWxsb3cgZm9yIGEgYmFsYW5jZSBiZXR3ZWVuIHRoZSAy IGVudmlyb25tZW50cy4gIFRoZXJlZm9yZSwgbm8gcGFydHkgd2lsbCBiZSBkaXNhZHZhbnRhZ2Vk Lg1UaGUgaXNzdWVzIHJhaXNlZCBpbiB0aGlzIHBhcGVyIGFyZSBoaWdobHkgaW1wb3J0YW50IHRv IHRoZSBpbnZlc3RtZW50L2ZpbmFuY2UgY29tbXVuaXR5IGFzIHN1Y2ggaXNzdWVzIG5lZWQgdG8g YmUgdW5kZXJzdG9vZCBzbyBhcyB0byBlbmdlbmRlciB0aGUgbmVjZXNzYXJ5IGNvbmZpZGVuY2Ug cmVxdWlyZWQgdG8gZWZmZWN0IGdsb2JhbCB0cmFkaW5nIG9wcG9ydHVuaXRpZXMuICBGdXJ0aGVy IHRoZSBpc3N1ZXMgcmFpc2VkIGluIHRoaXMgcGFwZXIgc2hvdWxkIGJlIHVuZGVyc3Rvb2QgYnkg dGhlIHJlbGV2YW50IHBvbGljeSBsYXcgbWFraW5nIGNvbW11bml0eSBzbyBhcyB0byBlZmZlY3Qg dGhlIG5lY2Vzc2FyeSBiYWxhbmNlIGJldHdlZW4gdGhlIHBhcGVyLWJhc2VkIGVudmlyb25tZW50 IGFuZCB0aGUgZW1lcmdpbmcgZ2xvYmFsIGVsZWN0cm9uaWMgY29tbWVyY2UgZW52aXJvbm1lbnQu DQ0TIFBBR0UgFDEzFQ0NTWNDdWxsYWdoLCBBLiBhbmQgQ2FlbGxpLCBXIAkTIERBVEUgXEAgIk1N L2RkL3l5IiAUMTIvMTUvOTkVDQ0TIEZJTEVOQU1FICBcKiBNRVJHRUZPUk1BVCAUQm9uZCBVbmkV ICAgMTcvNi85MiBTDCAgDQ0NAiggIEFkcmlhbiBNY0N1bGxhZ2ggQi5BcHAuU2MgKENvbXB1dGlu ZykgKFEuSS5UKSwgTC5MLkIuKEhvbnMpIChRLkkuVC4pLCBQaC4gRC4gQ2FuZGlkYXRlIChRLlUu VCksIE5hdGlvbmFsIERpcmVjdG9yIGZvciBFbGVjdHJvbmljIENvbW1lcmNlLCBHYWRlbnMgTGF3 eWVycywgQnJpc2JhbmUsIEF1c3RyYWxpYS4LC1Byb2Zlc3NvciBXaWxsaWFtIENhZWxsaSBCLlNj LihIb25zKSAoTmV3Y2FzdGxlKSwgUGguRC4gKEFOVSksIEhlYWQgb2YgU2Nob29sIG9mIERhdGEg Q29tbXVuaWNhdGlvbnMsIFF1ZWVuc2xhbmQgVW5pdmVyc2l0eSBvZiBUZWNobm9sb2d5IChRVVQp LEZvcm1lcmx5IERpcmVjdG9yIG9mIHRoZSBJbmZvcm1hdGlvbiBTZWN1cml0eSBSZXNlYXJjaCBD ZW50ZXIsIFFVVC4gDQIgVGhhdCBpcyB0aGUgcGFydGllcyB3aWxsIG5vdCBhdCB0aGUgdGltZSBv ZiB0cmFuc2FjdGluZyBoYXZlIGZhY2UgdG8gZmFjZSBkaWFsb2d1ZS4NAiBCYW5rIGZvciBJbnRl cm5hdGlvbmFsIFNldHRsZW1lbnRzIJYgUmVwb3J0IE5vLiAzNSCTUmlzayBNYW5hZ2VtZW50IGZv ciBFbGVjdHJvbmljIEJhbmtpbmcgYW5kIEVsZWN0cm9uaWMgTW9uZXkgQWN0aXZpdGllc5QgTWFy Y2ggMTk5ODsgEyBIWVBFUkxJTksgaHR0cDovL3d3dy5iaXMub3JnL3B1YmwvaW5kZXguaHRtIAEU aHR0cDovL3d3dy5iaXMub3JnL3B1YmwvaW5kZXguaHRtFSBhY2Nlc3NlZCBvbiAxNSBEZWNlbWJl ciAxOTk5DXNlZSBhbHNvIJNDb21tdW5pY2F0aW9uIGZyb20gdGhlIENvbW1pc3Npb24gdG8gdGhl IEV1cm9wZWFuIFBhcmxpYW1lbnQtIHRoZSBDb3VuY2lsLCB0aGUgRWNvbm9taWMgYW5kIFNvY2lh bCBDb21taXR0ZWUgYW5kIHRoZSBDb21taXR0ZWUgb2YgdGhlIFJlZ2lvbnMtIJFQcm9wb3NhbCBm b3IgYSBFdXJvcGVhbiBQYXJsaWFtZW50IGFuZCBDb3VuY2lsIERpcmVjdGl2ZSBvbiBhIENvbW1v biBGcmFtZXdvcmsgZm9yIEVsZWN0cm9uaWMgU2lnbmF0dXJlc5IglCAgQ09NKDE5OTgpMjk3Zmlu YWwsIDEzLjA1Ljk4DQIgk0FtZXJpY2FuIEJhciBBc3NvY2lhdGlvbiBHdWlkZWxpbmVzIGZvciBE aWdpdGFsIFNpZ25hdHVyZXOUCyATSFlQRVJMSU5LICJodHRwOi8vd3d3LmFiYW5ldC5vcmcvc2Np dGVjaC9lYy9pc2MvZHNnZnJlZS5odG1sIgEUaHR0cDovL3d3dy5hYmFuZXQub3JnL3NjaXRlY2gv ZWMvaXNjL2RzZ2ZyZWUuaHRtbBUgICAgIGFjY2Vzc2VkIG9uIDE1IERlY2VtYmVyIDE5OTkNAiBM J0VzdHJhbmdlICAgdi4gIEdyYXVjb2IgIFsxOTM0XSAyIEsuQi4gMzk0LgsgU2VlIGFsc28gOiBN Y0N1bGxhZ2ggQS4sIENhZWxsaSBXLiwgTGl0dGxlIFAuLCCTRWxlY3Ryb25pYyBTaWduYXR1cmVz IJYgVW5kZXJzdGFuZCAgdGhlICBQYXN0IHRvIERldmVsb3AgdGhlIEZ1dHVyZZQgMTk5OCBVTlNX TEo7C2FjY2Vzc2VkIG9uIDE1IERlY2VtYmVyIDE5OTkgICAgEyBIWVBFUkxJTksgaHR0cDovL3d3 dy5sYXcudW5zdy5lZHUuYXUvdW5zd2xqL2Vjb21tZXJjZS9tY2N1bGxhZ2guaHRtbCABFGh0dHA6 Ly93d3cubGF3LnVuc3cuZWR1LmF1L3Vuc3dsai9lY29tbWVyY2UvbWNjdWxsYWdoLmh0bWwVDQIg VW5jb25zY2lvbmFibGUgY29uZHVjdCByZXN0cyB1cG9uIHRoZSBjb25jZXB0IG9mIGluZXF1YWxp dHkgb2YgYmFyZ2FpbmluZyBwb3dlci4gVGhlIGNoYXJhY3RlcmlzdGljcyBvZiB0aGUgY29uY2Vw dCBhcmU6DVVuY29uc2Npb25hYmxlIGludm9sdmVzIHRoZSBvYnRhaW5pbmcsIGJ5IG9uZSBwYXJ0 eSB0byBhIHRyYW5zYWN0aW9uLCBvZiBhbiB1bmZhaXIgYWR2YW50YWdlIGFnYWluc3QgdGhlIGJl dHRlciBqdWRnZW1lbnQgb2YgdGhlIG90aGVyIHdlYWtlciBwYXJ0eSB0byB0aGUgdHJhbnNhY3Rp b247DVRoZSBkb21pbmFudCBwYXJ0eSBrbm93aW5nIGVpdGhlciBhY3R1YWxseSBvciBieSBpbXB1 dGF0aW9uIG9mIHRoZSBkaXNhZHZhbnRhZ2U7DUluIG1hbnkgY2FzZXMgdGhlcmUgaXMgYSBzdHJp a2luZyBkaXNwYXJpdHkgaW4gdGhlIHZhbHVlIG9mIHRoZSBjb25zaWRlcmF0aW9uIHBhc3Npbmcg YmV0d2VlbiB0aGUgcGFydGllcy4NU2VlIE0uTC4gQ29wZSCTVGhlIFJldmlldyBvZiBVbmNvbnNj aW9uYWJsZSBCYXJnYWlucyBpbiBFcXVpdHmULiAoMTk4MykgNTcgQS5MLkouIDI3OTsLQ29tbWVy Y2lhbCBCYW5rIG9mIEF1c3RyYWxpYSB2LiBBbWFkaW8gKDE5ODItODMpIDE1MSBDLkwuUi4gNDQ3 Lg0CIEZyYXVkIGludm9sdmVzIGFueSBpbnRlbnRpb25hbCBjb25kdWN0IHRoYXQgaGFzIHRoZSBw dXJwb3NlIG5vdCBuZWNlc3NhcmlseSB0aGUgc29sZSBvciBkb21pbmFudCBwdXJwb3NlIG9mIG9i dGFpbmluZyBzb21lIGdhaW4gZnJvbSB0aGUgcGFydHkgd2hvIGlzIHRoZSBzdWJqZWN0IG9mIHRo ZSBmcmF1ZHVsZW50IGNvbmR1Y3QuICBTZWUgRWFybCBvZiBBeWxlc2ZvcmQgdi4gTW9ycmlzICgx ODczKSA4IEwuUi4gQ2guIEFwcC4gNDg0OiANAiBVbmR1ZSBpbmZsdWVuY2UgaW52b2x2ZXMgYSBz aXR1YXRpb24gd2hlcmUgYSBwZXJzb24gaGFzIHRoZSBhYmlsaXR5IHRvIHRha2UgY29udHJvbCBv dmVyIGFub3RoZXKScyBpbmRlcGVuZGVudCB3aWxsIHBvd2VyIHNvIHRoYXQgdGhlIGlubm9jZW50 IHBlcnNvbiBpcyBub3QgYWJsZSB0byByZXNpc3QgdGhlIGFjdGlvbnMgb2YgdGhlIGZpcnN0IHBl cnNvbi4gIFN1Y2ggY2FzZXMgdXN1YWxseSBpbnZvbHZlIHNvbWUgZGlzYWJpbGl0eSBhcyBpbiBC bG9tbGV5IHYgUnlhbiAoMTk1NikgOTkgQy5MLlIuIDM2Mi4gIE1yLiBSeWFuIHdhcyBhIHNldmVy ZSBhbGNvaG9saWMgYW5kIHdhcyBuZXZlciBpbiBhIHBvc2l0aW9uIHRvIHJlc2lzdCB0aGUgYWN0 aW9ucyBvZiBNci4gQnJvbWxleS4NDQIgk1VOQ0lUUkFMIE1vZGVsIExhdyBvbiBFbGVjdHJvbmlj IENvbW1lcmNlIHdpdGggR3VpZGUgdG8gRW5hY3RtZW50lCBBcnRpY2xlIDEzLgsgE0hZUEVSTElO SyAiaHR0cDovL3d3dy51bi5vci5hdC91bmNpdHJhbC90ZXh0cy9lbGVjdGNvbS9tbC1lYy5odG0i ARRodHRwOi8vd3d3LnVuLm9yLmF0L3VuY2l0cmFsL3RleHRzL2VsZWN0Y29tL21sLWVjLmh0bRUg ICAgYWNjZXNzZWQgb24gMTUgRGVjZW1iZXIgMTk5OSANAiBNY0N1bGxhZ2ggQS4sIENhZWxsaSBX LiwgTGl0dGxlIFAuLCCTRWxlY3Ryb25pYyBTaWduYXR1cmVzIJYgVW5kZXJzdGFuZCB0aGUgUGFz dCB0byBEZXZlbG9wIHRoZSBGdXR1cmWUIDE5OTggVU5TV0xKLiBUaGVtYXRpYyBJc3N1ZSA6CyAT IEhZUEVSTElOSyBodHRwOi8vd3d3Lmxhdy51bnN3LmVkdS5hdS91bnN3bGovZWNvbW1lcmNlL21j Y3VsbGFnaC5odG1sIAEUaHR0cDovL3d3dy5sYXcudW5zdy5lZHUuYXUvdW5zd2xqL2Vjb21tZXJj ZS9tY2N1bGxhZ2guaHRtbBUgC2FjY2Vzc2VkIG9uIDE1IERlY2VtYmVyIDE5OTkNAiBTaG9ydGVy IE94Zm9yZCBEaWN0aW9uYXJ5LCBUaG9tcHNvbiwgRC4gKEVkKSAxOXRoIEVkaXRpb24sIENsYXJl bmRvbiBQcmVzcywLk1JlcHVkaWF0ZZQgMSAoYSkgZGlzb3duLCBkaXNhdm93LCByZWplY3QsIChi KSByZWZ1c2UgZGVhbGluZ3Mgd2l0aCwgKGMpIGRlbnkuIA0CIEliaWQuIA0CIFRoZSBhYm92ZSBw b3NpdGlvbiBpcyB0aGUgc2FtZSBpbiBtYW55IGp1cmlzZGljdGlvbnMuDQIgUmVwb3J0IG9mIHRo ZSBFbGVjdHJvbmljIENvbW1lcmNlIEV4cGVydCBHcm91cCB0byB0aGUgQXR0b3JuZXkgR2VuZXJh bCA6IJNFbGVjdHJvbmljIENvbW1lcmNlOiBCdWlsZGluZyB0aGUgTGVnYWwgRnJhbWV3b3JrIC0g MzEgbWFyY2ggMTk5OJQLOhNIWVBFUkxJTksgImh0dHA6Ly9sYXcuZ292LmF1L2FnaG9tZS9hZHZp c29yeS9lY2VnL2VjZWcuaHRtIgEUaHR0cDovL2xhdy5nb3YuYXUvYWdob21lL2Fkdmlzb3J5L2Vj ZWcvZWNlZy5odG0VICAgICAgICBhY2Nlc3NlZCBvbiAxNSBEZWNlbWJlciAxOTk5DQIgQ2FlbGxp LCBXLiwgTG9uZ2xleSwgRC4sIFNoYWluLCBNLiCTSW5mb3JtYXRpb24gU2VjdXJpdHkgSGFuZGJv b2uUIE1hY01pbGxhbiBQcmVzcyBMaW1pdGVkLCAxOTkxDQIgaWJpZC4NAiBTY2huZWllciwgQi4s IJMgQXBwbGllZCBDcnlwdG9ncmFwaHkglnByb3RvY29scywgYWxnb3JpdGhtcyBhbmQgc291cmNl IGNvZGUgaW4gQ5QgMTk5NiAoMmVkKSwgSm9obiBXaWxleSAmIFNvbnMgYXQgcGFnZSAyLg0CIEdy YW5pdG8sIFIsIGFuZCBIb3ZzdPgsIEEuIChlZGl0b3JzKSwgIJNHdWlkZWxpbmVzIGZvciB0aGUg dXNlIGFuZCBtYW5hZ2VtZW50IG9mIFRydXN0ZWQgVGhpcmQgUGFydHkgc2VydmljZXOULCBKVEMg MS4yNy4xOShXb3JraW5nIERyYWZ0KQ0CIE9uZSBvZiB0aGUgcHJpbWFyeSByb2xlcyBvZiBhIFRU UCBpcyB0b28gcmVsaWFibHkgYXV0aGVudGljYXRlIHRoZSBpZGVudGl0eSBvZiB0aGUgaG9sZGVy IG9mIHRoZSBrZXkgcGFpciwgb2Ygd2hpY2ggdGhlIHB1YmxpYyBrZXkgaXMgZW1ib2RpZWQgaW4g dGhlIGRpZ2l0YWwgY2VydGlmaWNhdGUuIA0CIFRoZSBpc3N1ZSBvZiB3aXRuZXNzaW5nIHRoZSBh ZmZpeGluZyBvZiBkaWdpdGFsIHNpZ25hdHVyZXMgaXMgbW9yZSBmdWxseSBleHBsYWluZWQgaW4g TWNDdWxsYWdoIGV0IGFsLiBJYmlkLiBub3RlIDkNAiBBcnRpY2xlIDEzLiBBdHRyaWJ1dGlvbiBv ZiBkYXRhIG1lc3NhZ2VzIA0oMSkgQSBkYXRhIG1lc3NhZ2UgaXMgdGhhdCBvZiB0aGUgb3JpZ2lu YXRvciBpZiBpdCB3YXMgc2VudCBieSB0aGUgb3JpZ2luYXRvciBpdHNlbGYuIAsoMikgQXMgYmV0 d2VlbiB0aGUgb3JpZ2luYXRvciBhbmQgdGhlIGFkZHJlc3NlZSwgYSBkYXRhIG1lc3NhZ2UgaXMg ZGVlbWVkIHRvIGJlIHRoYXQgb2YgdGhlIG9yaWdpbmF0b3IgaWYgaXQgd2FzIHNlbnQ6IAsoYSkg YnkgYSBwZXJzb24gd2hvIGhhZCB0aGUgYXV0aG9yaXR5IHRvIGFjdCBvbiBiZWhhbGYgb2YgdGhl IG9yaWdpbmF0b3IgaW4gcmVzcGVjdCBvZiB0aGF0IGRhdGEgbWVzc2FnZTsgb3IgCyhiKSBieSBh biBpbmZvcm1hdGlvbiBzeXN0ZW0gcHJvZ3JhbW1lZCBieSwgb3Igb24gYmVoYWxmIG9mLCB0aGUg b3JpZ2luYXRvciB0byBvcGVyYXRlIGF1dG9tYXRpY2FsbHkuCygzKSBBcyBiZXR3ZWVuIHRoZSBv cmlnaW5hdG9yIGFuZCB0aGUgYWRkcmVzc2VlLCBhbiBhZGRyZXNzZWUgaXMgZW50aXRsZWQgdG8g cmVnYXJkIGEgZGF0YSBtZXNzYWdlIGFzIGJlaW5nIHRoYXQgb2YgdGhlIG9yaWdpbmF0b3IsIGFu ZCB0byBhY3Qgb24gdGhhdCBhc3N1bXB0aW9uLCBpZjogCyhhKSBpbiBvcmRlciB0byBhc2NlcnRh aW4gd2hldGhlciB0aGUgZGF0YSBtZXNzYWdlIHdhcyB0aGF0IG9mIHRoZSBvcmlnaW5hdG9yLCB0 aGUgYWRkcmVzc2VlIHByb3Blcmx5IGFwcGxpZWQgYSBwcm9jZWR1cmUgcHJldmlvdXNseSBhZ3Jl ZWQgdG8gYnkgdGhlIG9yaWdpbmF0b3IgZm9yIHRoYXQgcHVycG9zZTsgb3IgCyhiKSB0aGUgZGF0 YSBtZXNzYWdlIGFzIHJlY2VpdmVkIGJ5IHRoZSBhZGRyZXNzZWUgcmVzdWx0ZWQgZnJvbSB0aGUg YWN0aW9ucyBvZiBhIHBlcnNvbiB3aG9zZSByZWxhdGlvbnNoaXAgd2l0aCB0aGUgb3JpZ2luYXRv ciBvciB3aXRoIGFueSBhZ2VudCBvZiB0aGUgb3JpZ2luYXRvciBlbmFibGVkIHRoYXQgcGVyc29u IHRvIGdhaW4gYWNjZXNzIHRvIGEgbWV0aG9kIHVzZWQgYnkgdGhlIG9yaWdpbmF0b3IgdG8gaWRl bnRpZnkgZGF0YSBtZXNzYWdlcyBhcyBpdHMgb3duLiALKDQpIFBhcmFncmFwaCAoMykgZG9lcyBu b3QgYXBwbHk6IAsoYSkgYXMgb2YgdGhlIHRpbWUgd2hlbiB0aGUgYWRkcmVzc2VlIGhhcyBib3Ro IHJlY2VpdmVkIG5vdGljZSBmcm9tIHRoZSBvcmlnaW5hdG9yIHRoYXQgdGhlIGRhdGEgbWVzc2Fn ZSBpcyBub3QgdGhhdCBvZiB0aGUgb3JpZ2luYXRvciwgYW5kIGhhZCByZWFzb25hYmxlIHRpbWUg dG8gYWN0IGFjY29yZGluZ2x5OyBvciALKGIpIGluIGEgY2FzZSB3aXRoaW4gcGFyYWdyYXBoICgz KShiKSwgYXQgYW55IHRpbWUgd2hlbiB0aGUgYWRkcmVzc2VlIGtuZXcgb3Igc2hvdWxkIGhhdmUg a25vd24sIGhhZCBpdCBleGVyY2lzZWQgcmVhc29uYWJsZSBjYXJlIG9yIHVzZWQgYW55IGFncmVl ZCBwcm9jZWR1cmUsIHRoYXQgdGhlIGRhdGEgbWVzc2FnZSB3YXMgbm90IHRoYXQgb2YgdGhlIG9y aWdpbmF0b3IuIAsoNSkgV2hlcmUgYSBkYXRhIG1lc3NhZ2UgaXMgdGhhdCBvZiB0aGUgb3JpZ2lu YXRvciBvciBpcyBkZWVtZWQgdG8gYmUgdGhhdCBvZiB0aGUgb3JpZ2luYXRvciwgb3IgdGhlIGFk ZHJlc3NlZSBpcyBlbnRpdGxlZCB0byBhY3Qgb24gdGhhdCBhc3N1bXB0aW9uLCB0aGVuLCBhcyBi ZXR3ZWVuIHRoZSBvcmlnaW5hdG9yIGFuZCB0aGUgYWRkcmVzc2VlLCB0aGUgYWRkcmVzc2VlIGlz IGVudGl0bGVkIHRvIHJlZ2FyZCB0aGUgZGF0YSBtZXNzYWdlIGFzIHJlY2VpdmVkIGFzIGJlaW5n IHdoYXQgdGhlIG9yaWdpbmF0b3IgaW50ZW5kZWQgdG8gc2VuZCwgYW5kIHRvIGFjdCBvbiB0aGF0 IGFzc3VtcHRpb24uIFRoZSBhZGRyZXNzZWUgaXMgbm90IHNvIGVudGl0bGVkIHdoZW4gaXQga25l dyBvciBzaG91bGQgaGF2ZSBrbm93biwgaGFkIGl0IGV4ZXJjaXNlZCByZWFzb25hYmxlIGNhcmUg b3IgdXNlZCBhbnkgYWdyZWVkIHByb2NlZHVyZSwgdGhhdCB0aGUgdHJhbnNtaXNzaW9uIHJlc3Vs dGVkIGluIGFueSBlcnJvciBpbiB0aGUgZGF0YSBtZXNzYWdlIGFzIHJlY2VpdmVkLiALKDYpIFRo ZSBhZGRyZXNzZWUgaXMgZW50aXRsZWQgdG8gcmVnYXJkIGVhY2ggZGF0YSBtZXNzYWdlIHJlY2Vp dmVkIGFzIGEgc2VwYXJhdGUgZGF0YSBtZXNzYWdlIGFuZCB0byBhY3Qgb24gdGhhdCBhc3N1bXB0 aW9uLCBleGNlcHQgdG8gdGhlIGV4dGVudCB0aGF0IGl0IGR1cGxpY2F0ZXMgYW5vdGhlciBkYXRh IG1lc3NhZ2UgYW5kIHRoZSBhZGRyZXNzZWUga25ldyBvciBzaG91bGQgaGF2ZSBrbm93biwgaGFk IGl0IGV4ZXJjaXNlZCByZWFzb25hYmxlIGNhcmUgb3IgdXNlZCBhbnkgYWdyZWVkIHByb2NlZHVy ZSwgdGhhdCB0aGUgZGF0YSBtZXNzYWdlIHdhcyBhIGR1cGxpY2F0ZQ0NAiAgTGFtYm9zIHYuIENv bW1vbndlYWx0aCBvZiBBdXN0cmFsaWEgKDE5NjctNjgpIDQxIEEuTC5SLiAxODANAiBUaGlzIHBv c2l0aW9uIGhhcyBhbHNvIGJlZW4gYWNjZXB0ZWQgYnkgdGhlIFVLIEdvdmVybm1lbnQgYXMgcHJv bW90ZWQgaW4gdGhlIGRyYWZ0ICCTRWxlY3Ryb25pYyBDb21tdW5pY2F0aW9ucyBBY3SUDQIgIFRo b21wc29uLCBLLiCTUmVmbGVjdGlvbnMgb24gVHJ1c3RpbmcgVHJ1c3SULCByZXByaW50ZWQgaW4g k0NvbXB1dGVycyBVbmRlciBBdHRhY2sgliBJbnRydWRlcnMsIFdvcm1zIGFuZCBWaXJ1c2VzlCBE ZW5uaW5nLCBQLiAoZWRpdG9yKSBBZGRpc29uLVdlc3NsZXkgUHVibGlzaGluZyBDb21wYW55LCAx OTkwLg0CIFNlcmJhbiwgQy4sIJRTZWN1cml0eSBJc3N1ZXMgZm9yIJFBbHdheXMgb26SIERldmlj ZXM6IEFEU0wgYW5kIENhYmxlIE1vZGVtIEFjY2Vzc5QgQVQmVCAxOTk5LCB1bnB1Ymxpc2hlZCBj b3B5IG9mIHRoaXMgcGFwZXIgd2FzIGdpdmVuIHRvIHRoZSBhdXRob3JzIGFuZCBpcyBpbiB0aGVp ciBwb3NzZXNzaW9uLg0CIEliaWQuDQIgCVRoZSBzZWNyZXQga2V5IHJpbmcgaW4gUEdQIGlzIHVz dWFsbHkgZW5jcnlwdGVkIHdpdGggYSBtdWNoIHNpbXBsZXIgY3J5cHRvLXN5c3RlbS4gIEFsc28g dGhlIGtleSByaW5nIGlzIHN1YmplY3QgdG8gYSBwYXNzIHBocmFzZSBidXQgdGhpcyBjYW4gdXN1 YWxseSBiZSBicm9rZW4gdXNpbmcgb25lIG9mIHRoZSBoYWNrZXIgcHJvZ3JhbXMgYXZhaWxhYmxl IG9uIHRoZSBJbnRlcm5ldCBzdWNoIGFzIGNyYWNrZXIsIFNhdGFuIG9yIGNvcHMuIA0CIEJlbGws IEQuRS4gICYgTGEgUGFkdWxhLCBMLkouIJNTZWN1cmUgQ29tcHV0ZXIgU3lzdGVtIDogVW5pZmll ZCBFeHBvc2l0aW9uIGFuZCBNdWx0aWNzIEludGVycHJldGF0aW9ulCBFU0QtVFItNzUtMzA2LiAg TWFyY2ggMTk3NiwgTWl0cmUgQ29ycG9yYXRpb24NAiBTaGFtaXIsIEEgJiBWYW4gU29tZXJlbiwg Ti4gk1BsYXlpbmcgaGlkZSBhbmQgc2VlayB3aXRoIHN0b3JlZCBrZXlzlAtsb2NhdGVkIGF0IBMg SFlQRVJMSU5LIGh0dHA6Ly93d3cubmNpcGhlci5jb20vcHJvZHVjdHMvZmlsZXMvcGFwZXJzL2Fu Z3VpbGxhL2tleWhpZGUyLnBkZiABFGh0dHA6Ly93d3cubmNpcGhlci5jb20vcHJvZHVjdHMvZmls ZXMvcGFwZXJzL2FuZ3VpbGxhL2tleWhpZGUyLnBkZhUgC2FjY2Vzc2VkIG9uIDE1IERlY2VtYmVy IDE5OTkuDQ0NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAACoEAADqBAAAAgUAAIsF AACdBQAAngUAAMkFAADKBQAAzAUAAPgFAAAFBgAAFgsAABcLAADyCwAA8wsAAMwMAADNDAAAzgwA APMPAAAiEAAAKREAACoRAABwEQAAAxIAAAQSAAAnEgAAKBIAAFISAABTEgAAVBIAAPMSAAD0EgAA rBMAAK0TAABIFAAASRQAAL0UAAC+FAAAuRcAALoXAAD7FwAA/BcAAMMaAABPGwAAERwAAD8cAACG HAAAqBwAALEcAAC9HAAAzBwAANocAADcHAAA5xwAAAEdAAA6HQAAmx0AAL8dAADCHQAA0R0AANId AABLHwAAsx8AADwgAAA9IAAAPiAAAEwgAABOIAAA/QD7APsA/fT97P0A5QDlAOPlAP0A5QDe097T 3tPeAOUA5QDlAOUA5QDlAN4A/QDezcW/xb/ev94A+wC7sQD7AOUA/QAAAAAAAAAAAAAAEwNqAAAA ADBKOgA1CIE2CIFVCAEGNQiBNgiBAAs2CIFPSgAAUUoAAA42CIE+KgFPSgAAUUoAAAALPioBT0oA AFFKAAAVA2oAAAAAMEo6AE9KAABRSgAAVQgBCE9KAABRSgAAAANIKgENA2oAAAAAMEo6AFUIAQ41 CIE2CIFPSgMAUUoDAAANCWoBACrwMEo6ADUIgQM+KgEDNQiBAEQABAAALAQAAC8EAABABAAAZgQA AHUEAACHBAAArAQAANAEAADiBAAAAwUAAAcFAAAgBQAALwUAAE0FAABxBQAAgwUAAJ4FAADLBQAA zAUAAPAAAAAAAAAAAAAAAADwAAAAAAAAAAAAAAAA8AAAAAAAAAAAAAAAAOMAAAAAAAAAAAAAAADW AAAAAAAAAAAAAAAA1gAAAAAAAAAAAAAAANYAAAAAAAAAAAAAAADjAAAAAAAAAAAAAAAA4wAAAAAA AAAAAAAAAMcAAAAAAAAAAAAAAADwAAAAAAAAAAAAAAAA8AAAAAAAAAAAAAAAANYAAAAAAAAAAAAA AADWAAAAAAAAAAAAAAAA4wAAAAAAAAAAAAAAAOMAAAAAAAAAAAAAAADHAAAAAAAAAAAAAAAAtwAA AAAAAAAAAAAAAKgAAAAAAAAAAAAAAAAAAAAAAAAAAAAADhYAEmTwAAEAE6TwAA3GDQHMAAPFAooF TggAAAAQFgADJAESZPAAAQATpPAADcYNAcwAA8UCigVOCAAAAAAOKwAPhNsCEmTwAAEADcYNAdsC A8UCigVOCAAAAAAMGAASZPAAAQANxg0BzAADxQKKBU4IAAAAAAwXABJk8AABAA3GDQHMAAPFAooF TggAAAAADhgAEmTwAAEAE6TwAA3GDQHMAAPFAooFTggAAAAAEwAEAAAsBAAALwQAAEAEAABmBAAA dQQAAIcEAACsBAAA0AQAAOIEAAADBQAABwUAACAFAAAvBQAATQUAAHEFAACDBQAAngUAAMsFAADM BQAA7gUAAPgFAAAFBgAA4gcAAIcKAADPDAAAvQ0AAOYNAAAPDgAAVA4AAIkOAADHDgAA0w4AAPMP AAAiEAAAcBEAAI8RAADQEQAABRIAACkSAABUEgAASxQAAJMWAAACGQAAzxkAAMMaAAD7GgAAKhsA AE8bAAARHAAAPxwAAIYcAAA6HQAA0x0AAAYfAABOIAAA9CEAAHwjAAD7IwAATiQAAAslAACQJQAA OCYAAJsmAAAgJwAA3CcAAHMqAABzKwAA7i4AAN8yAAAWNAAAcTQAAJI0AACpNQAACzcAAP39/fv9 /f37+/n9/f39+/v59/f39/v7+/v78vLy8vLy+/396+vk5N39/f39/dbr1P3S/cvryMbDwb6+vr6+ vr6+/fv7+/v7vPv7AAADAiUABQgkAAkBAwI2AAUCAQAFAAMCNwAFAgMABQIMAgMABQIHAggfAAkB AAMCIgADAg8ADAIDAAUCBwIIIwAJAQAMAgQABQMHAwgOAAkBAAwCBAAFAwcDCB4ACQEADAIDAAUC BwIIHgAJAQAIAhcACCYACQEAAwIWAAMCKwADAhcAAwIYAABKzAUAAO4FAAD4BQAABQYAAOIHAACH CgAAzwwAAL0NAADmDQAADw4AAFQOAACJDgAAxw4AANMOAADzDwAAIhAAAHARAACPEQAA0BEAAPEA AAAAAAAAAAAAAADxAAAAAAAAAAAAAAAA4gAAAAAAAAAAAAAAAOIAAAAAAAAAAAAAAADiAAAAAAAA AAAAAAAA4gAAAAAAAAAAAAAAAOIAAAAAAAAAAAAAAADQAAAAAAAAAAAAAAAA0AAAAAAAAAAAAAAA ANAAAAAAAAAAAAAAAADQAAAAAAAAAAAAAAAA0AAAAAAAAAAAAAAAANAAAAAAAAAAAAAAAADiAAAA AAAAAAAAAAAAwAAAAAAAAAAAAAAAALEAAAAAAAAAAAAAAACoAAAAAAAAAAAAAAAAqAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgDAA+ExQINxgcBoAUBxQIAAA4YABJk8AAB ABOk8AANxg0BzAADxQKKBU4IAAAAEBgABiQBEmTwAAEAE6TwAA3GDQHMAAPFAooFTggAAAASFwAK JgALRiYAEmTwAAEAE6TwAA3GDQHMAAPFAooFTggAAAAADhcAEmTwAAEAE6TwAA3GDQHMAAPFAooF TggAAAAOFgADJAESZPAAAQANxg0BzAADxQKKBU4IAAAAABLQEQAABRIAACkSAABUEgAASxQAAJMW AAACGQAAzxkAAMMaAAD7GgAAKhsAAE8bAAARHAAAPxwAAIYcAAA6HQAA0x0AAPcAAAAAAAAAAAAA AAD3AAAAAAAAAAAAAAAA6QAAAAAAAAAAAAAAANoAAAAAAAAAAAAAAADaAAAAAAAAAAAAAAAA2gAA AAAAAAAAAAAAANoAAAAAAAAAAAAAAADaAAAAAAAAAAAAAAAAzgAAAAAAAAAAAAAAAMUAAAAAAAAA AAAAAADBAAAAAAAAAAAAAAAA2gAAAAAAAAAAAAAAAK8AAAAAAAAAAAAAAACfAAAAAAAAAAAAAAAA kwAAAAAAAAAAAAAAAMUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAwAKJgILRh8AD4TF Ag3GBwGgBQHFAgYQGAAGJAESZPAAAQATpPAADcYNAcwAA8UCigVOCAAAABIiAAYkAQ+EAAASZPAA AQATpPAADcYNAdYBA8UCigVOCAAAAAADDwAPhAAAAAgDAA+ExQINxgcBoAUBxQIGDAMACiYCC0Yj AA+ExQINxgcBoAUBxQIGAA4YABJk8AABABOk8AANxg0BzAADxQKKBU4IAAAADgQACiYDC0YOAA+E igURhDz9DcYHAWoIAYoFAAAHBAAPhIoFDcYFAAGKBQAAENMdAAAGHwAATiAAAPQhAAB8IwAA+yMA AE4kAAALJQAAkCUAADgmAACbJgAAICcAANwnAABzKgAAcysAAO4uAADfMgAAFjQAAHE0AACSNAAA qTUAAAs3AAD4AAAAAAAAAAAAAAAA9gAAAAAAAAAAAAAAAPEAAAAAAAAAAAAAAADvAAAAAAAAAAAA AAAA5AAAAAAAAAAAAAAAAOQAAAAAAAAAAAAAAADkAAAAAAAAAAAAAAAA5AAAAAAAAAAAAAAAAOQA AAAAAAAAAAAAAADkAAAAAAAAAAAAAAAA5AAAAAAAAAAAAAAAAOQAAAAAAAAAAAAAAADVAAAAAAAA AAAAAAAAxgAAAAAAAAAAAAAAAMYAAAAAAAAAAAAAAADGAAAAAAAAAAAAAAAAxgAAAAAAAAAAAAAA AMYAAAAAAAAAAAAAAAC2AAAAAAAAAAAAAAAAxgAAAAAAAAAAAAAAAMYAAAAAAAAAAAAAAAAAAAAQ JQAGJAESZPAAAQATpPAADcYNAcwAA8UCigVOCAAAAAAOFwASZPAAAQATpPAADcYNAcwAA8UCigVO CAAAAAAOGAASZPAAAQATpPAADcYNAcwAA8UCigVOCAAAAAsAAAomAAtGJAAPhDgEDcYFAAFoAQAA ATYABQEACiYAC0YAAAABNwAHAwAKJgALRgAAD4T1/wAVTiAAAIcgAACIIAAAMSEAAHYhAAB3IQAA 4yEAAOQhAAD0IQAAfCMAANonAADbJwAA3CcAAIQqAACFKgAABjIAAAcyAADdMgAA3jIAAHE0AACQ NAAAkTQAAJI0AACRNwAAojcAAKM3AAClNwAA3DoAAN06AAAVOwAAazsAAMU7AADGOwAAyDsAANY9 AADXPQAA8D0AAEg+AAAVQAAAWUAAAGtBAABsQQAABkIAAAdCAAAIQgAAhUQAAIZEAADZRQAAokcA AKNHAAAeSwAAH0sAADdLAAA4SwAA9VIAAA9TAADuXQAATF8AAPns+eng+ez5ANj50wDRAMoAygDR ytEAxry6ALXR06+ir9O10dMA0QDKAJ/KAMoA05TTlNOU09EA0wAAAAAAAAAVA2oAAAAAMEo6AE9K AABRSgAAVQgBBDBKOgAAGANqAAAAADBKOgA1CIFPSgAAUUoAAFUIAQALNQiBT0oAAFFKAAAJCWoB ALfwNQiBAzYIgRMDagAAAAAwSjoANgiBPioBVQgBBjYIgT4qAQANA2oAAAAAMEo6AFUIAQM1CIEI T0oAAFFKAAAADzYIgU9KAABRSgAAbUgJCBAwSjoAT0oAAFFKAABtSAkIAARtSAkIABkDagAAAAAw SjoAT0oAAFFKAABVCAFtSAkIDE9KAABRSgAAbUgJCDkLNwAApjcAAPs4AACFOQAAdjoAALc6AADc OgAAFTsAAGs7AADIOwAA1j0AAPA9AABIPgAAFUAAAFlAAABuQQAAfEIAAPFDAACHRAAA2UUAACFL AABbTAAAcEwAAIVMAADtTQAAbk8AAB9SAAD1UgAAD1MAAJRUAAAqVQAAFFYAAKBXAAAhWgAA7VwA AO5dAABMXwAAsF8AAPBfAAAwYAAAxWAAAP39+/v7/fn38vf59/Dw+fnr6/nm4dzX0s3Iw765tK+q paCblo+Fe3EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgI9AAYewP//CCoACQEKAwAAAAASAj0ABl7A //8IKgAJAQoCAAAAABICPQAGnsD//wgqAAkBCgEAAAAADQI9AAYCwf//CCoACQEIAj0ABmDC//8A CAIYAAZhw///AAgCGAAGLcb//wAIAhcABq7I//8ACAIXAAY6yv//AAgCFwAGJMv//wAIAhgABrrL //8ACAIXAAY/zf//AAgCFgAGWc3//wAIAj0ABi/O//8ACAI9AAbg0P//AAgCPQAGYdL//wAIAj0A BsnT//8ACAI9AAbe0///AAgCPQAG89P//wAIAj0ABi3V//8ACAI9AAZ12v//AAgCFgAIKQAJAQAD AhgACAIPAAgoAAkBAAMCDwADAhYAAwIXAAMCJgAAKAs3AACmNwAA+zgAAIU5AAB2OgAAtzoAANw6 AAAVOwAAazsAAMg7AADWPQAA8D0AAEg+AAAVQAAAWUAAAG5BAAB8QgAA8AAAAAAAAAAAAAAAAPAA AAAAAAAAAAAAAADhAAAAAAAAAAAAAAAA4QAAAAAAAAAAAAAAAOEAAAAAAAAAAAAAAADRAAAAAAAA AAAAAAAAwgAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAAACyAAAAAAAAAAAAAAAAwAAAAAAAAAAAAAAA AKIAAAAAAAAAAAAAAADAAAAAAAAAAAAAAAAAkwAAAAAAAAAAAAAAAJMAAAAAAAAAAAAAAACiAAAA AAAAAAAAAAAAogAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOGAASZPAAAQATpPAADcYN AcwAA8UCigVOCAAAABAWAAYkARJk8AABABOk8AANxg0BzAADxQKKBU4IAAAADg8ACiYAC0YoAA+E 0AIRhDD9DcYHAWgBAdACBgABDwAADhYAEmTwAAEAE6TwAA3GDQHMAAPFAooFTggAAAAQJgAGJAES ZPAAAQATpPAADcYNAcwAA8UCigVOCAAAAAAOFwASZPAAAQATpPAADcYNAcwAA8UCigVOCAAAAAAO JgASZPAAAQATpPAADcYNAcwAA8UCigVOCAAAAAAQfEIAAPFDAACHRAAA2UUAACFLAABbTAAAcEwA AIVMAADtTQAAbk8AAB9SAAD1UgAAD1MAAJRUAAAqVQAAFFYAAKBXAAAhWgAA7VwAAO5dAABMXwAA 6wAAAAAAAAAAAAAAAOsAAAAAAAAAAAAAAADbAAAAAAAAAAAAAAAA1wAAAAAAAAAAAAAAANcAAAAA AAAAAAAAAADXAAAAAAAAAAAAAAAA1wAAAAAAAAAAAAAAANcAAAAAAAAAAAAAAADXAAAAAAAAAAAA AAAA1wAAAAAAAAAAAAAAANcAAAAAAAAAAAAAAADbAAAAAAAAAAAAAAAAyAAAAAAAAAAAAAAAALkA AAAAAAAAAAAAAADIAAAAAAAAAAAAAAAAyAAAAAAAAAAAAAAAAMgAAAAAAAAAAAAAAAC5AAAAAAAA AAAAAAAAuQAAAAAAAAAAAAAAANcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAOGAASZPAAAQATpPAADcYNAcwAA8UCigVOCAAAAAAOFwASZPAAAQATpPAADcYNAcwAA8UCigVO CAAAAAADPQAPhAAAEBYABiQBEmTwAAEAE6TwAA3GDQHMAAPFAooFTggAAAAAExYABiQBCiYAC0Yp ABJk8AABABOk8AANxg0BzAADxQKKBU4IAAAAABRMXwAAW18AALBfAAC3XwAA8F8AAP5fAAAwYAAA PmAAAMVgAADOYAAAh2EAAJxhAAClZwAA82sAAP5rAADmcAAA53AAAO1wAADucAAA8HAAAPFwAAAP cQAAEHEAABFxAAAlcQAAJnEAAC5xAAAvcQAAMXEAADJxAABMcQAATXEAAFVxAABWcQAAWXEAAGBx AABicQAAY3EAAGhxAABpcQAAanEAAGxxAAB8cQAAHXIAADVyAADycgAA83IAAEhzAABJcwAA0nMA ANNzAAAAdAAAAXQAAAJ0AAAjdAAAJHQAAGR1AAD59Pn0+fT59Pn0+fQA8gDr6Ovj6wDf1t/W0tYA zQDNys0AyADDALy2ALIAsgCn9Kf0nvSSno+e9AAABDBKNAAAFwIIgQNqAAAAAAYIAU9KAABRSgAA VQgBEQNqAAAAAE9KAABRSgAAVQgBFQNqAAAAADBKOgBPSgAAUUoAAFUIAQY1CIE2CIEACglqAQAq 8DBKOgAADQNqAAAAADBKMwBVCAEJA2oAAA4AVQgBAzwIgQRtSAAEAAkDagAAAABVCAEHaAgAbUgA BBADagAAAABVCAFoCABuSAkEAAdoCABuSAkECDBKPwBtSAAEAAQwSj8AAA0DagAAAAAwSj8AVQgB AzUIgQhPSgAAUUoAAAALPioBT0oAAFFKAAAAOExfAACwXwAA8F8AADBgAADFYAAAh2EAACdiAACc ZAAAtGQAAP5kAAAwZQAAMWUAAD1lAADmZQAA8mUAAC1mAABcZgAAaGYAAL5mAAAhZwAALWcAAPYA AAAAAAAAAAAAAAD2AAAAAAAAAAAAAAAA6QAAAAAAAAAAAAAAAPYAAAAAAAAAAAAAAAD2AAAAAAAA AAAAAAAA9gAAAAAAAAAAAAAAAOUAAAAAAAAAAAAAAADhAAAAAAAAAAAAAAAA4QAAAAAAAAAAAAAA ANYAAAAAAAAAAAAAAADMAAAAAAAAAAAAAAAAxAAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAAADhAAAA AAAAAAAAAAAAuwAAAAAAAAAAAAAAALQAAAAAAAAAAAAAAADhAAAAAAAAAAAAAAAAuwAAAAAAAAAA AAAAALQAAAAAAAAAAAAAAADhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAc9AAomAAtGKwAT pAAABT0ACiYAC0YrAAADPQAPhKAFAAc9AA+EigURhDv9E6QAAAAJPQAPhDMHE6QAAA3GBQABTwgA Cz0ACiYAC0YrAA+EvAYRhOT+E6QAAAADPQAPhMUCAAM9AA+EAAANPQAKJgALRioAD4TFAhGEO/0N xgUAAcUCAAk9AAomAAtGKgAPhMUCEYQ7/QAUxWAAAIdhAAAnYgAAnGQAALRkAAD+ZAAAMGUAADFl AAA9ZQAA5mUAAPJlAAAtZgAAXGYAAGhmAAC+ZgAAIWcAAC1nAACZZwAApWcAACloAADzawAA/msA AIZuAAAebwAA5XAAAOZwAADncAAA7XAAAO5wAADwcAAA8XAAAPJwAADzcAAAMHEAADFxAABmcQAA Z3EAAGhxAADycgAASHMAAEJ0AABldQAAOXYAAJB3AAALeAAAs3gAAAR5AABveQAAB3oAAAR7AACN fAAAjnwAAH19AACpfgAAR38AAFB/AACIfwAAq4AAAA6BAAAWgQAAk4EAACCCAADOggAARIMAAHCD AACpjAAAqowAAOmMAABfjQAAFI4AAMiOAADQjgAA0I8AAGeQAABtkQAAbpEAAPbs6urq5erq6url 5erl5erl6uPj4ePj4+Pf39/f39/f3N/c39/f2dnW1NnZzsa+2dnZ2dTZ2dnZ2dnU2dTZ2dTU2dnZ 