IETF Logo Mail Archive

Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

"Piyush Jain" <piyush@ditenity.com> Fri, 29 March 2013 19:27 UTC

Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8241621F8EC9 for <pkix@ietfa.amsl.com>; Fri, 29 Mar 2013 12:27:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.974
X-Spam-Level:
X-Spam-Status: No, score=-0.974 tagged_above=-999 required=5 tests=[AWL=-1.570, BAYES_00=-2.599, DOS_OUTLOOK_TO_MX=1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_EQ_LT4=0.442, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2iMPABnhvDMX for <pkix@ietfa.amsl.com>; Fri, 29 Mar 2013 12:27:46 -0700 (PDT)
Received: from mail-gg0-x232.google.com (mail-gg0-x232.google.com [IPv6:2607:f8b0:4002:c02::232]) by ietfa.amsl.com (Postfix) with ESMTP id 3732F21F8ED3 for <pkix@ietf.org>; Fri, 29 Mar 2013 12:27:46 -0700 (PDT)
Received: by mail-gg0-f178.google.com with SMTP id e5so66163ggh.23 for <pkix@ietf.org>; Fri, 29 Mar 2013 12:27:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=o8FpgSuY6P+4bpsz0DjVU5JcgCo4w97r71fi1wecLAk=; b=jSufkgrU6l/GRvp260Dc4sBIrLGjznA3vl6PaGRzigzTycqAlJYF3WRVZcTvFXCH2k pdyFb91O6OJ66i7T+ZZtFQWzA2xDaZdA+6Lesq0kP9SWxhCVvJvrX+D75RfY6JxyoqJt PtIff9pe8erSHhZemgjVayYhSUKLJ0vpG7at8jvaGgX+SwKhO7orGvq6Sq2yOCKSSE8L 7b6LrD3nMR5CZD1EP4BgzwMNH1Iy9oFrNN9QvPFzsPCP8WKkEVGRosTToUGW9DK/4hlY iQZtBFnQ3hmWGvrVpr9wP05IucTnvWV2OFq/w6wAAvbQAhlEno4cvk6kFlmmLUHIPPxW vlSw==
X-Received: by 10.236.115.97 with SMTP id d61mr1222469yhh.136.1364585265603; Fri, 29 Mar 2013 12:27:45 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id x71sm2927779yhg.17.2013.03.29.12.27.43 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 12:27:45 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: "'Black, David'" <david.black@emc.com>, 'Stefan Santesson' <stefan@aaa-sec.com>, sts@aaa-sec.com, mmyers@fastq.com, ambarish@gmail.com, slava.galperin@gmail.com, cadams@eecs.uottawa.ca, gen-art@ietf.org
References: <00fc01ce2c98$ddc41770$994c4650$@ditenity.com> <CD7B80C0.5F100%stefan@aaa-sec.com> <012f01ce2ca0$9eaf4840$dc0dd8c0$@ditenity.com> <8D3D17ACE214DC429325B2B98F3AE71293D36BC5@MX15A.corp.emc.com>
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71293D36BC5@MX15A.corp.emc.com>
Date: Fri, 29 Mar 2013 12:27:40 -0700
Message-ID: <017c01ce2cb3$7be35ff0$73aa1fd0$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
thread-index: AQEn+8mlhU8+Jh1sNTWP+EAwhHU2PQFaQn1rAjldMbICSr83JZnad9xw
Content-Language: en-us
X-Gm-Message-State: ALoCoQmhHnJVFJwf2kp49tcZWh2KemhoLWOKie3XH/gyrn4Gh3Iimt5NLighU9KANRUo+5EUiw7g
Cc: pkix@ietf.org
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2013 19:27:47 -0000

Hi David,

Your interpretation of the text is right on target.
How, based on the past discussions in this WG, that is not the intent.

The sole reason cited for overloading the meaning of revoked status with
non-issued was that it allows new servers to interoperate with legacy
clients. The WG agreed that there are many better alternatives but they all
break compatibility with older clients. In fact, a more secure and complete
proposal by Denis was not adopted because of the same reason.

