Re: [pkix] An alternative proposal Was: Fwd: New Version Notification for draft-hamilton-cmr-00.txt
Rob Stradling <rob.stradling@comodo.com> Thu, 03 November 2011 13:11 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37AC011E80F4 for <pkix@ietfa.amsl.com>; Thu, 3 Nov 2011 06:11:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6SMFh1BDAPK0 for <pkix@ietfa.amsl.com>; Thu, 3 Nov 2011 06:11:06 -0700 (PDT)
Received: from mmmail1.mcr.colo.comodoca.net (mdfw.comodoca.net [91.209.196.68]) by ietfa.amsl.com (Postfix) with ESMTP id 0D80E21F8D24 for <pkix@ietf.org>; Thu, 3 Nov 2011 06:11:05 -0700 (PDT)
Received: (qmail 24655 invoked from network); 3 Nov 2011 13:11:01 -0000
Received: from ian.bd.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.201) by mail.colo.comodoca.net with ESMTPS (DHE-RSA-AES256-SHA encrypted); 3 Nov 2011 13:11:01 -0000
Received: (qmail 18027 invoked by uid 1000); 3 Nov 2011 13:11:01 -0000
Received: from nigel.brad.office.comodo.net (HELO nigel.localnet) (192.168.0.58) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES256-SHA encrypted) ESMTPS; Thu, 03 Nov 2011 13:11:01 +0000
From: Rob Stradling <rob.stradling@comodo.com>
To: pkix@ietf.org
Date: Thu, 03 Nov 2011 13:10:58 +0000
User-Agent: KMail/1.13.7 (Linux/3.0.6-gentoo; KDE/4.6.5; i686; ; )
References: <CAD7F7D5.2003%tmiller@mitre.org>
In-Reply-To: <CAD7F7D5.2003%tmiller@mitre.org>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <201111031311.00428.rob.stradling@comodo.com>
Subject: Re: [pkix] An alternative proposal Was: Fwd: New Version Notification for draft-hamilton-cmr-00.txt
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 13:11:07 -0000
On Thursday 03 Nov 2011 12:57:14 Miller, Timothy J. wrote: > On 11/3/11 7:37 AM, "Phillip Hallam-Baker" <hallam@gmail.com> wrote: > >That was the old thinking. It is not the current thinking. > > Maybe not yours, but so far I can't seem to grasp exactly why you think > that way. > > >In the DigiNotar case, whitelisting could have allowed the issue to be > >detected much earlier. > > Ok, how? Give me a scenario. http://isc.sans.edu/diary.html?storyid=11512 "Some of the CA servers have had parts of their logs deleted, leading to DigiNotar not knowing what certificates were issued." "The OCSP server's working at DigiNotar has been reversed since Sept 1st. Normally these servers respond with good to all certificates except those on the CRL (a blacklist). The OCSP now operates in whitelist mode: it will call all unknown certificates signed by DigiNotar as revoked (a whitelist). Hence we need to make sure to use the OCSP server to validate DigiNotar certificates -should we want/need to- and not rely on the published CRLs anymore." > >The authoritative source for status information is and always has been > >the CA certificate database. At present the specs are defective in not > >supporting disclosure of 'does not exist'. > > DigiNotar and Comodo were attacked through compromised Registration > Authority account credentials. The attacker in these cases was acting as > an authorized RA. This means that as far as internal processes at the CA > are concerned, the fraudulent certificates were properly issued and had > entries in the CA database. In the Comodo case, yes, the fraudulent certificates did have entries in our CA database. They were detected and revoked within a few hours of being issued. > Detecting which certificates were frauds required checking the CA database > against data external to the CA--e.g., paperwork, email, payment records, > etc.--because the CA database itself was at question. So where does the > whitelist fit in again? > > > -- T > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online Office Tel: +44.(0)1274.730505 Office Fax: +44.(0)1274.730909 www.comodo.com COMODO CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.
- [pkix] An alternative proposal Was: Fwd: New Vers… Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Walter.Goulet
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … denis.pinkas
- Re: [pkix] An alternative proposal Was: Fwd: New … Trevor Freeman
- Re: [pkix] An alternative proposal Was: Fwd: New … Walter.Goulet
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Paul Hoffman
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Walter.Goulet
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … David A. Cooper
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … David A. Cooper
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Paul Hoffman
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] OCSP stapling Michael Myers
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Paul Hoffman
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Wilson
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Yoav Nir
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Kent
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- [pkix] Proposed new singleExtension for OCSP denis.pinkas
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Sylvester
- Re: [pkix] Proposed new singleExtension for OCSP Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Kent
- Re: [pkix] Proposed new singleExtension for OCSP Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Phillip Hallam-Baker
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Martin Rex
- Re: [pkix] Proposed new singleExtension for OCSP Tom Ritter
- Re: [pkix] Proposed new singleExtension for OCSP Kemp, David P.
- Re: [pkix] Proposed new singleExtension for OCSP denis.pinkas
- Re: [pkix] Proposed new singleExtension for OCSP Liaquat Khan
- Re: [pkix] Proposed new singleExtension for OCSP Paul Hoffman
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Tom Gindin
- [pkix] Malaysian CA (Was: An alternative proposal… Yoav Nir
- Re: [pkix] Malaysian CA (Was: An alternative prop… Rob Stradling
- Re: [pkix] Malaysian CA (Was: An alternative prop… Tim Moses
- Re: [pkix] Proposed new singleExtension for OCSP Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Kent
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … David A. Cooper
- Re: [pkix] Proposed new singleExtension for OCSP Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] Malaysian CA (Was: An alternative prop… Peter Gutmann
- [pkix] CRL Whitelist Requirements Was An alternat… Tom Gindin
- Re: [pkix] Malaysian CA (Was: An alternative prop… Yoav Nir
- Re: [pkix] Malaysian CA (Was: An alternative prop… Peter Gutmann
- Re: [pkix] Malaysian CA (Was: An alternative prop… Yoav Nir
- Re: [pkix] Malaysian CA (Was: An alternative prop… Tim Moses
- Re: [pkix] Malaysian CA (Was: An alternative prop… Peter Gutmann
- Re: [pkix] Malaysian CA (Was: An alternative prop… Tim Moses