2dnZ2dnZ3wAPAjkACCcACQEKAgAAAA0BDwI5AAgnAAkBCgEAAAANAQoCOQAIJwAJAQ0BAAINAQAF AjUADQEFAjkADQEFAhQADQECAQEAAwIqAAMCGAAIAj0ACCsACQEAAwI9ABICPQAGx77//wgqAAkB CgUAAAAAEgI9AAaJv///CCoACQEKBAAAAEstZwAAmWcAAKVnAAApaAAA82sAAP5rAACGbgAAHm8A AOVwAADmcAAA8nAAAPNwAAAwcQAAMXEAAGZxAABncQAAaHEAAPJyAABIcwAA+gAAAAAAAAAAAAAA APYAAAAAAAAAAAAAAADnAAAAAAAAAAAAAAAA1gAAAAAAAAAAAAAAAMUAAAAAAAAAAAAAAADnAAAA AAAAAAAAAAAA5wAAAAAAAAAAAAAAAOcAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAtQAAAAAAAAAA AAAAALIAAAAAAAAAAAAAAACtAAAAAAAAAAAAAAAAsgAAAAAAAAAAAAAAAKoAAAAAAAAAAAAAAACy AAAAAAAAAAAAAAAAqAAAAAAAAAAAAAAAAKYAAAAAAAAAAAAAAACgAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAFOQAPhLQAEYRM/wABOQAAAQAAAxQAMSQAAAQUAAMkATEkAAMAADEkAAMVADEkAAAMGAAS ZPAAAQANxg0BzAADxQKKBU4IAAAAABAqAAMkAAYkARJk8AABABOk8AANxgsAA8UCigVOCAAAAAAQ GAAOhLb/EmTwAAEAE6TwAA3GDQHMAAPFAooFTggAAAAADhgAEmTwAAEAE6TwAA3GDQHMAAPFAooF TggAAAAAAz0AD4TFAgU9AAomAAtGKwAAEkhzAABCdAAAZXUAADl2AACQdwAAC3gAALN4AAAEeQAA b3kAAAd6AAAEewAAjXwAAI58AAB9fQAAqX4AAEd/AABQfwAAiH8AAKuAAAAOgQAAFoEAAJOBAAAg ggAAzoIAAPkAAAAAAAAAAAAAAAD1AAAAAAAAAAAAAAAA7wAAAAAAAAAAAAAAAPkAAAAAAAAAAAAA AAD5AAAAAAAAAAAAAAAA5gAAAAAAAAAAAAAAAN0AAAAAAAAAAAAAAADdAAAAAAAAAAAAAAAA2QAA AAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAANEAAAAAAAAA AAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA +QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAADvAAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAMgAAAAA AAAAAAAAAAD5AAAAAAAAAAAAAAAAAAAAAAAJAAAGJAEPhLQAEYRM/xOkAAAABwAAD4S0ABGETP8T pAAAAAM5AA+EtAAJOQAKJgALRicAD4S0ABGETP8JOQAKJgALRicAD4QcAhGE5P0ABQAAD4S0ABGE TP8AAzUAD4S0AAAFOQAPhLQAEYRM/wAXZHUAAGV1AABmdQAApXUAAKZ1AADjdQAA5HUAAOV1AAAW dgAAF3YAADl2AAA6dgAAO3YAAFN2AAALdwAADHcAAFJ3AABTdwAAVHcAAI53AACPdwAAkHcAAJF3 AAAHegAACHoAAAR7AAAFewAABXwAABN8AACOfAAAj3wAAOF8AADifAAAI30AACR9AAAlfQAAWn0A AFt9AAB9fQAAfn0AAAZ+AAAHfgAATX4AAE5+AABPfgAAiX4AAIp+AACpfgAA+ezl2uXM2sPa5biz rbOks5iklaSzuLO4s7izrbPs5drlh9rD2uW4s6Sze6SVpLMAAAAAAAAAFwIIgQNqEAQAAAYIAU9K AABRSgAAVQgBGwIIgQNqMwMAAAYIAUNKFABPSgAAUUoAAFUIAQQwSjQAABcCCIEDatIBAAAGCAFP SgAAUUoAAFUIAREDagAAAABPSgAAUUoAAFUIAQs2CIFPSgAAUUoAAAhPSgAAUUoAAAAVA2oAAAAA MEo6AE9KAABRSgAAVQgBEDBKNABDShQAT0oAAFFKAAAAGwIIgQNq/QAAAAYIAUNKFABPSgAAUUoA AFUIARUDagAAAABDShQAT0oAAFFKAABVCAEMQ0oUAE9KAABRSgAAABkDagAAAAAwSjoAQ0oUAE9K AABRSgAAVQgBCzoIgU9KAABRSgAAAC+pfgAAqn4AANp+AADcfgAAQH8AAER/AABHfwAASH8AAFB/ AABRfwAAiH8AAIl/AACKfwAA1X8AAAiAAAAYgAAAGYAAAFSAAABVgAAAVoAAAIWAAACGgAAAqoAA AKuAAACsgAAADoEAAA+BAAAWgQAAF4EAAJOBAACUgQAAqoEAALuBAAC9gQAAH4IAACCCAAAhggAA IoIAAMuCAADOggAAz4IAAESDAABFgwAARoMAAG6DAAC7hQAAgocAAKWHAAA0iQAAqYwAAKqMAACr jAAA6YwAAOqMAABfjQAAYI0AAPgA9gDyAOfi5+L4AOLc4tPix9PA0+IA+ACzrOfis6yjmaOs+ADi AOfi+ACPrIysjKzi5+Ln4vgABENKFAAAEzBKPAA1CIFDShQAT0oAAFFKAAATNQiBQ0oUAE9KAABR SgAAbUgJCBBDShQAT0oAAFFKAABtSAkIAAxDShQAT0oAAFFKAAAAGQNqAAAAADBKOgBDShQAT0oA AFFKAABVCAEMMEo0AE9KAABRSgAAABcCCIEDanEFAAAGCAFPSgAAUUoAAFUIAREDagAAAABPSgAA UUoAAFUIAQs1CIFPSgAAUUoAAAhPSgAAUUoAAAAVA2oAAAAAMEo6AE9KAABRSgAAVQgBBjYIgT4q AQADSCoBDQNqAAAAADBKOgBVCAEAN86CAABEgwAAcIMAAKmMAACqjAAA6YwAAF+NAAAUjgAAyI4A ANCOAADQjwAAZ5AAAG2RAABukQAAb5EAAPkAAAAAAAAAAAAAAADzAAAAAAAAAAAAAAAA7wAAAAAA AAAAAAAAAOkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAOMAAAAAAAAAAAAA AAD5AAAAAAAAAAAAAAAA4QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAA AAAAAAAAAAAAAN8AAAAAAAAAAAAAAADSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMGAASZPAAAQANxg0B zAADxQKKBU4IAAAAAAEAAAABOQAABTkAD4QOARGE8v4ABTkAD4TQAhGEMP0AAwAAD4RoAQAFAAAP hNACEYQw/QAFOQAPhLQAEYRM/wAOYI0AABSOAAAVjgAAyI4AAMmOAADQjgAA0Y4AANCPAADRjwAA Z5AAAGiQAAC5kAAAupAAAAiRAAAJkQAACpEAAEyRAABNkQAAb5EAAAD4APgA+AD4APgA8wDr8+jz AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEMEo0AAAPAgiBA2pCBgAABggBVQgBCQNqAAAA AFUIAQ0DagAAAAAwSjoAVQgBABJukQAAb5EAAP0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAMCGAAAAT4ACjABETABEjAAFDAqFpBoAR+waC4gsLRBIbAtByKwXQQjkKUG JJC8BiWwAAAFMAAD8gDeIgTyANACA/IBBxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAA/QAAAEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0Mnqefm6zhGMggCqAEupCwIAAAAXAAAAIgAA AGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAGkAcwAuAG8AcgBnAC8AcAB1AGIAbAAvAGkAbgBkAGUA eAAuAGgAdABtAAAA4Mnqefm6zhGMggCqAEupC0QAAABoAHQAdABwADoALwAvAHcAdwB3AC4AYgBp AHMALgBvAHIAZwAvAHAAdQBiAGwALwBpAG4AZABlAHgALgBoAHQAbQAAANUAAABEAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANDJ 6nn5us4RjIIAqgBLqQsCAAAAAwAAAODJ6nn5us4RjIIAqgBLqQtkAAAAaAB0AHQAcAA6AC8ALwB3 AHcAdwAuAGEAYgBhAG4AZQB0AC4AbwByAGcALwBzAGMAaQB0AGUAYwBoAC8AZQBjAC8AaQBzAGMA LwBkAHMAZwBmAHIAZQBlAC4AaAB0AG0AbAAAAGEBAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANDJ6nn5us4RjIIAqgBLqQsC AAAAFwAAADsAAABoAHQAdABwADoALwAvAHcAdwB3AC4AbABhAHcALgB1AG4AcwB3AC4AZQBkAHUA LgBhAHUALwB1AG4AcwB3AGwAagAvAGUAYwBvAG0AbQBlAHIAYwBlAC8AbQBjAGMAdQBsAGwAYQBn AGgALgBoAHQAbQBsAAAA4Mnqefm6zhGMggCqAEupC3YAAABoAHQAdABwADoALwAvAHcAdwB3AC4A bABhAHcALgB1AG4AcwB3AC4AZQBkAHUALgBhAHUALwB1AG4AcwB3AGwAagAvAGUAYwBvAG0AbQBl AHIAYwBlAC8AbQBjAGMAdQBsAGwAYQBnAGgALgBoAHQAbQBsAAAA3QAAAEQAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0Mnqefm6 zhGMggCqAEupCwIAAAADAAAA4Mnqefm6zhGMggCqAEupC2wAAABoAHQAdABwADoALwAvAHcAdwB3 AC4AdQBuAC4AbwByAC4AYQB0AC8AdQBuAGMAaQB0AHIAYQBsAC8AdABlAHgAdABzAC8AZQBsAGUA YwB0AGMAbwBtAC8AbQBsAC0AZQBjAC4AaAB0AG0AAABhAQAARAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQyep5+brOEYyCAKoA S6kLAgAAABcAAAA7AAAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGwAYQB3AC4AdQBuAHMAdwAuAGUA ZAB1AC4AYQB1AC8AdQBuAHMAdwBsAGoALwBlAGMAbwBtAG0AZQByAGMAZQAvAG0AYwBjAHUAbABs AGEAZwBoAC4AaAB0AG0AbAAAAODJ6nn5us4RjIIAqgBLqQt2AAAAaAB0AHQAcAA6AC8ALwB3AHcA dwAuAGwAYQB3AC4AdQBuAHMAdwAuAGUAZAB1AC4AYQB1AC8AdQBuAHMAdwBsAGoALwBlAGMAbwBt AG0AZQByAGMAZQAvAG0AYwBjAHUAbABsAGEAZwBoAC4AaAB0AG0AbAAAANEAAABEAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANDJ 6nn5us4RjIIAqgBLqQsCAAAAAwAAAODJ6nn5us4RjIIAqgBLqQtgAAAAaAB0AHQAcAA6AC8ALwBs AGEAdwAuAGcAbwB2AC4AYQB1AC8AYQBnAGgAbwBtAGUALwBhAGQAdgBpAHMAbwByAHkALwBlAGMA ZQBnAC8AZQBjAGUAZwAuAGgAdABtAAAAgQEAAEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0Mnqefm6zhGMggCqAEupCwIAAAAX AAAAQwAAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBuAGMAaQBwAGgAZQByAC4AYwBvAG0ALwBwAHIA bwBkAHUAYwB0AHMALwBmAGkAbABlAHMALwBwAGEAcABlAHIAcwAvAGEAbgBnAHUAaQBsAGwAYQAv AGsAZQB5AGgAaQBkAGUAMgAuAHAAZABmAAAA4Mnqefm6zhGMggCqAEupC4YAAABoAHQAdABwADoA LwAvAHcAdwB3AC4AbgBjAGkAcABoAGUAcgAuAGMAbwBtAC8AcAByAG8AZAB1AGMAdABzAC8AZgBp AGwAZQBzAC8AcABhAHAAZQByAHMALwBhAG4AZwB1AGkAbABsAGEALwBrAGUAeQBoAGkAZABlADIA LgBwAGQAZgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAABIAQQAKAAEAWwAPAAIABAAAAAQANAAAQPH/AgA0AAAABgBOAG8AcgBtAGEAbAAA AAYAAAATpPAAEABDShgAT0oFAFFKBQBtSAkMQAABQAEA8gBAAAAADwBIAGUAYQBkAGkAbgBnACAA MQAsADEALgAsAGgAMQAAAAwAAQAKJgALRh4AQCYABABLSBwAOAACAAEA8gA4AAAADQBIAGUAYQBk AGkAbgBnACAAMgAsADEALgAxAAAADAACAAomAQtGHgBAJgEAADgAA0ABAAIBOAAAAA0ASABlAGEA ZABpAG4AZwAgADMALAAoAGEAKQAAAAwAAwAKJgILRh4AQCYCAAA4AARAAQASATgAAAANAEgAZQBh AGQAaQBuAGcAIAA0ACwAKABpACkAAAAMAAQACiYDC0YeAEAmAwAAOAAFAAEAIgE4AAAADQBIAGUA YQBkAGkAbgBnACAANQAsACgAQQApAAAADAAFAAomBAtGHgBAJgQAADgABgABADIBOAAAAA0ASABl AGEAZABpAG4AZwAgADYALAAoAEkAKQAAAAwABgAKJgULRh4AQCYFAAAwAAcAEQByADAAAAAJAEgA ZQBhAGQAaQBuAGcAIAA3AAAADAAHAAomBgtGHgBAJgYAADAACAARAIIAMAAAAAkASABlAGEAZABp AG4AZwAgADgAAAAMAAgACiYHC0YeAEAmBwAANAAJABEAAgA0AAAACQBIAGUAYQBkAGkAbgBnACAA OQAAAA8ACQADJAEKJggLRh4AQCYIAAAAPABBQPL/oQA8AAAAFgBEAGUAZgBhAHUAbAB0ACAAUABh AHIAYQBnAHIAYQBwAGgAIABGAG8AbgB0AAAAAAAAAAAAAAAAADgAQ0ABAPIAOAAAABAAQgBvAGQA eQAgAFQAZQB4AHQAIABJAG4AZABlAG4AdAAAAAYADwAPhNACAABAAP4P8QACAUAAAAAUAEIAbwBk AHkAIABUAGUAeAB0ACAASQBuAGQAZQBuAHQAIAAoAGEAKQAAAAYAEAAPhIoFAABAAP4PAQESAUAA AAAUAEIAbwBkAHkAIABUAGUAeAB0ACAASQBuAGQAZQBuAHQAIAAoAGkAKQAAAAYAEQAPhGsIAABA AP4PAQAiAUAAAAAUAEIAbwBkAHkAIABUAGUAeAB0ACAASQBuAGQAZQBuAHQAIAAoAEEAKQAAAAYA EgAPhKELAABAAP4PIQEyAUAAAAAUAEIAbwBkAHkAIABUAGUAeAB0ACAASQBuAGQAZQBuAHQAIAAo AEkAKQAAAAYAEwAPhNgNAAA2ACBAAQBCATYAAAAGAEYAbwBvAHQAZQByAAAAFAAUAAMkAhOkAAAN xggAAjkQciABAgQAQ0oOADIAH0ABAFIBMgAAAAYASABlAGEAZABlAHIAAAAUABUAAyQBE6QAAA3G CAACORByIAECAABEAP5PAQBiAUQAAAAHAFQAeABCAHIAXwBwADEAAAAUABYAEmT5AAAAE6QAAA3G BQABzAAADwBPSgAAUUoAAGgIAG5ICQQARAD+TwEAcgFEAAAABwBUAHgAQgByAF8AcAAyAAAAFAAX ABJk3QAAABOkAAANxgUAAcwAAA8AT0oAAFFKAABoCABuSAkEAEQA/k8BAIIBRAAAAAcAVAB4AEIA cgBfAHAAMwAAABQAGAASZN0AAAATpAAADcYFAAHMAAAPAE9KAABRSgAAaAgAbkgJBABMAP4PAQCS AUwAAAAHAFQAeABCAHIAXwBwADQAAAAcABkAD4SJBRGEev0SZN0AAAATpAAADcYFAAGGAgAPAE9K AABRSgAAaAgAbkgJBABMAP4PAQCiAUwAAAAHAFQAeABCAHIAXwBwADUAAAAcABoAD4SJBRGEev0S ZN0AAAATpAAADcYFAAFABAAPAE9KAABRSgAAaAgAbkgJBABMAP4PAQCyAUwAAAAHAFQAeABCAHIA XwBwADYAAAAcABsAD4TPAxGEwPsSZEMBAAATpAAADcYFAAFABAAPAE9KAABRSgAAaAgAbkgJBAA8 AP4PAQDCATwAAAAHAFQAeABCAHIAXwBwADcAAAAMABwAEmTLAQAAE6QAAA8AT0oAAFFKAABoCABu SAkEAFIA/g8BANIBUgAAAAgAVAB4AEIAcgBfAHAAMQAxAAAAHwAdAA+ETwARhBP+EmTdAAAAE6QA AA3GCAAC/APpBQAAAA8AT0oAAFFKAABoCABuSAkEAEoA/g8BAOIBSgAAAAgAVAB4AEIAcgBfAHAA MQAyAAAAGAAeAA+EdwYSZN0AAAATpAAADcYFAAGYAQAPAE9KAABRSgAAaAgAbkgJBABKAP4PAQDy AUoAAAAIAFQAeABCAHIAXwBwADEAMwAAABgAHwAPhJkGEmTdAAAAE6QAAA3GBQABdgEADwBPSgAA UUoAAGgIAG5ICQQARgD+DwEAAgJGAAAACABUAHgAQgByAF8AcAAxADUAAAAUACAAEmTwAAAAE6QA AA3GBQABzAAADwBPSgAAUUoAAGgIAG5ICQQAUgD+DwEAEgJSAAAACABUAHgAQgByAF8AcAAxADYA AAAfACEAD4RaARGEWP0SZN0AAAATpAAADcYIAAKYAUAEAAAADwBPSgAAUUoAAGgIAG5ICQQASgD+ TwEAIgJKAAAACABUAHgAQgByAF8AcAAxADcAAAAYACIAD4Q5BhJk8AAAABOkAAANxgUAAdYBAA8A T0oAAFFKAABoCABuSAkEAEoA/g8BADICSgAAAAgAVAB4AEIAcgBfAHAAMQA4AAAAGAAjAA+EiQUS ZPAAAAATpAAADcYFAAGGAgAPAE9KAABRSgAAaAgAbkgJBABKAP4PAQBCAkoAAAAIAFQAeABCAHIA XwBwADIANAAAABgAJAAPhHIFEmTuAAAAE6QAAA3GBQABnAIADwBPSgAAUUoAAGgIAG5ICQQARgD+ TwEAUgJGAAAACABUAHgAQgByAF8AcAAyADEAAAAUACUAEmTwAAAAE6QAAA3GBQABzAAADwBPSgAA UUoAAGgIAG5ICQQARgD+TwEAYgJGAAAACABUAHgAQgByAF8AcAAyADUAAAAUACYAEmTiAAAAE6QA AA3GBQABzAAADwBPSgAAUUoAAGgIAG5ICQQAQgD+DwEAcgJCAAAACABUAHgAQgByAF8AYwAyADcA AAAPACcAAyQBEmTwAAAAE6QAAAAPAE9KAABRSgAAaAgAbkgJBABKAP4PAQCCAkoAAAAIAFQAeABC AHIAXwBwADIAOAAAABgAKAAPhN8EEmTdAAAAE6QAAA3GBQABMAMADwBPSgAAUUoAAGgIAG5ICQQA RgD+DwEAkgJGAAAACABUAHgAQgByAF8AcAAyADkAAAAUACkAEmTdAAAAE6QAAA3GBQABzAAADwBP SgAAUUoAAGgIAG5ICQQAQgD+TwEAogJCAAAACABUAHgAQgByAF8AYwAzADIAAAAPACoAAyQBEmTw AAAAE6QAAAAPAE9KAABRSgAAaAgAbkgJBABOAP5PAQCyAk4AAAAIAFQAeABCAHIAXwBwADMAMwAA ABwAKwAPhDQFEYQl/RJk8AAAABOkAAANxgUAAdsCAA8AT0oAAFFKAABoCABuSAkEAEoA/g8BAMIC SgAAAAgAVAB4AEIAcgBfAHAAMwA0AAAAGAAsAA+E6gQSZPAAAAATpAAADcYFAAElAwAPAE9KAABR SgAAaAgAbkgJBABEADAAAQDSAkQAAQALAEwAaQBzAHQAIABCAHUAbABsAGUAdAAAABsALQAKJgAL RhUAD4TFAhGEO/0NxgcBaAEBxQI+AAAASAA2AAEA4gJIAAEADQBMAGkAcwB0ACAAQgB1AGwAbABl AHQAIAAyAAAAGwAuAAomAAtGFwAPhIoFEYQ7/Q3GBwGDAgGKBQYAAABIADcAAQDyAkgAAQANAEwA aQBzAHQAIABCAHUAbABsAGUAdAAgADMAAAAbAC8ACiYAC0YZAA+ETwgRhDv9DcYHAWgBAU8IAAAA AEgAOAABAAIDSAABAA0ATABpAHMAdAAgAEIAdQBsAGwAZQB0ACAANAAAABsAMAAKJgALRhsAD4QT CxGEO/0NxgcBuQQBEwsGAAAASAA5AAEAEgNIAAEADQBMAGkAcwB0ACAAQgB1AGwAbABlAHQAIAA1 AAAAGwAxAAomAAtGHQAPhNgNEYQ7/Q3GBwHUBQHYDQYAAAAyAB1AAQAiAzIAAAANAEYAbwBvAHQA bgBvAHQAZQAgAFQAZQB4AHQAAAACADIABABDShQAOAAmQKIAMQM4AAAAEgBGAG8AbwB0AG4AbwB0 AGUAIABSAGUAZgBlAHIAZQBuAGMAZQAAAAMASCoBACgAVUCiAEEDKAAAAAkASAB5AHAAZQByAGwA aQBuAGsAAAAGAD4qAUIqAioAQkABAFIDKgAAAAkAQgBvAGQAeQAgAFQAZQB4AHQAAAACADUABABD ShQATABSQAEAYgNMAAAAEgBCAG8AZAB5ACAAVABlAHgAdAAgAEkAbgBkAGUAbgB0ACAAMgAAAAYA NgAPhDgEDwA2CIFPSgAAUUoAAG1ICQgAQABTQAEAcgNAAAAAEgBCAG8AZAB5ACAAVABlAHgAdAAg AEkAbgBkAGUAbgB0ACAAMwAAAAYANwAPhNACAwA2CIEAPABaAAEAggM8AAAACgBQAGwAYQBpAG4A IABUAGUAeAB0AAAABgA4ABOkAAAQAENKFABPSgYAUUoGAG1ICQQwACtAAQCSAzAAAAAMAEUAbgBk AG4AbwB0AGUAIABUAGUAeAB0AAAAAgA5AAQAQ0oUADYAKkCiAKEDNgAAABEARQBuAGQAbgBvAHQA ZQAgAFIAZQBmAGUAcgBlAG4AYwBlAAAAAwBIKgEATAD+DwEAsgNMAAAACgBCAGwAbwBjAGsAcQB1 AG8AdABlAAAAEgA7AA6EaAEPhGgBE6RkABSkZAATAE9KAABRSgAAaAgAbUgJBG5ICQQAJABYQKIA wQMkAAAACABFAG0AcABoAGEAcwBpAHMAAAADADYIgQAuAFBAAQDSAy4AAAALAEIAbwBkAHkAIABU AGUAeAB0ACAAMgAAAAYAPQAPhNACAAA0AP4PAQDiAzQAAAAKAEwAZQB2AGUAbAAgADEALgBmAG8A AAAGAD4AD4TQAggAT0oHAFFKBwAmAClAogDxAyYAAAALAFAAYQBnAGUAIABOAHUAbQBiAGUAcgAA AAAAOABWQKIAAQQ4AAAAEQBGAG8AbABsAG8AdwBlAGQASAB5AHAAZQByAGwAaQBuAGsAAAAGAD4q AUIqDMkBAAAWBwAA8gcAAM0IAAApDQAAAw4AACcOAABSDgAA8w4AAKwPAABIEAAAvRAAALkTAAD7 EwAA0RkAADwcAACHHAAA4x0AAAYuAADdLgAAkDAAAKIzAADFNwAAaz0AAAc+AACFQAAAokMAAB5H AAA3RwAAb40AAAAAAQACAAMABAAFAAYABwAIAAkAAQAKAAsAAQABAAwAAQANAAEAAQABAA4ADwAB AAEAAQABAAEAAQAAAAAAigEAAOABAAD9AwAA0QQAACgGAACfCAAAnAkAACYLAAAVDAAAQQ0AAN8N AADoDQAAIA4AAEMPAACmDwAArg8AACsQAAC4EAAAZhEAANwRAABCGwAAgRsAAPcbAACsHAAAYB0A AGgdAABoHgAA/x4AAAUgAAAIIAAAAAAAAG+NAAADAAC8AAAKAP////8AAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAA0AAAANAAAASwAAAEsAAACBAAAAhAAAAAAEAABOIAAATF8AAGR1AACp fgAAYI0AAG+RAABKAAAAUAAAAFQAAABZAAAAWgAAAFwAAAAABAAAzAUAANARAADTHQAACzcAAHxC AABMXwAALWcAAEhzAADOggAAb5EAAEsAAABNAAAATgAAAE8AAABSAAAAUwAAAFUAAABXAAAAWAAA AFsAAAAABAAACzcAAMVgAABukQAAb5EAAEwAAABRAAAAVgAAAF0AAAAAAAAABwAAAAoAAAAqAAAA PwAAAEgAAABLAAAAZgAAAG8AAACEAAAAEyE0/5WAEx80/5WAEx20/5WAagIAAJkCAAC7AgAAPQQA AHwEAACuBAAAowUAAOsFAAAmBgAAeQsAALwLAADyCwAAngwAAOYMAAAhDQAAsA4AAO0OAAAdDwAA UR8AAKEfAADkHwAACCAAABNYFP8VgBNYlAGVhBNYFP8VgBNYlAGVhBNYFP8VgBNYlAGVhBNYFP8V gP//BgAAAA0AXwBUAG8AYwA0ADIAOQAzADkAOQA4ADcAMgANAF8AVABvAGMANAAzADMANwAyADEA NgA5ADEADQBfAEgAbAB0ADQANgA5ADgANwA1ADgAMgA5AA0AXwBIAGwAdAA0ADYAOQA4ADcANQA3 ADMANQANAF8ASABsAHQANAA2ADkAOAA3ADUANgA2ADQADQBfAEgAbAB0ADQANgA5ADgANwA0ADgA NgA5AE4cAABOHAAA/nEAAEl5AABNeQAAa3wAAHCNAAAAAAAAAQAAAAIAAAADAAAABAAAAAUAAADj HQAA4x0AAP9xAABKeQAATnkAAGx8AABwjQAAAAAAAI9CAACgQgAA5mwAAGdtAABobQAAuXwAAMB8 AADGfAAAy3wAAPB8AAD5fAAAGH0AACB9AADYiwAA3IsAAOOLAADpiwAAIYwAACiMAABVjAAAWowA AF6NAABmjQAAcI0AAAcAHAAHAAcAAgAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcA BAAHAAAAAABURgAAV0YAAJhSAACkUgAAsGQAAApmAADmbAAAZ20AAGhtAAAQfQAAFX0AAAGMAAAJ jAAAhYwAAGyNAABwjQAABwAaAAcAGgAHABoABwAHAAIABwAaAAcAGgAHAAQABwD//xQAAAAQAEEA ZAByAGkAYQBuACAATQBjAEMAdQBsAGwAYQBnAGgAVgBDADoAXABXAEkATgBOAFQAXABQAHIAbwBm AGkAbABlAHMAXABBAGQAcgBpAGEAbgAgAE0AYwBDAHUAbABsAGEAZwBoAFwARABlAHMAawB0AG8A cABcAEEASgBNACAALQAgAFAASABEAFwAUABIAEQAXABwAGgAZAAtAGEAagBtAC0AYQByAHQAaQBj AGwAZQBzAFwAQgBvAG4AZAAgAFUAbgBpAC4AZABvAGMAEABBAGQAcgBpAGEAbgAgAE0AYwBDAHUA bABsAGEAZwBoAFYAQwA6AFwAVwBJAE4ATgBUAFwAUAByAG8AZgBpAGwAZQBzAFwAQQBkAHIAaQBh AG4AIABNAGMAQwB1AGwAbABhAGcAaABcAEQAZQBzAGsAdABvAHAAXABBAEoATQAgAC0AIABQAEgA RABcAFAASABEAFwAcABoAGQALQBhAGoAbQAtAGEAcgB0AGkAYwBsAGUAcwBcAEIAbwBuAGQAIABV AG4AaQAuAGQAbwBjABAAQQBkAHIAaQBhAG4AIABNAGMAQwB1AGwAbABhAGcAaAApAEMAOgBcAFQA RQBNAFAAXABBAHUAdABvAFIAZQBjAG8AdgBlAHIAeQAgAHMAYQB2AGUAIABvAGYAIABCAG8AbgBk ACAAVQBuAGkALgBhAHMAZAAQAEEAZAByAGkAYQBuACAATQBjAEMAdQBsAGwAYQBnAGgAVgBDADoA XABXAEkATgBOAFQAXABQAHIAbwBmAGkAbABlAHMAXABBAGQAcgBpAGEAbgAgAE0AYwBDAHUAbABs AGEAZwBoAFwARABlAHMAawB0AG8AcABcAEEASgBNACAALQAgAFAASABEAFwAUABIAEQAXABwAGgA ZAAtAGEAagBtAC0AYQByAHQAaQBjAGwAZQBzAFwAQgBvAG4AZAAgAFUAbgBpAC4AZABvAGMAEABB AGQAcgBpAGEAbgAgAE0AYwBDAHUAbABsAGEAZwBoAFYAQwA6AFwAVwBJAE4ATgBUAFwAUAByAG8A ZgBpAGwAZQBzAFwAQQBkAHIAaQBhAG4AIABNAGMAQwB1AGwAbABhAGcAaABcAEQAZQBzAGsAdABv AHAAXABBAEoATQAgAC0AIABQAEgARABcAFAASABEAFwAcABoAGQALQBhAGoAbQAtAGEAcgB0AGkA YwBsAGUAcwBcAEIAbwBuAGQAIABVAG4AaQAuAGQAbwBjABAAQQBkAHIAaQBhAG4AIABNAGMAQwB1 AGwAbABhAGcAaAApAEMAOgBcAFQARQBNAFAAXABBAHUAdABvAFIAZQBjAG8AdgBlAHIAeQAgAHMA YQB2AGUAIABvAGYAIABCAG8AbgBkACAAVQBuAGkALgBhAHMAZAAQAEEAZAByAGkAYQBuACAATQBj AEMAdQBsAGwAYQBnAGgAVgBDADoAXABXAEkATgBOAFQAXABQAHIAbwBmAGkAbABlAHMAXABBAGQA cgBpAGEAbgAgAE0AYwBDAHUAbABsAGEAZwBoAFwARABlAHMAawB0AG8AcABcAEEASgBNACAALQAg AFAASABEAFwAUABIAEQAXABwAGgAZAAtAGEAagBtAC0AYQByAHQAaQBjAGwAZQBzAFwAQgBvAG4A ZAAgAFUAbgBpAC4AZABvAGMAEABBAGQAcgBpAGEAbgAgAE0AYwBDAHUAbABsAGEAZwBoACkAQwA6 AFwAVABFAE0AUABcAEEAdQB0AG8AUgBlAGMAbwB2AGUAcgB5ACAAcwBhAHYAZQAgAG8AZgAgAEIA bwBuAGQAIABVAG4AaQAuAGEAcwBkABAAQQBkAHIAaQBhAG4AIABNAGMAQwB1AGwAbABhAGcAaABW AEMAOgBcAFcASQBOAE4AVABcAFAAcgBvAGYAaQBsAGUAcwBcAEEAZAByAGkAYQBuACAATQBjAEMA dQBsAGwAYQBnAGgAXABEAGUAcwBrAHQAbwBwAFwAQQBKAE0AIAAtACAAUABIAEQAXABQAEgARABc AHAAaABkAC0AYQBqAG0ALQBhAHIAdABpAGMAbABlAHMAXABCAG8AbgBkACAAVQBuAGkALgBkAG8A YwAQAEEAZAByAGkAYQBuACAATQBjAEMAdQBsAGwAYQBnAGgAVgBDADoAXABXAEkATgBOAFQAXABQ AHIAbwBmAGkAbABlAHMAXABBAGQAcgBpAGEAbgAgAE0AYwBDAHUAbABsAGEAZwBoAFwARABlAHMA awB0AG8AcABcAEEASgBNACAALQAgAFAASABEAFwAUABIAEQAXABwAGgAZAAtAGEAagBtAC0AYQBy AHQAaQBjAGwAZQBzAFwAQgBvAG4AZAAgAFUAbgBpAC4AZABvAGMADwCA////UJPGpjEA/w//D/8P /w//D/8P/w//DwEAgf///0CJqqQwAP8P/w//D/8P/w//D/8P/w8BAIL///+G6ayk/w//D/8P/w// D/8P/w//D/8PAQCD////DvZuFi4A/w//D/8P/w//D/8P/w//DwEAif///zRUnNItAP8P/w//D/8P /w//D/8P/w8BAPv////6NkaoAQACAAMABAAFAAYABwAIAAkAAAD+//////////8PAAAAAAAAAAAA AAAAAAAAAAEAjE+RAdaI0Nb/DwAAAAAAAAAAAAAAAAAAAAABAFdwbTCCJSL2/w8AAAAAAAAAAAAA AAAAAAAAAQBcWH5TGQAJBP8P/w//D/8P/w//D/8P/w//DwEArX/NXAEACQz/DwAAAAAAAAAAAAAA AAAAAAABAEpBfWEBAAkE/w8AAAAAAAAAAAAAAAAAAAAAAQCfU/5uQOj0XS8AAAAAAAAAAAAAAAAA AAAAAAEAuX66dkLNLsT/D/8P/w//D/8P/w//D/8P/w8BAIYnZngZAAkE/w//D/8P/w//D/8P/w// D/8PAQABAAAAFwAAAAAAAAAAAAAAAAAAAAAAAAALEAAAD4TUBRGEmP4VxgUAAdQFBk9KAQBRSgEA bygAAQC38AEAAAAXAAAAAAAAAAAAAAAAAAAAAAAAAAsQAAAPhLkEEYSY/hXGBQABuQQGT0oBAFFK AQBvKAABALfwAQAAABcAAAAAAAAAAAAAAAAAAAAAAAAACxAAAA+EngMRhJj+FcYFAAGeAwZPSgEA UUoBAG8oAAEAt/ABAAAAFwAAAAAAAAAAAAAAAAAAAAAAAAALEAAAD4SDAhGEmP4VxgUAAYMCBk9K AQBRSgEAbygAAQC38AEAAAAXAAAAAAAAAAAAAAAAAAAAAAAAAAsQAAAPhGgBEYSY/hXGBQABaAEG T0oBAFFKAQBvKAABALfwAQAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAABAAAA+E0AIRhDD9FcYFAAHQ AgYCAAAALgABAAAAAAABAwAAAAAAAAAAAAAAAAAAAAASEAAAD4TQAhGEMP0VxgUAAdACBjUIADYI AENKGABPSgUAUUoFAAMAAAAuAAEAAQAAAAQAAgAAAAAAAAAAAAAAAAAAAAAAABAAAA+EoAURhDD9 FcYFAAGgBQYDACgAAgApAAEAAAACAAIAAAAAAAAAAAAAAAAAAAAAAAAQAAAPhGoIEYQ2/RXGBQAB aggGAwAoAAMAKQABAAAAAwACAAAAAAAAAAAAAAAAAAAAAAAAEAAAD4RLCxGEH/0VxgUAAUsLBgMA KAAEACkAAQAAAAEAAgAAAAAAAAAAAAAAAAAAAAAAABAAAA+EEA4RhDv9FcYFAAEQDgYDACgABQAp AAEAAAD/AAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAPhOAQEYQw/RXGBQAB4BAGAAABAAAA/wAAAAAA AAAAAAAAAAAAAAAAAAAAEAAAD4SwExGEMP0VxgUAAbATBgAAAQAAAP8AAAAAAAAAAAAAAgAAAAAA AAAAAAgAAA+EgBYRhDD9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAqAAEAAAAEQAEA AAAAAAAAAAAAAAAAaAEAAAAIAAAPhIMCEYSY/gIAAAApAAEAAAAEQAIAAAAAAAAAAAAAAAAA0AIA AAAIAAAPhNACEYQw/QMAKAAAACkAAQAAAAQAAgAAAAAAAAAAAAAAAAAAAAAAAxAAAA+EaAERhJj+ FcYFAAFoAQZvKAADACgAAAApAAEAAAAXAAAAAAAAAAAAAAAAAAAAAAAAAAsQAAAPhGgBEYSY/hXG BQABaAEGT0oBAFFKAQBvKAABALfwAQAAABcAAAAAAAAAAAAAAAAAAAAAAAAACxAAAA+EaAERhJj+ FcYFAAFoAQZPSgEAUUoBAG8oAAEAt/ABAAAAFwAAAAAAAAAAAAAAAAAAAAAAAAALEAAAD4RoARGE mP4VxgUAAWgBBk9KAQBRSgEAbygAAQC38AEAAAAEAAIAAAAAAAAAAAAAAAAAAAAAAAMQAAAPhCsC EYTV/RXGBQABKwIGbygAAwAoAAAAKQABAAAABAACAAAAAAAAAAAAAAAAAAAAAAADEAAAD4RoARGE mP4VxgUAAWgBBm8oAAMAKAAAACkAKwAAAPv///8AAAAAAAAAAAAAAAD7////AAAAAAAAAAAAAAAA +////wAAAAAAAAAAAAAAAPv///8AAAAAAAAAAAAAAAD7////AAAAAAAAAAAAAAAA+////wAAAAAA AAAAAAAAAPv///8AAAAAAAAAAAAAAAD7////AAAAAAAAAAAAAAAA+////wAAAAAAAAAAAAAAAK1/ zVwAAAAAAAAAAAAAAAD7////AAAAAAAAAAAAAAAA+////wAAAAAAAAAAAAAAAPv///8AAAAAAAAA AAAAAAD7////AAAAAAAAAAAAAAAA+////wAAAAAAAAAAAAAAAPv///8AAAAAAAAAAAAAAAD7//// AAAAAAAAAAAAAAAA+////wAAAAAAAAAAAAAAAPv///8AAAAAAAAAAAAAAACJ////AAAAAAAAAAAA AAAAif///wAAAAAAAAAAAAAAAIP///8AAAAAAAAAAAAAAACD////AAAAAAAAAAAAAAAAgv///wAA AAAAAAAAAAAAAJ9T/m4AAAAAAAAAAAAAAACB////AAAAAAAAAAAAAAAAgf///wAAAAAAAAAAAAAA AID///8AAAAAAAAAAAAAAACA////AAAAAAAAAAAAAAAA+////wAAAAAAAAAAAAAAAPv///8AAAAA XLOYAgkAAAD7////AAAAAKizmAIJAAAA+////wAAAAD0s5gCCQAAAPv///8AAAAAAAAAAAAAAAD7 ////AAAAAEC0mAIJAAAA/v///wAAAACMtJgCAQAAAIxPkQEAAAAAAAAAAAAAAABcWH5TAAAAAAAA AAAAAAAAuX66dgAAAAAAAAAAAAAAAEpBfWEAAAAAAAAAAAAAAACGJ2Z4AAAAAAAAAAAAAAAAV3Bt MAAAAAAAAAAAAAAAAP7///8AAAAA6LSYAgEAAAD///////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////AQAAABAAAQABAAAAEQAAAAEA AAASAAAAAQAAAFNK4QYBAAAAlDPhBgEAAAAVAAEDAQAAABYAAAABAAAAFwAAAAEAAABYSuEG//// /wEAAAAQAAEAAQAAABEAAAABAAAAEgAAAAEAAACTbeEGAQAAAJRt4QYBAAAAFQABAwEAAAAWAAAA AQAAABcAAAABAAAA2G3hBv////8BAAAAUEoDAAEAAAARAAAAAQAAABIAAAABAAAAEwAAAAEAAAAU AAAAAQAAANVV4QYBAAAAllXhBgEAAAAXhLkEAQAAABjGBQD//////////wEAAAAQAAEAAQAAABEA AAABAAAAEgAAAAEAAADTMuEGAQAAANQy4QYBAAAAFQABAwEAAAAWAAAAAQAAABcAAAABAAAAGDPh Bv////+YtJgCIAAAAAEAAAAXQAAAAAAAAAAAAAAAAAAAaAEAAAsIAAAPhGgBEYSY/k9KAQBRSgEA bygAAQC38P/////////////////////////////////////0tJgCIAAyAAEAAAAXQAAAAAAAAAAA AAAAAAAAaAEAAAsIAAAPhAgHEYSY/k9KAQBRSgEAbygAAQC38P//DwAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAP//AwAEAAoAQQB1AHQAaABvAHIATgBhAG0AZQCQtZgCCwBEAG8AYwBW AGEAcgBpAGEAYgBsAGUAuLWYAgcATwByAGwAaQBkAG8AYwDYtZgCEABBAGQAcgBpAGEAbgAgAE0A YwBDAHUAbABsAGEAZwBoAA0ARwBhAGQAZQBuAHMAIABNAGEAcwB0AGUAcgAEAHQAcgB1AGUA/0Bc XFBSSU5UX1NFUlZFUlxQbGFpbl9Db21UZWNoAE5lMDE6AHdpbnNwb29sAFhlcm94IERvY3VQcmlu dCBOMjQvTjMyIFBTMgBcXFBSSU5UX1NFUlZFUlxQbGFpbl9Db21UZWNoAAAAAAEEAAScALQGE9cB AAEACQCaCzQIZAABAA8AWAIBAAEAAAADAAAAQTQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQ UklW4hAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAECcQJxAnAAAQJwAAAAAAAAAA6kUH AP8E/wAB/wEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAB AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAQAAAAEAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQBkAG0AaQBu AGkAcwB0AHIAYQB0AG8AcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAADEAOQA5ADkAMAA5ADIAMQAwADAAMAAwADAAMAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQABABcA FwAXAAEAAAABAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAA AAAEAABcXFBSSU5UX1NFUlZFUlxQbGFpbl9Db21UZWNoAAAAAAEEAAScALQGE9cBAAEACQCaCzQI ZAABAA8AWAIBAAEAAAADAAAAQTQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQUklW4hAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAECcQJxAnAAAQJwAAAAAAAAAA6kUHAP8E/wAB/wEA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAABAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAA AAEAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQBkAG0AaQBuAGkAcwB0AHIA YQB0AG8AcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAADEAOQA5ADkAMAA5ADIAMQAwADAAMAAwADAAMAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQABABcAFwAXAAEAAAAB AAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAEAAACEAAA AAAAAABvjQAAMAAACABAAAAIAAAARxaQAQAAAgIGAwUEBQIDBIcCAAAAAAAAAAAAAAAAAACfAAAA AAAAAFQAaQBtAGUAcwAgAE4AZQB3ACAAUgBvAG0AYQBuAAAANRaQAQIABQUBAgEHBgIFBwAAAAAA AAAQAAAAAAAAAAAAAACAAAAAAFMAeQBtAGIAbwBsAAAAMyaQAQAAAgsGBAICAgICBIcCAAAAAAAA AAAAAAAAAACfAAAAAAAAAEEAcgBpAGEAbAAAAEUWkAEAAAIDCQQFAwYCBwSHAAAAAAAAAAAAAAAA AAAAGwAAAAAAAABCAGUAbgBnAHUAaQBhAHQAIABCAGsAIABCAFQAAABZEpABAAkAAAAAAAAAAAAA AwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAATgBlAHcAIABZAG8AcgBrAAAAVABpAG0AZQBzACAATgBl AHcAIABSAG8AbQBhAG4AAABvFpABABMCBAYEBQUFAgMEAwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAA QwBlAG4AdAB1AHIAeQAgAFMAYwBoAG8AbwBsAGIAbwBvAGsAAABOAGUAdwBDAGUAbgB0AHUAcgB5 AFMAYwBoAGwAYgBrAAAAPzWQAQAAAgcDCQICBQIEBIcCAAAAAAAAAAAAAAAAAACfAAAAAAAAAEMA bwB1AHIAaQBlAHIAIABOAGUAdwAAAG8GkAFNEwAAAAAAAAAAAAADAAAAAAAAAAAAAAAAAAAAAQAA AAAAAABOAGUAdwAgAEMAZQBuAHQAdQByAHkAIABTAGMAaABsAGIAawAAAE4AZQB3AEMAZQBuAHQA dQByAHkAUwBjAGgAbABiAGsAAAAiAAQAQQAIGIAFMQIAAAAAAAAAAIU8OUbSeTxmKZI7hhcAQgQA AMAPAADLWQAAAQAtAAAABACDgL8AAAA3PQAA71wBAAEAsgAAAOgCAAAAAAAAIQOABSuEAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAApQbAB7QAtACAADIwAAAQABkAZAAAABkAAABFbgAAJpoBAAAA AAA5fZw+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAP//EgAAAAAAPwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMA cgBvAHMAbwBmAHQAIABPAGYAZgBpAGMAZQBcAFQAZQBtAHAAbABhAHQAZQBzAFwAQgBGAE0AVABc AEEANAAgAC0AIABCAGwAYQBuAGsALgBkAG8AdAABAKkAAAAAAAAAEABBAGQAcgBpAGEAbgAgAE0A YwBDAHUAbABsAGEAZwBoABAAQQBkAHIAaQBhAG4AIABNAGMAQwB1AGwAbABhAGcAaAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP7/AAAEAAIAAAAAAAAAAAAAAAAA AAAAAAEAAADghZ/y+U9oEKuRCAArJ7PZMAAAAIABAAARAAAAAQAAAJAAAAACAAAAmAAAAAMAAACk AAAABAAAALAAAAAFAAAAzAAAAAcAAADYAAAACAAAAOwAAAAJAAAACAEAABIAAAAUAQAACgAAADAB AAALAAAAPAEAAAwAAABIAQAADQAAAFQBAAAOAAAAYAEAAA8AAABoAQAAEAAAAHABAAATAAAAeAEA AAIAAADkBAAAHgAAAAIAAACpAHMAHgAAAAEAAAAAAHMAHgAAABEAAABBZHJpYW4gTWNDdWxsYWdo AABkAB4AAAABAAAAAGRyaR4AAAALAAAAQTQgLSBCbGFuawBsHgAAABEAAABBZHJpYW4gTWNDdWxs YWdoAABkAB4AAAADAAAAMjMAaR4AAAATAAAATWljcm9zb2Z0IFdvcmQgOC4wAABAAAAAAAxwRZgA AABAAAAAAKb90UwxvwFAAAAAAN51rgf5vgFAAAAAADTVsnhGvwEDAAAAAQAAAAMAAADADwAAAwAA AMtZAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+/wAABAACAAAAAAAAAAAAAAAAAAAAAAACAAAA AtXN1ZwuGxCTlwgAKyz5rkQAAAAF1c3VnC4bEJOXCAArLPmuaAEAACQBAAAOAAAAAQAAAHgAAAAD AAAAgAAAAA8AAACYAAAABAAAALAAAAAFAAAAuAAAAAYAAADAAAAAEQAAAMgAAAAXAAAA0AAAAAsA AADYAAAAEAAAAOAAAAATAAAA6AAAABYAAADwAAAADQAAAPgAAAAMAAAABgEAAAIAAADkBAAAHgAA AA4AAABXb3JkIERvY3VtZW50AHByHgAAAA8AAABHYWRlbnMgTGF3eWVycwByAwAAAPkqAAADAAAA vwAAAAMAAAAtAAAAAwAAAEVuAAADAAAAMRUIAAsAAAAAAAAACwAAAAAAAAALAAAAAAAAAAsAAAAA AAAAHhAAAAEAAAACAAAAqQAMEAAAAgAAAB4AAAAGAAAAVGl0bGUAAwAAAAEAAAC4BQAACAAAAAAA AABIAAAAAQAAAMQAAAACAAAAzAAAAAMAAAAkAQAABAAAAIgFAAAFAAAAlAUAAAYAAACgBQAABwAA AKwFAAAGAAAAAgAAAAoAAABfUElEX0dVSUQAAwAAAAwAAABfUElEX0hMSU5LUwAEAAAAEAAAAHBy T3BlcmF0b3JfaW5pdAAFAAAACQAAAHByTWF0dGVyAAYAAAAOAAAAcHJBdXRob3JfSW5pdAAHAAAA CwAAAHByRG9jX1R5cGUAAgAAAOQEAABBAAAATgAAAHsANQA3ADEANwA3ADkAOQBCAC0AOQA4AEYA RgAtADEAMQBEADEALQBCADEAOABCAC0AMAAwAEEAMABDADkAOABBAEIANgBEAEUAfQAAAAAAQQAA AFwEAAAqAAAAAwAAACgAPAADAAAAEgAAAAMAAAAAAAAAAwAAAAUAAAAfAAAAQwAAAGgAdAB0AHAA OgAvAC8AdwB3AHcALgBuAGMAaQBwAGgAZQByAC4AYwBvAG0ALwBwAHIAbwBkAHUAYwB0AHMALwBm AGkAbABlAHMALwBwAGEAcABlAHIAcwAvAGEAbgBnAHUAaQBsAGwAYQAvAGsAZQB5AGgAaQBkAGUA MgAuAHAAZABmAAAAAAAfAAAAAQAAAAAAAAADAAAAYQBlAAMAAAAPAAAAAwAAAAAAAAADAAAABQAA AB8AAAAwAAAAaAB0AHQAcAA6AC8ALwBsAGEAdwAuAGcAbwB2AC4AYQB1AC8AYQBnAGgAbwBtAGUA LwBhAGQAdgBpAHMAbwByAHkALwBlAGMAZQBnAC8AZQBjAGUAZwAuAGgAdABtAAAAHwAAAAEAAAAA AAAAAwAAADUAbgADAAAADAAAAAMAAAAAAAAAAwAAAAUAAAAfAAAAOwAAAGgAdAB0AHAAOgAvAC8A dwB3AHcALgBsAGEAdwAuAHUAbgBzAHcALgBlAGQAdQAuAGEAdQAvAHUAbgBzAHcAbABqAC8AZQBj AG8AbQBtAGUAcgBjAGUALwBtAGMAYwB1AGwAbABhAGcAaAAuAGgAdABtAGwAAAAAAB8AAAABAAAA AAAAAAMAAABTAE0AAwAAAAkAAAADAAAAAAAAAAMAAAAFAAAAHwAAADYAAABoAHQAdABwADoALwAv AHcAdwB3AC4AdQBuAC4AbwByAC4AYQB0AC8AdQBuAGMAaQB0AHIAYQBsAC8AdABlAHgAdABzAC8A ZQBsAGUAYwB0AGMAbwBtAC8AbQBsAC0AZQBjAC4AaAB0AG0AAAAfAAAAAQAAAAAAAAADAAAANQBu AAMAAAAGAAAAAwAAAAAAAAADAAAABQAAAB8AAAA7AAAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGwA YQB3AC4AdQBuAHMAdwAuAGUAZAB1AC4AYQB1AC8AdQBuAHMAdwBsAGoALwBlAGMAbwBtAG0AZQBy AGMAZQAvAG0AYwBjAHUAbABsAGEAZwBoAC4AaAB0AG0AbAAAAAAAHwAAAAEAAAAAAAAAAwAAAAsA HgADAAAAAwAAAAMAAAAAAAAAAwAAAAUAAAAfAAAAMgAAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBh AGIAYQBuAGUAdAAuAG8AcgBnAC8AcwBjAGkAdABlAGMAaAAvAGUAYwAvAGkAcwBjAC8AZABzAGcA ZgByAGUAZQAuAGgAdABtAGwAAAAfAAAAAQAAAAAAAAADAAAATgBeAAMAAAAAAAAAAwAAAAAAAAAD AAAABQAAAB8AAAAiAAAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGIAaQBzAC4AbwByAGcALwBwAHUA YgBsAC8AaQBuAGQAZQB4AC4AaAB0AG0AAAAfAAAAAQAAAAAAAAAeAAAABAAAAFRYQwAeAAAAAQAA AABYQwAeAAAABAAAAEFKTQAeAAAAAgAAAGQATQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAIAAAADAAAABAAAAAUAAAAGAAAABwAAAAgAAAAJAAAA CgAAAAsAAAAMAAAADQAAAA4AAAAPAAAAEAAAABEAAAASAAAAEwAAABQAAAAVAAAAFgAAABcAAAAY AAAAGQAAABoAAAAbAAAAHAAAAB0AAAAeAAAAHwAAACAAAAAhAAAAIgAAACMAAAAkAAAAJQAAACYA AAAnAAAAKAAAACkAAAAqAAAAKwAAACwAAAAtAAAALgAAAC8AAAAwAAAAMQAAADIAAAAzAAAANAAA ADUAAAA2AAAANwAAADgAAAA5AAAAOgAAADsAAAA8AAAAPQAAAD4AAAA/AAAAQAAAAEEAAABCAAAA QwAAAEQAAABFAAAARgAAAEcAAABIAAAASQAAAEoAAABLAAAATAAAAE0AAABOAAAATwAAAFAAAABR AAAAUgAAAFMAAABUAAAAVQAAAFYAAABXAAAAWAAAAFkAAABaAAAAWwAAAFwAAABdAAAAXgAAAP7/ //9gAAAAYQAAAGIAAABjAAAAZAAAAGUAAABmAAAA/v///2gAAABpAAAAagAAAGsAAABsAAAAbQAA AG4AAABvAAAAcAAAAHEAAAByAAAAcwAAAHQAAAB1AAAAdgAAAHcAAAB4AAAAeQAAAHoAAAB7AAAA fAAAAH0AAAB+AAAAfwAAAIAAAACBAAAAggAAAIMAAACEAAAA/v///4YAAACHAAAAiAAAAIkAAACK AAAAiwAAAIwAAAD+////jgAAAI8AAACQAAAAkQAAAJIAAACTAAAAlAAAAP7////9/////f///5gA AAD+/////v////7///////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////1IAbwBvAHQAIABFAG4AdAByAHkAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWAAUB//////////8DAAAABgkCAAAAAADAAAAAAAAA RgAAAADAtRTPB/m+AUDTg8p4Rr8BmgAAAIAAAAAAAAAARABhAHQAYQAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAgH///////////////8A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfAAAAABAAAAAAAAAxAFQAYQBiAGwA ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgAC AAEAAAD//////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGcAAADoOwAA AAAAAFcAbwByAGQARABvAGMAdQBtAGUAbgB0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAaAAIBBgAAAAUAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAEC8AAAAAAAABQBTAHUAbQBtAGEAcgB5AEkAbgBmAG8AcgBtAGEAdABpAG8AbgAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgAAgH///////////////8AAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAACFAAAAABAAAAAAAAAFAEQAbwBjAHUAbQBlAG4AdABTAHUAbQBt AGEAcgB5AEkAbgBmAG8AcgBtAGEAdABpAG8AbgAAAAAAAAAAAAAAOAACAQQAAAD//////////wAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI0AAAAAEAAAAAAAAAEAQwBvAG0AcABP AGIAagAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASAAIB AgAAAAcAAAD/////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGoAAAAA AAAATwBiAGoAZQBjAHQAUABvAG8AbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAABYAAQD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAEDTg8p4Rr8BQNOD ynhGvwEAAAAAAAAAAAAAAAABAAAA/v////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////wEA/v8DCgAA/////wYJAgAAAAAAwAAAAAAAAEYYAAAATWljcm9zb2Z0 IFdvcmQgRG9jdW1lbnQACgAAAE1TV29yZERvYwAQAAAAV29yZC5Eb2N1bWVudC44APQ5snEAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA ------_=_NextPart_000_01C0BE2B.043EA760-- Received: from thunder.dstc.qut.edu.au (thunder.dstc.qut.edu.au [131.181.71.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA17172 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 14:00:12 -0700 (PDT) Received: from dstc.qut.edu.au (datsun.dstc.qut.edu.au [131.181.71.19]) by thunder.dstc.qut.edu.au (8.10.1/8.10.1) with ESMTP id f35L01m27649; Fri, 6 Apr 2001 07:00:05 +1000 (EST) Message-Id: <200104052100.f35L01m27649@thunder.dstc.qut.edu.au> To: Russ Housley <rhousley@rsasecurity.com> cc: ietf-pkix@imc.org Subject: Re: A standard encoding for Certification Paths In-reply-to: Your message of "Thu, 05 Apr 2001 14:19:32 -0400." <5.0.1.4.2.20010405141739.01c2b190@exna07.securitydynamics.com> Date: Fri, 06 Apr 2001 07:00:00 +1000 From: Dean Povey <povey@dstc.qut.edu.au> >Sean: > >You are right, but I want to explain why RFC 2630 uses a SET OF construct >for certificates. We do not assume that each of the recipients has the >same trust anchors as the originator. Therefore, the "bag of certificates" >provided might help construct certification paths to any number of >potential trust anchors. > Although just to be a grouch, the exact same semantics could have been achieved using a SEQUENCE OF and saying that it is not ordered, as SET OF is a pain in the butt to encode with DER. But let us not start on what is wrong with PKCS#7/CMS, as we could be here for a long time :-). Degenerate PKCS#7/CMS SignedData indeed seems to be the most common method to pass around cert paths, which although something of an insanity is a small insanity in a very large universe of insanities. SEQUENCE OF Certificate is also not uncommon, and Polar's method of just streaming the Certificates without wrapping them up in a higher level ASN.1 structure is the way it is done in SSL/TLS. Cheers. -- Dean Povey, | e-m: povey@dstc.edu.au | JCSI: Java Crypto Toolkit Research Scientist | ph: +61 7 3864 5120 | uPKI: C PKI toolkit for embedded Security Unit, DSTC | fax: +61 7 3864 1282 | systems Brisbane, Australia | www: security.dstc.com | Received: from mtiwmhc27.worldnet.att.net (mtiwmhc27.worldnet.att.net [204.127.131.52]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA15870 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 13:45:54 -0700 (PDT) Received: from barth ([12.82.142.35]) by mtiwmhc27.worldnet.att.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with SMTP id <20010405204524.ZJDE4349.mtiwmhc27.worldnet.att.net@barth>; Thu, 5 Apr 2001 20:45:24 +0000 From: "Dr. JohnDavid Hascup" <jdhascup@att.net> To: "Aisenberg, Michael" <maisenberg@netsol.com>, <ietf-pkix@imc.org> Subject: RE: Meaning of Non-repudiation Date: Thu, 5 Apr 2001 13:44:41 -0700 Message-ID: <LOBBLCKKJBEHIDHDEPBBOEKCCDAA.jdhascup@att.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0008_01C0BDD6.9102BA60" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <3309B573228FD411AF4500D0B784A14801DE02E4@netsol-nic-ex01.prod.netsol.com> This is a multi-part message in MIME format. ------=_NextPart_000_0008_01C0BDD6.9102BA60 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Meaning of Non-repudiationMichael I wish the issue was as simple as you desire it. Unfortunately when making use of PKI in the legal world there is always an added complexity. I would love to see non-repudiation as a non-issue, but having been in the discussion over the years, it is the one issue that I continually faced at a table with legal councils. I know that this list has quite often been faced with this and many points were discussed with passion. Within the ABA the discussion has been also quite active and gone on for years. Attempts were made to come to a common "legal" understanding, unfortunately, until the legal councils I have to interact with see decisions in a court related to non-repudiation by use of a certificate they continue to make it hard for the acceptance of PKI in a legal market. But I have no doubt that as with other new technologies the real world will force lawyers to make use of it. I know this seems strange given the history of questions surrounding the introduction of any new technology by the legal market (privileged related to faxes, then cell phones, and even email) and the eventual defining of the issues. But in each of those cases the legal community came to its decisions not on the basis of the technology but rather on the basis of court decisions. This may not be so for every market. Financial contracts and e-commerce seems to have evolved with less issues surrounding non-repudiation in the real world. But in the legal industry in which I am most familiar there are always caveats and pages of interpretation to somehow work through. RFCs are easy compared to the legal papers I have had to come to grips with. Dr. JohnDavid Hascup Senior Security Architect ELF Technologies -----Original Message----- From: Aisenberg, Michael [mailto:maisenberg@netsol.com] Sent: Thursday, April 05, 2001 1:01 PM To: 'Dr. JohnDavid Hascup'; Dave Oshman; ietf-pkix@imc.org Subject: RE: Meaning of Non-repudiation Am I missing something--Isn't the concept of non-repudiation to be framed against the precedent of "repudiation" in the Code----2-610. Isn't the point of this great adventure to develop a common syntax for deployment of certificate policies, not draw distinctions and create arguments for exceptions. Complexities of this sort strike me as being at the heart of marketplace resistance.... Michael Aisenberg ------=_NextPart_000_0008_01C0BDD6.9102BA60 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>Meaning of Non-repudiation</TITLE> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 5.50.4611.1300" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D030052820-05042001>Michael I wish the issue was as simple as you = desire=20 it. Unfortunately when making use of PKI in the legal world there is = always an=20 added complexity. I would love to see non-repudiation as a non-issue, = but having=20 been in the discussion over the years, it is the one issue that I = continually=20 faced at a table with legal councils. I know that this list has quite = often been=20 faced with this and many points were discussed with passion. Within the = ABA the=20 discussion has been also quite active and gone on for years. Attempts = were made=20 to come to a common "legal" understanding, unfortunately, until the = legal=20 councils I have to interact with see decisions in a court related = to=20 non-repudiation by use of a certificate they continue to make it hard = for the=20 acceptance of PKI in a legal market. But I have no doubt that as with = other new=20 technologies the real world will force lawyers to make use of=20 it.</SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D030052820-05042001></SPAN></FONT> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D030052820-05042001>I know=20 this seems strange given the history of questions surrounding the = introduction=20 of any new technology by the legal market (privileged related to faxes, = then=20 cell phones, and even email) and the eventual defining of the issues. = But in=20 each of those cases the legal community came to its decisions not on the = basis=20 of the technology but rather on the basis of court decisions.=20 </SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D030052820-05042001></SPAN></FONT> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D030052820-05042001>This=20 may not be so for every market. Financial contracts and e-commerce seems = to have=20 evolved with less issues surrounding non-repudiation in the real world. = But in=20 the legal industry in which I am most familiar there are always caveats = and=20 pages of interpretation to somehow work through. RFCs are easy compared = to the=20 legal papers I have had to come to grips with.</SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D030052820-05042001></SPAN></FONT> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D030052820-05042001>Dr.=20 JohnDavid Hascup</SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D030052820-05042001>Senior=20 Security Architect</SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D030052820-05042001>ELF=20 Technologies</SPAN></FONT></DIV> <BLOCKQUOTE dir=3Dltr style=3D"MARGIN-RIGHT: 0px"> <DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Aisenberg, Michael = [mailto:maisenberg@netsol.com]<BR><B>Sent:</B> Thursday, April 05, = 2001 1:01=20 PM<BR><B>To:</B> 'Dr. JohnDavid Hascup'; Dave Oshman;=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: Meaning of=20 Non-repudiation<BR><BR></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D013505619-05042001>Am I=20 missing something--Isn't the concept of non-repudiation to be framed = against=20 the precedent of "repudiation" in the = Code----2-610.</SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D013505619-05042001></SPAN></FONT> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D013505619-05042001>Isn't the point of this great adventure to = develop a=20 common syntax for deployment of certificate policies, not draw = distinctions=20 and</SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D013505619-05042001>create arguments for exceptions. = Complexities=20 of this sort strike me as being at the heart of marketplace=20 resistance....</SPAN></FONT></DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D013505619-05042001></SPAN></FONT> </DIV> <DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN = class=3D013505619-05042001> <P><B><I><FONT face=3D"Monotype Corsiva" size=3D4>Michael = Aisenberg</FONT></I></B>=20 <BR></P></SPAN></FONT></DIV> <BLOCKQUOTE dir=3Dltr style=3D"MARGIN-RIGHT: 0px"><FONT face=3DArial = color=3D#0000ff=20 size=3D2></FONT> </BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0008_01C0BDD6.9102BA60-- Received: from NETSOL-NIC-EX03.prod.netsol.com ([216.168.234.115]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA12973 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 13:03:00 -0700 (PDT) Received: by netsol-nic-ex03.prod.netsol.com with Internet Mail Service (5.5.2653.19) id <1Q9JYQYN>; Thu, 5 Apr 2001 15:59:13 -0400 Message-ID: <3309B573228FD411AF4500D0B784A14801DE02E4@netsol-nic-ex01.prod.netsol.com> From: "Aisenberg, Michael" <maisenberg@netsol.com> To: "'Dr. JohnDavid Hascup'" <jdhascup@att.net>, Dave Oshman <Dave.Oshman@identrus.com>, ietf-pkix@imc.org Subject: RE: Meaning of Non-repudiation Date: Thu, 5 Apr 2001 16:00:38 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0BE0B.15A61EE0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0BE0B.15A61EE0 Content-Type: text/plain; charset="iso-8859-1" Am I missing something--Isn't the concept of non-repudiation to be framed against the precedent of "repudiation" in the Code----2-610. Isn't the point of this great adventure to develop a common syntax for deployment of certificate policies, not draw distinctions and create arguments for exceptions. Complexities of this sort strike me as being at the heart of marketplace resistance.... Michael Aisenberg -----Original Message----- From: Dr. JohnDavid Hascup [mailto:jdhascup@att.net] Sent: Thursday, April 05, 2001 1:15 PM To: Dave Oshman; ietf-pkix@imc.org Subject: RE: Meaning of Non-repudiation Dave -----Original Message----- From: Dave Oshman [mailto:Dave.Oshman@identrus.com] Sent: Thursday, April 05, 2001 9:24 AM To: ietf-pkix@imc.org Subject: Meaning of Non-repudiation I am trying to clarify the meaning of non-repudiation (as defined by the technology standards) for our legal counsel. 