I believe that Stefan is trying to convey that requiring servers to return
revoked in this context will make them non-compliant with 2560 and 5019 as
opposed to breaking interoperability with legacy clients.

Cheers
-Piyush

> -----Original Message-----
> From: Black, David [mailto:david.black@emc.com]
> Sent: Friday, March 29, 2013 11:18 AM
> To: Piyush Jain; 'Stefan Santesson'; sts@aaa-sec.com; mmyers@fastq.com;
> ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca;
> gen-art@ietf.org
> Cc: pkix@ietf.org; Black, David
> Subject: RE: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
> 
> Hi Piyush,
> 
> The usual backwards compatibility concern is mixed new/legacy
> deployments.
> In this case, the specifics appear to be:
> 
> New clients with legacy servers cannot expect to see "revoked" in this
case.
> This matters because a hypothetical client coded to depend on a "revoked"
> response in this case won't work correctly with legacy servers (even
though
> it'd be rather questionable to code that dependency into a new client -
never
> underestimate the creativity and cleverness of implementers).
> 
> New servers with legacy clients risk breaking clients that can't cope with
> "revoked" in this case, as you noted:
> 
> >>> any other approach would break backward compatibility with legacy
> >>> clients.
> 
> Both of these are justifications for "optional", as these RFCs apply to
both
> clients and servers.
> 
> Thanks,
> --David
> 
> > -----Original Message-----
> > From: Piyush Jain [mailto:piyush@ditenity.com]
> > Sent: Friday, March 29, 2013 1:13 PM
> > To: 'Stefan Santesson'; Black, David; sts@aaa-sec.com;
> > mmyers@fastq.com; ambarish@gmail.com; slava.galperin@gmail.com;
> > cadams@eecs.uottawa.ca; gen- art@ietf.org
> > Cc: pkix@ietf.org
> > Subject: RE: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
> >
> > Not arguing that it should be required. I'm with you on keeping it
optional.
> >
> > It is your statement about backward compatibility to justify it that
> > is incorrect.
> > Backward compatibility "with deployments of RFC2560" is not affected
> > in either case. Legacy clients will continue to work whether you make
> > it required or optional.
> >
> > You probably meant "maintain compliance with RFC 2560 and RFC 5019."
> >
> > -Piyush
> >
> > > -----Original Message-----
> > > From: Stefan Santesson [mailto:stefan@aaa-sec.com]
> > > Sent: Friday, March 29, 2013 9:37 AM
> > > To: Piyush Jain; 'Black, David'; sts@aaa-sec.com; mmyers@fastq.com;
> > > ambarish@gmail.com; slava.galperin@gmail.com;
> > > cadams@eecs.uottawa.ca; gen-art@ietf.org
> > > Cc: pkix@ietf.org; ietf@ietf.org
> > > Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
> > >
> > > On 3/29/13 5:17 PM, "Piyush Jain" <piyush@ditenity.com> wrote:
> > >
> > > >' "revoked" status is still optional in this context in order to
> > > >maintain backwards compatibility with deployments of RFC 2560.'
> > > >
> > > >I fail to understand this statement about backward compatibility.
> > > >How does "revoked" being "optional/required breaks backward
> > > compatibility?
> > > >The only reason cited in the WG discussions to use revoked for
> > > >"not-issued"
> > > >was that any other approach would break backward compatibility with
> > > >legacy clients. And now the draft says that revoked is optional
> > > >because making it required won't be backward compatible.
> > >
> > > Yes. Making it required would prohibit other valid ways to respond
> > > to this situation that is allowed by RFC 2560 and RFC 5019.
> > > Such as responding "good" or responding with "unauthorized" error.
> > >
> > > >
> > > >And it gives the impression that best course of action for 2560bis
> > > >responders is to start issuing revoked for "not-issued", which is
> > > >far from the originally stated goal to provide a way for CAs to be
> > > >able to return revoked for such serial numbers.
> > >
> > > The latter is what optional means.
> > >
> > > /Stefan
> > >
> >
> >

v2.23.0 | Report a Bug | By Email