Re: Problem with draft-ietf-pkix-authorityclearanceconstraints-02

Stefan Santesson <stefan@aaa-sec.com> Thu, 02 April 2009 15:09 UTC

Date: Thu, 02 Apr 2009 16:47:00 +0200
Subject: Re: Problem with draft-ietf-pkix-authorityclearanceconstraints-02
From: Stefan Santesson <stefan@aaa-sec.com>
To: Stefan Santesson <stefan@aaa-sec.com>, IETF-pkix <ietf-pkix@imc.org>

Small correction,

I copied the text from the wrong draft, as you may see from the old title.

The actual text from draft-ietf-pkix-authorityclearanceconstraints-02 is
almost the same and has the same problem:

   When processing Authority Clearance Constraints certificate extension
   for the purposes of validating Clearance attribute in the end PKC,
   the processing described in this section or an equivalent algorithm
   MUST be included in the certification path validation.  The
   processing is presented as additions to the certification path
   validation algorithm described in section 6 of [RFC5280].



This is just a nit that could be fixed at any later update. I would suggest
the following small change:


   When processing Authority Clearance Constraints certificate extension
   for the purposes of validating Clearance attribute in the end PKC,
   the processing described in this section or an equivalent algorithm
   MUST be performed in addition to the certification path
   validation algorithm described in section 6 of [RFC5280].



/Stefan



On 4/2/09 2:10 PM, "Stefan Santesson" <stefan@aaa-sec.com> wrote:

> I found a problem with draft-turner-caclearanceconstraints-02.txt
> 
> Section 4.1.1. Certification Path Processing  states
> 
>    When processing Authority Clearance Constraints certificate extension
>    for the purposes of validating Clearance attribute in the end certificate,
> PKC,
>    the processing described in this section or an equivalent algorithm
>    MUST be included in the certification path validation.
> 
> It is problematic, and unnecessary to require ca clearance constraints
> processing to be "included" in certification path validation.
> None of the clearance constraints information is needed to determine the
> validity of the certificate, and as such it does not need to be processed as an
> integrated process.
> 
> It would be perfectly valid for an application that chooses to rely on the
> clearance information, to process clearance constraints as a post process,
> i.e. after path validation is completed.
> 
> A requirement to integrate caclearance constraints into path validation would
> make this a lot harder to implement as it would require modification to core
> security components.
> 
> Stefan Santesson
> AAA-sec.com
> 
> 
> 
>
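
The post-process arrangement discussed in this thread, sketched as an added example (not text or code from the draft or from either message). It assumes a simplified model: a clearance is a map from policy OID to a set of classification names, a CA certificate without the extension adds no constraint, and the OIDs and names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model (assumption): {policy OID: set of classification names}.
Clearance = dict[str, frozenset[str]]

@dataclass(frozen=True)
class Cert:
    subject: str
    constraints: Optional[Clearance] = None  # Authority Clearance Constraints (CA certs)
    clearance: Optional[Clearance] = None    # Clearance attribute (end PKC)

def intersect(a: Clearance, b: Clearance) -> Clearance:
    """Keep policies present in both, with only the classifications common to both."""
    out = {}
    for policy in a.keys() & b.keys():
        common = a[policy] & b[policy]
        if common:
            out[policy] = common
    return out

def effective_clearance(validated_path: list[Cert]) -> Clearance:
    """Runs AFTER the RFC 5280 section 6 validator has accepted the path.

    validated_path is ordered from the first CA certificate to the end PKC.
    The core validator is not touched; this only reads its accepted path.
    """
    *cas, end = validated_path
    permitted: Optional[Clearance] = None  # None means "no constraint seen yet"
    for ca in cas:
        if ca.constraints is not None:
            permitted = (ca.constraints if permitted is None
                         else intersect(permitted, ca.constraints))
    if end.clearance is None:
        return {}
    return dict(end.clearance) if permitted is None else intersect(permitted, end.clearance)

# Constructed sample path; 2.999.x is the example OID arc.
ROOT = Cert("Root CA", constraints={
    "2.999.1": frozenset({"unclassified", "confidential", "secret"})})
SUB = Cert("Sub CA", constraints={
    "2.999.1": frozenset({"unclassified", "confidential"}),
    "2.999.2": frozenset({"unclassified"})})
USER = Cert("End PKC", clearance={
    "2.999.1": frozenset({"confidential", "secret"})})

if __name__ == "__main__":
    print(effective_clearance([ROOT, SUB, USER]))
```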