2459 says this about non-repudiation: [JDH] this is the abyss of PKI. Having spent over three years working with legal counsel on how to understand non-repudiation I have yet to find a viable "legal" interpretation of the technological protocol. I think the past year Tom Grindin was developing a "technical non-repudiation" draft which I think has lapsed as of the past meeting in Minneapolis. It was an attempt to ground non-repudiation with a meaning that would be "legal" neutral but protocol specific. The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures used to provide a non- repudiation service which protects against the signing entity falsely denying some action, excluding certificate or CRL signing. The question is what does "some action" mean? Is the action merely signing the transaction? Or, is the action perhaps committing to the terms described in the signed transaction? To rephrase: Is non-repudiation stating simply that I, Dave Oshman, signed this document? Or, is it supposed to mean that I, Dave Oshman, attest that I am committing myself (or my company) to the terms described herein? [JDH] IMO "legal" non-repudiation must be set via the entire environment of the PKI as specifically defined in whatever policies the RP sets. This means that it is the RP's use of the bit or non-use that is important. The reason I felt this was due to the fact that once the question enters the court it, the technical setting of the bit is not what is important but rather the interpretation placed upon it by the RP and thus the EE. Apart from a "clear stated policy" of what the RP intends for it's understanding of non-repudiation the technical aspects are meaningless. The asserting of the bit must be given meaning in the context of the environment and cannot have a meaning legally apart from that environment. Therefore, your second meaning can only be grounded in the policies set by the environment in which you are signing and not in the technical underlying protocol. As for the first, at most, one can argue that the cert granted to you signed. This is why we had such a difficult time moving "technical" non-repudiation into a legal context. What is the legal relationship between the certificate and the person to whom the cert was issued. The protocol can offer forensic evidence regarding the relationship and the actions of the cert but in and of itself offers no legal meaning. Is this more clearly defined in X.813 (ITU-T Recommendation X.8131) | ISO/IEC 10181-3:...1), Information technology - Open Systems Interconnection - Security Frameworks in Open Systems - Non-repudiation framework)? Can anyone snip a description of non-repudiation from X.813? Thanks! Dave Oshman Senior Vice President Technology Identrus LLC Dr. JohnDavid Hascup Senior Security Architect ELF Technologies ------_=_NextPart_001_01C0BE0B.15A61EE0 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>Meaning of Non-repudiation</TITLE> <META content="MSHTML 5.00.3013.2600" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=013505619-05042001>Am I missing something--Isn't the concept of non-repudiation to be framed against the precedent of "repudiation" in the Code----2-610.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=013505619-05042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=013505619-05042001>Isn't the point of this great adventure to develop a common syntax for deployment of certificate policies, not draw distinctions and</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=013505619-05042001>create arguments for exceptions. Complexities of this sort strike me as being at the heart of marketplace resistance....</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=013505619-05042001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=013505619-05042001> <P><B><I><FONT face="Monotype Corsiva" size=4>Michael Aisenberg</FONT></I></B> <BR></P></SPAN></FONT></DIV> <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"> <DIV align=left class=OutlookMessageHeader dir=ltr><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Dr. JohnDavid Hascup [mailto:jdhascup@att.net]<BR><B>Sent:</B> Thursday, April 05, 2001 1:15 PM<BR><B>To:</B> Dave Oshman; ietf-pkix@imc.org<BR><B>Subject:</B> RE: Meaning of Non-repudiation<BR><BR></DIV></FONT> <DIV><SPAN class=520255216-05042001><FONT color=#0000ff face=Arial size=2>Dave</FONT></SPAN></DIV> <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"> <DIV align=left class=OutlookMessageHeader dir=ltr><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Dave Oshman [mailto:Dave.Oshman@identrus.com]<BR><B>Sent:</B> Thursday, April 05, 2001 9:24 AM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B> Meaning of Non-repudiation<BR><BR></FONT></DIV> <P><FONT size=2>I am trying to clarify the meaning of non-repudiation (as defined by the technology standards) for our legal counsel. 2459 says this about non-repudiation:<BR><SPAN class=520255216-05042001><FONT color=#0000ff face=Arial>[JDH] this is the abyss of PKI. Having spent over three years working with legal counsel on how to understand non-repudiation I have yet to find a viable "legal" interpretation of the technological protocol. I think the past year Tom Grindin was developing a "technical non-repudiation" draft which I think has lapsed as of the past meeting in Minneapolis. It was an attempt to ground non-repudiation with a meaning that would be "legal" neutral but protocol specific.</FONT></SPAN></FONT></P> <P><FONT size=2> The nonRepudiation bit is asserted when the subject public key is</FONT> <BR><FONT size=2> used to verify digital signatures used to provide a non-</FONT> <BR><FONT size=2> repudiation service which protects against the signing entity</FONT> <BR><FONT size=2> falsely denying some action, excluding certificate or CRL signing.</FONT> </P> <P><FONT size=2>The question is what does "some action" mean? Is the action merely signing the transaction? Or, is the action perhaps committing to the terms described in the signed transaction?</FONT></P> <P><FONT size=2>To rephrase: Is non-repudiation stating simply that I, Dave Oshman, signed this document? Or, is it supposed to mean that I, Dave Oshman, attest that I am committing myself (or my company) to the terms described herein?<BR><SPAN class=520255216-05042001><FONT color=#0000ff face=Arial>[JDH] <SPAN class=520255216-05042001><FONT color=#0000ff face=Arial size=2>IMO "legal" non-repudiation must be set via the entire environment of the PKI as specifically defined in whatever policies the RP sets. This means that it is the RP's use of the bit or non-use that is important. The reason I felt this was due to the fact that once the question enters the court it, the technical setting of the bit is not what is important but rather the interpretation placed upon it by the RP and thus the EE. Apart from a "clear stated policy" of what the RP intends for it's understanding of non-repudiation the technical aspects are meaningless. The asserting of the bit must be given meaning in the context of the environment and cannot have a meaning legally apart from that environment.</FONT></SPAN> Therefore, your second meaning can only be grounded in the policies set by the environment in which you are signing and not in the technical underlying protocol. As for the first, at most, one can argue that the cert granted to you signed. This is why we had such a difficult time moving "technical" non-repudiation into a legal context. What is the legal relationship between the certificate and the person to whom the cert was issued. The protocol can offer forensic evidence regarding the relationship and the actions of the cert but in and of itself offers no legal meaning.</FONT></SPAN></FONT></P> <P><FONT color=#0000ff face=Arial size=2><SPAN class=520255216-05042001></SPAN></FONT><FONT color=#0000ff face=Arial size=2><SPAN class=520255216-05042001></SPAN></FONT> </P> <P><FONT size=2>Is this more clearly defined in X.813 (ITU-T Recommendation X.8131) | ISO/IEC 10181-3:...1), Information technology - Open Systems Interconnection - Security Frameworks in Open Systems - Non-repudiation framework)? Can anyone snip a description of non-repudiation from X.813?</FONT></P> <P><FONT size=2>Thanks!</FONT> <BR><FONT size=2>Dave Oshman </FONT><BR><FONT size=2>Senior Vice President </FONT><BR><FONT size=2>Technology </FONT><BR><FONT size=2>Identrus LLC</FONT> <BR></P><SPAN class=520255216-05042001><FONT color=#0000ff face=Arial size=2></FONT></SPAN></BLOCKQUOTE> <BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"> <DIV><SPAN class=520255216-05042001><FONT color=#0000ff face=Arial size=2>Dr. JohnDavid Hascup</FONT></SPAN></DIV> <DIV><SPAN class=520255216-05042001><FONT color=#0000ff face=Arial size=2>Senior Security Architect</FONT></SPAN></DIV> <DIV><SPAN class=520255216-05042001><FONT color=#0000ff face=Arial size=2>ELF Technologies</FONT></SPAN></DIV></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0BE0B.15A61EE0-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA06889 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 11:50:08 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 5 Apr 2001 18:47:44 UT Received: from HOUSLEY-LAP.rsasecurity.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA12727; Thu, 5 Apr 2001 14:49:51 -0400 (EDT) Message-Id: <5.0.1.4.2.20010405141739.01c2b190@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 05 Apr 2001 14:19:32 -0400 To: Sean Mullan <sean.mullan@sun.com> From: Russ Housley <rhousley@rsasecurity.com> Subject: Re: A standard encoding for Certification Paths Cc: ietf-pkix@imc.org In-Reply-To: <3ACC9086.439C4EA1@sun.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sean: You are right, but I want to explain why RFC 2630 uses a SET OF construct for certificates. We do not assume that each of the recipients has the same trust anchors as the originator. Therefore, the "bag of certificates" provided might help construct certification paths to any number of potential trust anchors. Russ At 04:34 PM 4/5/2001 +0100, Sean Mullan wrote: >X.509 defines several ASN.1 structures for encoding a >certification path: > >Certificates ::= SEQUENCE { > userCertificate Certificate, > certificationPath ForwardCertificationPath OPTIONAL } > >CertificationPath ::= SEQUENCE { > userCertificate Certificate, > theCACertificates SEQUENCE OF CertificatePair OPTIONAL } > >ForwardCertificationPath ::= SEQUENCE OF CrossCertificates >CrossCertificates ::= SET OF Certificate > >CertificatePair ::= SEQUENCE { > forward [0] Certificate OPTIONAL, > reverse [1] Certificate OPTIONAL > -- at least one of the pair shall be present -- } > >But they all seem a bit more complex than necessary. A much >simpler structure should be sufficient for most applications: > >CertificationPath ::= SEQUENCE OF Certificate > >where the SEQUENCE OF Certificates are ordered from the end-entity >certificate to the certificate issued by the trust anchor. > >It seems that a standard, simple ASN.1 format for representing an >ordered certification path is useful and is missing. > >Has anyone else faced this issue and if so can you suggest any solutions >or other possible standard encoding formats not mentioned above? Note that >a PKCS #7 SignedData object is not a good solution, since it uses >an ASN.1 SET OF construct to hold certificates, thus the order may not be >preserved. > >Thanks, >Sean Received: from marcy.adiron.com (root@[128.230.111.5]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA05303 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 11:34:55 -0700 (PDT) Received: from localhost (polar@localhost) by marcy.adiron.com (8.10.2/8.10.2) with ESMTP id f35ISbM18862; Thu, 5 Apr 2001 18:28:37 GMT X-Authentication-Warning: marcy.adiron.com: polar owned process doing -bs Date: Thu, 5 Apr 2001 14:28:37 -0400 (EDT) From: Polar Humenn <polar@adiron.com> To: Sean Mullan <sean.mullan@sun.com> cc: <ietf-pkix@imc.org> Subject: Re: A standard encoding for Certification Paths In-Reply-To: <3ACC9086.439C4EA1@sun.com> Message-ID: <Pine.LNX.4.33.0104051308020.17352-100000@marcy.adiron.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Hi, Comment below: On Thu, 5 Apr 2001, Sean Mullan wrote: > X.509 defines several ASN.1 structures for encoding a > certification path: > > Certificates ::= SEQUENCE { > userCertificate Certificate, > certificationPath ForwardCertificationPath OPTIONAL } > > CertificationPath ::= SEQUENCE { > userCertificate Certificate, > theCACertificates SEQUENCE OF CertificatePair OPTIONAL } > > ForwardCertificationPath ::= SEQUENCE OF CrossCertificates > CrossCertificates ::= SET OF Certificate > > CertificatePair ::= SEQUENCE { > forward [0] Certificate OPTIONAL, > reverse [1] Certificate OPTIONAL > -- at least one of the pair shall be present -- } > > But they all seem a bit more complex than necessary. A much > simpler structure should be sufficient for most applications: > > CertificationPath ::= SEQUENCE OF Certificate I believe the lowest common denominator for a sequence of certificates is exactly that, a stream of ASN.1 Certificate encodings. Each ASN.1 Certificate object already has an encoded length, and is therefore each object (certificate) is extractable from the stream. Anyway, a byte stream is what sits behind the ASN.1 Sequence Header. Usually, if you have such a stream, such as a file or a byte buffer, it is encapsulated so that the length of the sequence is determinable from other means, either by the length of the file, or buffer. So, the ASN.1 sequence header information is really redundant. Isn't it? IMHO, the only reason to standardize such a format, i.e. make an ASN.1 object out of a sequence of certificates, would be to place it inside other ASN.1 object. However, that is easily accomplished by inserting member SEQUENCE OF Certificate inside the object's description. Cheers, -Polar > where the SEQUENCE OF Certificates are ordered from the end-entity > certificate to the certificate issued by the trust anchor. > > It seems that a standard, simple ASN.1 format for representing an > ordered certification path is useful and is missing. > > Has anyone else faced this issue and if so can you suggest any solutions > or other possible standard encoding formats not mentioned above? Note that > a PKCS #7 SignedData object is not a good solution, since it uses > an ASN.1 SET OF construct to hold certificates, thus the order may not be > preserved. > > Thanks, > Sean > Received: from mtiwmhc24.worldnet.att.net (mtiwmhc24.worldnet.att.net [204.127.131.49]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA00722 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 10:16:18 -0700 (PDT) Received: from barth ([12.82.137.231]) by mtiwmhc24.worldnet.att.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with SMTP id <20010405171533.XUJS10838.mtiwmhc24.worldnet.att.net@barth>; Thu, 5 Apr 2001 17:15:33 +0000 From: "Dr. JohnDavid Hascup" <jdhascup@att.net> To: "Dave Oshman" <Dave.Oshman@identrus.com>, <ietf-pkix@imc.org> Subject: RE: Meaning of Non-repudiation Date: Thu, 5 Apr 2001 10:14:35 -0700 Message-ID: <LOBBLCKKJBEHIDHDEPBBEEJPCDAA.jdhascup@att.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0002_01C0BDB9.36E2B340" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <2B55DABB95C4D4119C1300508BD953F114420B@BLUE01> This is a multi-part message in MIME format. ------=_NextPart_000_0002_01C0BDB9.36E2B340 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Meaning of Non-repudiationDave -----Original Message----- From: Dave Oshman [mailto:Dave.Oshman@identrus.com] Sent: Thursday, April 05, 2001 9:24 AM To: ietf-pkix@imc.org Subject: Meaning of Non-repudiation I am trying to clarify the meaning of non-repudiation (as defined by the technology standards) for our legal counsel. 2459 says this about non-repudiation: [JDH] this is the abyss of PKI. Having spent over three years working with legal counsel on how to understand non-repudiation I have yet to find a viable "legal" interpretation of the technological protocol. I think the past year Tom Grindin was developing a "technical non-repudiation" draft which I think has lapsed as of the past meeting in Minneapolis. It was an attempt to ground non-repudiation with a meaning that would be "legal" neutral but protocol specific. The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures used to provide a non- repudiation service which protects against the signing entity falsely denying some action, excluding certificate or CRL signing. The question is what does "some action" mean? Is the action merely signing the transaction? Or, is the action perhaps committing to the terms described in the signed transaction? To rephrase: Is non-repudiation stating simply that I, Dave Oshman, signed this document? Or, is it supposed to mean that I, Dave Oshman, attest that I am committing myself (or my company) to the terms described herein? [JDH] IMO "legal" non-repudiation must be set via the entire environment of the PKI as specifically defined in whatever policies the RP sets. This means that it is the RP's use of the bit or non-use that is important. The reason I felt this was due to the fact that once the question enters the court it, the technical setting of the bit is not what is important but rather the interpretation placed upon it by the RP and thus the EE. Apart from a "clear stated policy" of what the RP intends for it's understanding of non-repudiation the technical aspects are meaningless. The asserting of the bit must be given meaning in the context of the environment and cannot have a meaning legally apart from that environment. Therefore, your second meaning can only be grounded in the policies set by the environment in which you are signing and not in the technical underlying protocol. As for the first, at most, one can argue that the cert granted to you signed. This is why we had such a difficult time moving "technical" non-repudiation into a legal context. What is the legal relationship between the certificate and the person to whom the cert was issued. The protocol can offer forensic evidence regarding the relationship and the actions of the cert but in and of itself offers no legal meaning. Is this more clearly defined in X.813 (ITU-T Recommendation X.8131) | ISO/IEC 10181-3:...1), Information technology - Open Systems Interconnection - Security Frameworks in Open Systems - Non-repudiation framework)? Can anyone snip a description of non-repudiation from X.813? Thanks! Dave Oshman Senior Vice President Technology Identrus LLC Dr. JohnDavid Hascup Senior Security Architect ELF Technologies ------=_NextPart_000_0002_01C0BDB9.36E2B340 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>Meaning of Non-repudiation</TITLE> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 5.50.4611.1300" name=3DGENERATOR></HEAD> <BODY> <DIV><SPAN class=3D520255216-05042001><FONT face=3DArial color=3D#0000ff = size=3D2>Dave</FONT></SPAN></DIV> <BLOCKQUOTE dir=3Dltr style=3D"MARGIN-RIGHT: 0px"> <DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Dave Oshman=20 [mailto:Dave.Oshman@identrus.com]<BR><B>Sent:</B> Thursday, April 05, = 2001=20 9:24 AM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B> Meaning of=20 Non-repudiation<BR><BR></FONT></DIV> <P><FONT size=3D2>I am trying to clarify the meaning of = non-repudiation (as=20 defined by the technology standards) for our legal counsel. 2459 says = this=20 about non-repudiation:<BR><SPAN class=3D520255216-05042001><FONT = face=3DArial=20 color=3D#0000ff>[JDH] this is the abyss of PKI. Having spent over = three=20 years working with legal counsel on how to understand non-repudiation = I have=20 yet to find a viable "legal" interpretation of the technological = protocol. I=20 think the past year Tom Grindin was developing a "technical=20 non-repudiation" draft which I think has lapsed as of the past = meeting in=20 Minneapolis. It was an attempt to ground non-repudiation with a = meaning that=20 would be "legal" neutral but protocol = specific.</FONT></SPAN></FONT></P> <P><FONT size=3D2> The nonRepudiation bit is = asserted=20 when the subject public key is</FONT> <BR><FONT=20 size=3D2> used to verify digital = signatures used=20 to provide a non-</FONT> <BR><FONT = size=3D2> =20 repudiation service which protects against the signing entity</FONT> = <BR><FONT=20 size=3D2> falsely denying some action, = excluding=20 certificate or CRL signing.</FONT> </P> <P><FONT size=3D2>The question is what does "some action" mean? Is the = action=20 merely signing the transaction? Or, is the action perhaps committing = to the=20 terms described in the signed transaction?</FONT></P> <P><FONT size=3D2>To rephrase: Is non-repudiation stating simply that = I, Dave=20 Oshman, signed this document? Or, is it supposed to mean that I, Dave = Oshman,=20 attest that I am committing myself (or my company) to the terms = described=20 herein?<BR><SPAN class=3D520255216-05042001><FONT face=3DArial=20 color=3D#0000ff>[JDH] <SPAN class=3D520255216-05042001><FONT = face=3DArial=20 color=3D#0000ff size=3D2>IMO "legal" non-repudiation must be set via = the entire=20 environment of the PKI as specifically defined in whatever policies = the RP=20 sets. This means that it is the RP's use of the bit or non-use that is = important. The reason I felt this was due to the fact that once the = question=20 enters the court it, the technical setting of the bit is not what is = important=20 but rather the interpretation placed upon it by the RP and thus the = EE. Apart=20 from a "clear stated policy" of what the RP intends for it's = understanding of=20 non-repudiation the technical aspects are meaningless. The asserting = of the=20 bit must be given meaning in the context of the environment and cannot = have a=20 meaning legally apart from that = environment.</FONT></SPAN> Therefore,=20 your second meaning can only be grounded in the policies set by the=20 environment in which you are signing and not in the technical = underlying=20 protocol. As for the first, at most, one can argue that the cert = granted to=20 you signed. This is why we had such a difficult time moving = "technical"=20 non-repudiation into a legal context. What is the legal relationship = between=20 the certificate and the person to whom the cert was issued. The = protocol can=20 offer forensic evidence regarding the relationship and the actions of = the cert=20 but in and of itself offers no legal meaning.