RE: draft-turner-caclearanceconstraints-01.txt
"Carl Wallace" <CWallace@cygnacom.com> Sat, 11 October 2008 13:51 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9024B3A6A1E for <ietfarch-pkix-archive@core3.amsl.com>; Sat, 11 Oct 2008 06:51:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.431
X-Spam-Level:
X-Spam-Status: No, score=-1.431 tagged_above=-999 required=5 tests=[AWL=0.037, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xg7gFakCkQnE for <ietfarch-pkix-archive@core3.amsl.com>; Sat, 11 Oct 2008 06:51:30 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 8C6AA3A6884 for <pkix-archive@ietf.org>; Sat, 11 Oct 2008 06:51:29 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9BD7UUb073418 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 11 Oct 2008 06:07:30 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9BD7UoL073417; Sat, 11 Oct 2008 06:07:30 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by balder-227.proper.com (8.14.2/8.14.2) with SMTP id m9BD7IT9073397 for <ietf-pkix@imc.org>; Sat, 11 Oct 2008 06:07:29 -0700 (MST) (envelope-from CWallace@cygnacom.com)
Received: (qmail 15808 invoked from network); 11 Oct 2008 12:54:02 -0000
Received: from CWallace@cygnacom.com by scygmxsecs1.cygnacom.com with EntrustECS-Server-7.4; 11 Oct 2008 12:54:02 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 11 Oct 2008 12:54:02 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C92BA2.49BA7EFA"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: draft-turner-caclearanceconstraints-01.txt
Date: Sat, 11 Oct 2008 09:07:17 -0400
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D487A42B0@scygexch1.cygnacom.com>
In-Reply-To: <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-turner-caclearanceconstraints-01.txt
Thread-Index: AckkCUREtMVRjHr8Tbyvr7tGamq2+wEhfTXQAMS01iA=
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com>
From: Carl Wallace <CWallace@cygnacom.com>
To: ietf-pkix@imc.org
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I vote yes to adopting this as a PKIX work item. Specification details can be resolved after the draft is accepted as a working group draft. ________________________________ From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Stefan Santesson Sent: Tuesday, October 07, 2008 11:41 AM To: Stephen Kent; ietf-pkix@imc.org Subject: RE: draft-turner-caclearanceconstraints-01.txt I vote NO to adopting this work as a PKIX work item. I do vote for a continued debate on the rationale for this proposal but I have yet not seen any good motivation for doing this work. The rational for my NO vote is: 1) To start with, a certificate is a very bad place to manage clearance. I can at most agree to it's use in AA certificates but clearance is in its nature fundamentally different from Public Key certificates as the certificate is an assertion of an entity's key and identity, which is generic and static, while clearance is context specific and dynamic. 2) If clearance would make it into certificates, then that should be more than enough that we reasonable could handle as a standard. To specify constraints for such information is to ask for big trouble. Elaborating on the difficulties to specify clearance constraints I would like to highlight some quotes from the draft: The draft is taking several shortcuts when it comes to clearance constraints processing. The class list is specified but at the same time defined within the context of PolicyId. This means that there is no generic way to compare ClassList bits, This is highlighted by the following quote from 4.1.1.3: -- Calculate securityCategories intersection in accordance with guidelines associated with the security policy represented by the policyID. So the logic for clearance constraints processing is performed per PolicyId but the logic may be different for every PolicyId. In my world, this does not fly and is not implementable. I also have a number of other problems: * This draft makes clearance processing authoritative over accepting certificate paths. I foresee problems with legacy implementations of PKI: If more than one entry with the same policyId is present in AuthorityClearanceConstraints certificate extension, the certification path is rejected. * This draft mandates processing of extensions in TA certificates (root) which can be argued to be incompatible with RFC 3280 Conclusion: Before this work is accepted as work group item, it must show that clearance constraints processing is possible in a reasonable and meaningful manner, and hence is worth working on. If we decide to work on this item, I foresee a major design commitment for the PKIX group and an even bigger commitment on behalf of implementers. As such, I also encourage use cases that motivates the effort. Stefan Santesson Senior Program Manager Windows Security, Standards From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Stephen Kent Sent: den 1 oktober 2008 22:24 To: ietf-pkix@imc.org Subject: draft-turner-caclearanceconstraints-01.txt It appears to have been two months since there was any PKIX list discussion of this document. In Dublin it was agreed that we would conduct a straw poll on whether to adopt this as a WG item, but I failed to do so prior to leaving for a week-long meeting in NZ and 3-week vacation in KE. My bad. So, I'd like to initiate a 1-week straw poll starting 10/3. Sean, the minutes indicated that you would tell me what status you are seeking for the document, and I have no record of a message from you on that topic, so please provide that vital piece of info to the list before we start the poll. Thanks, Steve
- draft-turner-caclearanceconstraints-01.txt Stephen Kent
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Reddy, Raksha Patel
- RE: draft-turner-caclearanceconstraints-01.txt Russ Housley
- Re: draft-turner-caclearanceconstraints-01.txt Kurt Zeilenga
- RE: draft-turner-caclearanceconstraints-01.txt Ashmore, Samuel R.
- Re: draft-turner-caclearanceconstraints-01.txt Stephen Farrell
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Denis Pinkas
- Re: draft-turner-caclearanceconstraints-01.txt Yoav Nir
- What are certificates fundamentally all about? [w… Stephen Wilson
- RE: draft-turner-caclearanceconstraints-01.txt Carl Wallace
- Re: What are certificates fundamentally all about… Timothy J. Miller
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: What are certificates fundamentally all about… Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: What are certificates fundamentally all about… Stephen Wilson
- Re: What are certificates fundamentally all about… Stephen Kent
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Russ Housley
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin