IETF Logo Mail Archive

Re: [pkix] Concluding OCSP Agility

Stefan Santesson <stefan@aaa-sec.com> Fri, 11 March 2011 12:04 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@core3.amsl.com
Delivered-To: pkix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1810F3A68EC for <pkix@core3.amsl.com>; Fri, 11 Mar 2011 04:04:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.79
X-Spam-Level:
X-Spam-Status: No, score=-102.79 tagged_above=-999 required=5 tests=[AWL=0.459, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W8+5rzBD9NKL for <pkix@core3.amsl.com>; Fri, 11 Mar 2011 04:04:06 -0800 (PST)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.115]) by core3.amsl.com (Postfix) with ESMTP id A32E13A68DD for <pkix@ietf.org>; Fri, 11 Mar 2011 04:04:06 -0800 (PST)
Received: from s60.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 5F25942F49F for <pkix@ietf.org>; Fri, 11 Mar 2011 13:05:27 +0100 (CET)
Received: (qmail 91824 invoked from network); 11 Mar 2011 12:05:22 -0000
Received: from unknown (HELO [192.168.1.8]) (stefan@fiddler.nu@[85.235.10.93]) (envelope-sender <stefan@aaa-sec.com>) by s60.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <pkix@ietf.org>; 11 Mar 2011 12:05:22 -0000
User-Agent: Microsoft-MacOutlook/14.2.0.101115
Date: Fri, 11 Mar 2011 13:05:14 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: pkix <pkix@ietf.org>
Message-ID: <C99FCCA7.1438B%stefan@aaa-sec.com>
Thread-Topic: [pkix] Concluding OCSP Agility
In-Reply-To: <C99FB82B.14373%stefan@aaa-sec.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: Jim Schaad <ietf@augustcellars.com>
Subject: Re: [pkix] Concluding OCSP Agility
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2011 12:04:08 -0000

A new draft has been submitted

http://tools.ietf.org/rfcdiff?url2=draft-ietf-pkix-ocspagility-10.txt

In particular, please check the change in section 8.1. It's revision was
requested by IESG, but I'm not entirely sure what the original text
intended to say.

I.e:
   "In such
   circumstances the responder MUST NOT generate a signature for a
   signing mechanism that is considered unacceptably insecure."


Jim, it would be great if you could check if the ASN.1 changes are OK.

/Stefan




On 11-03-11 11:32 AM, "Stefan Santesson" <stefan@aaa-sec.com> wrote:

>I made an error in the suggested ASN.1
>
>It should not be SMIMECapabilities, it should be SMIMECapability.
>SMIMECapabilities is a SEQUENCE OF SMIMECapability. There is no reason for
>such sequence in the structure.
>
>The correct ASN.1 should be:
>
>     PreferredSignatureAlgorithm ::= SEQUENCE {
>        sigIdentifier        AlgorithmIdentifier,
>        pubKeyAlgIdentifier  SMIMECapability OPTIONAL
>        }
>
>
>/Stefan
>
>
>On 11-03-09 4:33 PM, "Stephen Kent" <kent@bbn.com> wrote:
>
>>At 1:41 AM +0100 3/8/11, Stefan Santesson wrote:
>>>The OCSP agility draft sits with the IESG with an "new ID needed"
>>>status.
>>>
>>>However, I don't think we got a clear consensus on whether to use
>>>Algorithm identifier or SMIMECapabilities.
>>>
>>>The structure at hand is:
>>>
>>>PreferredSignatureAlgorithms ::= SEQUENCE OF
>>>                                        PreferredSignatureAlgorithm
>>>       PreferredSignatureAlgorithm ::= SEQUENCE {
>>>          sigIdentifier   AlgorithmIdentifier,
>>>          certIdentifier  AlgorithmIdentifier OPTIONAL
>>>          }
>>>
>>>
>>>There is now a new PKIX draft for S/MIME Capabilities for public key
>>>definitions which may help move forward on this issue.
>>>
>>>The primary proposal as I recall this is to change the
>>>certIdentifier into SMIMECapabilities as that would allow better
>>>specification of public keys and their parameters.
>>>
>>>Secondly I recall that we should change the name of certIdentifier
>>>to something better as it sounds like an identifier of a certificate
>>>which it is not.
>>>More suitable would be pubKeyAlgIdentifier since this is an
>>>identifier of the preferred algorithm of the public key in the
>>>responders certificate.
>>>
>>>The changed syntax would then be:
>>>
>>>       PreferredSignatureAlgorithm ::= SEQUENCE {
>>>          sigIdentifier        AlgorithmIdentifier,
>>>          pubKeyAlgIdentifier  SMIMECapabilities OPTIONAL
>>>          }
>>>
>>>Would the list agree to this change?
>>>
>>>/Stefan
>>
>>I am comfortable with this change.
>>
>>Steve
>>_______________________________________________
>>pkix mailing list
>>pkix@ietf.org
>>https://www.ietf.org/mailman/listinfo/pkix
>
>
>_______________________________________________
>pkix mailing list
>pkix@ietf.org
>https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email