</FONT></SPAN></FONT></P> <P><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20 class=3D520255216-05042001></SPAN></FONT><FONT face=3DArial = color=3D#0000ff=20 size=3D2><SPAN class=3D520255216-05042001></SPAN></FONT> </P> <P><FONT size=3D2>Is this more clearly defined in X.813 (ITU-T = Recommendation=20 X.8131) | ISO/IEC 10181-3:...1), Information technology - Open Systems = Interconnection - Security Frameworks in Open Systems - = Non-repudiation=20 framework)? Can anyone snip a description of non-repudiation from=20 X.813?</FONT></P> <P><FONT size=3D2>Thanks!</FONT> <BR><FONT size=3D2>Dave Oshman = </FONT><BR><FONT=20 size=3D2>Senior Vice President </FONT><BR><FONT size=3D2>Technology=20 </FONT><BR><FONT size=3D2>Identrus LLC</FONT> <BR></P><SPAN=20 class=3D520255216-05042001><FONT face=3DArial color=3D#0000ff=20 size=3D2></FONT></SPAN></BLOCKQUOTE> <BLOCKQUOTE dir=3Dltr style=3D"MARGIN-RIGHT: 0px"> <DIV><SPAN class=3D520255216-05042001><FONT face=3DArial = color=3D#0000ff size=3D2>Dr.=20 JohnDavid Hascup</FONT></SPAN></DIV> <DIV><SPAN class=3D520255216-05042001><FONT face=3DArial = color=3D#0000ff=20 size=3D2>Senior Security Architect</FONT></SPAN></DIV> <DIV><SPAN class=3D520255216-05042001><FONT face=3DArial = color=3D#0000ff size=3D2>ELF=20 Technologies</FONT></SPAN></DIV></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0002_01C0BDB9.36E2B340-- Received: from blue01.identrus.com ([216.213.93.123]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA29456 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 09:26:00 -0700 (PDT) Received: by BLUE01 with Internet Mail Service (5.5.2653.19) id <G6T1YBBB>; Thu, 5 Apr 2001 12:24:04 -0400 Message-ID: <2B55DABB95C4D4119C1300508BD953F114420B@BLUE01> From: Dave Oshman <Dave.Oshman@identrus.com> To: ietf-pkix@imc.org Subject: Meaning of Non-repudiation Date: Thu, 5 Apr 2001 12:23:55 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0BDEC.CF21BC40" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0BDEC.CF21BC40 Content-Type: text/plain; charset="iso-8859-1" I am trying to clarify the meaning of non-repudiation (as defined by the technology standards) for our legal counsel. 2459 says this about non-repudiation: The nonRepudiation bit is asserted when the subject public key is used to verify digital signatures used to provide a non- repudiation service which protects against the signing entity falsely denying some action, excluding certificate or CRL signing. The question is what does "some action" mean? Is the action merely signing the transaction? Or, is the action perhaps committing to the terms described in the signed transaction? To rephrase: Is non-repudiation stating simply that I, Dave Oshman, signed this document? Or, is it supposed to mean that I, Dave Oshman, attest that I am committing myself (or my company) to the terms described herein? Is this more clearly defined in X.813 (ITU-T Recommendation X.8131) | ISO/IEC 10181-3:...1), Information technology - Open Systems Interconnection - Security Frameworks in Open Systems - Non-repudiation framework)? Can anyone snip a description of non-repudiation from X.813? Thanks! Dave Oshman Senior Vice President Technology Identrus LLC ------_=_NextPart_001_01C0BDEC.CF21BC40 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2653.12"> <TITLE>Meaning of Non-repudiation</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I am trying to clarify the meaning of non-repudiation = (as defined by the technology standards) for our legal counsel. 2459 = says this about non-repudiation:</FONT></P> <P><FONT SIZE=3D2> The nonRepudiation bit is = asserted when the subject public key is</FONT> <BR><FONT SIZE=3D2> used to verify = digital signatures used to provide a non-</FONT> <BR><FONT SIZE=3D2> repudiation service = which protects against the signing entity</FONT> <BR><FONT SIZE=3D2> falsely denying some = action, excluding certificate or CRL signing.</FONT> </P> <P><FONT SIZE=3D2>The question is what does "some action" = mean? Is the action merely signing the transaction? Or, is the action = perhaps committing to the terms described in the signed = transaction?</FONT></P> <P><FONT SIZE=3D2>To rephrase: Is non-repudiation stating simply that = I, Dave Oshman, signed this document? Or, is it supposed to mean that = I, Dave Oshman, attest that I am committing myself (or my company) to = the terms described herein?</FONT></P> <P><FONT SIZE=3D2>Is this more clearly defined in X.813 (ITU-T = Recommendation X.8131) | ISO/IEC 10181-3:...1), Information technology = - Open Systems Interconnection - Security Frameworks in Open Systems - = Non-repudiation framework)? Can anyone snip a description of = non-repudiation from X.813?</FONT></P> <P><FONT SIZE=3D2>Thanks!</FONT> <BR><FONT SIZE=3D2>Dave Oshman </FONT> <BR><FONT SIZE=3D2>Senior Vice President </FONT> <BR><FONT SIZE=3D2>Technology </FONT> <BR><FONT SIZE=3D2>Identrus LLC</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0BDEC.CF21BC40-- Received: from mail.funk.com (machine-22.funk.com [198.186.160.22] (may be forged)) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA26868 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 08:47:49 -0700 (PDT) Received: by machine-22.funk.com with Internet Mail Service (5.5.2653.19) id <H7V2SC0R>; Thu, 5 Apr 2001 11:48:53 -0400 Message-ID: <2D6D813F2AEBD411BC6C000103C42C9412AAD0@machine-22.funk.com> From: Aslam <aslam@funk.com> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: V3 Extensions Date: Thu, 5 Apr 2001 11:48:52 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" > Hi, > > I wanna know about some docs which give me datails about v3 > extensions like SubjectKeyIdentifier etc.. and how they r generated? > > Thanks > Aslam > Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA24077 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 08:34:30 -0700 (PDT) Received: from ireserver.Ireland.Sun.COM ([129.156.220.7]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id IAA05776 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 08:34:31 -0700 (PDT) Received: from sun.com (boston [129.156.220.153]) by ireserver.Ireland.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v2.1p1) with ESMTP id QAA27088; Thu, 5 Apr 2001 16:34:30 +0100 (BST) Sender: Sean.Mullan@sun.com Message-ID: <3ACC9086.439C4EA1@sun.com> Date: Thu, 05 Apr 2001 16:34:30 +0100 From: Sean Mullan <sean.mullan@sun.com> Organization: Sun Microsystems X-Mailer: Mozilla 4.75 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: A standard encoding for Certification Paths Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X.509 defines several ASN.1 structures for encoding a certification path: Certificates ::= SEQUENCE { userCertificate Certificate, certificationPath ForwardCertificationPath OPTIONAL } CertificationPath ::= SEQUENCE { userCertificate Certificate, theCACertificates SEQUENCE OF CertificatePair OPTIONAL } ForwardCertificationPath ::= SEQUENCE OF CrossCertificates CrossCertificates ::= SET OF Certificate CertificatePair ::= SEQUENCE { forward [0] Certificate OPTIONAL, reverse [1] Certificate OPTIONAL -- at least one of the pair shall be present -- } But they all seem a bit more complex than necessary. A much simpler structure should be sufficient for most applications: CertificationPath ::= SEQUENCE OF Certificate where the SEQUENCE OF Certificates are ordered from the end-entity certificate to the certificate issued by the trust anchor. It seems that a standard, simple ASN.1 format for representing an ordered certification path is useful and is missing. Has anyone else faced this issue and if so can you suggest any solutions or other possible standard encoding formats not mentioned above? Note that a PKCS #7 SignedData object is not a good solution, since it uses an ASN.1 SET OF construct to hold certificates, thus the order may not be preserved. Thanks, Sean Received: from plmta00.chello.pl (plmta00.chello.pl [213.46.248.62]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA02967 for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 03:41:07 -0700 (PDT) Message-Id: <200104051041.DAA02967@above.proper.com> Received: from hetnet.nl ([213.93.48.181]) by plmta00.chello.pl (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35) with SMTP id pl for <ietf-pkix@imc.org>; Thu, 5 Apr 2001 08:02:35 -0100 From: "Rita de Groot" <R.deGroot@hetnet.nl> To: <ietf-pkix@imc.org> Subject: huidziekte Sender: "Rita de Groot" <R.deGroot@hetnet.nl> Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Date: Thu, 5 Apr 2001 11:00:06 +0200 Content-Transfer-Encoding: 8bit Vijf jaar voordat deze foto's werden genomen werd bij mij diagnose reumatische artritis gesteld en als zodanig ook behandeld. Niets hielp. Toen de ziekte zich zo manifesteerde zoals u hieronder kunt zien.......... http://www.naardedokter.com/testimonials/sys_lup_eryth.htm Received: from exafix.addtrust.com ([212.112.175.83]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA27525 for <ietf-pkix@imc.org>; Wed, 4 Apr 2001 13:33:22 -0700 (PDT) Received: from santesson.addtrust.com ([62.20.231.85]) by exafix.addtrust.com with Microsoft SMTPSVC(5.0.2195.1600); Wed, 4 Apr 2001 22:32:13 +0200 Message-Id: <5.0.0.25.2.20010404222714.02a978b8@mail.addtrust.com> X-Sender: sts@mail.addtrust.com X-Mailer: QUALCOMM Windows Eudora Version 5.0 Date: Wed, 04 Apr 2001 22:33:35 +0200 To: Stephen Kent <kent@bbn.com> From: Stefan Santesson <stefan@addtrust.com> Subject: RE: Logotypes in certificates Cc: ietf-pkix@imc.org In-Reply-To: <p05010400b6ef9022503a@[128.33.4.39]> References: <5.0.0.25.2.20010402222124.033fbc38@mail.addtrust.com> <5.0.0.25.2.20010322185247.0420d990@mail.addtrust.com> < <D44EACB40164D311BEF00090274EDCCA1E740A@sydneymail1.zergo.com.au> <D44EACB40164D311BEF00090274EDCCA1E740A@sydneymail1.zergo.com.au> <5.0.0.25.2.20010322185247.0420d990@mail.addtrust.com> <5.0.0.25.2.20010402222124.033fbc38@mail.addtrust.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-OriginalArrivalTime: 04 Apr 2001 20:32:14.0359 (UTC) FILETIME=[55586270:01C0BD46] Steve, At 10:43 2001-04-03 -0400, Stephen Kent wrote: >I learned long ago that it's often a bad idea to agree to a concept >irrespective of a proposed means of achieving it. So, absent a concrete >proposal for HOW, I don't think we have consensus on WHETHER to pursue >this work item. That's why I proposed that you, as the prime mover behind >the idea, develop a comprehensive proposal for what you are trying to >achieve and how you propose to achieve it. if you can't find the time to >do that, then we will not pursue it. Well I will do my homework, including investigating other ways and foras to pursue this. If there is enough interest and consensus and if there is a general understanding that PKIX is the right place, then I will make sure that the material you ask for will be presented to the list. /Stefan Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA06021 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 14:00:31 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id RAA22223 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 17:00:32 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p0501041ab6efe961481e@[128.33.4.39]> In-Reply-To: <p0501040fb6efdaa4d1c0@[128.33.4.39]> References: <98536438424555@kahu.cs.auckland.ac.nz> <p05010400b6e1961baf8d@[128.33.4.39]> <p05100802b6e1aad52bbf@[165.227.249.20]> <p0501040bb6efb5d22afc@[128.33.4.39]> <p05100802b6efb8522a2a@[165.227.249.20]> <p0501040eb6efbec745a3@[128.33.4.39]> <p05100803b6efcacc8177@[165.227.249.20]> <p0501040fb6efdaa4d1c0@[128.33.4.39]> Date: Tue, 3 Apr 2001 16:58:48 -0400 To: ietf-pkix@imc.org From: Stephen Kent <kent@bbn.com> Subject: slides anyone Content-Type: text/plain; charset="us-ascii" ; format="flowed" Folks, I have submitted the corrected minutes for our last meeting, (cc'd to this list as well) and was about to submit the slides. But I have contributions only from Mike Myers and Denis Pinkas (and, of course, me). All other speakers from the PKIX WG meetings at the 50th IETF should send me their slides now, so that I can forward them to the secretariat. Thanks, Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA06022 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 14:00:31 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id RAA22220; Tue, 3 Apr 2001 17:00:31 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010417b6efe80ff8b5@[128.33.4.39]> Date: Tue, 3 Apr 2001 16:57:32 -0400 To: minutes@ietf.org From: Stephen Kent <kent@bbn.com> Subject: PKIX minutes Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" PKIX WG Meeting 3/20/01 Edited by Steve Kent (WG co-chairs) The PKIX WG met once during the 50th IETF. A total of approximately 155 individuals participated in the meeting. Tim quickly reviewed the agenda and document status, noting that there are many I-Ds in progress. (see slides) Two new RFCs: RFC 3029 Data Validation and Certification Server (Experimental) RFC 3039 Qualified Certificates (Proposed Standard) In the IESG Review Process: Timestamp Protocol (missing IANA considerations section) Attribute Certificate Profile (missing IANA considerations section and another issue) Soon to be Submitted to IESG: PKIX Roadmap (Informational) Permanent Identifier (Experimental?) Repository Locator Service (Experimental) In WG Last Call: Son-of-RFC 2459 Public Algorithms and Identifiers CRMF & CMP CMP/CRMF Interoperability results? Close to WG last call: OCSPv1 bis Evolving Specifications Technical NR (being revised) OCSPv2 Additional LDAP Schema Attribute Certificate Acquisition Protocol CP/CPS Framework DPD/DPV requirements New Work Impersonation Certificates Group Name Status of RFC 2459bis- Russ Housley (RSA Labs) After discussions with ITU-T counterparts, path length computation was fixed, in a fashion consistent with the existing PKIX documents. Also answered the question "who can issue CRLs," by allowing a CA certificate to contain EITHER the keyCertSign OR cRLSign bits OR BOTH. Thus only CAs (syntactically speaking) issue CRLs, bit it allows creation of an entity that is marked as a CA, but which is restricted to signing CRLs. (slides) OCSPv1 - Ambarish Malpani (ValiCert) Moving OCSPv1 to Draft Standard. Interoperability efforts going well, including PKI Forum work. Also some minor clarifications of the text. Make RSA mandatory, drop required support for DSA. (slides) CMC - Jim Schaad (Soaring Hawk Consulting) Updating document, symmetric key distribution ambiguity, minor editorial corrections. Hope to complete updates and get interoperability test data for progression to Draft in about 6 months. (no slides) Impersonation Certificates - Stephen Tuecke (Argonne Labs) Renamed proxy certificates. Motivation is single signon delegation support. Intent is to bind a new key pair to a subject alt name and to an extension that labels this as a proxy certificate. However, there are conflicts between this proposal and the existing and revised profile (and X.509). Specifically, the EE is acting like a CA, syntactically, but the EE certificate does not have the basicConstraints flag set to mark it as a CA. Thus the path validation algorithm would reject these proxy certificates. (slides) DPD/DPV Requirements - Steve Kent (BBN) Presentation described revised proposals for DPD and DPV requests and responses, using ASN.1 strawmen examples. Ended with a plan for progress on the topic, resulting in selection of a protocol before the next IETF meeting in August. Steve Farrell expressed concern that the DPD request is too complex, contains unnecessary controls, based on a model that does not require returned paths to be ones that will necessarily successfully validate for the client. (slides) OCSPv2 - Michael Myers (VeriSign) Expansion of OCSPv1 to create a candidate protocol for the DPD & DPV functions. Includes a facility to support nonce relay, by concatenating new nonces with old ones. Emphasis on reuse of OCSPv1 structures wherever possible, e.g., with regard to status responses. There are fewer controls on path construction for DPD vs. DPD, based on assumptions about relative capability of clients and on perception of likely complexity of certificate graphs. (slides) DPD/DPV - Denis Pinkas (Bull) For DPV, major focus is valid/invalid response, plus optional proof returned when needed, e.g., for NR. Can have a small response with Y/N response and hash as a link to the supporting info. Suggests just a single path and revocation status data should be returned. For DPD need a path returned always, unlike DPV. Suggests partial revocation status data might be returned, if complete data not available. (Both DPD + DPV specify the target by either supplying a certificate or an Issuer name and serial number.) Suggestion that CA and EE certificates may not want the same revocation status data, but Mike Myers disagrees with this distinction. Proposal for partial responses, e.g., incomplete paths. Argument against DPV support for a posteriori validation when the time frame is outside of the certificate validity period. Finally, argues for stateless servers, i.e., no retry facility in DPD. (slides) SCVP - Ambarish Malpani (ValiCert) Removed XML syntax, and will use CMS as secure enveloping mechanism. (one slide) Group Name - Mike St. Johns (??) Motivation is to support a commonly employed OS naming convention in EE certificates, instead of having to map from a DN. Possible uses in attribute certificates too. Currently proposed as an OtherName but open to suggestions for encoding. (slides) Policy Requirements for TSAs - Denis Pinkas (Bull) This is a new ETSI work item. Will complement existing ETSI standards on electronic signature formats, qualified certificates, and a document addressing policy for CAs issuing qualified certificates. TSA policy will be based on RFC 2527 and ETSI 456. Welcome participation and inputs from PKIX and SMIME WG members. (slides) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA04257 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 13:40:54 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id QAA18996; Tue, 3 Apr 2001 16:40:55 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010414b6efe45d1a47@[128.33.4.39]> In-Reply-To: <5.0.2.1.0.20010402133714.02b83630@exchsvr1.entegrity.com> References: <5.0.2.1.0.20010402133714.02b83630@exchsvr1.entegrity.com> Date: Tue, 3 Apr 2001 16:36:35 -0400 To: Nada Kapidzic Cicovic <nada@entegrity.com> From: Stephen Kent <kent@bbn.com> Subject: Re: draft meeting minutes, please comment Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 1:51 PM +0200 4/2/01, Nada Kapidzic Cicovic wrote: >>... > >Hi Steve, > >Just one quick comment: > >>Status of RFC 2459bis- Russ Housley (RSA Labs) >> Fixed path length computation. Fix "who can issue CRLs" >>problem by allowing a CA certificate to contain EITHER the >>KeyCertSign OR cRLSign bits. > >My understanding of the explanation was "a certificate with either >keyCertSign bit on, or cRLSign bit on, or BOTH". The above sentence >implies that the presence of keyCertSign bit excludes the presence >of cRLSign bit, and vice versa. There is some ambiguity in the Englsih language re expressing inclusive vs. exclusive OR. My text was intended to connote the former, and it is proper to do so in that fashion, but I agree that it is less confusing to include the "BOTH" and avoid any possible confusion. I'll make that change, plus a few others that have been submitted privately, and send in the minutes today. Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA00926; Tue, 3 Apr 2001 13:00:42 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id QAA13117; Tue, 3 Apr 2001 16:00:43 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p0501040fb6efdaa4d1c0@[128.33.4.39]> In-Reply-To: <p05100803b6efcacc8177@[165.227.249.20]> References: <98536438424555@kahu.cs.auckland.ac.nz> <p05010400b6e1961baf8d@[128.33.4.39]> <p05100802b6e1aad52bbf@[165.227.249.20]> <p0501040bb6efb5d22afc@[128.33.4.39]> <p05100802b6efb8522a2a@[165.227.249.20]> <p0501040eb6efbec745a3@[128.33.4.39]> <p05100803b6efcacc8177@[165.227.249.20]> Date: Tue, 3 Apr 2001 16:02:30 -0400 To: Paul Hoffman / IMC <phoffman@imc.org> From: Stephen Kent <kent@bbn.com> Subject: Re: some thoughts re DPD and DPV Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Paul, >At 1:57 PM -0400 4/3/01, Stephen Kent wrote: >>Well, we're not negotiating policy here, in general. > >OK, then I misunderstood your proposal. > >> The client, absent serve-mandated overrides, is merely uploading >>policy to a server and getting back a policy reference. > >That sounds OK, although still more complicated than allowing a >client to say the same things directly in a request. It means two >protocols instead of one, or one protocol that has two modes: >"what's my policy reference?" and "is this cert valid using this >policy reference?". Well, it depends on one's model of operation. If each application makes use of one or a few policies all the time, as several folks have suggested, then one can configure the OIDs for the appropriate policies in the app and have it use them in the request. In that case, one could get away without implementing the policy registration protocol protocol in the client. If there are default policies mandated by an organization, then even this level of complexity might be avoided, if one has a means of signalling which application context is being invoked, although this begins to be a lot like the trivial case of the preceding mechanism. > >> Or the client is asking the server to tell the client about >>server-configured (e.g., default) policies. > >This requires that a (supposedly simple) client can parse a huge bag >of bags of policies looking for the one it likes best. I believe >that this is unlikely to happen in the real world. I see this as a separate application, a utility, outside of the client apps. Here too, one need not provide the facility if the client has no choice. > >> Your concerns dont' seem to align with what I have proposed. > >My apologies. If what you meant was "there is a mode where a client >says what policy it wants to use in future requests and can get a >reference/OID for that", I think that's OK, but it doesn't simplify >the protocol, it just splits the protocol into two parts. And it >requires the client to remember the OID for the desired policy >across requests, which is probably feasble but more limiting than >allowing the client to just put the policy directly into the request. You are right that this is cheating, in a way, splitting the protocol into two parts. But, if many client would not need to invoke the policy management facilities, the clients would not have to implement the policy management protocol and thus could be simpler. >Why not have an optional second protocol for policy-to-OID mapping, >and allow either policies or OIDs in the request? Because allowing policy parameters to be specified in the protocol makes the protocol much more complicated, syntactically, and makes it harder to extend if one wants to add more controls. The split permits policy invocation and policy management to be separated, which may generally be appropriate. Steve Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA27165 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 12:18:40 -0700 (PDT) Received: from dlinsenbardtpc ([207.212.34.102]) by mail.spyrus.com (8.9.3/8.9.3) with SMTP id MAA23020 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 12:18:10 -0700 (PDT) From: "Duane Linsenbardt" <dlinsenbardt@spyrus.com> To: <ietf-pkix@imc.org> Subject: Date: Tue, 3 Apr 2001 12:18:45 -0700 Message-ID: <001a01c0bc72$e730e9d0$6622d4cf@spyrus.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal subscribe Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA25668; Tue, 3 Apr 2001 11:54:53 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p05100803b6efcacc8177@[165.227.249.20]> In-Reply-To: <p0501040eb6efbec745a3@[128.33.4.39]> References: <98536438424555@kahu.cs.auckland.ac.nz> <p05010400b6e1961baf8d@[128.33.4.39]> <p05100802b6e1aad52bbf@[165.227.249.20]> <p0501040bb6efb5d22afc@[128.33.4.39]> <p05100802b6efb8522a2a@[165.227.249.20]> <p0501040eb6efbec745a3@[128.33.4.39]> Date: Tue, 3 Apr 2001 11:54:46 -0700 To: Stephen Kent <kent@bbn.com> From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: some thoughts re DPD and DPV Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 1:57 PM -0400 4/3/01, Stephen Kent wrote: >Well, we're not negotiating policy here, in general. OK, then I misunderstood your proposal. > The client, absent serve-mandated overrides, is merely uploading >policy to a server and getting back a policy reference. That sounds OK, although still more complicated than allowing a client to say the same things directly in a request. It means two protocols instead of one, or one protocol that has two modes: "what's my policy reference?" and "is this cert valid using this policy reference?". > Or the client is asking the server to tell the client about >server-configured (e.g., default) policies. This requires that a (supposedly simple) client can parse a huge bag of bags of policies looking for the one it likes best. I believe that this is unlikely to happen in the real world. > Your concerns dont' seem to align with what I have proposed. My apologies. If what you meant was "there is a mode where a client says what policy it wants to use in future requests and can get a reference/OID for that", I think that's OK, but it doesn't simplify the protocol, it just splits the protocol into two parts. And it requires the client to remember the OID for the desired policy across requests, which is probably feasble but more limiting than allowing the client to just put the policy directly into the request. Why not have an optional second protocol for policy-to-OID mapping, and allow either policies or OIDs in the request? --Paul Hoffman, Director --Internet Mail Consortium Received: from mail.spyrus.com (mail.spyrus.com [207.212.34.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA24889 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 11:40:36 -0700 (PDT) Received: from dlinsenbardtpc ([207.212.34.102]) by mail.spyrus.com (8.9.3/8.9.3) with SMTP id LAA21999 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 11:40:05 -0700 (PDT) From: "Duane Linsenbardt" <dlinsenbardt@spyrus.com> To: <ietf-pkix@imc.org> Subject: Date: Tue, 3 Apr 2001 11:40:40 -0700 Message-ID: <001801c0bc6d$94ec5fb0$6622d4cf@spyrus.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Importance: Normal unsubscribe ietf-pkix@imc.org Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA22387; Tue, 3 Apr 2001 11:00:57 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id OAA24474; Tue, 3 Apr 2001 14:00:58 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p0501040eb6efbec745a3@[128.33.4.39]> In-Reply-To: <p05100802b6efb8522a2a@[165.227.249.20]> References: <98536438424555@kahu.cs.auckland.ac.nz> <p05010400b6e1961baf8d@[128.33.4.39]> <p05100802b6e1aad52bbf@[165.227.249.20]> <p0501040bb6efb5d22afc@[128.33.4.39]> <p05100802b6efb8522a2a@[165.227.249.20]> Date: Tue, 3 Apr 2001 13:57:09 -0400 To: Paul Hoffman / IMC <phoffman@imc.org> From: Stephen Kent <kent@bbn.com> Subject: Re: some thoughts re DPD and DPV Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 10:31 AM -0700 4/3/01, Paul Hoffman / IMC wrote: >At 1:20 PM -0400 4/3/01, Stephen Kent wrote: >>I think we are dealing with a very different situation here, >>relative to the general policy mess you allude to. > >They all say that, often in their charters. :-) > >> The motivation is to make the protocol exchange smaller, and the >>DPD/DPV protocols simpler. Don't you think reference to policies in >>this fashion achieves these goals? > >The first motivation seems spurious. Having policy negotiation does >not achieve the second motivation, and in fact fights directly >against it. SCVP already has references to policies: server-defined >OIDs. It also allows a client and a server to agree to use a bit >more bandwidth in passing the request in exchange for the client not >needing to know the server's OIDs. Prohibiting this sensible action >seems draconian, given that the clients and servers will aready >agree to use it. (If a server doesn't agree, it will return an error >for any requests other than OID-based ones.) Well, we're not negotiating policy here, in general. The client, absent serve-mandated overrides, is merely uploading policy to a server and getting back a policy reference. Or the client is asking the server to tell the client about server-configured (e.g., default) policies. Your concerns dont' seem to align with what I have proposed. Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA21570; Tue, 3 Apr 2001 10:51:14 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA23050; Tue, 3 Apr 2001 13:51:00 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p0501040db6efbc60b534@[128.33.4.39]> In-Reply-To: <FLEELNBJKAIIGDJJKPDGOEGOCDAA.ccovey@cylink.com> References: <FLEELNBJKAIIGDJJKPDGOEGOCDAA.ccovey@cylink.com> Date: Tue, 3 Apr 2001 13:44:21 -0400 To: "Carlin Covey" <ccovey@cylink.com> From: Stephen Kent <kent@bbn.com> Subject: RE: some thoughts re DPD and DPV Cc: "Paul Hoffman / IMC" <phoffman@imc.org>, <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 2:26 PM -0700 3/24/01, Carlin Covey wrote: >Paul and Steve, > >I agree that the DPD and DPV protocols should be simplified by >including just a reference to a server-resident path-validation >policy. I also agree with Paul that a typical client will >make a choice among very few policies. In fact, most clients >will never make a choice. The clients and servers will be >pre-configured with one policy per client-type per enterprise. >Simply including one policy OID in the request (possibly echoed >in the response) will satisfy the great majority of use cases. > >Paul points out the near-zero success-rate of policy protocols. >DPD/DPV should not be made into a quasi-policy-protocol by >including explicit policy information in the requests. An OID >will do. If there remains a need for client-configuration of >server-resident policies, put that in a separate protocol as >Steve has suggested. > >Let's proceed with a simplified, low-bandwidth DPD/DPV that is as >free as possible of the burden of policy configuration. I think this is what I was proposing. Steve Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA20948 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 10:41:03 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA21399; Tue, 3 Apr 2001 13:41:01 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p0501040cb6efb6d567dd@[128.33.4.39]> In-Reply-To: <001001c0b453$62212b00$851efea9@vaio> References: <98536438424555@kahu.cs.auckland.ac.nz> <p05010400b6e1961baf8d@[128.33.4.39]> <001001c0b453$62212b00$851efea9@vaio> Date: Tue, 3 Apr 2001 13:43:12 -0400 To: "Liaquat Khan" <liaquat.khan@dcrypt.co.uk> From: Stephen Kent <kent@bbn.com> Subject: Re: some thoughts re DPD and DPV Cc: <ietf-pkix@imc.org> Content-Type: multipart/alternative; boundary="============_-1225802689==_ma============" --============_-1225802689==_ma============ Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 11:12 AM +0000 3/24/01, Liaquat Khan wrote: >I'm not against the idea of having a (validation) policy registered >on the server, which the client refers to in its request message. >However, IMO would it not be more practical for the CA which issued >the certificate to be responsible for defining this policy and >registering it directly with its validation server? This may remove >some of the complexity of each client having its own policy and a >protocol for registering this at the server. The client would >only need to refer to the appropriate policy, which will be based on >the target certificate being checked. Just some initial thoughts... > >Regards, >Liaquat > The validation policy is a matter for the client (RP) to decide upon, not the CA that issued the cert being validated. Steve --============_-1225802689==_ma============ Content-Type: text/html; charset="us-ascii" <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type="text/css"><!-- blockquote, dl, ul, ol, li { margin-top: 0 ; margin-bottom: 0 } --></style><title>Re: some thoughts re DPD and DPV</title></head><body> <div>At 11:12 AM +0000 3/24/01, Liaquat Khan wrote:</div> <blockquote type="cite" cite><font face="Arial" size="-1">I'm not against the idea of having a (validation) policy registered on the server, which the client refers to in its request message. However, IMO would it not be more practical for the CA which issued the certificate to be responsible for defining this policy and registering it directly with its validation server? This may remove some of the complexity of each client having its own policy and a protocol for registering this at the server. The client would only need to refer to the appropriate policy, which will be based on the target certificate being checked. Just some initial thoughts...</font></blockquote> <blockquote type="cite" cite> </blockquote> <blockquote type="cite" cite><font face="Arial" size="-1">Regards,</font></blockquote> <blockquote type="cite" cite><font face="Arial" size="-1">Liaquat</font></blockquote> <blockquote type="cite" cite> </blockquote> <div> The validation policy is a matter for the client (RP) to decide upon, not the CA that issued the cert being validated.</div> <div><br></div> <div>Steve</div> </body> </html> --============_-1225802689==_ma============-- Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA19920; Tue, 3 Apr 2001 10:31:40 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p05100802b6efb8522a2a@[165.227.249.20]> In-Reply-To: <p0501040bb6efb5d22afc@[128.33.4.39]> References: <98536438424555@kahu.cs.auckland.ac.nz> <p05010400b6e1961baf8d@[128.33.4.39]> <p05100802b6e1aad52bbf@[165.227.249.20]> <p0501040bb6efb5d22afc@[128.33.4.39]> Date: Tue, 3 Apr 2001 10:31:34 -0700 To: Stephen Kent <kent@bbn.com> From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: some thoughts re DPD and DPV Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 1:20 PM -0400 4/3/01, Stephen Kent wrote: >I think we are dealing with a very different situation here, >relative to the general policy mess you allude to. They all say that, often in their charters. :-) > The motivation is to make the protocol exchange smaller, and the >DPD/DPV protocols simpler. Don't you think reference to policies in >this fashion achieves these goals? The first motivation seems spurious. Having policy negotiation does not achieve the second motivation, and in fact fights directly against it. SCVP already has references to policies: server-defined OIDs. It also allows a client and a server to agree to use a bit more bandwidth in passing the request in exchange for the client not needing to know the server's OIDs. Prohibiting this sensible action seems draconian, given that the clients and servers will aready agree to use it. (If a server doesn't agree, it will return an error for any requests other than OID-based ones.) --Paul Hoffman, Director --Internet Mail Consortium Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA18936 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 10:21:12 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA18350; Tue, 3 Apr 2001 13:21:04 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p0501040ab6efb5540d51@[128.33.4.39]> In-Reply-To: <MABBLIPCLMIBCAMBOADOOEPMCBAA.myers@coastside.net> References: <MABBLIPCLMIBCAMBOADOOEPMCBAA.myers@coastside.net> Date: Tue, 3 Apr 2001 13:15:48 -0400 To: "Michael Myers" <myers@coastside.net> From: Stephen Kent <kent@bbn.com> Subject: RE: some thoughts re DPD and DPV Cc: "Ietf-Pkix@Imc. Org" <ietf-pkix@imc.org> Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 5:20 PM -0800 3/23/01, Michael Myers wrote: >Steve, > >Speaking from the OCSP perspective, our formulations of OCSPv1 and OCSPv2 >implicitly assumed and continues to assume that policy management between >relying parties and validating parties is out of scope. We of the OCSP team >agree that the parallel development of such protocols is strongly preferred >vice deltas to OCSPv2. There is no need for the policy registration/query mechanism to be part of the protocol that provides the base DPV/DPD service. My question was whether we progress both at the same time, or complete the DPD/DPV protocols first, then provide the policy management protocol. >I have no problem with an optional evidentiary hash in a DPV response if >it's client-precipitated. As Denis and I had discussed earlier this week, >some environments may prefer this to the constant reiteration by a server of >a full chain or other policy indicators (e.g. the full text of a policy >document). We will take this as a requirement and study how best to fold >this requirement into the current OCSPv2 technical framework. > >When you refer to "incremental queries relative to the same target >certificate" are you speaking to the currently proposed retryReference >mechanism? yes. Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA18907; Tue, 3 Apr 2001 10:21:07 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA18359; Tue, 3 Apr 2001 13:21:08 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p0501040bb6efb5d22afc@[128.33.4.39]> In-Reply-To: <p05100802b6e1aad52bbf@[165.227.249.20]> References: <98536438424555@kahu.cs.auckland.ac.nz> <p05010400b6e1961baf8d@[128.33.4.39]> <p05100802b6e1aad52bbf@[165.227.249.20]> Date: Tue, 3 Apr 2001 13:20:11 -0400 To: Paul Hoffman / IMC <phoffman@imc.org> From: Stephen Kent <kent@bbn.com> Subject: Re: some thoughts re DPD and DPV Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 5:42 PM -0800 3/23/01, Paul Hoffman / IMC wrote: >At 7:09 PM -0500 3/23/01, Stephen Kent wrote: >>We could make ALL requests refer to a policy configured at the >>server, rather than allowing for explicit transmission of these >>parameters. To make this as flexible as the current proposals, we >>would have to add a new protocol, to allow a client to register a >>policy with a server, so that the client could later refer to that >>policy. We probably want a facility to inquire about a registered >>policy as well. > >This sounds horrendously complex. To date, the IETF has had >near-zero success with defining policy protocols, with policy >working groups pretty much being unable to get closure. The method >promoted in SCVP (can give individual policy info in requests or can >use aggregated OIDs) seems much more sensible than forcing all >clients to know (or, worse, discover and push) the policies on the >server. I think we are dealing with a very different situation here, relative to the general policy mess you allude to. The set of parameters for controlling path validation is better defined, although there are some points of disagreement. If we have a policy registration protocol, then the user can (subject to local controls) just register the few policies he regularly uses, or can retrieve (for review) the ones that his company imposes. >The number of policies a typical client wants will probably be few >(most likely, just roots). Why make this so much more complicated >than needed? > The motivation is to make the protocol exchange smaller, and the DPD/DPV protocols simpler. Don't you think reference to policies in this fashion achieves these goals? Steve Received: from maild.telia.com (maild.telia.com [194.22.190.3]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA15054 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 09:02:58 -0700 (PDT) Received: from d1o69.telia.com (d1o69.telia.com [62.20.144.241]) by maild.telia.com (8.9.3/8.9.3) with ESMTP id SAA26876; Tue, 3 Apr 2001 18:02:57 +0200 (CEST) Received: from mega (t4o69p112.telia.com [62.20.145.232]) by d1o69.telia.com (8.10.2/8.10.1) with SMTP id f33G2ua21174; Tue, 3 Apr 2001 18:02:57 +0200 (CEST) Message-ID: <002501c0bc57$47146730$0200a8c0@vincent.se> From: "Anders Rundgren" <anders.rundgren@telia.com> To: "Stephen Kent" <kent@bbn.com>, "Stefan Santesson" <stefan@addtrust.com> Cc: <ietf-pkix@imc.org> References: <5.0.0.25.2.20010322185247.0420d990@mail.addtrust.com> < <D44EACB40164D311BEF00090274EDCCA1E740A@sydneymail1.zergo.com.au> <D44EACB40164D311BEF00090274EDCCA1E740A@sydneymail1.zergo.com.au> <5.0.0.25.2.20010322185247.0420d990@mail.addtrust.com> <5.0.0.25.2.20010402222124.033fbc38@mail.addtrust.com> Subject: Re: Logotypes in certificates Date: Tue, 3 Apr 2001 18:00:57 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id JAA15055 > I think though that enough persons, where many of those actually represent > significant market players in PKI, has spoken in favour of including > logotypes in certificates in some form. Stefan, welcome to the club! I.e. the club of mentally disturbed engineers like me who actually think that market aspects should influence standards! In the same way as I insist that son-of-2459 should officially support e-mail addresses in the subject field (which all major CA players use), you will get nowhere with this issue. Try PKI-forum. Anders Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA05100 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 07:41:30 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id KAA21271; Tue, 3 Apr 2001 10:41:28 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010400b6ef9022503a@[128.33.4.39]> In-Reply-To: <5.0.0.25.2.20010402222124.033fbc38@mail.addtrust.com> References: <5.0.0.25.2.20010322185247.0420d990@mail.addtrust.com> < <D44EACB40164D311BEF00090274EDCCA1E740A@sydneymail1.zergo.com.au> <D44EACB40164D311BEF00090274EDCCA1E740A@sydneymail1.zergo.com.au> <5.0.0.25.2.20010322185247.0420d990@mail.addtrust.com> <5.0.0.25.2.20010402222124.033fbc38@mail.addtrust.com> Date: Tue, 3 Apr 2001 10:43:13 -0400 To: Stefan Santesson <stefan@addtrust.com> From: Stephen Kent <kent@bbn.com> Subject: RE: Logotypes in certificates Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Stefan, >Steve, > >I have problem to find the time to compile the input you ask for. > >I think though that enough persons, where many of those actually >represent significant market players in PKI, has spoken in favour of >including logotypes in certificates in some form. In the IETF we make decisions based on technical inputs from individuals, not endorsements from company representatives, so the motivation you cite here is not persuasive. Also, several folks other than I have pointed out potential vulnerabilities of logotype use. I think it fair to say that there are pluses and minuses here. >I would further regard Bob Junemans very relevant input as yet >another very good reason for this. Bob made an argument for the acceptability of the logotype notion based on presumed legal redress against a public (TTP) CA. The concerns I and others have raised assume a rogue CA below that level. Also, the IETF, in making standards, tends to prefer security mechanisms that are proactive and that do not rely on the legal system for redress. >So to me the question is more HOW instead of IF or WHY. Everybody >doesn't have to need or want a feature in order to motivate its >support in standards. What is important though is that there is a >consensus that the choosen solution doesn't break the systems for >those who doesn't need or want to use it. I learned long ago that it's often a bad idea to agree to a concept irrespective of a proposed means of achieving it. So, absent a concrete proposal for HOW, I don't think we have consensus on WHETHER to pursue this work item. That's why I proposed that you, as the prime mover behind the idea, develop a comprehensive proposal for what you are trying to achieve and how you propose to achieve it. if you can't find the time to do that, then we will not pursue it. Steve Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA23694 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 04:53:22 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA27333; Tue, 3 Apr 2001 07:53:21 -0400 (EDT) Message-Id: <200104031153.HAA27333@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-pi-02.txt Date: Tue, 03 Apr 2001 07:53:20 -0400 Sender: nsyracus@cnri.reston.va.us --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Permanent Identifier Author(s) : D. Pinkas, T. Gindin Filename : draft-ietf-pkix-pi-02.txt Pages : 9 Date : 02-Apr-01 This document define a new form of name, called permanent identifier, that may be included in the subjectAltName extension of a public key certificate issued to a physical person. