Re: [pkix] I-D Action:draft-ietf-pkix-new-asn1-07.txt

Sean Turner <turners@ieca.com> Mon, 31 August 2009 22:09 UTC

Message-ID: <4A9C49F7.5020908@ieca.com>
Date: Mon, 31 Aug 2009 18:08:55 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Paul Hoffman <phoffman@imc.org>
References: <20090814011501.D7C073A696C@core3.amsl.com> <4A9C2028.2060500@ieca.com> <p06240808c6c1d5f72291@[10.20.30.158]>
In-Reply-To: <p06240808c6c1d5f72291@[10.20.30.158]>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: pkix@ietf.org
Subject: Re: [pkix] I-D Action:draft-ietf-pkix-new-asn1-07.txt
List-Id: PKIX Working Group <pkix.ietf.org>

Paul Hoffman wrote:
> At 3:10 PM -0400 8/31/09, Sean Turner wrote:
>> During the updates to RFC 3281 it was noted that the wrong OID was used for id-at-clearance.  We fixed this in draft-ietf-pkix-3281bis.  I would like to make sure we incorporate the same fix in draft-ietf-pkix-new-asn1.  If we don't, then we'll need to do another ID that incorporates this one change in an '02 ASN.1 module.  What I'm proposing is that we make the following change:
>>
>> OLD:
>>
>> id-at-clearance              OBJECT IDENTIFIER ::=
>>              { joint-iso-ccitt(2) ds(5) module(1)
>>                selected-attribute-types(5) clearance (55) }
>>
>> NEW:
>>
>>  id-at-clearance              OBJECT IDENTIFIER ::= {
>>      joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) }
>>
>>    -- Uncomment the following declaration and comment the above line if
>>    -- using the id-at-clearance attribute as defined in [RFC3281]
>>
>>    --  id-at-clearance              OBJECT IDENTIFIER ::= {
>>    --    joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5)
>>    --    clearance (55) }
> 
> draft-ietf-pkix-new-asn1 has a module for RFC 3281. Jim and I believe that the module in our draft matches RFC 3281 correctly.

Not debating this.

> We can add another module that reflects draft-ietf-pkix-3281update-05.txt  (there is no draft-ietf-pkix-3281bis). However, we do not have any Internet Drafts in draft-ietf-pkix-new-asn1, and I personally think that it is unwise for us to add one at this late state. We could also wait for draft-ietf-pkix-3281update-05.txt to be published as an RFC and add a module for it to draft-ietf-pkix-new-asn1.

I don't think it's too late in the process.  I'd rather fix this error 
now than have to publish another RFC later.

> Personally, I think it is wrong to change the module for RFC 3281 to change bits on the wire from what is represented in RFC 3281.

We did an update ID and it's passed PKIX WG LC and IETF LC and is now 
sitting in the RFC editor's queue pinned in a cluster with 7 other 
documents waiting on draft-ietf-pkix-sha2-dsa-ecdsa.  Other than this 
procedural issue, we'd probably not be having this conversation because 
it would be an RFC.  But since draft-ietf-pkix-3281update is already in 
the RFC editor's queue, I think it's pretty clear that the community 
wants this change incorporated into any update of RFC 3281 and in my 
mind that includes draft-ietf-pkix-new-asn1.  I think it would be bad to 
have an updated RFC 3281 module that incorporates changes and an RFC 
with a later number that includes an ASN.1 module that essentially 
undoes the fixes.  Can't we just assume draft-ietf-pkix-3281update 
should pop out of the RFC editor's queue first (if only by hours/days) 
and just make this change now?  If not, then I'd advocate waiting for 
draft-ietf-pkix-3281update to be published as an RFC and adding the 
updated RFC 3281 module to draft-ietf-pkix-new-asn1.

In the original message, I forgot to add that we also need to include 
the following:

  -- Uncomment the following lines to support deprecated clearance
  -- syntax and comment out previous Clearance.

  -- Clearance ::= SEQUENCE {
  --  policyId            [0] OBJECT IDENTIFIER,
  --  classList           [1] ClassList DEFAULT {unclassified},
  --  securityCategories  [2] SET OF SecurityCategory  OPTIONAL
  -- }

spt
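The disagreement above is about bits on the wire: the two OBJECT IDENTIFIER values differ once DER-encoded, and the deprecated Clearance syntax with its [0]/[1]/[2] context tags encodes differently from an untagged SEQUENCE. The following added example (written for this page, not code from the thread, the PKIX drafts, or any IETF tool) encodes both id-at-clearance values with a minimal DER OID encoder/decoder and then encodes the deprecated Clearance shape quoted at the end of the message. The dotted forms 2.5.1.5.55 and 2.5.4.55 are derived from the arc numbers shown in the ASN.1 on the page; the assumption that the module uses IMPLICIT TAGS (so [0] replaces the universal OID tag rather than wrapping it) is mine.

```python
"""
Added example: DER encoding of the two candidate id-at-clearance OIDs
and of the deprecated RFC 3281 Clearance syntax. Standard library only.

  old module : joint-iso-ccitt(2) ds(5) module(1)
               selected-attribute-types(5) clearance(55)  -> 2.5.1.5.55
  3281update : joint-iso-ccitt(2) ds(5) attributeType(4)
               clearance(55)                              -> 2.5.4.55
"""

OID_RFC3281_MODULE = "2.5.1.5.55"   # value in the RFC 3281 module (page: OLD)
OID_3281UPDATE = "2.5.4.55"         # value proposed in the thread (page: NEW)


def _encode_base128(n: int) -> bytes:
    """Base-128 subidentifier: continuation bit set on all but the last octet."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _encode_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID as tag 0x06 + length + content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    # The first two arcs are folded into one subidentifier (X.690 8.19.4).
    content = _encode_base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        content += _encode_base128(arc)
    return b"\x06" + _encode_length(len(content)) + content


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER; short-form length is enough for these values."""
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    content = der[2:]
    arcs = []
    value = 0
    for i, b in enumerate(content):
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            if i == len(content) - 1:
                raise ValueError("truncated subidentifier")
            continue
        if not arcs:
            first = min(value // 40, 2)      # first arc is 0, 1 or 2
            arcs.extend([first, value - first * 40])
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def encode_clearance_deprecated(policy_oid: str) -> bytes:
    """
    DER-encode the deprecated Clearance syntax quoted in the message with
    classList left at its DEFAULT (omitted under DER) and securityCategories
    absent. Assumes IMPLICIT TAGS: the [0] context tag replaces the universal
    OID tag, so 0x06 becomes 0x80 and the length/content are unchanged.
    """
    oid = encode_oid(policy_oid)
    policy_id = b"\x80" + oid[1:]   # implicit [0] retag of the OID TLV
    return b"\x30" + _encode_length(len(policy_id)) + policy_id


if __name__ == "__main__":
    for name, oid in (("RFC 3281 module", OID_RFC3281_MODULE),
                      ("3281update", OID_3281UPDATE)):
        print(f"{name:16} {oid:12} -> {encode_oid(oid).hex()}")
    print("deprecated Clearance:", encode_clearance_deprecated(OID_3281UPDATE).hex())
```

Running the block shows the two values differ in both length and content octets, which is exactly the "bits on the wire" concern: a relying party matching the attribute type by encoded OID will not recognise one form if it was built against the other.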