Re: [pkix] Concluding OCSP Agility
Stefan Santesson <stefan@aaa-sec.com> Fri, 11 March 2011 12:04 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@core3.amsl.com
Delivered-To: pkix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1810F3A68EC for <pkix@core3.amsl.com>; Fri, 11 Mar 2011 04:04:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.79
X-Spam-Level:
X-Spam-Status: No, score=-102.79 tagged_above=-999 required=5 tests=[AWL=0.459, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W8+5rzBD9NKL for <pkix@core3.amsl.com>; Fri, 11 Mar 2011 04:04:06 -0800 (PST)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.115]) by core3.amsl.com (Postfix) with ESMTP id A32E13A68DD for <pkix@ietf.org>; Fri, 11 Mar 2011 04:04:06 -0800 (PST)
Received: from s60.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 5F25942F49F for <pkix@ietf.org>; Fri, 11 Mar 2011 13:05:27 +0100 (CET)
Received: (qmail 91824 invoked from network); 11 Mar 2011 12:05:22 -0000
Received: from unknown (HELO [192.168.1.8]) (stefan@fiddler.nu@[85.235.10.93]) (envelope-sender <stefan@aaa-sec.com>) by s60.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <pkix@ietf.org>; 11 Mar 2011 12:05:22 -0000
User-Agent: Microsoft-MacOutlook/14.2.0.101115
Date: Fri, 11 Mar 2011 13:05:14 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: pkix <pkix@ietf.org>
Message-ID: <C99FCCA7.1438B%stefan@aaa-sec.com>
Thread-Topic: [pkix] Concluding OCSP Agility
In-Reply-To: <C99FB82B.14373%stefan@aaa-sec.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: Jim Schaad <ietf@augustcellars.com>
Subject: Re: [pkix] Concluding OCSP Agility
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2011 12:04:08 -0000
A new draft has been submitted http://tools.ietf.org/rfcdiff?url2=draft-ietf-pkix-ocspagility-10.txt In particular, please check the change in section 8.1. It's revision was requested by IESG, but I'm not entirely sure what the original text intended to say. I.e: "In such circumstances the responder MUST NOT generate a signature for a signing mechanism that is considered unacceptably insecure." Jim, it would be great if you could check if the ASN.1 changes are OK. /Stefan On 11-03-11 11:32 AM, "Stefan Santesson" <stefan@aaa-sec.com> wrote: >I made an error in the suggested ASN.1 > >It should not be SMIMECapabilities, it should be SMIMECapability. >SMIMECapabilities is a SEQUENCE OF SMIMECapability. There is no reason for >such sequence in the structure. > >The correct ASN.1 should be: > > PreferredSignatureAlgorithm ::= SEQUENCE { > sigIdentifier AlgorithmIdentifier, > pubKeyAlgIdentifier SMIMECapability OPTIONAL > } > > >/Stefan > > >On 11-03-09 4:33 PM, "Stephen Kent" <kent@bbn.com> wrote: > >>At 1:41 AM +0100 3/8/11, Stefan Santesson wrote: >>>The OCSP agility draft sits with the IESG with an "new ID needed" >>>status. >>> >>>However, I don't think we got a clear consensus on whether to use >>>Algorithm identifier or SMIMECapabilities. >>> >>>The structure at hand is: >>> >>>PreferredSignatureAlgorithms ::= SEQUENCE OF >>> PreferredSignatureAlgorithm >>> PreferredSignatureAlgorithm ::= SEQUENCE { >>> sigIdentifier AlgorithmIdentifier, >>> certIdentifier AlgorithmIdentifier OPTIONAL >>> } >>> >>> >>>There is now a new PKIX draft for S/MIME Capabilities for public key >>>definitions which may help move forward on this issue. >>> >>>The primary proposal as I recall this is to change the >>>certIdentifier into SMIMECapabilities as that would allow better >>>specification of public keys and their parameters. >>> >>>Secondly I recall that we should change the name of certIdentifier >>>to something better as it sounds like an identifier of a certificate >>>which it is not. >>>More suitable would be pubKeyAlgIdentifier since this is an >>>identifier of the preferred algorithm of the public key in the >>>responders certificate. >>> >>>The changed syntax would then be: >>> >>> PreferredSignatureAlgorithm ::= SEQUENCE { >>> sigIdentifier AlgorithmIdentifier, >>> pubKeyAlgIdentifier SMIMECapabilities OPTIONAL >>> } >>> >>>Would the list agree to this change? >>> >>>/Stefan >> >>I am comfortable with this change. >> >>Steve >>_______________________________________________ >>pkix mailing list >>pkix@ietf.org >>https://www.ietf.org/mailman/listinfo/pkix > > >_______________________________________________ >pkix mailing list >pkix@ietf.org >https://www.ietf.org/mailman/listinfo/pkix
- [pkix] Concluding OCSP Agility Stefan Santesson
- Re: [pkix] Concluding OCSP Agility Sean Turner
- Re: [pkix] Concluding OCSP Agility Stephen Kent
- Re: [pkix] Concluding OCSP Agility Stefan Santesson
- Re: [pkix] Concluding OCSP Agility Stefan Santesson
- Re: [pkix] Concluding OCSP Agility Jim Schaad
- Re: [pkix] Concluding OCSP Agility Stephen Kent
- Re: [pkix] Concluding OCSP Agility Stefan Santesson
- Re: [pkix] Concluding OCSP Agility Stefan Santesson