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-02.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-pi-02.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-pi-02.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20010402124846.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-pi-02.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-pi-02.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20010402124846.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA20532 for <ietf-pkix@imc.org>; Tue, 3 Apr 2001 04:14:16 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id NAA34270; Tue, 3 Apr 2001 13:13:23 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id NAA17364; Tue, 3 Apr 2001 13:13:30 +0200 Message-ID: <3AC9B05D.CE66139B@bull.net> Date: Tue, 03 Apr 2001 13:13:33 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Gary Visser <gary@timestamp.com> CC: IETF-PKIX <ietf-pkix@imc.org> Subject: Re: Interpretation of the Timestamp Accuracy References: <PKELJKDELDJOFGCJNPLCCEBOCCAA.gary@timestamp.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Gary, > Up until now I have interpreted the accuracy field of a Timestamp Token to > give an indication as to how accurate the genTime field is in relation to > the actual time of day GMT. In other words its a statement of how accurate > the clock is. It is not a statement of how accurate the clock is. The text says: By adding the accuracy value to the GeneralizedTime, an upper limit of the time at which the timestamp has been created by the TSA can be obtained. In the same way, by subtracting the accuracy to the GeneralizedTime, a lower limit of the time at which the timestamp has been created by the TSA can be obtained. > But there is another interpretation, the accuracy is an indication of how > timely the timestamp was created. In other words the accuracy states that > the Timestamp Token was generated within the time span allowed by the > accuracy and not necessarily at the exact time state in the genTime field. This is along the lines of the right interpretation. Regards, Denis > For example: if GMT is 13:00:00, the clock of the TSA is 13:01:00, the > genTime of a timestamp token from this TSA is 13:01:00 and the accuracy is 1 > second, then the token may have been created between 12:59:59 GMT and > 13:00:01 GMT. > There are some other subtlety different interpretations: the > difference in time between when the Timestamp Request was received and when > the Token was issued, the difference in time between when the Request was > validated and when the Token was created, or the difference in time between > the genTime and when the actual timestamp Signature was generated, and so > on. > > So I have either overlooked something or there may be an ambiguity in the > draft. > > Sincerely, > Gary Visser > Timestamp.com Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.9.3/8.9.3) with SMTP id VAA05980 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 21:18:33 -0700 (PDT) Received: from 157.54.9.104 by mail2.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 02 Apr 2001 19:48:55 -0700 (Pacific Daylight Time) Received: from red-msg-02.redmond.corp.microsoft.com ([157.54.12.70]) by inet-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Mon, 2 Apr 2001 20:48:56 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Subject: RE: search for PKCS10 extension Date: Mon, 2 Apr 2001 20:48:55 -0700 Message-ID: <24A715275661C8428C00432EFCA5CB7C01A33761@red-msg-02.redmond.corp.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: search for PKCS10 extension Thread-Index: AcC7YJDNQt1JpzEVSJqBYA3qOig0qAAj8f6A From: "David Cross" <dcross@microsoft.com> To: "Santoni Adriano" <adriano.santoni@sia.it>, "Martin Szotkowski" <martin.szotkowski@ica.cz> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 03 Apr 2001 03:48:56.0072 (UTC) FILETIME=[01F50080:01C0BBF1] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id VAA05981 This is a sample dump from a PKCS#10 request generated by a Microsoft client using rhe xenroll.dll control, sorry I don't have a specification for you. Here is the items you mentioned: Attribute[2]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP) Value[2][0]: Unknown Attribute type CSP Provider Info KeySpec = 1 Provider = Microsoft Base Cryptographic Provider v1.0 ------------------------------------------------------------------------ ---------------------------- PKCS10 Certificate Request: Version: 1 Subject: CN=test Public Key Algorithm: Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA Algorithm Parameters: 05 00 .. Public Key Length: 512 bits Public Key: UnusedBits = 0 0000 30 48 02 41 00 e2 c2 87 55 c1 14 1e 83 fe e0 86 0010 c4 81 30 de 29 20 47 01 a3 5d 10 f0 cf 9f d4 57 0020 58 40 2b 4a 05 22 83 65 65 7a a1 c1 e1 a7 94 37 0030 df 7d 08 7d 46 50 f7 73 54 62 14 21 1f 5d 76 93 0040 fe 32 97 61 e1 02 03 01 00 01 Request Attributes: 3 3 attributes: Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version) Value[0][0]: 5.1.2462.2 Attribute[1]: 1.2.840.113549.1.9.14 (Certificate Extensions) Value[1][0]: Unknown Attribute type Certificate Extensions: 3 2.5.29.15: Flags = 1(Critical), Length = 4 Key Usage Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0) 1.2.840.113549.1.9.15: Flags = 0, Length = 29 SMIME Capabilities [1]SMIME Capability Object ID=1.2.840.113549.3.2 Parameters=02 01 38 [2]SMIME Capability Object ID=1.2.840.113549.3.4 Parameters=02 01 38 [3]SMIME Capability Object ID=1.3.14.3.2.7 2.5.29.37: Flags = 0, Length = c Enhanced Key Usage Client Authentication (1.3.6.1.5.5.7.3.2) Attribute[2]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP) Value[2][0]: Unknown Attribute type CSP Provider Info KeySpec = 1 Provider = Microsoft Base Cryptographic Provider v1.0 Signature: UnusedBits=0 0000 27 21 0f 8f 03 85 29 c9 f9 74 c9 d5 76 71 99 df 0010 0f 68 24 f8 5b 18 62 2a 49 85 e1 fa 8f dd ef 13 0020 89 f9 a1 52 17 3e ee 7d 04 9f 71 72 ff 81 d7 75 0030 5b f6 be f4 38 e1 0d 7a f2 d5 b2 95 93 9a 98 1d 0040 6a 75 6b b0 3c 9d 14 2e cf 0f 96 eb a8 24 01 99 0050 ee 53 78 4f f3 07 7a 10 bd f4 d8 e6 b8 67 58 4a 0060 b1 cd bf f6 0a 60 8d 07 73 5c 28 b3 f2 4d c5 f6 0070 5a 83 10 8f 65 36 c3 d6 30 16 96 2c 3d 61 e8 62 0080 00 00 00 00 00 00 00 00 Signature Algorithm: Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA Algorithm Parameters: 05 00 .. Signature: UnusedBits=0 0000 1b 6b 5c c0 61 6d 7e a0 e5 25 7a 6f 5c 14 90 d9 0010 d4 77 d3 df 57 ea 19 57 6f ff 89 e5 df 23 8e 86 0020 be de 34 11 6b cb ee e1 12 53 23 4c 77 5d 6a a8 0030 00 4f 6f f6 a8 78 d5 d2 1d 3c 38 b8 53 19 6e 3c Signature matches Public Key Key Id Hash(sha1): 2d 5a 38 04 29 43 fb cf 50 68 76 b7 56 62 8c ad 12 08 29 ab CertUtil: -dump command completed successfully. ------------------------------------------------------------------------ ---------------------------- Hope this helps, David B. Cross -----Original Message----- From: Santoni Adriano [mailto:adriano.santoni@sia.it] Sent: Monday, April 02, 2001 3:30 AM To: 'Martin Szotkowski' Cc: ietf-pkix@imc.org Subject: R: search for PKCS10 extension Martin, Afaik, there is no "standard" extension to do that. However, Microsoft defined their own proprietary extension for exactly this purpose, and that extension usually gets added to the PKCS#10 request if this is generated via their XENROLL control. The extension has an OID of {1 3 6 1 4 1 311 13 2 2} (aka ???) and identifies a SEQUENCE of 3 items, one of which is or contains the Unicode name of the CSP used to generate the keypair. Btw, it might be interesting to find out what is the inner structure of this rather obscure Microsoft extension. I'va not been able to find any mention of it on Microsoft websites. Adriano -----Messaggio originale----- Da: Martin Szotkowski [mailto:martin.szotkowski@ica.cz] Inviato: venerdì 30 marzo 2001 9.17 A: ietf-pkix@imc.org Oggetto: search for PKCS10 extension I will add into PKCS10 request information about source of private key, but I don't know if some extension exist or if I must create own. I search for cases: 1. This information will be CSP Name who generate request 2. This information will be SHA1 over the Secret data on hardware token thanks Martin Received: from wildpackets.com (wildpackets.com [192.216.124.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA25862 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 15:40:19 -0700 (PDT) Received: from GARYNOTEBOOK (c939355-a.plstn1.sfba.home.com [24.20.160.126]) by wildpackets.com (8.11.1/8.10.1) with SMTP id f32MZb710395 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 15:35:37 -0700 (PDT) From: "Gary Visser" <gary@timestamp.com> To: "IETF-PKIX" <ietf-pkix@imc.org> Subject: Interpretation of the Timestamp Accuracy Date: Mon, 2 Apr 2001 15:40:12 -0700 Message-ID: <PKELJKDELDJOFGCJNPLCCEBOCCAA.gary@timestamp.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Up until now I have interpreted the accuracy field of a Timestamp Token to give an indication as to how accurate the genTime field is in relation to the actual time of day GMT. In other words its a statement of how accurate the clock is. But there is another interpretation, the accuracy is an indication of how timely the timestamp was created. In other words the accuracy states that the Timestamp Token was generated within the time span allowed by the accuracy and not necessarily at the exact time state in the genTime field. For example: if GMT is 13:00:00, the clock of the TSA is 13:01:00, the genTime of a timestamp token from this TSA is 13:01:00 and the accuracy is 1 second, then the token may have been created between 12:59:59 GMT and 13:00:01 GMT. There are some other subtlety different interpretations: the difference in time between when the Timestamp Request was received and when the Token was issued, the difference in time between when the Request was validated and when the Token was created, or the difference in time between the genTime and when the actual timestamp Signature was generated, and so on. So I have either overlooked something or there may be an ambiguity in the draft. Sincerely, Gary Visser Timestamp.com Received: from mtiwmhc23.worldnet.att.net (mtiwmhc23.worldnet.att.net [204.127.131.48]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA24709 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 15:20:25 -0700 (PDT) From: todd.glassey@att.net Received: from webmail.worldnet.att.net ([204.127.135.42]) by mtiwmhc23.worldnet.att.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with SMTP id <20010402221952.ZKQL21907.mtiwmhc23.worldnet.att.net@webmail.worldnet.att.net>; Mon, 2 Apr 2001 22:19:52 +0000 Received: from [12.81.78.211] by webmail.worldnet.att.net; Mon, 02 Apr 2001 22:19:52 +0000 To: Stefan Santesson <stefan@addtrust.com> Cc: ietf-pkix@imc.org Subject: RE: Logotypes in certificates Date: Mon, 02 Apr 2001 22:19:52 +0000 X-Mailer: AT&T Message Center Version 1 (Mar 27 2001) Message-Id: <20010402221952.ZKQL21907.mtiwmhc23.worldnet.att.net@webmail.worldnet.att.net> -- Regards, Todd > Steve, > > I have problem to find the time to compile the input you ask for. > > I think though that enough persons, where many of those actually represent > significant market players in PKI, You mean people that provide PKI solutions, not people that use them. This is a key differentiation, (pardon the pun) since I have yet to hear anyone who would be using LogoTypes say what and how they would use them for. > has spoken in favour of including > logotypes in certificates in some form. > > I would further regard Bob Junemans very relevant input as yet another very > good reason for this. > > So to me the question is more HOW instead of IF or WHY. Everybody doesn't > have to need or want a feature in order to motivate its support in > standards. here again. Is this feature for the users of the system or for you as a technologist? > What is important though is that there is a consensus that the > choosen solution doesn't break Impugn the QoS, or increase the overhead of > the systems for those who don't need or > want to use it. > > I agree with those who consider inclusion of logotypes in policy qualifiers > as a primitive hack, but I also see the good sides of this and right now I > agree with Russ that this is probably the best way to do it in order to > avoid the problems you address. I see it differently. I see it as a way to complicate an already very complex process. Once again more and more of the use model seems to be sneaking from the Application into the core protocol, making creeping featureism an everyday word it seems. > > If policy qualifiers would be deprecated, then I'm open for suggestions. I > don't care that much about HOW as long as this important need gets addressed. > > /Stefan > > > At 10:11 2001-03-23 -0500, Stephen Kent wrote: > >Stefan, > > > >>Steve, > >> > >>There was a suggestion during a dinner yesterday that logotypes actually > >>could be provided as a policy qualifier. That would actually solve your > >>problem since you could directly tie acceptance of logotypes in > >>certificates to a particular policy. > >> > >>This enables you to control the path validation problem with the use of > >>policy constraints. > > > >I'd be comfortable with that approach, except that we have discouraged use > >of policy qualifiers, as Russ noted. > > > >Let me suggest again that you send another message that includes a > >comprehensive rationale for inclusion of logotypes, indicating what types > >of certs would be allowed to contain them, what reference form you > >envision, and what controls you think should be employed to prevent the > >sorts of misuse I warned about. With a concrete proposal, and well > >articulated rationale on the table, I think we have a better chance of > >making progress. > > > >Steve > Received: from exafix.addtrust.com ([212.112.175.83]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA19227 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 14:27:38 -0700 (PDT) Received: from santesson.addtrust.com ([62.20.231.166]) by exafix.addtrust.com with Microsoft SMTPSVC(5.0.2195.1600); Mon, 2 Apr 2001 23:26:47 +0200 Message-Id: <5.0.0.25.2.20010402222124.033fbc38@mail.addtrust.com> X-Sender: sts@mail.addtrust.com X-Mailer: QUALCOMM Windows Eudora Version 5.0 Date: Mon, 02 Apr 2001 23:28:03 +0200 To: Stephen Kent <kent@bbn.com> From: Stefan Santesson <stefan@addtrust.com> Subject: RE: Logotypes in certificates Cc: ietf-pkix@imc.org In-Reply-To: <p05010408b6e11769eb54@[128.33.4.39]> References: <5.0.0.25.2.20010322185247.0420d990@mail.addtrust.com> < <D44EACB40164D311BEF00090274EDCCA1E740A@sydneymail1.zergo.com.au> <D44EACB40164D311BEF00090274EDCCA1E740A@sydneymail1.zergo.com.au> <5.0.0.25.2.20010322185247.0420d990@mail.addtrust.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-OriginalArrivalTime: 02 Apr 2001 21:26:47.0796 (UTC) FILETIME=[9FA3BB40:01C0BBBB] Steve, I have problem to find the time to compile the input you ask for. I think though that enough persons, where many of those actually represent significant market players in PKI, has spoken in favour of including logotypes in certificates in some form. I would further regard Bob Junemans very relevant input as yet another very good reason for this. So to me the question is more HOW instead of IF or WHY. Everybody doesn't have to need or want a feature in order to motivate its support in standards. What is important though is that there is a consensus that the choosen solution doesn't break the systems for those who doesn't need or want to use it. I agree with those who consider inclusion of logotypes in policy qualifiers as a primitive hack, but I also see the good sides of this and right now I agree with Russ that this is probably the best way to do it in order to avoid the problems you address. If policy qualifiers would be deprecated, then I'm open for suggestions. I don't care that much about HOW as long as this important need gets addressed. /Stefan At 10:11 2001-03-23 -0500, Stephen Kent wrote: >Stefan, > >>Steve, >> >>There was a suggestion during a dinner yesterday that logotypes actually >>could be provided as a policy qualifier. That would actually solve your >>problem since you could directly tie acceptance of logotypes in >>certificates to a particular policy. >> >>This enables you to control the path validation problem with the use of >>policy constraints. > >I'd be comfortable with that approach, except that we have discouraged use >of policy qualifiers, as Russ noted. > >Let me suggest again that you send another message that includes a >comprehensive rationale for inclusion of logotypes, indicating what types >of certs would be allowed to contain them, what reference form you >envision, and what controls you think should be employed to prevent the >sorts of misuse I warned about. With a concrete proposal, and well >articulated rationale on the table, I think we have a better chance of >making progress. > >Steve Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA05019 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 11:05:28 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id GAA29400; Tue, 3 Apr 2001 06:05:28 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <98623472812726>; Tue, 3 Apr 2001 06:05:28 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: myers@coastside.net Subject: Re: OCSPv2 certHash option will be deleted Cc: ietf-pkix@imc.org Sender: pgut001@cs.auckland.ac.nz Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Tue, 3 Apr 2001 06:05:28 (NZST) Message-ID: <98623472812726@kahu.cs.auckland.ac.nz> "Michael Myers" <myers@coastside.net> writes: >We're going to take the certHash option out of ReqCert for the -03 rev. Anyone >who cares for it, now's the time to speak up. Well just for form's sake I'll have to register some dissatisfaction with this, but given the issues which James Manger raised I guess it can't be salvaged. One thing I would like to see included (and others have raised this issue in the past) is that a responder MUST return a response identified in the same way as the request (ie if the client sends in an issuerSerial, you can't come back with a pKCert or certID). I suspect everyone will do this automatically anyway, but it'd be better to have it made explicit so we can beat the authors of any new implementations with soggy weetbix if they decide to rewrite the IDs in the response. Peter. Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA03269 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 10:35:28 -0700 (PDT) Received: from heatherdale (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f32HZPO10876 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 10:35:25 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: <ietf-pkix@imc.org> Subject: OCSPv2 certHash option will be deleted Date: Mon, 2 Apr 2001 10:42:26 -0700 Message-ID: <MABBLIPCLMIBCAMBOADOAEDJCCAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <5.0.2.1.0.20010402133714.02b83630@exchsvr1.entegrity.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Importance: Normal All, We're going to take the certHash option out of ReqCert for the -03 rev. Anyone who cares for it, now's the time to speak up. Mike Received: from exchsvr1.entegrity.com (exchsvr1.entegrity.com [207.215.19.3]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA08148 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 04:55:19 -0700 (PDT) Received: from cooper.entegrity.com (dave.entegrity.se [195.100.88.62]) by exchsvr1.entegrity.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id GFRD0YSL; Mon, 2 Apr 2001 04:54:57 -0700 Message-Id: <5.0.2.1.0.20010402133714.02b83630@exchsvr1.entegrity.com> X-Sender: nada@exchsvr1.entegrity.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Mon, 02 Apr 2001 13:51:58 +0200 To: "Stephen Kent" <kent@bbn.com>, ietf-pkix@imc.org From: Nada Kapidzic Cicovic <nada@entegrity.com> Subject: Re: draft meeting minutes, please comment In-Reply-To: <p05010400b6de6e8bbcdf@[128.33.238.79]> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed >... Hi Steve, Just one quick comment: >Status of RFC 2459bis- Russ Housley (RSA Labs) > Fixed path length computation. Fix "who can issue CRLs" problem > by allowing a CA certificate to contain EITHER the KeyCertSign OR cRLSign > bits. My understanding of the explanation was "a certificate with either keyCertSign bit on, or cRLSign bit on, or BOTH". The above sentence implies that the presence of keyCertSign bit excludes the presence of cRLSign bit, and vice versa. Nada ... Received: from ntsiaexch.office (exchange.sia.it [192.106.192.201]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA02000 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 03:31:00 -0700 (PDT) Received: by ntsiaexch.office with Internet Mail Service (5.5.2653.19) id <2DPH0ARK>; Mon, 2 Apr 2001 12:30:30 +0200 Message-ID: <8160937F4F4CD111A93E00805FC1752904AA258B@ntsiaexch.office> From: Santoni Adriano <adriano.santoni@sia.it> To: "'Martin Szotkowski'" <martin.szotkowski@ica.cz> Cc: ietf-pkix@imc.org Subject: R: search for PKCS10 extension Date: Mon, 2 Apr 2001 12:30:27 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id DAA02001 Martin, Afaik, there is no "standard" extension to do that. However, Microsoft defined their own proprietary extension for exactly this purpose, and that extension usually gets added to the PKCS#10 request if this is generated via their XENROLL control. The extension has an OID of {1 3 6 1 4 1 311 13 2 2} (aka ???) and identifies a SEQUENCE of 3 items, one of which is or contains the Unicode name of the CSP used to generate the keypair. Btw, it might be interesting to find out what is the inner structure of this rather obscure Microsoft extension. I'va not been able to find any mention of it on Microsoft websites. Adriano -----Messaggio originale----- Da: Martin Szotkowski [mailto:martin.szotkowski@ica.cz] Inviato: venerdì 30 marzo 2001 9.17 A: ietf-pkix@imc.org Oggetto: search for PKCS10 extension I will add into PKCS10 request information about source of private key, but I don't know if some extension exist or if I must create own. I search for cases: 1. This information will be CSP Name who generate request 2. This information will be SHA1 over the Secret data on hardware token thanks Martin *******************Internet Email Confidentiality Footer******************* Qualsiasi utilizzo non autorizzato del presente messaggio nonche' dei suoi allegati e' vietato e potrebbe costituire reato. Se lei ha ricevuto erroneamente il presente messaggio, Le saremmo grati se, via e-mail, ce ne comunicasse la ricezione e provvedesse alla distruzione del messaggio stesso e dei suoi eventuali allegati. Le dichiarazioni contenute nel presente messaggio nonche' nei suoi eventuali allegati devono essere attribuite esclusivamente al mittente e non possono essere considerate come trasmesse o autorizzate da SIA S.p.A.; le medesime dichiarazioni non impegnano SIA S.p.A. nei confronti del destinatario o di terzi. SIA S.p.A. non si assume alcuna responsabilita' per eventuali intercettazioni, modifiche o danneggiamenti del presente messaggio e-mail. Any unauthorized use of this e-mail or any of its attachments is prohibited and could constitute an offence. If you are not the intended addressee please advise immediately the sender by using the reply facility in your e-mail software and destroy the message and its attachments. The statements and opinions expressed in this e-mail message are those of the author of the message and do not necessarily represent those of SIA. Besides, The contents of this message shall be understood as neither given nor endorsed by SIA S.p.A.. SIA S.p.A. does not accept liability for corruption, interception or amendment, if any, or the consequences thereof. Received: from tama3.tas.ntt.co.jp (tama3.tas.ntt.co.jp [192.68.248.40]) by above.proper.com (8.9.3/8.9.3) with ESMTP id VAA10792 for <ietf-pkix@imc.org>; Sun, 1 Apr 2001 21:43:38 -0700 (PDT) Received: from nttmail.ecl.ntt.co.jp (nttmail.tas.ntt.co.jp [192.68.248.11]) by tama3.tas.ntt.co.jp (8.9.3+3.2W/3.7W/01/21/00) with ESMTP id NAA28166 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 13:43:36 +0900 (JST) (envelope-from odahara@dsa.isl.ntt.co.jp) Received: from dsa.isl.ntt.co.jp by nttmail.ecl.ntt.co.jp (8.9.3+3.2W/3.7W/03/21/01) with ESMTP id NAA20412 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 13:43:34 +0900 (JST) (envelope-from odahara@dsa.isl.ntt.co.jp) Received: from cats by dsa.isl.ntt.co.jp (8.9.3/isl-2.0) id NAA22901; Mon, 2 Apr 2001 13:43:33 +0900 (JST) Date: Mon, 02 Apr 2001 13:45:14 +0900 From: Hideyuki Odahara <odahara@dsa.isl.ntt.co.jp> To: ietf-pkix@imc.org Subject: a protocols of handling ACs Message-Id: <20010402130743.5EB5.ODAHARA@dsa.isl.ntt.co.jp> MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-2022-JP" Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver. 2.00.03 Please teach me the way of handling ACs. I concerned with handle of ACs (Attribute Certificates). A few month ago, I could find LAAP on PKIX-homepage. But now,it disappeared. (http://www.imc.org/draft-ietf-pkix-laap). Do you propose not to need protocols of handling ACs? If you know protocols of handling ACs, would you teach me the following; 1)RFC or Internet-Draft to take place the LAAP 2)RFC or Internet-Draft to handle ACs for example,Issuing AC, Acquisition AC, Revoking AC, Verifying AC, e.t.c. ---------- Hideyuki Odahara $B!'(B odahara@dsa.isl.ntt.co.jp Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by above.proper.com (8.9.3/8.9.3) with ESMTP id VAA10388 for <ietf-pkix@imc.org>; Sun, 1 Apr 2001 21:33:22 -0700 (PDT) Received: from asn-1.com (user-2ivf262.dialup.mindspring.com [165.247.136.194]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id AAA09774 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 00:33:24 -0400 (EDT) Message-ID: <3AC80154.F7360B4B@asn-1.com> Date: Sun, 01 Apr 2001 23:34:28 -0500 From: "Phillip H. Griffin" <phil.griffin@asn-1.com> Reply-To: phil.griffin@asn-1.com Organization: Griffin Consulting X-Mailer: Mozilla 4.61 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Potential Security Risk in Qualified Certificate images? References: <200104020312.f323Com01048@thunder.dstc.qut.edu.au> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit If you are interested in the secure biometrics (techniques for digital signatures and encryption) you may want to have a look at "X9.84 Biometric Information Management and Security". This standard was recently approved by ASC X9 for use in the financial services industry. It is very flexible and well thought out. X9.84 defines the requirements needed to manage, secure, and audit biometric information for customer identification and employee verification. It was developed in conjunction with the BioAPI Consortium, the NIST Information Technology Laboratory's Common Biometric Exchange File Format (CBEFF) initiative, and the International Biometric Industry Association (IBIA). X9.84 provides a solid set of guidelines for the secure implementation of biometrics within financial transaction environments, and is well suited for use by other industry sectors as well. The IBIA serves as the registrar for new biometric types, matching methods, processing algorithms and vendor specific formats that will be allocated under an X9 defined OID arc that the IBIA will manage. See http://www.ibia.org/formats.htm. There is a lot more going in this effort than just pictures and written signatures. The current set of biometric types defined for use in X9.84 secure messages in the financial services industry are: BiometricTypes BIOMETRIC ::= { { BIOMETRIC id : body-Odor } | { BIOMETRIC id : dna } | { BIOMETRIC id : ear-Shape } | { BIOMETRIC id : facial-Features } | { BIOMETRIC id : finger-Image } | { BIOMETRIC id : finger-Geometry } | { BIOMETRIC id : hand-Geometry } | { BIOMETRIC id : iris-Features } | { BIOMETRIC id : keystroke-Dynamics } | { BIOMETRIC id : palm } | { BIOMETRIC id : retina } | { BIOMETRIC id : signature } | { BIOMETRIC id : speech-Pattern } | { BIOMETRIC id : thermal-Image } | { BIOMETRIC id : vein-Pattern }, ... -- expect additional biometric types -- } A CMS module is defined in X9.84 based on X9.73, which is closely aligned with the work in SMIME, but which extends the IETF effort. So the familiar cryptographic types, SignedData, EnvelopedData, and AuthenticatedData are used in X9.84 for security. And the x9.84 OID x9-84 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) tc68(133) country(16) x9(840) x9Standards(9) x9-84(84) } can be paired in any of the certificate formats defined in X9.84 and X9.73 (X.509 identity certificates and AttributeCertificates, X9.68 Domain certificates, and any other formats that may arise, such as WTLS and XML) to carry a value of BiometricSyntax ::= CHOICE { biometricObject BiometricObject, -- unprotected integrityObject IntegrityObject, privacyObject PrivacyObject, privacyAndIntegrityObject PrivacyAndIntegrityObject } to allow applications that need to do so, to deal with privacy concerns, and to also support those applications that have no such concerns. A very flexible design. You can find out more about this new standard at http://www.x9.org. I believe that the work is now in a period of public review for those who would like to comment. X9.84 has also been proposed as a NWI for international standardization in ISO TC 68. Phil ---- Phillip H. Griffin Griffin Consulting http://asn-1.com Secure ASN.1 Design & Implementation p: +1-919-832-7008 1625 Glenwood Avenue f: +1-919-832-7390 Hayes Barton at Five Points e: phil@asn-1.com Raleigh, North Carolina 27608-2319 USA ------------------------------------------------------------ Dean Povey wrote: > > Hi all, > > I have just being perusing RFC3039 (Qualified Certificates Profile) with > a view to coming up with a more concrete proposal for logotypes in > certificates. > > RFC3039 uses the following syntax to represent an image of the subject in > its biometricInfo Extension. > > biometricInfo EXTENSION ::= { > SYNTAX BiometricSyntax > IDENTIFIED BY id-pe-biometricInfo } > > id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2} > > BiometricSyntax ::= SEQUENCE OF BiometricData > > BiometricData ::= SEQUENCE { > typeOfBiometricData TypeOfBiometricData, > hashAlgorithm AlgorithmIdentifier, > biometricDataHash OCTET STRING, > sourceDataUri IA5String OPTIONAL } > > TypeOfBiometricData ::= CHOICE { > predefinedBiometricType PredefinedBiometricType, > biometricDataID OBJECT IDENTIFIER } > > PredefinedBiometricType ::= INTEGER { picture(0), > handwritten-signature(1)} (picture|handwritten-signature,...) > > Specifically it states: > > The predefined biometric type picture, when present, SHALL identify > that the source picture is in the form of a displayable graphical > image of the subject. The hash of the graphical image SHALL only be > calculated over the image data excluding any labels defining the > image type. > > i.e. The image type is not part of the digest and is therefore not > authenticated. This leads to a potential risk where the CA signs an image > after viewing it one format, but it is presented to the user in a different > format. It is an open question whether it would be possible to produce > a single binary data file crafted such that it would appear as a plausibly > different image to both the CA and the user when presented in different > formats. However, I think we would have to concede that it is possible. > > It gets worse. Even if the image type is included in the certificate many > modern image formats have different options for how they are displayed. > For example, I seem to recall that animated gifs on old browsers would just > display the first image rather than the whole animated sequence. It may be > possible to fool a CA into signing an animated gif, where an initial image > is shown for an imperceptibly brief time, before showing the final image. > The user with the old browser then sees just the initial image. > > There may well be many other ways of attacking specific formats. > > Can anyone come up with a solution to this? I can think of three > less than perfect alternatives: > > 1. The risk could be avoided by requiring the CA to always generate the image > from an analog source rather than certifying a digital image, but this > obviously makes such a scheme less flexible. > > 2. Another approach might be to recommend a profile for common > image types and their options outlining which are appropriate for use. > The main disadvantage of this, is that these image types will evolve > over time, meaning they will need continual updating. Another > disadvantage is that it may be very difficult for a CA to verify what > particular combination of options are being used in a particular > image they are being presented. > > 3. A third approach might be that the CA and end-user must use the same > software/hardware to view the image. However, in an environment with > many versions this would quickly become unworkable. > > Are there any views on this? > > Cheers. > > -- > Dean Povey, | e-m: povey@dstc.edu.au | JCSI: Java Crypto Toolkit > Research Scientist | ph: +61 7 3864 5120 | uPKI: C PKI toolkit for embedded > Security Unit, DSTC | fax: +61 7 3864 1282 | systems > Brisbane, Australia | www: security.dstc.com | Oscar: C++ PKI toolkit Received: from thunder.dstc.qut.edu.au (thunder.dstc.qut.edu.au [131.181.71.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id UAA08332 for <ietf-pkix@imc.org>; Sun, 1 Apr 2001 20:12:51 -0700 (PDT) Received: from dstc.qut.edu.au (garnet.dstc.qut.edu.au [131.181.71.36]) by thunder.dstc.qut.edu.au (8.10.1/8.10.1) with ESMTP id f323Com01048 for <ietf-pkix@imc.org>; Mon, 2 Apr 2001 13:12:50 +1000 (EST) Message-Id: <200104020312.f323Com01048@thunder.dstc.qut.edu.au> X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 To: ietf-pkix@imc.org Subject: Potential Security Risk in Qualified Certificate images? Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 02 Apr 2001 13:12:50 +1000 From: Dean Povey <povey@dstc.qut.edu.au> Hi all, I have just being perusing RFC3039 (Qualified Certificates Profile) with a view to coming up with a more concrete proposal for logotypes in certificates. RFC3039 uses the following syntax to represent an image of the subject in its biometricInfo Extension. biometricInfo EXTENSION ::= { SYNTAX BiometricSyntax IDENTIFIED BY id-pe-biometricInfo } id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2} BiometricSyntax ::= SEQUENCE OF BiometricData BiometricData ::= SEQUENCE { typeOfBiometricData TypeOfBiometricData, hashAlgorithm AlgorithmIdentifier, biometricDataHash OCTET STRING, sourceDataUri IA5String OPTIONAL } TypeOfBiometricData ::= CHOICE { predefinedBiometricType PredefinedBiometricType, biometricDataID OBJECT IDENTIFIER } PredefinedBiometricType ::= INTEGER { picture(0), handwritten-signature(1)} (picture|handwritten-signature,...) Specifically it states: The predefined biometric type picture, when present, SHALL identify that the source picture is in the form of a displayable graphical image of the subject. The hash of the graphical image SHALL only be calculated over the image data excluding any labels defining the image type. i.e. The image type is not part of the digest and is therefore not authenticated. This leads to a potential risk where the CA signs an image after viewing it one format, but it is presented to the user in a different format. It is an open question whether it would be possible to produce a single binary data file crafted such that it would appear as a plausibly different image to both the CA and the user when presented in different formats. However, I think we would have to concede that it is possible. It gets worse. Even if the image type is included in the certificate many modern image formats have different options for how they are displayed. For example, I seem to recall that animated gifs on old browsers would just display the first image rather than the whole animated sequence. It may be possible to fool a CA into signing an animated gif, where an initial image is shown for an imperceptibly brief time, before showing the final image. The user with the old browser then sees just the initial image. There may well be many other ways of attacking specific formats. Can anyone come up with a solution to this? I can think of three less than perfect alternatives: 1. The risk could be avoided by requiring the CA to always generate the image from an analog source rather than certifying a digital image, but this obviously makes such a scheme less flexible. 2. Another approach might be to recommend a profile for common image types and their options outlining which are appropriate for use. The main disadvantage of this, is that these image types will evolve over time, meaning they will need continual updating. Another disadvantage is that it may be very difficult for a CA to verify what particular combination of options are being used in a particular image they are being presented. 3. A third approach might be that the CA and end-user must use the same software/hardware to view the image. However, in an environment with many versions this would quickly become unworkable. Are there any views on this? Cheers. -- Dean Povey, | e-m: povey@dstc.edu.au | JCSI: Java Crypto Toolkit Research Scientist | ph: +61 7 3864 5120 | uPKI: C PKI toolkit for embedded Security Unit, DSTC | fax: +61 7 3864 1282 | systems Brisbane, Australia | www: security.dstc.com | Oscar: C++ PKI toolkit Received: from server.village.com.ar (host069098.arnet.net.ar [200.45.69.98]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA04721 for <ietf-pkix@imc.org>; Sun, 1 Apr 2001 16:11:32 -0700 (PDT) From: mb644@arabia.com Received: from 44mexi7server42 ([127.0.0.1]) by server.village.com.ar (8.9.3/8.9.3) with SMTP id UAA18150 for ietf-pkix@imc.org; Sun, 1 Apr 2001 20:26:29 -0400 Date: Sun, 1 Apr 2001 20:26:29 -0400 Message-Id: <200104020026.UAA18150@server.village.com.ar> To: <ietf-pkix@imc.org> Subject: ADV: Top Search Engine Rankings MIME-Version: 1.0 Content-Type: text/plain; charset=unknown-8bit Removal instructions below. I saw your listing on the internet. I work for a company that specializes in getting clients web sites listed as close to the top of the major search engines as possible. Our fee is only $29.95 per month to submit your site at least twice a month to over 350 search engines and directories. To get started and put your web site in the fast lane, call our toll free number below. Mike Bender 888-532-8842 To be removed call: 888-800-6339 X1377
- CPS Pointer Housley, Russ
- Re: CPS Pointer Paul Hoffman / IMC
- Re: CPS Pointer Roger Younglove
- Re: CPS Pointer Terry Hayes
- RE: CPS Pointer Trevor Freeman
- RE: CPS Pointer Peter Williams